Advanced XML Rules by uzd19483

VIEWS: 12 PAGES: 14

									                                                                          A P P E N D I X                         A
                     Advanced XML Rules

                     This appendix contains the following topics:
                      •   Advanced XML Rules Syntax, page A-1
                          Using Traffic and Web URL Rules within Advanced Rules, page A-6
                          Advanced Rule Examples, page A-7
                          Cisco NAC Profiler Document Type Definition (DTD), page A-9


              Note                                        for additional information.

                     The Cisco NAC Profiler Advanced Rule option offers the ability to define custom rules using Extensible
                     Markup Language (XML) to combine the Profiler rule types using the Boolean logic operators OR, AND
                     and NOT. You can combine multiple rules of a single type, and different types of rules, into a single
                     Advanced Rule to evaluate any endpoint data collected by Cisco NAC Profiler via the NetMap, NetWatch
                     and NetRelay (for Traffic Rules) modules.
                     This appendix expands the information provided in Advanced Rules, page 9-17 to assist advanced
                     Profiler administrators with the design and configuration of Advanced Rules, an advanced feature of the
                     product. When designed properly, Advanced Rules significantly increase the flexibility of Cisco NAC
                     Profiler. However, invalid XML configuration in Advanced Rules can also prevent the Server module of
                     the Profiler Server from starting, and poorly constructed rule logic can negatively impact overall system
                     performance. In the current version, the Advanced Rule editor checks Advanced Rules for valid XML
                     prior to saving the rule to the configuration, which provides some level of error checking.
                     Like any advanced technique, Cisco recommends approaching Advanced Rules with the requisite level
                     of attention to the documentation and requirements specific to the Cisco NAC Profiler product. For
                     example, although the Profiler leverages techniques similar to those used in other applications, such as
                     Intrusion Prevention, Cisco NAC Profiler was not designed to be an IPS. It is important to consider this
                     when configuring Profiles using these advanced techniques and when designing a Cisco NAC Profiler
                     deployment. If questions regarding the design of an Advanced Rule or potential performance impacts
                     arise, it is best to contact Cisco NAC Profiler Technical Support for assistance and guidance.



Advanced XML Rules Syntax
                     Advanced Rules are configured using valid XML syntax conforming to the Profiler Document Type
                     Description (DTD) as described in Cisco NAC Profiler Document Type Definition (DTD), page A-9. The
                     general format of an Advanced Rule is as follows:
                     <Rule name="Advanced Rule">



                                                                    Cisco NAC Profiler Installation and Configuration Guide
OL-15633-01                                                                                                                   A-1
                                                                                                      Appendix A   Advanced XML Rules
  Advanced XML Rules Syntax




                         <RuleEntity entity="Profile Name" cf="certainty_value"/>
                         <logical_operator 1>
                              Rule 1
                              Rule n
                         </logical_operator 1>
                      </Rule>




                      operator: AND, OR or NOT. It is acceptable to “nest” multiple logic blocks within logical operators to
                      create complex rules that check multiple criteria. The NOT operator can be designed to exclude other
                      criteria.
                      In an Advanced Rule, the Profiler Modeling Engine (“Modeler”) does not use the Rule name syntax on
                      the first line itself. This is used only to name the rule so that it can be identified. When creating Advanced
                      Rules, Cisco highly recommends choosing a descriptive name to facilitate system description, although
                      you can name the rule anything that you like.
                      The RuleEntity on second line of an Advanced Rule is critical. This line directs the Modeler to associate
                      each Advanced Rule to the Profile to which it is bound.
                      The second line of each Advanced Rule must use the following syntax:
                      <RuleEntity entity="[Profile-Name]" cf="x"/>


                      Where:
                              [Profile-Name]      is replaced with the name of the Profile (case sensitive)
                              x   is replaced with the certainty value for this rule, a number between .01 and 1
                      In the following example, the named Advanced Rule is interpreted as bound to the Profile named
                      Advanced Printer. Any endpoint for which the logic of this Advanced Rule tests true will be placed in
                      the Advanced Printer profile with a certainty of 65%:
                      <RuleEntity entity="Advanced Printer" cf="0.65"/>

                      Immediately following the “entity=” line of the Advanced Rule, the syntax of the rule which defines the
                      rule logic is entered with proper XML format, as described in the sections which follow.


