Ejemplo n.º 1
def run_script(args):
  """Run the ``iplists`` sub-command of ds-to-aws-waf.py.

  ``args[0]`` is skipped; the remaining items are handed to ``Script``
  together with the parser built here. ``-l/--list`` prints the available
  lists and takes precedence over ``-i/--id``, which looks up one Deep
  Security IP List by ID and passes it to ``create_ip_set``.
  """
  # build the option parser for this sub-command
  cli = core.get_arg_parser(prog='ds-to-aws-waf.py iplists', add_help=True)
  cli.add_argument(
    '-l', '--list',
    action='store_true',
    required=False,
    help='List the available Deep Security IP Lists and the AWS WAF IP Sets')
  # change to i from -d/--ds?
  cli.add_argument(
    '-i', '--id',
    action='store',
    dest="ip_list",
    required=False,
    help='Specify an IP List by ID within Deep Security as the source for the AWS WAF IP Set')

  runner = Script(args[1:], cli)

  if runner.args.list:
    # read-only path: show the Deep Security IP Lists and AWS WAF IP Sets
    runner.connect()
    runner.get_available_aws_sets()
    runner.print_lists()
  elif runner.args.ip_list:
    runner.connect()
    if runner.args.dryrun:
      border = "***********************************************************************"
      for line in (border, "* DRY RUN ENABLED. NO CHANGES WILL BE MADE", border):
        runner._log(line, priority=True)
    # NOTE(review): the dry-run flag only prints the banner in this function;
    # create_ip_set is still called, so it presumably checks --dryrun itself.
    # Confirm before relying on the banner.
    # the Deep Security IP Lists are already cached at this point
    source_list = runner.get_ds_list(runner.args.ip_list)
    if source_list:
      runner.create_ip_set(source_list)

  runner.clean_up()
Ejemplo n.º 2
def run_script(args):
  """Run the ``sqli`` sub-command of ds-to-aws-waf.py.

  ``args[0]`` is skipped; the rest is parsed by ``Script`` with the parser
  built here. The switches are independent ``if`` branches, so several can
  run in one invocation: ``-l/--list`` (optionally with ``--create-rule``),
  ``--create-match`` and ``--map-to-wacl``. ``--create-rule`` without
  ``-l/--list`` only logs a usage message.
  """
  # build the option parser for this sub-command
  cli = core.get_arg_parser(prog='ds-to-aws-waf.py sqli', add_help=True)
  cli.add_argument(
    '-l', '--list',
    action='store_true',
    required=False,
    help='List the available EC2 instances')
  cli.add_argument(
    '--tag',
    action=core.StoreNameValuePairOnEquals,
    nargs="+",
    dest="tags",
    required=False,
    help='Specify the tags to filter the EC2 instances by. Multiple tags are cumulative')

  cli.add_argument(
    '--create-match',
    action='store_true',
    required=False,
    dest="create_match",
    help='Create the SQLi match condition for use in various rules')
  cli.add_argument(
    '--map-to-wacl',
    action='store_true',
    required=False,
    dest="map_to_wacl",
    help='Attempt to map each instance to an AWS WAF WACL')
  cli.add_argument(
    '--create-rule',
    action='store_true',
    required=False,
    dest="create_rule",
    help='Create the SQLi rule for instances that can be mapped to an AWS WAF WACL. Used in conjunction with -l/--list')

  runner = Script(args[1:], cli)
  border = "***********************************************************************"
  dry_run_banner = (border, "* DRY RUN ENABLED. NO CHANGES WILL BE MADE", border)

  if runner.args.list:
    # gather the EC2 instances and cross reference them with Deep Security
    runner.connect()
    runner.get_ec2_instances()
    runner.get_deep_security_info()
    runner.get_waf_support_structures()
    runner.map_instances_to_wacls()
    found = runner.compare_ec2_to_deep_security()
    runner.print_recommendations(found)
    if runner.args.create_rule:
      if runner.args.dryrun:
        for line in dry_run_banner:
          runner._log(line, priority=True)

      # --dryrun is enforced inside create_wacl_rule/update_wacl, not here.
      # The rule is created once, on the first mapped instance, and every
      # mapped WACL is then updated.
      for position, (_instance_id, wacl_id) in enumerate(runner.instances_to_wacls.items()):
        if position == 0:
          runner.create_wacl_rule() # idempotent
        runner.update_wacl(wacl_id)

  if runner.args.create_match:
    runner.connect()
    if runner.args.dryrun:
      for line in dry_run_banner:
        runner._log(line, priority=True)

    # create the recommended SQLi match condition
    runner.create_match_condition()

  if runner.args.map_to_wacl:
    runner.connect()
    runner.get_waf_support_structures()
    runner.map_instances_to_wacls()
    runner.print_instances_to_wacls_map()

  # the usage check runs last, after the other switches have been handled
  if runner.args.create_rule and not runner.args.list:
    runner._log("The --create-rule switch must be used with the -l/--list switch", priority=True)

  runner.clean_up()
Ejemplo n.º 3
def run_script(args):
    """Run the ``analyze`` sub-command of ds-analyze-findings.

    ``args[0]`` is skipped; the rest is parsed by ``Script`` with the parser
    built here. ``-l/--list`` lists the assessment run ARNs; otherwise
    ``--run-arn`` reconciles the findings of that run and, with
    ``--mitigate``, passes the result to ``Script.mitigate``.

    Returns whatever ``get_findings`` returned, or ``None`` when neither
    switch was given.
    """
    # build the option parser for this sub-command
    cli = core.get_arg_parser(prog='ds-analyze-findings analyze', add_help=True)
    cli.add_argument('-l', '--list', action='store_true', required=False,
                     help='List the available Amazon Inspector assessment runs')
    cli.add_argument('--run-arn', action='store', dest='run_arn', required=False,
                     help='Analyze the findings of this Amazon Inspector assessment run')
    cli.add_argument('--mitigate', action='store_true', dest='mitigate', required=False,
                     help='Mitigate Amazon Inspector findings when possible using Deep Security')

    runner = Script(args[1:], cli)

    details = None
    if runner.args.list:
        # read-only path: show the findings available in Amazon Inspector
        runner.connect()
        details = runner.get_findings()
        runner.list_run_arns(details)
    elif runner.args.run_arn:
        runner.connect()
        details = runner.get_findings()
        if details:
            results = runner.reconcile_findings(details, runner.args.run_arn)

            if results:
                runner.print_results(results, details)

            if runner.args.mitigate:
                # NOTE(review): the flag is read as `dry_run`, and no option
                # with that dest is declared in this function; confirm it
                # matches the dest defined by core.get_arg_parser or Script.
                if runner.args.dry_run:
                    border = "***********************************************************************"
                    for line in (border, "* DRY RUN ENABLED. NO CHANGES WILL BE MADE", border):
                        runner._log(line, priority=True)

                # NOTE(review): mitigate() is called whether or not the banner
                # was printed and whether or not `results` is empty, so it
                # presumably enforces dry-run and handles empty input itself.
                runner.mitigate(results)

    runner.clean_up()

    return details
Ejemplo n.º 4
def run_script(args):
    """Run the ``iplists`` sub-command of ds-to-aws-waf.py.

    ``args[0]`` is skipped; the remaining items go to ``Script`` along with
    the parser built here. ``-l/--list`` prints the available lists and wins
    over ``-i/--id``, which fetches one Deep Security IP List by ID and hands
    it to ``create_ip_set``.
    """
    # build the option parser for this sub-command
    cli = core.get_arg_parser(prog='ds-to-aws-waf.py iplists', add_help=True)
    cli.add_argument('-l', '--list', action='store_true', required=False,
                     help='List the available Deep Security IP Lists and the AWS WAF IP Sets')
    # change to i from -d/--ds?
    cli.add_argument('-i', '--id', action='store', dest="ip_list", required=False,
                     help='Specify an IP List by ID within Deep Security as the source for the AWS WAF IP Set')

    runner = Script(args[1:], cli)

    if runner.args.list:
        # read-only path: show the Deep Security IP Lists and AWS WAF IP Sets
        runner.connect()
        runner.get_available_aws_sets()
        runner.print_lists()
    elif runner.args.ip_list:
        runner.connect()
        if runner.args.dryrun:
            border = "***********************************************************************"
            for line in (border, "* DRY RUN ENABLED. NO CHANGES WILL BE MADE", border):
                runner._log(line, priority=True)
        # NOTE(review): only the banner depends on --dryrun in this function;
        # create_ip_set is still called, so it presumably checks the flag
        # itself. Confirm before relying on the banner.
        # the Deep Security IP Lists are already cached at this point
        source_list = runner.get_ds_list(runner.args.ip_list)
        if source_list:
            runner.create_ip_set(source_list)

    runner.clean_up()
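def run_script(args):
  """Run the ``coverage`` sub-command of ds-analyze-findings.

  ``args[0]`` is skipped; the rest is parsed by ``Script`` with the parser
  built here. The CVEs reported by Amazon Inspector are compared with those
  known to Deep Security, and the result is either printed one CVE per line
  (``--print-cve-only``) or handed to ``Script.print_coverage``.

  Returns the value produced by ``compare_cves``. With ``--print-cve-only``
  it has been sorted in place before being returned.
  """
  # configure the command line args
  parser = core.get_arg_parser(prog='ds-analyze-findings coverage', add_help=True)
  parser.add_argument('--print-cve-only', action='store_true', dest='print_cve_only', required=False, help='Print only the CVEs covered by both Amazon Inspector and Deep Security. Useful to piping to other commands when not used with the --verbose switch')

  script = Script(args[1:], parser)

  script.connect()
  in_inspector = script.get_cves_from_inspector()
  in_ds = script.get_cves_in_ds()
  coverage = script.compare_cves(in_inspector, in_ds)
  if script.args.print_cve_only:
    # assumes coverage is a list of strings (sort() and join() are used on it)
    coverage.sort()
    # print() with a single argument behaves the same on Python 2 and is
    # valid syntax on Python 3, unlike the bare print statement
    print("\n".join(coverage))
  else:
    script.print_coverage(coverage, in_inspector, in_ds)

  script.clean_up()

  return coverage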
Ejemplo n.º 6
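def run_script(args):
  """Run the ``coverage`` sub-command of ds-analyze-findings.

  ``args[0]`` is skipped and the remaining items are parsed by ``Script``
  using the parser built here. CVEs from Amazon Inspector are compared with
  those in Deep Security; the outcome is printed one CVE per line when
  ``--print-cve-only`` is set, otherwise via ``Script.print_coverage``.

  Returns the ``compare_cves`` result, sorted in place when
  ``--print-cve-only`` was given.
  """
  # configure the command line args
  parser = core.get_arg_parser(prog='ds-analyze-findings coverage', add_help=True)
  parser.add_argument('--print-cve-only', action='store_true', dest='print_cve_only', required=False, help='Print only the CVEs covered by both Amazon Inspector and Deep Security. Useful to piping to other commands when not used with the --verbose switch')

  script = Script(args[1:], parser)

  script.connect()
  in_inspector = script.get_cves_from_inspector()
  in_ds = script.get_cves_in_ds()
  coverage = script.compare_cves(in_inspector, in_ds)
  if script.args.print_cve_only:
    # assumes coverage is a list of strings (sort() and join() are used on it)
    coverage.sort()
    # single-argument print() is identical on Python 2 and parses on
    # Python 3, where the print statement is a SyntaxError
    print("\n".join(coverage))
  else:
    script.print_coverage(coverage, in_inspector, in_ds)

  script.clean_up()

  return coverage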
Ejemplo n.º 7
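def run_script(args):
    """Run the ``xss`` sub-command of ds-to-aws-waf.py.

    ``args[0]`` is skipped; the rest is parsed by ``Script`` with the parser
    built here. The switches are independent ``if`` branches, so several can
    run in one invocation: ``-l/--list`` (optionally with ``--create-rule``),
    ``--create-match`` and ``--map-to-wacl``. ``--create-rule`` without
    ``-l/--list`` only logs a usage message.
    """
    # configure the command line args
    parser = core.get_arg_parser(prog='ds-to-aws-waf.py xss', add_help=True)
    parser.add_argument('-l',
                        '--list',
                        action='store_true',
                        required=False,
                        help='List the available EC2 instances')
    parser.add_argument(
        '--tag',
        action=core.StoreNameValuePairOnEquals,
        nargs="+",
        dest="tags",
        required=False,
        help=
        'Specify the tags to filter the EC2 instances by. Multiple tags are cumulative'
    )

    parser.add_argument(
        '--create-match',
        action='store_true',
        required=False,
        dest="create_match",
        help='Create the SQLi & XSS match conditions for use in various rules')
    parser.add_argument('--map-to-wacl',
                        action='store_true',
                        required=False,
                        dest="map_to_wacl",
                        help='Attempt to map each instance to an AWS WAF WACL')
    parser.add_argument(
        '--create-rule',
        action='store_true',
        required=False,
        dest="create_rule",
        help=
        'Create the SQLi & XSS rule for instances that can be mapped to an AWS WAF WACL. Used in conjunction with -l/--list'
    )

    script = Script(args[1:], parser)

    if script.args.list:
        # List the available EC2 instances and cross reference with Deep Security
        script.connect()
        script.get_ec2_instances()
        script.get_deep_security_info()
        script.get_waf_support_structures()
        script.map_instances_to_wacls()
        # Bind the comparison result to the name that is actually printed.
        # Two identical no-argument calls stored under xss_/sqli_ names, with
        # an undefined `recommendations` passed on, raised NameError on every
        # --list run, so the rule-creation step below was never reached.
        # NOTE(review): the call takes no arguments, so XSS and SQLi results
        # cannot be told apart from here; confirm whether print_recommendations
        # expects separate sets.
        recommendations = script.compare_ec2_to_deep_security()
        script.print_recommendations(recommendations)
        if script.args.create_rule:
            if script.args.dryrun:
                script._log(
                    "***********************************************************************",
                    priority=True)
                script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE",
                            priority=True)
                script._log(
                    "***********************************************************************",
                    priority=True)

            # create the rule and update the WACLs
            # --dryrun is handled directly in the functions
            rule_created = False
            for instance_id, wacl_id in script.instances_to_wacls.items():
                # the rule is only created when at least one instance is mapped
                if not rule_created:
                    script.create_wacl_rule()  # idempotent
                    rule_created = True

                script.update_wacl(wacl_id)

    if script.args.create_match:
        script.connect()
        if script.args.dryrun:
            script._log(
                "***********************************************************************",
                priority=True)
            script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE",
                        priority=True)
            script._log(
                "***********************************************************************",
                priority=True)

        # create the recommended XSS match condition
        script.create_match_condition()

    if script.args.map_to_wacl:
        script.connect()
        script.get_waf_support_structures()
        script.map_instances_to_wacls()
        script.print_instances_to_wacls_map()

    # the usage check runs last, after the other switches have been handled
    if script.args.create_rule and not script.args.list:
        script._log(
            "The --create-rule switch must be used with the -l/--list switch",
            priority=True)

    script.clean_up()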