Colin’s IT, Security and Working Life blog

November 29, 2009

Cisco Syslog Firewall Rules Parser

Filed under: Programs and Scripts — chaplic @ 7:05 pm

Scenario: You’ve got a Cisco ASA protecting some servers. The ruleset isn’t as tight as you’d like. You know some of the ports, source and destination machines that are in use, but cannot tell exactly what communications are going on.

The Cisco is syslogging, but it produces verbose text like this:

009-11-25 18:14:08    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/172.16.19.83(50088) -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83(50088) hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:11    Local4.Warning    192.168.10.1    %ASA-4-

It is difficult to pick out what’s going on and get the information you need. You could manually pick through it, or you could tightly configure the ASA to only log the rules and information you’re interested in. That is tricky and time consuming, and it might not be possible at all if the firewall logging settings cannot be changed.

The solution, therefore, is a little script to scan the logfiles, pick out the interesting detail, aggregate it and present it in a useful format.

I knocked up a little script to do this in Perl; it would be do-able in PowerShell or VBScript, but I just like the really nice text manipulation features of Perl. I saw it as further proof that any techie worth their salt must be able to knock together scripts to do little jobs like this.

All the script is doing is looking for lines like this:

106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83

From there, it’s pretty straightforward to grab the source server, destination server, protocol and ports used, then do some maths on it.
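The post’s own Perl script is not reproduced here, so the following is an added Python example (not the author’s code) of the same job: match the 106100 access-list lines, pull out source, destination, protocol and destination port, and count how often each combination appears. It goes slightly beyond the post in two ways: it also keeps denied lines (handy for checking what the ruleset already blocks) and it sums the hit-cnt field, because the ASA logs a 106100 message once per interval with a hit count rather than once per packet, so counting lines alone under-reports busy flows. The sample log lines are constructed for the example, modelled on the ones quoted above, and the 302013 line is included only to show that non-106100 messages are skipped.

```python
"""Aggregate Cisco ASA %ASA-4-106100 access-list log lines into a CSV summary."""
import csv
import io
import re
import sys
from collections import Counter

# One regex for the interesting part of a 106100 line. Interface names may
# contain hyphens and hosts may be names or IP addresses, so each is matched
# up to the delimiter that follows it rather than by character set.
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)"
    r"(?: hit-cnt (?P<hits>\d+))?"
)

CSV_FIELDS = ["source", "destination", "protocol", "dst_port", "action", "lines", "hits"]

# Constructed sample input, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
2009-11-25 18:14:08    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/172.16.19.83(50088) -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/172.16.19.83(50088) hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:12    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2330) -> InterfaceB-Intl/172.16.32.17(443) hit-cnt 3 300-second interval [0xda6858dc, 0xe76db01]
2009-11-25 18:14:13    Local4.Warning    192.168.10.1    %ASA-4-106100: access-list Outside_access_in denied tcp Outside/172.16.19.83(41000) -> InterfaceA/Server6S011(22) hit-cnt 1 first hit [0x11111111, 0x22222222]
2009-11-25 18:14:14    Local4.Informational    192.168.10.1    %ASA-6-302013: Built outbound TCP connection 12345 for Outside:172.16.19.83/443 (172.16.19.83/443) to InterfaceA:Server6S011/5001 (Server6S011/5001)
"""


def parse_line(line):
    """Return the fields of a 106100 access-list line, or None for any other line."""
    m = ACL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # "first hit" lines always carry hit-cnt 1; default to 1 if it is missing.
    fields["hits"] = int(fields["hits"]) if fields["hits"] else 1
    fields["dport"] = int(fields["dport"])
    return fields


def aggregate(lines):
    """Group lines by (source, destination, protocol, destination port, action).

    Returns a list of row dicts sorted by number of log lines, busiest first.
    The source port is deliberately not part of the key: it is ephemeral and
    would split one conversation into hundreds of rows.
    """
    lines_seen = Counter()
    hits = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key = (f["src"], f["dst"], f["proto"], f["dport"], f["action"])
        lines_seen[key] += 1
        hits[key] += f["hits"]
    return [
        dict(zip(CSV_FIELDS, (*k, lines_seen[k], hits[k])))
        for k in sorted(lines_seen, key=lambda k: (-lines_seen[k], k))
    ]


def to_csv(rows):
    """Render the aggregated rows as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def main(argv):
    """Mirror the post's usage: syslogparser filename.txt writes filename.txt.csv."""
    if len(argv) != 2:
        print("usage: syslogparser.py filename.txt   (writes filename.txt.csv)")
        return 2
    with open(argv[1], encoding="utf-8", errors="replace") as fh:
        rows = aggregate(fh)
    with open(argv[1] + ".csv", "w", newline="") as out:
        out.write(to_csv(rows))
    print(f"{len(rows)} flows written to {argv[1]}.csv")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the sample with `aggregate(SAMPLE_LOG.splitlines())` and the two Server6S009 lines collapse into one row with `lines` 2 and `hits` 4, which is the figure you actually want when deciding whether a rule is in use. Real logs from a syslog server will also contain other message IDs, so everything that does not match the 106100 pattern is skipped rather than treated as an error.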

The output of the processing is shown here:


[Image: screenshot of the script’s output table]

A nicely presented list showing source and destination, port, protocol and how many times each combination appeared in the syslog.

To run the tool, from the command line enter:

syslogparser filename.txt

And a file filename.txt.csv will be output.

Get the application here
