Scenario: You've got a Cisco ASA protecting some servers. The ruleset isn't as tight as you'd like. You know some of the ports, source and destination machines that are in use, but cannot tell exactly what communications are going on.
The Cisco is syslogging, but it produces verbose text like this:
2009-11-25 18:14:08 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/172.16.19.83(50088) -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83(50088) hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:11 Local4.Warning 192.168.10.1 %ASA-4-
It's difficult to pick out what's going on and get the information you need. You could manually pick through it, or you could tightly configure the ASA to log only the rules and information you're interested in. That is tricky and time consuming, and it might not be possible at all if the firewall logging settings cannot be changed.
The solution, therefore, is a little script to scan the logfiles, pick out the interesting detail, aggregate it and present it in a useful format.
I knocked up a little script to do this in Perl; it would be doable in PowerShell or VBScript, but I just like the really nice text manipulation features of Perl. I saw it as further proof that any techie worth their salt must be able to knock together scripts to do little jobs like this.
All the script is doing is looking for lines like this:
106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83
From there, it's pretty straightforward to grab the source server, destination server, protocol and ports used, then tally how often each combination appears.
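The author's Perl script is not reproduced on the page, so here is an added Python example (not the author's tool) of the same approach: match the ASA-4-106100 access-list lines, pull out action, protocol, source, destination and destination port, aggregate the hits, and write the result out as CSV the way the post's filename.txt.csv output does. The regular expression, the field names and the two extra sample lines marked as constructed are assumptions; the other sample lines are the ones quoted above. Source ports are deliberately dropped from the key because they are ephemeral and would stop the aggregation from collapsing repeated flows, and the ASA's own hit-cnt value is summed where present so that lines the firewall has already rate-aggregated are not undercounted.

```python
import csv
import io
import re
import sys
from collections import Counter

# Matches the body of a %ASA-4-106100 access-list message. The interface names,
# hosts and ports are captured separately; "hit-cnt N" is optional so a line that
# lacks it still counts as a single hit. (Regex is an assumption, not the author's.)
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>[^/\s]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\)"
    r"(?: hit-cnt (?P<hits>\d+))?"
)

FIELDS = ["acl", "action", "proto", "src", "dst", "dport", "hits"]


def parse_line(line):
    """Return the captured fields for a 106100 line, or None if the line does not match."""
    m = ACL_RE.search(line)
    return m.groupdict() if m else None


def summarise(text):
    """Aggregate hits per (acl, action, proto, src, dst, dport).

    Returns (Counter, skipped) where skipped is the number of non-empty lines that
    did not match, e.g. truncated entries or other message IDs.
    """
    counts = Counter()
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f is None:
            skipped += 1
            continue
        key = (f["acl"], f["action"], f["proto"], f["src"], f["dst"], int(f["dport"]))
        counts[key] += int(f["hits"]) if f["hits"] else 1
    return counts, skipped


def to_csv(counts):
    """Render the aggregate as CSV, busiest flows first, then by key for stable output."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(FIELDS)
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        w.writerow(list(key) + [n])
    return buf.getvalue()


def write_report(path_in):
    """Read a syslog text file and write <path_in>.csv beside it, as the post's tool does."""
    with open(path_in, encoding="utf-8", errors="replace") as fh:
        counts, skipped = summarise(fh.read())
    with open(path_in + ".csv", "w", newline="", encoding="utf-8") as out:
        out.write(to_csv(counts))
    return len(counts), skipped


# Sample input: the four lines quoted in the post, one constructed repeat of the DNS
# flow from a different source port (to show aggregation), and the truncated line
# from the post (to show that unparseable entries are skipped, not miscounted).
SAMPLE_LOG = """
2009-11-25 18:14:08 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/172.16.19.83(50088) -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83(50088) hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:10 Local4.Warning 192.168.10.1 %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56943) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804d]
2009-11-25 18:14:11 Local4.Warning 192.168.10.1 %ASA-4-
"""


if __name__ == "__main__":
    if len(sys.argv) == 2:
        flows, skipped = write_report(sys.argv[1])
        print(f"{flows} distinct flows written to {sys.argv[1]}.csv ({skipped} lines skipped)")
    else:
        counts, skipped = summarise(SAMPLE_LOG)
        print(to_csv(counts), end="")
        print(f"# {skipped} line(s) skipped")
```

Run it with a syslog export as the single argument to get the CSV beside it, or with no argument to process the embedded sample. The report lists the permitted flows by access-list, which is what you want in hand before tightening rules: each row is a source, destination, protocol and port that at least one live session actually used.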
The output of the processing is shown here:
A nicely presented list showing source and destination, port, protocol and how many times it’s appeared in the syslog
To run the tool, from the command line enter:
And a file filename.txt.csv will be output.
Get the application here