This article explains Farsight Security® Inc.’s Advanced Exchange Access (AXA) accounting subsystem. This is the mechanism by which AXA tracks, logs, and communicates server-side packet information. This information is intended for users of SIE Remote Access (SRA).
To get the most from this article, it is recommended that you be comfortable with the material in the following Farsight Security Blog articles:
Accounting is AXA’s way of keeping track of traffic totals. Server-side, AXA maintains a series of per-client packet counters (a full list is below). The AXA protocol message AXA_P_OP_ACCT, sent from client to server, is used to query this data. The command is available from sratool and radtool as acct. It is also available from sratunnel and radtunnel via the -A command line option. Accounting messages are also logged server-side.
The AXA accounting counters are described below.
Let’s have a look at a common sratool-based example. sratool is used to connect to an SRA server and a “fire hose” watch is set for our popular DNS Changes channel.
    $ sratool
    sra> connect tls:mschiffm@sra-server,1021
    * HELLO srad version 1.2.1 sra-server AXA protocol 1
    sra> ch 214 on ; 1 wa ch=214
    [watch hits omitted]
This is left to run for approximately three minutes of wall clock time. Next, the output is paused and the accounting command is run.
    sra> pause
    * OK PAUSE output paused
    sra> acct
    * OK ACCOUNTING total-filtered=66360 total-missed=0 total-collected=0 total-sent=64912 total-ratelimited=0 total-congested=0
Let’s have a look at another example, this time using sratunnel. Using the timeout utility, sratunnel is invoked to run for three minutes. It connects to the same SRA server and sets a fire hose watch for the DNS Errors channel. Finally, the -A 180 -d option string instructs sratunnel to emit accounting statistics every 180 seconds and the results are written to a file.
    $ timeout 180 sratunnel -s tls:mschiffm@sra-server,1021 -w "ch=220" -c 220 -A 180 -d -o nmsg:file:test-220.nmsg
    connecting to tls:mschiffm@sra-server,1021
    ACCOUNTING total-filtered=4183437 total-missed=44 total-collected=0 total-sent=84371 total-ratelimited=0 total-congested=4096266
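The following is an added example, not code from the original article or from Farsight's tools: a small Python parser for the ACCOUNTING lines shown in the two sessions above, reporting the sent-to-filtered ratio and any non-zero loss-related counters. Treating non-zero total-missed, total-ratelimited and total-congested as signs of undelivered packets is an assumption based on the counter names, and the function names are hypothetical.

```python
import re

# Counter names exactly as they appear in the ACCOUNTING lines above.
COUNTERS = ("total-filtered", "total-missed", "total-collected",
            "total-sent", "total-ratelimited", "total-congested")
# Assumption (from the names only): non-zero here means packets were not delivered.
LOSS_COUNTERS = ("total-missed", "total-ratelimited", "total-congested")
PAIR = re.compile(r"\b(total-[a-z]+)=(\d+)\b")

def parse_accounting(line):
    """Return {counter: int} for an ACCOUNTING line, or None for any other line."""
    if "ACCOUNTING" not in line:
        return None
    tail = line.partition("ACCOUNTING")[2]
    found = {name: int(value) for name, value in PAIR.findall(tail)}
    missing = [c for c in COUNTERS if c not in found]
    if missing:
        # A cut-off log line should be reported, not silently read as zeros.
        raise ValueError(f"truncated ACCOUNTING line, missing {missing}")
    return found

def summarize(counters):
    """Ratio of sent to filtered packets, plus every non-zero loss counter."""
    filtered, sent = counters["total-filtered"], counters["total-sent"]
    return {
        "sent_ratio": round(sent / filtered, 4) if filtered else None,
        "loss": {c: counters[c] for c in LOSS_COUNTERS if counters[c]},
    }

def report(lines):
    """Summaries for the ACCOUNTING lines in a captured session or log."""
    parsed = (parse_accounting(line) for line in lines)
    return [summarize(c) for c in parsed if c is not None]

# Sample input: the output lines from the two sessions in this article.
SAMPLES = [
    "* HELLO srad version 1.2.1 sra-server AXA protocol 1",
    "* OK ACCOUNTING total-filtered=66360 total-missed=0 total-collected=0 "
    "total-sent=64912 total-ratelimited=0 total-congested=0",
    "ACCOUNTING total-filtered=4183437 total-missed=44 total-collected=0 "
    "total-sent=84371 total-ratelimited=0 total-congested=4096266",
]

if __name__ == "__main__":
    for summary in report(SAMPLES):
        print(summary)
```

Run over the two sessions, the sratool watch shows no loss counters set, while the sratunnel run shows non-zero total-missed and total-congested alongside a much lower sent ratio.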
Now that you know how to use AXA Accounting, you can use this information along with other data to learn more about your Farsight SRA data flows and in some cases, find and troubleshoot issues. If you’re interested in learning more about Farsight Products and Services, please reach out.
This document was originally published on Farsight’s blog as Farsight’s Advanced Exchange Access Internals: Understanding Accounting by Mike Schiffman https://www.farsightsecurity.com/txt-record/2015/09/24/mschiffm-axa-accounting/