2014/02/14

Parse Cisco ASA logs with python to create security policy

When you are implementing new firewall in the network segment where there was no firewall before, you often wondering what access rules to implement. You can interview administrators of the other systems but usually you will not get detailed feedback about which ports and IP addresses should be permitted.

Therefore one of the method to implement firewall between segment is to permit all traffic at the beginning and log all traffic that was permitted. This learning period should be implemented for some time to get baseline traffic. After sufficient time, logs should be analyzed to found out which ports and IP addresses to permit. 

The downside of this method is that you will not catch ports and IP addresses that were not used during learning period. Before implementing blocking policy you should always check with administrators of the other systems if anything else is needed. 

If you are using Cisco ASA as your firewall you can enable logging on the access-list with the log command.

access-list FW permit ip any any log

In this way Cisco ASA will generate log %ASA-6-106100 when new connection is matched on the access-list entry. You can export this logs to syslog server and store these logs to text file. To export only these messages to log server you can use the following configuration.

logging enable
logging timestamp
logging list acl_permit_list message 106100
logging trap acl_permit_list
logging host inside 192.168.1.100

After logs are collected you can use some tool to parse information that you need. You will find simple python script bellow to extract protocol, source interface, source IP address, destination interface, destination IP address and destination port from the logs. You need to put file location in the first line of the script. 


file_location = 'PUT YOUR LOG FILE LOCATION HERE'
f = open(file_location,'r')

ports = []

for line in f:
    temp = []
    temp.append(line.split(" ")[9])
    temp.append(line.split(" ")[10].split("/")[0])
    temp.append(line.split(" ")[10].split("/")[1].split("(")[0])
    temp.append(line.split(" ")[12].split("/")[0])
    temp.append(line.split(" ")[12].split("/")[1].split("(")[0])
    temp.append(line.split(" ")[12].split("/")[1].split("(")[1][:-1])
    ports.append("_".join(temp))

ports_final = list(set(ports))

print len(ports_final)

for i in ports_final:
    print i.split("_")


f.close()