InfoSecter Analyzer
Generally, InfoSecter Analyzer is invoked via the Visualizer or Querent. However, Analyzer can also be invoked directly or from scripts. A summary of Analyzer's command line options is shown below.
Syntax
USAGE: Analyzer <cfg1> [-o <cfg2>] [-V <version string>] [-V2 <version string>] [-D <base directory>] [-R <family registration file>] [-R2 <family2 registration file>] [-x] [-t] (-c <expression file> [<expression name> [<dictionary name>]])* (-q <expression file> [<expression name> [<dictionary name>]])* (-C <expression cst file>)* (-Q <expression cst file>)* [-f <outfile>]
- <cfg1> - For all operations at least one configuration file must be specified.
- -o <cfg2> - Specify a second configuration file to perform a Cross Conflict operation.
- -V <version string> - If the configuration file does not contain a version string or if you do not want to rely on that version, use this option to specify the version of the first config, e.g. 6.3.1.
- -V2 <version string> - If the second configuration file does not contain a version string or if you do not want to rely on that version, use this option to specify the version of the second config, e.g. 6.3.1. If -V is specified and -V2 is not specified, the version specified with -V will be used for the second configuration file too.
- -D <base directory> - Specify the base directory. The files specified in the registration file will be expressed relative to the base directory.
- -R <family registration> - Specify the registration file for a particular family of devices. These registration files are generally installed as .plat files in the lib subdirectory of the install directory.
- -R2 <family registration> - If there is a second configuration file specified, it will use the family registration specified by the -R option. If the families of the two configuration files are different, use the -R2 option to specify the family of the second device, e.g. to compare PIX and IOS configurations.
- -x - Augment the operation to use the Cross Interface calculation.
- -t - Perform the Dissection operation.
- -f <outfile> - Specify the output file. Otherwise, the results will be printed to standard out.
- -c <expression file> [<expression name> [<dictionary name>]] - Compute the Constraint Policy Validation. Enumerate the packets that will not be processed in the configuration file in the same way they are expressed in the expression file. If the expression is not named, the first expression in the file is used. If the dictionary is not named, the Primary dictionary in the file will be used.
- -q <expression file> [<expression name> [<dictionary name>]] - Compute a Query Policy Validation, which is very similar to the constraint, but unlike the constraint the query returns a listing of the packet regions in the configuration that match the expression.
- -C <expression cst file> - As with the -c option, this causes a Constraint Policy Validation to be computed. The difference is in the form of the expression file. The -c option takes a query XML file. This option takes a simple text file that includes the expression. This form cannot use macros or dictionaries. The syntax is the filter language syntax described in Filter Expressions.
- -Q <expression cst file> - As with the -q option, this causes a Query Policy Validation to be computed. The difference is in the form of the expression file. The -q option takes a query XML file. This option takes a simple text file that includes the expression. This form cannot use macros or dictionaries. The syntax is the filter language syntax described in Filter Expressions.
Examples
To compute a Self Conflict operation on PIX configuration pix1.cfg, use the following command line.
analyzer pix1.cfg -D /infosecter -R /infosecter/lib/pix-reg.plat -f out.xml
To compute a Cross Conflict operation on PIX configurations pix1.cfg and pix2.cfg, use the following command line.
analyzer pix1.cfg -o pix2.cfg -D /infosecter -R /infosecter/lib/pix-reg.plat -f out.xml
To compute Dissection with Cross Interface calculations on PIX configuration pix1.cfg, use the following command line.
analyzer pix1.cfg -t -x -D /infosecter -R /infosecter/lib/pix-reg.plat -f out.xml
To compute a Cross Conflict operation on PIX configuration pix1.cfg and FWSM configuration fwsm1.cfg, use the following command line.
analyzer pix1.cfg -o fwsm1.cfg -D /infosecter -R /infosecter/lib/pix-reg.plat -R2 /infosecter/lib/fwsm-reg.plat -f out.xml
To compute a Constraint Policy Validation operation on a NetScreen configuration ns-comp.cfg and an expression named "test" stored in file constrain.query, use the following command line.
analyzer ns-comp.cfg -D /infosecter -R /infosecter/lib/ns-reg.plat -c constrain.query test -f out.xml
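For scripted use, the Cross Conflict examples above can be generated for every pair of configurations in an inventory, adding -R2 only when the two families differ. This is an added example, not part of the InfoSecter distribution; the function names, the "config family" inventory format, the output file naming and the <family>-reg.plat naming rule are assumptions.

```shell
#!/bin/sh
# Added example: build Analyzer Cross Conflict command lines for scripted runs.
# Assumed: install directory /infosecter (as in the examples above) and
# registration files named <family>-reg.plat in its lib subdirectory.
BASE=/infosecter

# reg_file FAMILY -> path of the family registration file (naming is assumed)
reg_file() {
    printf '%s/lib/%s-reg.plat\n' "$BASE" "$1"
}

# cross_conflict_cmd CFG1 FAMILY1 CFG2 FAMILY2 OUTFILE
# Prints one command line. -R2 is emitted only when the families differ,
# because the second configuration otherwise uses the -R registration.
cross_conflict_cmd() {
    cfg1=$1; fam1=$2; cfg2=$3; fam2=$4; out=$5
    cmd="analyzer $cfg1 -o $cfg2 -D $BASE -R $(reg_file "$fam1")"
    if [ "$fam1" != "$fam2" ]; then
        cmd="$cmd -R2 $(reg_file "$fam2")"
    fi
    printf '%s -f %s\n' "$cmd" "$out"
}

# all_pairs: read "config family" lines on stdin and print one Cross Conflict
# command per unordered pair, so each pair is compared exactly once.
all_pairs() {
    inv=$(cat)
    i=0
    printf '%s\n' "$inv" | while read -r c1 f1; do
        i=$((i + 1)); j=0
        printf '%s\n' "$inv" | while read -r c2 f2; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue
            cross_conflict_cmd "$c1" "$f1" "$c2" "$f2" \
                "${c1%.cfg}_vs_${c2%.cfg}.xml"
        done
    done
}

# Constructed inventory; file names are taken from the examples above.
printf 'pix1.cfg pix\npix2.cfg pix\nfwsm1.cfg fwsm\n' | all_pairs
```

The script only prints the command lines; pipe its output to sh to run them once the paths have been checked.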