                      Cisco highly recommends inserting comments into Advanced Rules to properly document them so others
                      can understand the underlying logic of the rule without assistance from the original author of the rule.
                      You can add comment lines to an Advanced Rule using the following syntax:
                      <!-- comment text -->




Multiple Logic Blocks
                      One of the primary advantages of using Advanced Rules is the ability to use other available logical
                      operators within the rule logic, such as AND and NOT, and different rule types, such as MAC Vendor
                      and DHCP Vendor Class, in a single rule.
                      When multiple rules are added to Profiles via the GUI Profile editor of the Profiler Server, the individual
                      rules are added to the Modeler as distinct entities. During a remodel, the Modeler must evaluate each of
                      the rules specified in the enabled Profiles individually through the standard Profile creation process.
                      When multiple rules are added to a Profile using the GUI, the default logical operator is OR. Because
                      individual rules in a Profile are evaluated independently, it is possible for multiple rules to test true and




 A-2
 Appendix A    Advanced XML Rules
                                                                                                                Advanced XML Rules Syntax




                        therefore the certainty algorithm that represents the combined certainty resulting from the match of
                        multiple rules is used. The key concept to consider regarding using the GUI for defining multiple rules
                        in a Profile is that they are evaluated by the Modeler independently.
                        In contrast, an Advanced Rule can have multiple logic blocks using the logical operators, and those logic
                        blocks can be nested within additional operators providing maximum flexibility. However, in the case of
                        Advanced Rules, the logic embedded in the rule is evaluated sequentially according to the specified
                        logical operation. For example, if there are two or more logical blocks nested within an AND operator,
                        and if the first block tests false, the Modeler ceases to evaluate the remaining logical blocks in the rule
                        because the AND requires all blocks to test true. Similarly if two or more logical blocks are nested within
                        an OR, as soon as one logical block tests true, the condition of the Advanced Rule is met (that is, at least
                        one condition tests true), and the Modeler ceases to evaluate the remaining logic in the Advanced Rule.
                        Therefore, when testing against multiple criteria, you can define Advanced Rules (when properly
                        constructed) that are much more efficient than if you specified multiple rules using the GUI.


OR Operator and Order of Rules/Logic Blocks
                        When creating Advanced Rule logic, prefix notation is used. In prefix notation, you specify the logic
                        operator (e.g., AND, OR, NOT) to the outside of the items (rules) to which the logic will apply. For
                        example, consider the following logical block taken from the system-generated Advanced Rule for the
                        Generic Printer Profile:
                        <OR>
                          <TrafficRule ipaddr="0.0.0.0" sport="0" dport="515"/>
                          <TrafficRule ipaddr="0.0.0.0" sport="0" dport="9100"/>
                        </OR>

                        In the logic block example above, two traffic rules are defined inside an OR operator— that is, between
                        the <OR> and </OR>. When evaluating this rule, the Modeler evaluates the first rule and then the second
                        rule, only if necessary, in the order implied by the rule itself. Because the logical operator is OR, this
                        logic block will test true if either of the Traffic Rules is true. Therefore, if the first rule in the list tests
                        true, the Modeler does not continue to check the remaining rule. This block of logic will test true for the
                        Target of Evaluation (TOE) and the Modeler will continue to the next block, or next rule.
                        When multiple rules are specified within a logic block using the OR operator, it is good practice to order
                        the rules in the logic block so that any rules more likely to test true are defined in the logic block at the
                        very top of the list. Similarly, if logic blocks are nested within an OR, the logic blocks most likely to test
                        true should be placed first so that the Modeler finds the hit and exits the Advanced Rule as efficiently as
                        possible.
                        This highlights a key general concept in efficient design of Advanced Rules. Because the AND operator
                        requires all rules (or nested logic blocks) to test true, strategic use of AND can greatly improve the
                        efficiency of rules. The AND logical operator can be used within Advanced Rules to create logic blocks
                        that are “pre-qualifiers” for the rule to increase efficiency and performance of the Modeler.


Generic Printer Rule
                        The following is an example of how this principle can be used in practice. The Generic Printer rule is an
                        Advanced Rule that includes a series of traffic rules that match traffic from the print servers specified in
                        MyNetwork to endpoints on ports 9100 to 515, the standard printer ports. The primary logic block in this
                        system-generated Advanced Rule is created by using the OR operator on two traffic rules for each known
                        print server IP address (added to MyNetwork configuration) as shown in the following example:
                                    <OR>
                                     <TrafficRule ipaddr="1.1.2.50" sport="0" dport="515"/>



                                                                          Cisco NAC Profiler Installation and Configuration Guide
 OL-15633-01                                                                                                                          A-3
                                                                                                     Appendix A   Advanced XML Rules
  Advanced XML Rules Syntax




                                   <TrafficRule        ipaddr="1.1.2.50"   sport="0"   dport="9100"/>
                                   <TrafficRule        ipaddr="1.1.2.51"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.51"   sport="0"   dport="9100"/>
                                   <TrafficRule        ipaddr="1.1.2.52"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.52"   sport="0"   dport="9100"/>
                                   <TrafficRule        ipaddr="1.1.2.53"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.53"   sport="0"   dport="9100"/>
                                  </OR>

                       In this example, there are 4 print servers known to be at the following addresses and entered in the
                       MyNetwork configuration of Cisco NAC Profiler:
                       1.1.2.50
                       1.1.2.51
                       1.1.2.52
                       1.1.2.53

                       As outlined above, if this logic block is used by itself, the Modeler evaluates each of the traffic rules until
                       a match occurs. On the first match, the Modeler will exit with the result that the Advanced Rule tested
                       true for the Target of Evaluation (ToE).


AND Operator
                       You can increase the efficiency of the Advanced Rule using the AND operator with a specific logic block
                       (as described in Generic Printer Rule, page A-3) and a new, more general “pre-screening” logic block as
                       shown in the following example. This example illustrates how the system-generated Advanced Rule for
                       Generic Printer is constructed in practice in the current Profiler version:


Pre-Screen AND Logic Block
                       <AND>
                                  <OR>
                                   <TrafficRule        ipaddr="0.0.0.0" sport="0" dport="515"/>
                                   <TrafficRule        ipaddr="0.0.0.0" sport="0" dport="9100"/>
                                  </OR>
                                  <OR>
                                   <TrafficRule        ipaddr="1.1.2.50"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.50"   sport="0"   dport="9100"/>
                                   <TrafficRule        ipaddr="1.1.2.51"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.51"   sport="0"   dport="9100"/>
                                   <TrafficRule        ipaddr="1.1.2.52"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.52"   sport="0"   dport="9100"/>
                                   <TrafficRule        ipaddr="1.1.2.53"   sport="0"   dport="515"/>
                                   <TrafficRule        ipaddr="1.1.2.53"   sport="0"   dport="9100"/>
                                  </OR>
                                 </AND>

                       The AND operator and the new OR logic block is added to the original logic block that specifically
                       matches the traffic from the known print servers as described in Generic Printer Rule, page A-3.
                       The new logic block in conjunction with the AND operator ensures that the traffic comes from one of
                       the desired port numbers associated with printing before it is evaluated for whether it comes from the
                       specified list of print servers (i.e., the original OR logic block). When used in conjunction with the AND
                       operator, this technique provides a pre-screening function for the Advanced Rule. Both of the logic
                       blocks, the general AND specific, have to test true to satisfy the conditional. When the general logic
                       block tests false (e.g., the traffic is not on the port numbers known to be associated with printing), the
                       Modeler will exit out of the rule and move on—not wasting the cycles to verify if this is traffic from a



