2014/02/14

Parse Cisco ASA logs with python to create security policy

When you are implementing a new firewall in a network segment where there was no firewall before, you often wonder which access rules to implement. You can interview the administrators of the other systems, but usually you will not get detailed feedback about which ports and IP addresses should be permitted.

Therefore one method of implementing a firewall between segments is to permit all traffic at the beginning and log every connection that was permitted. This learning period should run for some time to establish the baseline traffic. After sufficient time, the logs should be analyzed to find out which ports and IP addresses to permit.

The downside of this method is that you will not catch ports and IP addresses that were not used during the learning period. Before implementing a blocking policy you should always check with the administrators of the other systems whether anything else is needed.

If you are using a Cisco ASA as your firewall, you can enable logging on the access list with the log keyword.

access-list FW permit ip any any log

This way the Cisco ASA generates message %ASA-6-106100 when a new connection matches the access-list entry. You can export these logs to a syslog server and store them in a text file. To export only these messages to the log server you can use the following configuration.

logging enable
logging timestamp
logging list acl_permit_list message 106100
logging trap acl_permit_list
logging host inside 192.168.1.100

After the logs are collected you can use a tool to parse the information you need. You will find a simple Python script below that extracts the protocol, source interface, source IP address, destination interface, destination IP address and destination port from the logs. You need to put the log file location in the first line of the script.


file_location = 'PUT YOUR LOG FILE LOCATION HERE'

ports = []

# Field positions assume the syslog line layout of the author's log server:
# token 9 is the protocol, token 10 is "src_if/src_ip(src_port)", token 11 is
# "->" and token 12 is "dst_if/dst_ip(dst_port)". Adjust them if your syslog
# server prepends a different prefix before the %ASA-6-106100 text.
with open(file_location, 'r') as f:
    for line in f:
        if '106100' not in line:
            continue  # skip blank lines and other message IDs
        fields = line.split(" ")
        src = fields[10].split("/")
        dst = fields[12].split("/")
        temp = [
            fields[9],                   # protocol
            src[0],                      # source interface
            src[1].split("(")[0],        # source IP address
            dst[0],                      # destination interface
            dst[1].split("(")[0],        # destination IP address
            dst[1].split("(")[1][:-1],   # destination port, trailing ")" stripped
        ]
        ports.append("_".join(temp))

# The same tuple is logged once per new connection, so deduplicate it.
ports_final = list(set(ports))

print(len(ports_final))

for i in ports_final:
    print(i.split("_"))
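As an added example (not the post's own script), the following version matches the body of the %ASA-6-106100 message with a regular expression instead of fixed token positions, so it works whatever prefix the syslog server puts in front of the message. The sample log lines and the hostname fw01 are constructed; the ACL name FW is the one used in the post. Beyond deduplicating the six fields the original script extracts, it also groups source addresses per destination service and renders candidate host-to-host access-list entries, the step the post describes only in words.

```python
import re
from collections import defaultdict

# Message body of %ASA-6-106100 (field order as documented by Cisco):
# access-list <acl> {permitted|denied|est-allowed} <proto>
#   <src_if>/<src_ip>(<src_port>) -> <dst_if>/<dst_ip>(<dst_port>) hit-cnt <n> ...
# We search for this inside the line, so the syslog prefix does not matter.
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample lines (not captured traffic); the prefix mimics what a
# syslog server typically prepends. The last line is a different message ID
# and must be ignored by the parser.
SAMPLE_LOG = """\
Feb 14 10:01:02 fw01 %ASA-6-106100: access-list FW permitted tcp inside/192.168.1.10(51234) -> outside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 14 10:01:03 fw01 %ASA-6-106100: access-list FW permitted tcp inside/192.168.1.11(51235) -> outside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 14 10:01:04 fw01 %ASA-6-106100: access-list FW permitted udp inside/192.168.1.10(40000) -> outside/10.0.0.53(53) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Feb 14 10:06:02 fw01 %ASA-6-106100: access-list FW permitted tcp inside/192.168.1.10(51300) -> outside/10.0.0.5(443) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
Feb 14 10:06:05 fw01 %ASA-6-106100: access-list FW denied tcp outside/203.0.113.9(4444) -> inside/192.168.1.10(22) hit-cnt 1 first hit [0x9c8d7e6f, 0x0]
Feb 14 10:06:06 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:10.0.0.5/443 (10.0.0.5/443) to inside:192.168.1.10/51300 (192.168.1.10/51300)
"""


def parse_line(line):
    """Return the named fields of a 106100 message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    return m.groupdict() if m else None


def collect_flows(lines, action="permitted"):
    """Deduplicate (proto, src_if, src_ip, dst_if, dst_ip, dst_port) for one action.

    The source port is dropped on purpose: it is ephemeral and would make every
    connection look like a new flow.
    """
    flows = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != action:
            continue
        flows.add((rec["proto"], rec["src_if"], rec["src_ip"],
                   rec["dst_if"], rec["dst_ip"], rec["dst_port"]))
    return flows


def group_by_service(flows):
    """Map each (proto, dst_ip, dst_port) service to the sorted list of source IPs using it."""
    services = defaultdict(set)
    for proto, _src_if, src_ip, _dst_if, dst_ip, dst_port in flows:
        services[(proto, dst_ip, dst_port)].add(src_ip)
    return {svc: sorted(srcs) for svc, srcs in services.items()}


def acl_entries(flows, acl_name="FW"):
    """Render one host-to-host permit entry per observed tcp/udp flow, in sorted order."""
    entries = []
    for proto, _src_if, src_ip, _dst_if, dst_ip, dst_port in sorted(flows):
        if proto not in ("tcp", "udp"):
            continue  # icmp/other protocols need a different ACE form
        entries.append(
            f"access-list {acl_name} extended permit {proto} host {src_ip} host {dst_ip} eq {dst_port}"
        )
    return entries


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flows = collect_flows(lines)
    print(len(flows), "distinct permitted flows")
    for svc, srcs in sorted(group_by_service(flows).items()):
        print(svc, "<-", ", ".join(srcs))
    for ace in acl_entries(flows):
        print(ace)
```

To run it against a real capture, replace SAMPLE_LOG.splitlines() with the lines of the log file. The per-service grouping is the view to take to the other systems' administrators: one line per destination service with the sources that used it during the learning period is much easier to confirm than a flat list of tuples.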

6 comments:

  1. Very interesting blog. A lot of blogs I see these days don't really provide anything that I'm interested in, but I'm most definitely interested in this one. Just thought that I would post and let you know. free vpns

  2. I am all that much satisfied with the substance you have specified. I needed to thank you for this extraordinary article.  vpn France

  3. I think this is a better than average article. You make this data intriguing and locks in. You give perusers a considerable measure to consider and I welcome that sort of composing. more info

  4. It is the best portal to pay bills online within minutes without any complications. It avails maximum possible flexibility to users to complete their tasks in real quick time. Apart from bill payments it also avails most popular and reputed brands products to customers in affordable prices. PayTM came into existence in 2010. vpnveteran.com

  5. That gives off an impression of being fabulous anyway i am still not very beyond any doubt that I like it. At any rate will look much more into it and choose by and by!  internetprivatsphare.at

  6. Many homework on the continual hunt along with offstage on the road to winning. Definitely not attached, simple to-fall as a result of wayside; And not investigation, afterward into a path travel toward the black. lemigliorivpn
