Skip to content

arnesund/ruleset-analysis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits

lib

lib

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

config.py

config.py

 
 

connlist-reducer.py

connlist-reducer.py

 
 

find_matching_rules.py

find_matching_rules.py

 
 

firewallrule.py

firewallrule.py

 
 

mapper.py

mapper.py

 
 

name-number-mappings.db

name-number-mappings.db

 
 

postprocess_ruleset_analysis.py

postprocess_ruleset_analysis.py

 
 

preprosess_access_lists.py

preprosess_access_lists.py

 
 

preprosess_fortigate_acl.py

preprosess_fortigate_acl.py

 
 

reducer.py

reducer.py

 
 

runAnalysis.sh

runAnalysis.sh

 
 

show_ruleset.py

show_ruleset.py

 
 

Repository files navigation

RulesetAnalysis

Analyze firewall traffic logs to determine which firewall rules are in use and what traffic matched those rules. A typical use-case is to replace a generic rule with more specific rules better matching the traffic.

Currently Cisco ASA/FWSM and Fortinet FortiGate firewalls are supported. There is a separate preprocessor for each platform, and to create support for a new platform or rule syntax all that's needed is to add a new preprocessor for it. The analysis running on Hadoop is vendor-agnostic and only depends on rules and rulesets stored in an access-list database ("input/accesslists.db" in Python Shelve format).

Walkthrough of the usage

Read this blog post for examples and a walkthrough of the usage.

Prerequisites

To be able to run the analysis as a Hadoop job, you need:

  • Firewall config file as a text file (for example config file collected by RANCID)
  • Firewall log files uploaded to HDFS
  • Hadoop tools installed, to be able to submit jobs to a cluster
    • You need the hadoop binary and the path to the hadoop-streaming jar file
    • Test availability of tools with hadoop version in a terminal
  • Python module 'ciscoconfparse' installed (only on host performing preprocessing of firewall config)
  • Python module 'IPy' installed on all cluster nodes
    • Install with 'easy_install -U IPy' or get tarball from https://pypi.python.org/pypi/IPy
    • Ask your cluster administrator for help if you don't have access to installing packages on the cluster nodes
  • Git submodule 'fw-regex' checked out after checking out this repo: 'git submodule init && git submodule update'

Quick Start Guide

Before launching your first analysis, first make sure all prerequisites listed above are met.

To perform a ruleset-analysis, you need to complete the following steps:

  1. Preprocess firewall config to create a database of accesslists: ./preprosess_access_lists.py -f <INSERT_FILE_PATH> with the path to the firewall config file as the only argument
  2. Launch the job on the cluster by running ./runAnalysis.sh <INSERT_HDFS_PATH> with the HDFS path to log files (supplying more than one path is supported)
  3. Copy the result files to local disk:
outputdir="<INSERT_OUTPUT_PATH_FROM_JOB_OUTPUT>";
hadoop dfs -getmerge $outputdir output/$outputdir```
 4. Run postprocessing script to generate the ruleset report:
```./postprocess_ruleset_analysis.py -f output/$outputdir > output/$outputdir-postprocessed.log```
 5. Display results: `less output/$outputdir-postprocessed.log`

About

Analyze firewall logs using Hadoop to determine which firewall rules are in use and what traffic matched those rules.

Resources

Readme

License

GPL-2.0 license
Activity

Stars

6 stars

Watchers

5 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages