Colin’s IT, Security and Working Life blog

November 29, 2009

Cisco Syslog Firewall Rules Parser

Filed under: Programs and Scripts — chaplic @ 7:05 pm

Scenario: You’ve got a Cisco ASA protecting some servers. The ruleset isn’t as tight as you’d like. You know some of the ports, source and destination machines that are in use, but cannot tell exactly what communications are going on.

The Cisco is syslogging, but it produces verbose text like this:

2009-11-25 18:14:08    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/172.16.19.83(50088) -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83(50088) hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:11    Local4.Warning    192.168.10.1    %ASA-4-

It’s difficult to pick out what’s going on and get the information you need. You could manually pick through it, or you could tightly configure the ASA to log only the rules and information you’re interested in. That’s tricky, time consuming, and might not be possible if the firewall logging settings cannot be changed.

The solution, therefore, is a little script to scan the logfiles, pick out the interesting detail, aggregate it and present it in a useful format.

I knocked up a little script to do this in Perl; it would be doable in PowerShell or VBScript, but I just like the really nice text manipulation features of Perl. I saw it as further proof that any techie worth their salt must be able to knock together scripts to do little jobs like this.

All the script is doing is looking for lines like this:

106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83

From there, it’s pretty straightforward to grab the source server, destination server, protocol and ports used then do some maths on it.

The output of the processing is shown here:


[image: script output]

A nicely presented list showing source and destination, port, protocol and how many times it’s appeared in the syslog.

To run the tool, from the command line enter:

syslogparser filename.txt

And a file filename.txt.csv will be output.
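As an added illustration of the approach (this is not the author’s Perl script, which is only available via the download link), here is the same idea in Python: pull the source, destination, protocol and destination port out of each 106100 line, count hits per flow, and write filename.txt.csv beside the input. The regex layout and the sample lines are assumptions modelled on the syslog excerpt above.

```python
import csv
import re
import sys
from collections import Counter

# %ASA-4-106100 access-list message; timestamp/host prefix and hit-cnt suffix are ignored.
ACL_RE = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^\s(]+)\((?P<dport>\d+)\)"
)

def parse_line(line):
    """Return (src, dst, proto, dport, action) for a 106100 line, None for anything else."""
    m = ACL_RE.search(line)
    if not m:
        return None
    return (m["src"], m["dst"], m["proto"], int(m["dport"]), m["action"])

def aggregate(lines):
    """Count hits per flow; the ephemeral source port is dropped so repeats collapse."""
    counts = Counter()
    for line in lines:
        flow = parse_line(line)
        if flow is not None:
            counts[flow] += 1
    return counts

def write_csv(counts, path):
    """Write one row per flow, busiest first; returns the number of rows written."""
    with open(path, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["source", "destination", "protocol", "dest_port", "action", "hits"])
        for flow, hits in sorted(counts.items(), key=lambda kv: -kv[1]):
            w.writerow([*flow, hits])
    return len(counts)

# Constructed sample (modelled on the lines quoted above): last flow repeated, one non-106100 line.
SAMPLE = """\
2009-11-25 18:14:08 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/172.16.19.83(50088) -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83(50088) hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:10 Local4.Warning 192.168.10.1 %ASA-6-302015: Built outbound UDP connection 1234 for Outside:Server5S002/56943 (Server5S002/56943) to InterfaceA:Server6S011/53 (Server6S011/53)
2009-11-25 18:14:12 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56943) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
"""

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:           # usage: syslogparser.py filename.txt
        flows = aggregate(fh)
    write_csv(flows, sys.argv[1] + ".csv")  # writes filename.txt.csv
```

Because the source port is dropped from the key, the two DNS lookups from Server5S002 to Server6S011 collapse into one row with a hit count of 2, which is the aggregation the post describes.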

Get the application here


November 19, 2009

Exchange 2010 install – first thoughts

Filed under: Uncategorized — chaplic @ 4:49 pm


Just upgraded my company’s mail server to Exchange 2010. It’s not a large affair: about 10 mailboxes, 7GB store. The user estate is more forgiving than most, and half of them were on holiday, so I had a bit of leeway.

It was previously running Exchange 2007 on a Hyper-V VM on a Dell quad-core server with 10GB of RAM and a handful of other VMs running.

First task was to set up a 2008R2 VM and install Ex2010, both of which completed without incident. Nice to not need to install a gazillion prerequisites, as it is with Exchange 07 and 2008 vanilla.

At this point I noticed performance issues. My Exchange 07 box had 4GB of RAM assigned to it, the Ex10 box 2GB (all I had left). Interactively the performance was dire, as was web access.

Changing both boxes to 3GB helped slightly – well, it made performance on both boxes poor. Moral of the story: Exchange 200x, even for the most basic applications, needs 4GB of RAM to be acceptable.

Once most things were settled, I decided to go hell-for-leather and retire my Ex07 box. This was possibly the trickiest element of all!

Move mailboxes completed without incident, the 3GB mailbox taking just over two hours.

The Exchange uninstall would crash upon starting; it seems stopping all the services is necessary.

To uninstall the server I needed to remove the public folder store. Try as I might, I couldn’t – after deleting all the PFs I could, taking replicas off, and various PowerShell scripts, still no joy.

So, the hacker’s tool of last resort? ADSIEdit

[image: ADSIEdit path]

I opened the path shown and deleted the reference to the Public Folder. Success! I shut down Ex07 and gave Ex10 the memory it needed. Much better performance!

After some sanity checking and building of internet connectors, I changed the NAT and firewall rules to swing new email to the Ex10 server.

EEeeek!

All email was bounced with an error message of

“Client host x.y.z.a UnknownDNSName”

I think this was caused by the fact I used OpenDNS.

Turning off the “Enable Forefront DNSBL checking” cured this, and (so far) there’s been no noticeable increase in spam.

[image: Forefront DNSBL checking setting]

ActiveSync and Outlook Anywhere took a bit of work to bring to life. The excellent https://www.testexchangeconnectivity.com/ helped me out with the Outlook Anywhere config errors. It didn’t help with ActiveSync, but sometimes, just sometimes, the event log tells you exactly what’s wrong:

[image: event log entry]

After adding the permissions, my iPhone buzzed into life automatically.

Overall, clearly NOT a migration approach suitable for a large-scale Exchange implementation with high-availability requirements, but it was fairly smooth, and to my mind more reminiscent of an Exchange 2000 to 2003 upgrade than the “step changes” we saw from 03 to 07 or 5.5 to 2000.