            Cisco NAC Profiler Installation and Configuration Guide
 A-4                                                                                                                      OL-15633-01
               specific IP address on the specified ports. This technique can substantially increase performance,
               particularly in situations where the specific logic block contains many entries, for example several
               hundred print servers. The design of the rule using the pre-screening block ensures the Modeler only
               evaluates traffic known to be associated with printing, potentially avoiding evaluating non-conforming
               traffic.


NOT Operator



               with host address (last octet) of .1 through .10 and the subnet broadcast (.255) addresses, the following
               logic block employing the NOT operator can be used:

                   <AddressRule ipaddr="10.180.0.0" mask="255.255.255.0"/>
                 <NOT>
                      <OR>
                          <AddressRule ipaddr="10.180.0.0" mask="255.255.255.248"/>
                          <AddressRule ipaddr="10.180.0.8" mask="255.255.255.255"/>
                          <AddressRule ipaddr="10.180.0.9" mask="255.255.255.255"/>
                          <AddressRule ipaddr="10.180.0.10" mask="255.255.255.255"/>
                          <AddressRule ipaddr="10.180.0.255" mask="255.255.255.255"/>
                     </OR>
                   </NOT>
                 </AND>




               that matches all host addresses on the 10.180.0 subnet and the negation of the logic block interpreted as
               any host address not .1 through .10 and .255.
               The following example shows how to use NOT in an Advanced Rule to exclude certain endpoints known
               to not connect wirelessly (based on host IP address using an Address Rule) when communicating with
               a known Novell server. In the example, endpoints connected via wireless are known to be assigned host
               addresses on the 10.200.0.0/21 subnet. Accordingly the NOT operator is used to exclude hosts with an
               address on this subnet from the hosts matching a traffic rule indicating communication with a specified
               Novell server on the designated port number (e.g., using a Traffic Rule):

                 <RuleEntity entity="Novell_Employee" cf="0.90"/>
                 <AND>
                   <NOT>
                       <AddressRule ipaddr="10.200.0.0" mask="255.255.248.0"/>
                   </NOT>
                   <TrafficRule ipaddr="192.168.1.101" dport="524" sport="0"/>
                 </AND>
               </Rule>




                                                                                                                 A-5
                                                                                                   Appendix A   Advanced XML Rules
  Using Traffic and Web URL Rules within Advanced Rules




Using REGEX Within Advanced Rules
                        Many of the rule types that are used within the logic blocks of Advanced Rules utilize a Regular
                        Expression (REGEX) for the matching data, like the standard rules defined through the GUI. Many of
                        the examples in this document illustrate the use of REGEX within their logic blocks.



Using Traffic and Web URL Rules within Advanced Rules
                        As described in Chapter 9, “Configuring Endpoint Profiles,” Traffic Rules and the Web URL Application
                        Rule type require Cisco NAC Profiler to perform collection of specific network traffic—traffic meeting
                        certain criteria specified in the Profile rules themselves. This requires both the NetWatch and NetRelay
                        (in the case of Traffic Rules only) modules to be configured to collect traffic that the Modeler will in
                        turn evaluate for rule matches in enabled Profiles utilizing these rule types.
                        When the GUI is used to create Traffic Rules and/or Web URL Application Rules within Profiles, it
                        automatically makes the necessary configuration changes to the NetWatch and NetRelay modules
                        throughout the system necessary for the Profiler to begin collecting this network traffic from the
                        Collector monitor ports, or via NetFlow on Collectors running NetRelay.
                        During the Apply Changes -> Update Modules that must follow the addition/enabling of Profiles using
                        Traffic or Web URL Application Rules, the new XML configuration files for all NetWatch and NetRelay
                        modules in the system are generated and upon module restart, the system begins collecting this data so
                        that the Modeler can begin examining it for rule matches.


              Note      In the case of URL rules, there is no configuration change to NetRelay, only to NetWatch. Traffic Rules
                        require configuration of both modules for specific collection.

                        However, the GUI does not parse the Advanced XML Rules in version 2.1.8 and earlier. Therefore, if
                        Traffic Rules or Web URL application rules are used in Advanced Rules, the configuration of the
                        NetWatch and NetRelay for collection of specific network traffic for evaluation against these rules is not
                        automated, and must be done manually. This can be accomplished simply by creating an additional rule
                        using the GUI. A standard Traffic or Web URL rule is added to the Profile containing the Advanced Rule
                        containing Traffic or Web URL rule(s). The standard rule which acts as a “collection rule” is added with
                        a low level of certainty (1% typically will suffice). Its intended purpose is to activate the specific
                        collection needed so the Profiler begins collecting traffic via NetWatch and or NetRelay to evaluate
                        against the Advanced Rule.
                        The construction of these “collection rules” for Traffic Rules in particular can have performance
                        implications as described earlier in this document: each time a standard rule is added using the GUI, it
                        must be evaluated by the Modeler. Therefore a technique that may be employed is to make these
                        collection rules open and not attempt to add a standard rule for the specific destination or source
                        addresses of interest—that is use the IP address of 0.0.0.0 for the source or destination IP in the
                        collection rule as applicable. This will result in the system collecting all traffic observed on the
                        designated source or destination port number. The Advanced Rule logic will be used to identify the
                        desired match. It is good practice to avoid configuring a list of collection rules with specific hosts
                        identified and forcing the Modeler to evaluate each of the collection rules and the Advanced Rule.
                        To illustrate this concept, consider the Advanced Rule discussed under NOT Operator, page A-5 that
                        includes a Traffic Rule that is designed to match endpoints communicating with a Novell Server IP on
                        port 524. In the same Profile (Profile name Novell_Employee in the example), a standard Traffic Rule is




             Cisco NAC Profiler Installation and Configuration Guide
 A-6                                                                                                                   OL-15633-01
 Appendix A    Advanced XML Rules
                                                                                                                Advanced Rule Examples




                        defined using the GUI to act as a collection rule for the Advanced Rule. That Traffic Rule has the
                        following parameters to ensure the set up of NetWatch and NetRelay modules in the system for traffic
                        collection:

                        Dest IP
                        Src Port 0
                        Dest Port 524
                        Certainty 1%
                        After adding the standard Traffic Rule used as a collection rule and the Advanced Rule to the
                        Novell_Employee Profile and enabling the Profile, an Apply Changes -> Update Modules needs to be
                        executed to generate the NetWatch and NetRelay configurations and begin collection of the traffic
                        needed to match the Advanced Rule. After the restart, as endpoints are observed matching the criteria:
                        communicating with the Novell Server on port 524 but not having a wireless host address, they are added
                        to the Novell_Employee Profile with a certainty of 90% (as specified in the Advanced Rule above).
                        If the step of adding the collection rule as well as the Advanced Rule to the Novell_Employee Profile is
                        not taken, NetWatch and NetRelay are not programmed to collect this traffic, and no matches will occur.



Advanced Rule Examples
                        The example Advanced Rules provided in this section are designed to provide the reader with additional
                        examples of Advanced Rule construction to further illustrate the concepts outlined in this section.


               Note     Although properly constructed, the rules in this section are not necessarily useful in all environments
                        as-is. They are provided primarily as examples of how the rule types and logic available in Advanced
                        Rules might be combined to Profile certain endpoints.



