Archive for January 29th, 2007

Named Pipes in CSA (and a sidenote on the bash shell)

First, the sidenote: .bash_profile is the one that is used when a new shell is created; .bashrc is used when you jump in to another shell (su, for instance). So put the aliases for your own account in the .bash_profile, and login stuff for root, put in root’s .bashrc. If you’re using bash.

Now, on to the meat of the mystery– hooray, mystery meat!– namely, how to use Named Pipes in the Cisco Security Agent’s Management Console (CSAMC). I have found almost no documentation on the subject other than a very literal explanation (“Enable Named Pipes to log to a named pipe.” Ok, thanks.) as to how this feature works precisely. Seeing as how it seemed to be the solution to my problem, I set about figuring this puppy out.

So first of all, what is a named pipe and why do I want to use it? Well, named pipes are somewhat akin to piped outputs on a *nix OS; essentially, they’re used for inter-process communication, so programs can talk to one another. In my own particular instance, I wanted to capture alerts from the CSA management console in real-time and send them securely over the internet (in this case, via SSH, although TLS would work) to another device for logging and reporting and what have you. So, with a named pipe in place, I could capture the output from the CSA MC and send it on its merry way.

The first thing to note is that you have to create your own server process for the pipe. The CSA MC is going to be looking for a pre-existing pipe to write to, so you have to build that. Fortunately, in Perl, using “Win32::Pipe”, this is as simple as:

use Win32::Pipe;
# A bare name (no leading \\.\pipe\) tells Win32::Pipe to create the server end of \\.\pipe\csamc
my $pipe = new Win32::Pipe("csamc") || die "Can't Create Named Pipe\n";

(see http://www.roth.net/perl/pipe/ for more detail on this library).

With the pipe created, you enter into your infinite while loop (“while(1){…”), and start looking for the data. Simple enough. Now, you have to make sure that whatever you called your pipe above (“csamc” in this instance) is the same name that you put in the Management Console when you set up the pipe output for logging.

Additionally, there’s one other trick here: the default type of named pipe looks for a byte stream. Unfortunately, that’s not what the CSAMC will be giving us. You’ll know if there’s a problem because the management console will complain about not being able to write to the named pipe. To make a long story short, here’s actually the kind of pipe you’ll need to create:

# Message-type pipe in message read mode: CSAMC writes whole records, not a byte stream
my $pipe = new Win32::Pipe("csamc", DEFAULT_WAIT_TIME, PIPE_TYPE_MESSAGE, PIPE_READMODE_MESSAGE) || die "Couldn't create your fancy old pipe. \n";

Additionally, you’ll need to bump up the buffer size before reading from the pipe to capture the entirety of the often-lengthy CSA messages. 512 is the default and wasn’t enough; I bumped it up to 4096 bytes:

$pipe->ResizeBuffer(4096);   # default is 512 bytes, too small for a full CSA record

Now we’re seeing some serious output! The basic information is readily apparent, as the timestamp, machine name, and alert text are all easily visible. But what’s with all of the other crazy-ass ASCII hearts and smiley faces? Well, folks, that’s the next mystery I intend to unravel, but I’m happy to take any suggestions.
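Putting the pieces above together, here is a complete pipe-server script as an added example (not the post’s own code). It assumes the pipe is named csamc in the Management Console, that Win32::Pipe exports the constants shown and accepts its flags OR’d together as one argument (the post passes them separately), and that Read() returns one CSAMC record per call and undef once the client disconnects. Non-printable bytes in a record are escaped rather than dropped, so nothing inside an alert can split or forge a log line on the receiving end.

```perl
#!/usr/bin/perl
# Added example, not the original post's script: a named-pipe server that
# receives CSAMC alert records and prints them one per line on STDOUT,
# ready to be forwarded (e.g. piped into ssh) to a remote log host.
use strict;
use warnings;
use Win32::Pipe;

# Assumed pipe name; it must match what was configured in the Management Console.
my $PIPE_NAME = "csamc";

# Server end of \\.\pipe\csamc. CSAMC writes whole records, so the pipe must be
# message-type and read in message mode (assumption: flags are OR'd together).
my $pipe = new Win32::Pipe($PIPE_NAME, DEFAULT_WAIT_TIME,
                           PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE)
    || die "Can't create named pipe $PIPE_NAME\n";

# The 512-byte default buffer truncates the longer CSA records.
$pipe->ResizeBuffer(4096);

# Render one record as a single printable ASCII line. Anything outside
# 0x20-0x7e (the "hearts and smiley faces", CR/LF, other control bytes)
# becomes a \xNN escape so the record cannot inject extra log lines.
sub sanitize {
    my ($raw) = @_;
    (my $clean = $raw) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $clean;
}

$| = 1;   # unbuffered STDOUT: each record leaves as soon as it arrives

while (1) {
    # Block until the Management Console opens the client end.
    next unless $pipe->Connect();

    # Assumption: Read() returns one message per call, undef on disconnect.
    while (defined(my $record = $pipe->Read())) {
        next unless length $record;
        print sanitize($record), "\n";
    }

    # Drop this client so the console can reconnect after its side closes.
    $pipe->Disconnect();
}
```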
