def p_addr_service_set_line_3(p):
    '''service_set_line : START_PORT NUMBER'''
    # Two START_PORT lines form one range: the first one is parked in
    # p_info['range_port']; the second one emits a RANGE whose v1 is the
    # new port and whose v2 is the parked one, then clears the parking slot.
    parked = p_info['range_port']
    if not parked:
        p_info['range_port'] = Port(p[2])
        return
    entries = object_dict[p_info['current_object']]
    entries.append({'port_dst': Operator('RANGE', Port(p[2]), parked)})
    p_info['range_port'] = None
def p_service_plus_2(p):
    '''service_plus : PLUS protocol SRC_PORT NUMBER HYPHEN NUMBER DST_PORT NUMBER HYPHEN NUMBER'''
    # Token positions: p[2] protocol, p[4]-p[6] source port range,
    # p[8]-p[10] destination port range. Here p_info['current_object']
    # is itself the list that receives the entries.
    target = p_info['current_object']
    entries = [
        {'service': Operator('EQ', Protocol(p[2]))},
        {'src-port': Operator('RANGE', Port(p[4]), Port(p[6]))},
        {'dst-port': Operator('RANGE', Port(p[8]), Port(p[10]))},
    ]
    for entry in entries:
        target.append(entry)
def p_port_destination_2(p):
    '''port_destination : BANG PORT_DESTINATION port_list'''
    # Negated form: a single port becomes NEQ, a (low, high) pair becomes a
    # toggled RANGE operator. p[3] is a list of (low, high) tuples where a
    # falsy high marks a single port.
    dest = p_info['current_rule'].port_dest
    for low, high in p[3]:
        if high:
            dest.append(Operator('RANGE', Port(low), Port(high)).toggle())
        else:
            dest.append(Operator('NEQ', Port(low)))
def p_port_object_line_1(p):
    '''port_object_line : PORT_OBJECT OP_EQ item'''
    # Named ASA ports are mapped to their value through the CiscoAsaPort
    # table; any other item is handed to Port() unchanged.
    item = p[3]
    table = CiscoAsaPort.CiscoAsaPort
    value = table[item] if item in table else item
    object_dict[p_info['object_group_name']].append(
        {'port': Operator('EQ', Port(value))})
def p_port_source_1(p):
    '''port_source : PORT_SOURCE port_list'''
    # p[2] is a list of (low, high) tuples; a falsy high means a single port.
    source = p_info['current_rule'].port_source
    for low, high in p[2]:
        if high:
            source.append(Operator('RANGE', Port(low), Port(high)))
        else:
            source.append(Operator('EQ', Port(low)))
def p_port_source_2(p):
    '''port_source : BANG PORT_SOURCE port_list'''
    # Negated form of p_port_source_1: NEQ for single ports, toggled RANGE
    # for (low, high) pairs.
    source = p_info['current_rule'].port_source
    for low, high in p[3]:
        if high:
            source.append(Operator('RANGE', Port(low), Port(high)).toggle())
        else:
            source.append(Operator('NEQ', Port(low)))
def p_port_dst_line(p):
    '''port_dst_line : PORT_DST COLON words'''
    # p[3] is a comma-separated list of ports; an entry containing '-' is a
    # numeric range "low-high".
    dest = p_info['current_rule'].port_dest
    for entry in p[3].split(','):
        if '-' not in entry:
            dest.append(Operator('EQ', Port(int(entry))))
            continue
        bounds = entry.split('-')
        dest.append(
            Operator('RANGE', Port(int(bounds[0])), Port(int(bounds[1]))))
def p_nat_rule_static1(p):
    '''nat_rule_line : STATIC LPAREN WORD COMA WORD RPAREN TCP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN UDP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN WORD IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR'''
    # Token positions: p[3]/p[5] interface names, p[7] protocol,
    # p[8]:p[9] first address/port, p[10]:p[11] second address/port,
    # p[13] the netmask shared by both addresses.
    firewall = p_info['firewall']
    in_iface = firewall.get_interface_by_name(p[3])
    out_iface = firewall.get_interface_by_name(p[5])
    netmask = p[13]
    rule = Nat_Rule(
        None, None,
        [Protocol(p[7])],
        [Ip(p[8], netmask)],
        [], [],
        [Port(int(p[9]))],
        [Ip(p[10], netmask)],
        [Port(int(p[11]))],
        'static',
        [out_iface],
        [in_iface])
    firewall.nat_rule_list.append(rule)
def get_all_flows(self):
    """Build one Rule per row of self.liststore.

    Rows are read positionally: 0 identifier, 1 protocols, 2 source IPs,
    3 source ports, 4 destination IPs, 5 destination ports, 6 action
    ('deny' / 'accept'). A cell is only used when it is a non-empty str.
    IP entries may carry a '/prefix' suffix, converted with
    self.fromDec2Dotted; otherwise a host mask is used.

    NOTE: the rules built here are not stored anywhere — the append to
    self.flows is commented out, so this method currently has no
    observable effect besides printing 'error' on a KeyError.
    """
    def is_text(value):
        return isinstance(value, str) and len(value) != 0

    def add_ips(text, target):
        # Append one EQ Ip operator per comma-separated entry.
        for entry in text.split(','):
            if '/' in entry:
                addr, prefix = entry.split('/', 1)
                mask = self.fromDec2Dotted(int(prefix))
            else:
                addr, mask = entry, '255.255.255.255'
            target.append(Operator('EQ', Ip(addr, mask)))

    def add_ports(text, target):
        for port in text.split(','):
            target.append(Operator('EQ', Port(int(port))))

    for flow in self.liststore:
        current_rule = Rule(None, None, [], [], [], [], [], Action(False))
        try:
            if is_text(flow[0]):
                current_rule.identifier = int(flow[0])
            if is_text(flow[1]):
                for protocol in flow[1].split(','):
                    current_rule.protocol.append(
                        Operator('EQ', Protocol(protocol)))
            if is_text(flow[2]):
                add_ips(flow[2], current_rule.ip_source)
            if is_text(flow[3]):
                add_ports(flow[3], current_rule.port_source)
            if is_text(flow[4]):
                add_ips(flow[4], current_rule.ip_dest)
            if is_text(flow[5]):
                add_ports(flow[5], current_rule.port_dest)
            if flow[6] == 'deny':
                current_rule.action = Action(False)
            elif flow[6] == 'accept':
                current_rule.action = Action(True)
        except KeyError:
            print('error')
        # self.flows.append(current_rule)  -- disabled in the original
def p_opt_service_3(p):
    '''opt_service : SOURCE operator DESTINATION operator'''
    # Both operators carry raw values; wrap v1 (and v2 when truthy) in Port.
    def as_port_operator(op):
        op.v1 = Port(op.v1)
        if op.v2:
            op.v2 = Port(op.v2)
        return op

    p[0] = [
        {'source': as_port_operator(p[2])},
        {'destination': as_port_operator(p[4])},
    ]
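def p_port_src_line(p):
    '''port_src_line : PORT_SRC COLON words'''
    # p[3] is a comma-separated list of ports; an entry containing '-' is a
    # numeric range "low-high". Both bounds must be separate Port()
    # arguments of Operator: the previous version nested the second Port()
    # inside the first one, producing a RANGE with no upper bound.
    source = p_info['current_rule'].port_source
    for entry in p[3].split(','):
        if '-' not in entry:
            source.append(Operator('EQ', Port(int(entry))))
            continue
        bounds = entry.split('-')
        source.append(
            Operator('RANGE', Port(int(bounds[0])), Port(int(bounds[1]))))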
def get_rule_from_iptable_line(self, rule_line):
    """Build a Rule from one tokenised iptables listing line.

    Positions used: 0 target (DROP -> deny, anything else -> accept),
    1 protocol ('all' -> no constraint), 3 source, 4 destination
    ('anywhere' -> no constraint, optional '/prefix'), 6 an 'spt'/'dpt'
    match when present. 'multiport' ... 'dports' lists are handled too;
    any other seventh token is printed for inspection.
    This function still needs some work to cover every case.
    """
    def ip_operators(token):
        if token == "anywhere":
            return []
        if "/" not in token:
            return [Operator("EQ", Ip(token))]
        parts = token.split('/')
        return [Operator('EQ', Ip(parts[0], fromDec2Dotted(int(parts[1]))))]

    action = Action(rule_line[0] != "DROP")
    ip_source = ip_operators(rule_line[3])
    ip_dest = ip_operators(rule_line[4])
    port_source = []
    port_dest = []
    if rule_line[1] == "all":
        protocol = []
    else:
        protocol = [Operator("EQ", Protocol(rule_line[1]))]

    if len(rule_line) >= 7:
        match = rule_line[6]
        if "spt" in match:
            port_source.append(Operator("EQ", Port(match[4:-1])))
        elif "dpt" in match:
            port_dest.append(Operator("EQ", Port(match[4:-1])))
        elif "multiport" in rule_line:
            pos = rule_line.index("multiport")
            if rule_line[pos + 1] == "dports":
                for port in rule_line[pos + 2].split(","):
                    port_dest.append(Operator("EQ", Port(port)))
        else:
            # Unhandled match: dump the line (leading space kept as before).
            print(" " + " ".join(rule_line))

    return Rule(0, "", protocol, ip_source, port_source, ip_dest,
                port_dest, action)
def toBDD(self, index):
    """Construct the ROBDD of this operator.

    Parameters
    ----------
    index : int
        Variable index used in the ROBDD.

    Returns
    -------
    The computed ROBDD.

    Notes
    -----
    LT / GT / RANGE are turned into a range2bdd call on the class of v1
    (Protocol, Ip or Port, tested in that order). For Ip values the lower
    bound is the network address (ip & mask) and the upper bound the
    broadcast address (ip | ~mask & 0xFFFFFFFF). EQ delegates to v1.toBDD,
    NEQ negates it; any other operator, or a v1 of another class, falls
    back to v1.toBDD(index).
    """
    op = self.operator
    v1 = self.v1
    if op == 'EQ':
        return v1.toBDD(index)
    if op == 'NEQ':
        return negate_bdd(v1.toBDD(index))

    kind = None
    top = None
    for cls, cls_top in ((Protocol, 2**8 - 1), (Ip, 2**32 - 1),
                         (Port, 2**16 - 1)):
        if isinstance(v1, cls):
            kind, top = cls, cls_top
            break

    def lower(value):
        return value.ip & value.mask if kind is Ip else value.get_value()

    def upper(value):
        if kind is Ip:
            return value.ip | ~value.mask & 0xFFFFFFFF
        return value.get_value()

    if kind is not None:
        if op == 'LT':
            return kind.range2bdd(0, upper(v1), index)
        if op == 'GT':
            return kind.range2bdd(lower(v1), top, index)
        if op == 'RANGE':
            return kind.range2bdd(lower(v1), upper(self.v2), index)
    return v1.toBDD(index)
def fill_service(app, protocols, _protocols, _dest_ports, dest_ports):
    """Append the protocol and destination-port operators of service `app`.

    Scans the module-level `services` list for entries named `app`. A
    'protocol' key adds the protocol name to `protocols` (only once) and a
    matching EQ Protocol operator to `_protocols`; a 'port' key adds an EQ
    Port operator and an 'lport'/'rport' pair a RANGE operator to
    `_dest_ports`. `dest_ports` is accepted but not read here.
    """
    for service in services:
        if service['name'] != app:
            continue
        if 'protocol' in service:
            proto = service['protocol']
            if proto not in protocols:
                protocols.append(proto)
                _protocols.append(Operator('EQ', Protocol(proto)))
        if 'port' in service:
            _dest_ports.append(Operator('EQ', Port(int(service['port']))))
        if 'lport' in service and 'rport' in service:
            _dest_ports.append(
                Operator('RANGE', Port(int(service['lport'])),
                         Port(int(service['rport']))))
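def merge_port(self, ports_list):
    """Intersect consecutive port lists and return the last one.

    Each element of `ports_list` is a list of Operator objects whose
    ``operator`` is "EQ" or "RANGE" and whose ``v1``/``v2`` are Port
    objects (``.port`` attribute). Lists are folded left to right: the
    common part of list i and list i+1 replaces list i+1, so the last
    element holds the overall result. An empty list means "no constraint":
    it is skipped, or replaced by its predecessor. When two neighbouring
    lists share nothing, the last element is set to None and returned.
    `ports_list` is modified in place; an empty `ports_list` yields None.

    Fix: the accumulator used to start as None, so `tmp_list.append` raised
    on the RANGE branches and `tmp_list = tmp_list.append(...)` reset it to
    None after the second EQ match. It is now a plain list.
    Comparisons are strict (<), as in the original: a port equal to a
    range bound is not counted as inside that range.
    """
    def overlap(port1, port2):
        """Return (common_operator_or_None, stop_scanning_port2)."""
        kind = (port1.operator, port2.operator)
        if kind == ("EQ", "EQ"):
            if port1.v1.port == port2.v1.port:
                return port1, True
            return None, False
        if kind == ("RANGE", "EQ"):
            inside = port1.v1.port < port2.v1.port < port1.v2.port
            return (port2 if inside else None), False
        if kind == ("EQ", "RANGE"):
            inside = port2.v1.port < port1.v1.port < port2.v2.port
            return (port1 if inside else None), False
        if kind == ("RANGE", "RANGE"):
            p1v1, p1v2 = port1.v1.port, port1.v2.port
            p2v1, p2v2 = port2.v1.port, port2.v2.port
            if p1v1 < p2v1 < p1v2 and p1v1 < p2v2 < p1v2:
                return port2, False
            if p1v1 < p2v1 < p1v2 and p1v2 < p2v2:
                return Operator("RANGE", Port(p2v1), Port(p1v2)), False
            if p2v1 < p1v1 and p1v1 < p2v2 < p1v2:
                return Operator("RANGE", Port(p1v1), Port(p2v2)), False
            if p2v1 < p1v1 < p2v2 and p2v1 < p1v2 < p2v2:
                return port1, False
        return None, False

    if not ports_list:
        return None
    last = len(ports_list) - 1
    for idx in range(last):
        current = ports_list[idx]
        following = ports_list[idx + 1]
        if len(current) == 0:
            continue
        if len(following) == 0:
            ports_list[idx + 1] = current
            continue
        common = []
        for port1 in current:
            for port2 in following:
                found, stop = overlap(port1, port2)
                if found is not None:
                    common.append(found)
                if stop:
                    break
        if not common:
            # No intersection at all: the whole merge is empty.
            ports_list[idx + 1] = None
            ports_list[last] = None
            break
        ports_list[idx + 1] = common
    return ports_list[last]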
def p_service_set_line_3_1(p):
    '''service_set_line : SET PROTOCOL WORD'''
    # 'ftp' and 'http' are recorded as a destination port name; any other
    # word is recorded as a protocol. The word is lower-cased either way.
    word = p[3].lower()
    entries = object_dict[p_info['current_object']]
    if word in ('ftp', 'http'):
        entries.append({'port_dst': Operator('EQ', Port(word))})
    else:
        entries.append({'protocol': Operator('EQ', Protocol(word))})
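def fill_obj_dict_serv1(obj):
    """Record the port operator of service object `obj` in `nd` under its name.

    `obj` is a dict with 'name' and either 'port' (single port) or
    'portL'/'portR' (range; a 'portR' of 'infinite' means "portL and
    above" and becomes a GT operator). An entry list is created in `nd`
    for the name if missing, even when no port key is present.

    Fix: the 'infinite' upper bound used to be handled only when the name
    was not yet in `nd`; both paths now share one code path.
    """
    entries = nd.setdefault(obj['name'], list())
    if 'portL' in obj:
        if obj['portR'] == 'infinite':
            op = Operator('GT', Port(obj['portL']))
        else:
            op = Operator('RANGE', Port(obj['portL']), Port(obj['portR']))
    elif 'port' in obj:
        op = Operator('EQ', Port(obj['port']))
    else:
        # No port information on this object: nothing to record
        # (the original only had a commented-out debug print here).
        return
    entries.append({obj['name']: op})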
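def resolve_predefined_juniper(name, policy):
    """Expand the predefined Juniper service `name` into `policy`.

    JuniperNetscreenPort.JuniperNetscreenPort[name] is a list of
    (kind, value) pairs. kind 'protocol' appends an EQ Protocol operator
    and the service name to policy.protocol / policy.protocol_name; 'src'
    targets the source port lists, anything else the destination ones.
    A str value is a "low-high" range, a list is several single ports,
    any other value a single port.

    Fix: the list/other test is now an elif — a str value previously also
    fell through to the final else and was appended a second time as an
    EQ Port built from the raw "low-high" string.
    Raises KeyError when `name` is not a predefined service.
    """
    values = JuniperNetscreenPort.JuniperNetscreenPort[name]
    for kind, value in values:
        if kind == 'protocol':
            policy.protocol.append(Operator('EQ', Protocol(value)))
            policy.protocol_name.append(name)
            continue
        is_source = kind == 'src'
        port = policy.port_source if is_source else policy.port_dest
        port_name = (policy.port_source_name if is_source
                     else policy.port_dest_name)
        port_name.append(name)
        if isinstance(value, str):
            bounds = value.split('-')
            port.append(Operator('RANGE', Port(bounds[0]), Port(bounds[1])))
        elif isinstance(value, list):
            for item in value:
                port.append(Operator('EQ', Port(item)))
        else:
            port.append(Operator('EQ', Port(value)))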
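def finish_serv(s):
    """Resolve service `s` and append its operators to the current rule.

    `resolve(s)` yields a dict with a 'type'. Protocol-typed services
    (tcp/udp/icmp/igmp/gre/ospf in the spellings listed below) add an EQ
    Protocol operator plus a destination port: 'port' gives EQ,
    'portL'/'portR' a RANGE, or GT when 'portR' is 'infinite'. A 'group'
    resolves each member and applies the same treatment to protocol-typed
    members; 'other' adds the raw 'protocol'; 'rpc' adds only the 'port'.

    Fix: group members used to skip the 'infinite' check and would build a
    RANGE with Port('infinite'); they now share the top-level logic.
    """
    protocol_types = {
        'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP', 'icmp', 'Icmp', 'igmp',
        'Igmp', 'Gre', 'gre', 'GRE', 'ospf', 'OSPF', 'Ospf'
    }
    rule = p_info['current_rule']

    def add_protocol_service(obj):
        """Append the protocol and (if present) destination port of `obj`."""
        rule.protocol.append(Operator('EQ', Protocol(obj['type'].lower())))
        if 'port' in obj:
            rule.port_dest.append(Operator('EQ', Port(obj['port'])))
        elif 'portL' in obj:
            if obj['portR'] == 'infinite':
                rule.port_dest.append(Operator('GT', Port(obj['portL'])))
            else:
                rule.port_dest.append(
                    Operator('RANGE', Port(obj['portL']), Port(obj['portR'])))

    service = resolve(s)
    kind = service['type']
    if kind in protocol_types:
        add_protocol_service(service)
    elif kind in {'group', 'Group'}:
        for member in service['members']:
            sub = resolve(member)
            if sub['type'] in protocol_types:
                add_protocol_service(sub)
    elif kind in {'other', 'Other'}:
        rule.protocol.append(Operator('EQ', Protocol(service['protocol'])))
    elif kind in {'Rpc', 'rpc'}:
        rule.port_dest.append(Operator('EQ', Port(service['port'])))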
def try_resolve_service(name):
    """Try to interpret `name` as a service and add it to the current rule.

    Names matching 'icmp6' or 'ping' (case-insensitive) become an icmp
    protocol. Otherwise `name` is tried as a destination port (with tcp as
    protocol), then as a protocol; Port()/Protocol() are expected to raise
    socket.error when the name is unknown. Returns True when something was
    added, False when neither interpretation worked.
    """
    rule = p_info['current_rule']
    looks_like_icmp = (re.search('icmp6', name, re.I)
                       or re.search('ping', name, re.I))
    if looks_like_icmp:
        rule.protocol.append(Operator('EQ', Protocol('icmp')))
        return True
    try:
        # First guess: a port name, implicitly over tcp.
        rule.port_dest.append(Operator('EQ', Port(name)))
        rule.protocol.append(Operator('EQ', Protocol('tcp')))
    except socket.error:
        # Second guess: a protocol name.
        try:
            rule.protocol.append(Operator('EQ', Protocol(name)))
        except socket.error:
            return False
    return True
def p_port_dst_line(p):
    '''port_dst_line : PORT_DST COLON WORD'''
    # Single destination port: EQ on the raw word.
    rule = p_info['current_rule']
    rule.port_dest.append(Operator('EQ', Port(p[3])))
def p_port_src_line(p):
    '''port_src_line : PORT_SRC COLON WORD'''
    # Single source port: EQ on the raw word.
    rule = p_info['current_rule']
    rule.port_source.append(Operator('EQ', Port(p[3])))
def p_port_service_3(p):
    '''port_service : NUMBER MINUS NUMBER COLON NUMBER MINUS NUMBER'''
    # Destination range is before the colon (p[1]-p[3]), source range after
    # it (p[5]-p[7]).
    entries = object_dict[p_info['current_object']]
    entries.append({'port_dst': Operator('RANGE', Port(p[1]), Port(p[3]))})
    entries.append({'port_src': Operator('RANGE', Port(p[5]), Port(p[7]))})
def p_port_service_1(p):
    '''port_service : NUMBER'''
    # A lone number is a single destination port.
    entries = object_dict[p_info['current_object']]
    entries.append({'port_dst': Operator('EQ', Port(p[1]))})
def p_opt_protocol_dst_1(p):
    '''opt_protocol_dst : DST_PORT NUMBER HYPHEN NUMBER
                        | DST_PORT NUMBER HYPHEN NUMBER TIMEOUT NUMBER
                        | DST_PORT NUMBER HYPHEN NUMBER TIMEOUT NEVER'''
    # Only the port range p[2]-p[4] is kept; the optional TIMEOUT clause is
    # ignored. p_info['current_object'] is the receiving list itself.
    low, high = Port(p[2]), Port(p[4])
    p_info['current_object'].append(
        {'dst-port': Operator('RANGE', low, high)})
def p_port_dest_1(p):
    '''port_dest : operator'''
    # Wrap the operator's raw bounds in Port (v2 only when it is set) and
    # attach it to the current rule's destination ports.
    op = p[1]
    op.v1 = Port(op.v1)
    if op.v2 is not None:
        op.v2 = Port(op.v2)
    p_info['current_rule'].port_dest.append(op)
def p_port_object_line_2(p):
    '''port_object_line : PORT_OBJECT OP_RANGE NUMBER NUMBER'''
    # Range object: p[3] is the low bound, p[4] the high bound.
    entries = object_dict[p_info['object_group_name']]
    entries.append({'port': Operator('RANGE', Port(p[3]), Port(p[4]))})
def p_opt_service_2(p):
    '''opt_service : DESTINATION operator'''
    # Wrap the raw operator bounds in Port (v2 only when truthy).
    op = p[2]
    op.v1 = Port(op.v1)
    if op.v2:
        op.v2 = Port(op.v2)
    p[0] = [{'destination': op}]
def p_opt_service_1(p):
    '''opt_service : SOURCE operator'''
    # Wrap the raw operator bounds in Port (v2 only when truthy).
    op = p[2]
    op.v1 = Port(op.v1)
    if op.v2:
        op.v2 = Port(op.v2)
    p[0] = [{'source': op}]
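def get_all_flows(self):
    """Collect the flows of the matrix table into self.flows as Rule objects.

    Each row of self.liststore is read positionally: 0 identifier,
    1 protocols, 2 source IPs, 3 source ports, 4 destination IPs,
    5 destination ports, 6 action ('deny' / 'accept'). A cell is only
    used when it is a non-empty str. IP cells are comma-separated entries,
    each 'a.b.c.d', 'a.b.c.d/prefix' (prefix converted with
    self.fromDec2Dotted) or a range 'a.b.c.d-e.f.g.h'. Every rule — even
    one left partially filled by a KeyError — is appended to self.flows.

    Fixes versus the previous version: a range is detected per entry
    (``'-' in entry``) rather than by testing the list object, its bounds
    are split from the entry itself (the old code referenced an undefined
    ``ip`` variable there), a destination range now goes to ip_dest rather
    than ip_source, and the range is built as
    ``Operator('RANGE', Ip(low), Ip(high))`` so both bounds are available
    as v1/v2. NOTE(review): confirm that single-argument Ip(addr) is the
    intended host form for range bounds.
    """
    print(self.liststore)

    def is_text(value):
        return isinstance(value, str) and len(value) != 0

    def add_ips(text, target):
        # One operator per comma-separated entry.
        for entry in text.split(','):
            if '-' in entry:
                low, high = entry.split('-', 1)
                target.append(Operator('RANGE', Ip(low), Ip(high)))
            elif '/' in entry:
                addr, prefix = entry.split('/', 1)
                mask = self.fromDec2Dotted(int(prefix))
                target.append(Operator('EQ', Ip(addr, mask)))
            else:
                target.append(Operator('EQ', Ip(entry, '255.255.255.255')))

    def add_ports(text, target):
        for port in text.split(','):
            target.append(Operator('EQ', Port(int(port))))

    for flow in self.liststore:
        current_rule = Rule(None, None, [], [], [], [], [], Action(False))
        try:
            if is_text(flow[0]):
                current_rule.identifier = int(flow[0])
            if is_text(flow[1]):
                # Spaces are tolerated around the commas.
                for protocol in flow[1].replace(' ', '').split(','):
                    current_rule.protocol.append(
                        Operator('EQ', Protocol(protocol)))
            if is_text(flow[2]):
                add_ips(flow[2], current_rule.ip_source)
            if is_text(flow[3]):
                add_ports(flow[3], current_rule.port_source)
            if is_text(flow[4]):
                add_ips(flow[4], current_rule.ip_dest)
            if is_text(flow[5]):
                add_ports(flow[5], current_rule.port_dest)
            if flow[6] == 'deny':
                current_rule.action = Action(False)
            elif flow[6] == 'accept':
                current_rule.action = Action(True)
        except KeyError:
            print('error')
        self.flows.append(current_rule)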