AND Operator with Multiple Logic Blocks
                        This first example illustrates the use of the AND operator with multiple logic blocks: one consisting of
                        a single MAC Vendor rule, and the other multiple Address Rules with the OR operator applied. The
                        devices that match this rule must have a MAC address with an OUI containing Cisco (case-insensitive)
                        and have an IP address on one of the 17 specified subnets of the 192.168.240.0 network.
                        <Rule name="CiscoRouterAdv">
                              <RuleEntity entity="Cisco Infrastructure" cf="0.6"/>
                            <AND>
                              <Vendor vendor="/^cisco/i"/>
                             <OR>
                              <AddressRule ipaddr="192.168.208.0" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.16" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.48" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.64" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.80" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.96" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.112" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.128" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.144" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.160" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.176" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.192" mask="255.255.255.240"/>
                              <AddressRule ipaddr="192.168.208.208" mask="255.255.255.240"/>



                                                                       Cisco NAC Profiler Installation and Configuration Guide
 OL-15633-01                                                                                                                       A-7
                                                                                              Appendix A   Advanced XML Rules
  Advanced Rule Examples




                               <AddressRule       ipaddr="192.168.208.224" mask="255.255.255.240"/>
                               <AddressRule       ipaddr="192.168.208.240" mask="255.255.255.240"/>
                               <AddressRule       ipaddr="192.168.209.0" mask="255.255.255.240"/>
                               <AddressRule       ipaddr="192.168.209.16" mask="255.255.255.240"/>
                              </OR>
                             </AND>
                            </Rule>




Access Point / DHCP Vendor Classes

                        •


                        •


                       <Rule name="Advanced Access Points">
                             <RuleEntity entity="ETS Access Points" cf="0.90"/>
                           <AND>
                             <TrafficRule ipaddr="10.4.1.5" sport="0" dport="5000"/>
                            <OR>
                             <DHCPVendor vendor="/WIRELESS-AP:AP1002/i"/>
                             <DHCPVendor vendor="/WIRELESS-AP:AP3000/i"/>
                             <DHCPVendor vendor="/WIRELESS-AP:AP4102/i"/>
                            </OR>
                           </AND>
                          </Rule>




Wireless Windows Endpoints




                       <Rule name="Win User Wireless">
                             <RuleEntity entity="Windows Users - Wireless" cf="0.85"/>
                           <AND>
                            <OR>
                             <AddressRule ipaddr="10.1.0.0" mask="255.255.255.0"/>
                             <AddressRule ipaddr="10.1.1.0" mask="255.255.255.0"/>
                             <AddressRule ipaddr="10.1.2.0" mask="255.255.255.0"/>
                             <AddressRule ipaddr="10.1.4.0" mask="255.255.252.0"/>
                             <AddressRule ipaddr="10.2.0.0" mask="255.255.255.0"/>
                             <AddressRule ipaddr="10.2.1.0" mask="255.255.255.0"/>
                             <AddressRule ipaddr="10.2.2.0" mask="255.255.255.0"/>
                             <AddressRule ipaddr="10.2.4.0" mask="255.255.252.0"/>
                            </OR>
                            <OR>
                             <WebClient banner="/Windows|Win32/i"/>
                             <DHCPVendor vendor="MSFT 5.0"/>
                             <DHCPVendor vendor="MSFT 98"/>
                             <DHCPVendor vendor="Microsoft Windows CE"/>




            Cisco NAC Profiler Installation and Configuration Guide
 A-8                                                                                                              OL-15633-01
Appendix A     Advanced XML Rules
                                                                                     Cisco NAC Profiler Document Type Definition (DTD)




                               </OR>
                              </AND>
                             </Rule>




Cisco NAC Profiler Document Type Definition (DTD)




           Warning      Improper XML syntax used in an Advanced Rule that is committed to the system configuration will
                        result in a Server module failure on the system upon restart of the system via Apply Changes -> Update
                        Modules.




                         •


                         •




                        Note




                        <Rule name="MacOSAdv">
                               <RuleEntity entity="Mac OS" cf="0.75"/>
                               <AND>
                                <Vendor vendor="/^Apple/i"/>



                                                                     Cisco NAC Profiler Installation and Configuration Guide
 OL-15633-01                                                                                                                      A-9
                                                                                          Appendix A   Advanced XML Rules
  Cisco NAC Profiler Document Type Definition (DTD)




                                  <DHCPReqOptions option-list="/^1,3,6,15,112,113,78,79,95/"/>
                                 </AND>
                              </Rule>


                        <Rule name="Win31Adv">
                               <RuleEntity entity="Windows 3.1" cf="0.50"/>
                               <AND>
                                <StackRule list="/^2$/" ttl="32" window="8192" df="2"/>
                                <DHCPReqOptions option-list="/^1,3,15,6,44,46,47,43/"/>
                               </AND>
                            </Rule>




Profiler DTD for Rules and Events


                        <!ELEMENT ModelConfiguration ( Entity+,
                                                       Rule+,
                                                       Event*,
                                                       CCARule* ) >

                        <!ELEMENT Entity EMPTY >
                        <!ATTLIST Entity name        CDATA #required
                                         description CDATA #implied
                                         user        ( t | f ) "f" >

                        <!ELEMENT Rule ( RuleEntity,
                                         AddressRule*,
                                         Vendor*,
                                         DHCPHost*,
                                         DHCPVendor*,
                                         DHCPReqOptions*,
                                         DHCPOptions*,
                                         WebServer*,
                                         WebClient*,
                                         SMTPServer*,
                                         DNS*,
                                         SNMP*,
                                         CTNBT*,
                                         FTPServer*,
                                         SSHServer*,
                                         WebURL*,
                                         StackRule*,
                                         TrafficRule*,
                                         PortRule*,
                                         AND*,
                                         OR*,
                                         NOT* ) >
                        <!ATTLIST Rule name CDATA #implied >

                        <!ELEMENT AND         ( AddressRule*,
                                                Vendor*,
                                                DHCPHost*,
                                                DHCPVendor*,
                                                DHCPReqOptions*,
                                                DHCPOptions*,
                                                WebServer*,
                                                WebClient*,



             Cisco NAC Profiler Installation and Configuration Guide
 A-10                                                                                                         OL-15633-01
Appendix A    Advanced XML Rules
                                                                               Cisco NAC Profiler Document Type Definition (DTD)




                                         SMTPServer*,
                                         DNS*,
                                         SNMP*,
                                         CTNBT*,
                                         FTPServer*,
                                         SSHServer*,
                                         WebURL*,
                                         StackRule*,
                                         TrafficRule*,
                                         PortRule* ) >

                       <!ELEMENT OR    ( AddressRule*,
                                         Vendor*,
                                         DHCPHost*,
                                         DHCPVendor*,
                                         DHCPReqOptions*,
                                         DHCPOptions*,
                                         WebServer*,
                                         WebClient*,
                                         SMTPServer*,
                                         DNS*,
                                         SNMP*,
                                         CTNBT*,
                                         FTPServer*,
                                         SSHServer*,
                                         WebURL*,
                                         StackRule*,
                                         TrafficRule*,
                                         PortRule* ) >

                       <!ELEMENT NOT   ( AddressRule*,
                                         Vendor*,
                                         DHCPHost*,
                                         DHCPVendor*,
                                         DHCPReqOptions*,
                                         DHCPOptions*,
                                         WebServer*,
                                         WebClient*,
                                         SMTPServer*,
                                         DNS*,
                                         SNMP*,
                                         CTNBT*,
                                         FTPServer*,
                                         SSHServer*,
                                         WebURL*,
                                         StackRule*,
                                         TrafficRule*,
                                         PortRule* ) >

                       <!ELEMENT RuleEntity EMPTY>
                       <!ATTLIST RuleEntity name CDATA #required
                                            cf   CDATA #required>

                       <!ELEMENT AddressRule EMPTY>
                       <!ATTLIST AddressRule ipaddr CDATA #required
                                             mask   CDATA #required >

                       <!ELEMENT Vendor EMPTY>
                       <!ATTLIST Vendor vendor CDATA #required >

                       <!ELEMENT DHCPHost EMPTY>
                       <!ATTLIST DHCPHost name CDATA #required >

                       <!ELEMENT DHCPVendor EMPTY>



                                                               Cisco NAC Profiler Installation and Configuration Guide
OL-15633-01                                                                                                                A-11
                                                                                    Appendix A   Advanced XML Rules
 Cisco NAC Profiler Document Type Definition (DTD)




                       <!ATTLIST DHCPVendor vendor CDATA #required >

                       <!ELEMENT DHCPReqOptions EMPTY>
                       <!ATTLIST DHCPReqOptions option-list CDATA #required >

                       <!ELEMENT DHCPOptions EMPTY>
                       <!ATTLIST DHCPOptions option-list CDATA #required >

                       <!ELEMENT WebServer EMPTY>
                       <!ATTLIST WebServer banner CDATA #required >

                       <!ELEMENT WebClient EMPTY>
                       <!ATTLIST WebClient banner CDATA #required >

                       <!ELEMENT SMTPServer EMPTY>
                       <!ATTLIST SMTPServer banner CDATA #required >

                       <!ELEMENT DNS EMPTY>
                       <!ATTLIST DNS name CDATA #required >

                       <!ELEMENT SNMP EMPTY>
                       <!ATTLIST SNMP description CDATA #required >

                       <!ELEMENT CTNBT EMPTY>
                       <!ATTLIST CTNBT nbt CDATA #required >

                       <!ELEMENT FTPServer EMPTY>
                       <!ATTLIST FTPServer banner CDATA #required >

                       <!ELEMENT SSHServer EMPTY>
                       <!ATTLIST SSHServer banner CDATA #required >

                       <!ELEMENT WebURL EMPTY>
                       <!ATTLIST WebURL url CDATA #required >

                       <!ELEMENT StackRule EMPTY>
                       <!ATTLIST StackRule ttl                 CDATA   #implied
                                           df                  CDATA   #implied
                                           scale               CDATA   #implied
                                           mss                 CDATA   #implied
                                           window              CDATA   #implied
                                           list                CDATA   #implied >

                       <!ELEMENT TrafficRule EMPTY>
                       <!ATTLIST TrafficRule ipaddr CDATA #required
                                             sport CDATA #required
                                             dport CDATA #required >

                       <!ELEMENT PortRule EMPTY>
                       <!ATTLIST PortRule port CDATA #required >

                       <!-- Events -->
                       <!ELEMENT Event EMPTY>
                       <!ATTLIST Event name   CDATA              #required
                                       valid CDATA               #required
                                       id     CDATA              #required
                                       level CDATA               #required
                                       fauth ( t |               f ) "f"
                                       snmp   ( t |              f ) "f"
                                       web    ( t |              f ) "f"
                                       syslog ( t |              f ) "f"
                                       asm    ( t |              f ) "f" >

                       <!-- CCA Rules -->



            Cisco NAC Profiler Installation and Configuration Guide
A-12                                                                                                    OL-15633-01
Appendix A    Advanced XML Rules
                                                                                   Cisco NAC Profiler Document Type Definition (DTD)




                       <!ELEMENT CCARule EMPTY>
                       <!ATTLIST CCARule name     CDATA   #required
                                         match    CDATA   #required
                                         cf       CDATA   #required
                                         type     CDATA   #required
                                         role     CDATA   #required >




                                                                   Cisco NAC Profiler Installation and Configuration Guide
OL-15633-01                                                                                                                    A-13
                                                                      Appendix A   Advanced XML Rules
 Cisco NAC Profiler Document Type Definition (DTD)




            Cisco NAC Profiler Installation and Configuration Guide
A-14                                                                                      OL-15633-01

								
To top