def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-to-aws-waf.py iplists', add_help=True)
parser.add_argument('-l', '--list', action='store_true', required=False, help='List the available Deep Security IP Lists and the AWS WAF IP Sets')
# change to i from -d/--ds?
parser.add_argument('-i', '--id', action='store', dest="ip_list", required=False, help='Specify an IP List by ID within Deep Security as the source for the AWS WAF IP Set')
script = Script(args[1:], parser)
if script.args.list:
# List the available Deep Security IP Lists and AWS WAF IP Sets
script.connect()
script.get_available_aws_sets()
script.print_lists()
elif script.args.ip_list:
script.connect()
if script.args.dryrun:
script._log("***********************************************************************", priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE", priority=True)
script._log("***********************************************************************", priority=True)
# get the specified Deep Security IP Lists (already cached)
ip_list = script.get_ds_list(script.args.ip_list)
# create the IP Set
if ip_list:
script.create_ip_set(ip_list)
script.clean_up()
def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-to-aws-waf.py sqli', add_help=True)
parser.add_argument('-l', '--list', action='store_true', required=False, help='List the available EC2 instances')
parser.add_argument('--tag', action=core.StoreNameValuePairOnEquals, nargs="+", dest="tags", required=False, help='Specify the tags to filter the EC2 instances by. Multiple tags are cumulative')
parser.add_argument('--create-match', action='store_true', required=False, dest="create_match", help='Create the SQLi match condition for use in various rules')
parser.add_argument('--map-to-wacl', action='store_true', required=False, dest="map_to_wacl", help='Attempt to map each instance to an AWS WAF WACL')
parser.add_argument('--create-rule', action='store_true', required=False, dest="create_rule", help='Create the SQLi rule for instances that can be mapped to an AWS WAF WACL. Used in conjunction with -l/--list')
script = Script(args[1:], parser)
if script.args.list:
# List the available EC2 instances and cross reference with Deep Security
script.connect()
script.get_ec2_instances()
script.get_deep_security_info()
script.get_waf_support_structures()
script.map_instances_to_wacls()
recommendations = script.compare_ec2_to_deep_security()
script.print_recommendations(recommendations)
if script.args.create_rule:
if script.args.dryrun:
script._log("***********************************************************************", priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE", priority=True)
script._log("***********************************************************************", priority=True)
# create the rule and update the WACLs
# --dryrun is handled directly in the functions
rule_created = False
for instance_id, wacl_id in script.instances_to_wacls.items():
if not rule_created:
script.create_wacl_rule() # idempotent
rule_created = True
script.update_wacl(wacl_id)
if script.args.create_match:
script.connect()
if script.args.dryrun:
script._log("***********************************************************************", priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE", priority=True)
script._log("***********************************************************************", priority=True)
# create the recommend SQLi match condition
script.create_match_condition()
if script.args.map_to_wacl:
script.connect()
script.get_waf_support_structures()
script.map_instances_to_wacls()
script.print_instances_to_wacls_map()
if script.args.create_rule and not script.args.list:
script._log("The --create-rule switch must be used with the -l/--list switch", priority=True)
script.clean_up()
def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-analyze-findings analyze',
add_help=True)
parser.add_argument(
'-l',
'--list',
action='store_true',
required=False,
help='List the available Amazon Inspector assessment runs')
parser.add_argument(
'--run-arn',
action='store',
dest='run_arn',
required=False,
help='Analyze the findings of this Amazon Inspector assessment run')
parser.add_argument(
'--mitigate',
action='store_true',
dest='mitigate',
required=False,
help=
'Mitigate Amazon Inspector findings when possible using Deep Security')
#parser.add_argument('-i', '--id', action='store', dest="ip_list", required=False, help='Specify an IP List by ID within Deep Security as the source for the AWS WAF IP Set')
script = Script(args[1:], parser)
details = None
if script.args.list:
# List the available findings in Amazon Inspector
script.connect()
details = script.get_findings()
script.list_run_arns(details)
elif script.args.run_arn:
script.connect()
details = script.get_findings()
if details:
results = script.reconcile_findings(details, script.args.run_arn)
if results: script.print_results(results, details)
if script.args.mitigate:
if script.args.dry_run:
script._log(
"***********************************************************************",
priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE",
priority=True)
script._log(
"***********************************************************************",
priority=True)
script.mitigate(results)
script.clean_up()
return details
def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-to-aws-waf.py iplists',
add_help=True)
parser.add_argument(
'-l',
'--list',
action='store_true',
required=False,
help='List the available Deep Security IP Lists and the AWS WAF IP Sets'
)
# change to i from -d/--ds?
parser.add_argument(
'-i',
'--id',
action='store',
dest="ip_list",
required=False,
help=
'Specify an IP List by ID within Deep Security as the source for the AWS WAF IP Set'
)
script = Script(args[1:], parser)
if script.args.list:
# List the available Deep Security IP Lists and AWS WAF IP Sets
script.connect()
script.get_available_aws_sets()
script.print_lists()
elif script.args.ip_list:
script.connect()
if script.args.dryrun:
script._log(
"***********************************************************************",
priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE",
priority=True)
script._log(
"***********************************************************************",
priority=True)
# get the specified Deep Security IP Lists (already cached)
ip_list = script.get_ds_list(script.args.ip_list)
# create the IP Set
if ip_list:
script.create_ip_set(ip_list)
script.clean_up()
def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-analyze-findings coverage', add_help=True)
parser.add_argument('--print-cve-only', action='store_true', dest='print_cve_only', required=False, help='Print only the CVEs covered by both Amazon Inspector and Deep Security. Useful to piping to other commands when not used with the --verbose switch')
script = Script(args[1:], parser)
script.connect()
in_inspector = script.get_cves_from_inspector()
in_ds = script.get_cves_in_ds()
coverage = script.compare_cves(in_inspector, in_ds)
if script.args.print_cve_only:
coverage.sort()
print "\n".join(coverage)
else:
script.print_coverage(coverage, in_inspector, in_ds)
script.clean_up()
return coverage
def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-analyze-findings coverage', add_help=True)
parser.add_argument('--print-cve-only', action='store_true', dest='print_cve_only', required=False, help='Print only the CVEs covered by both Amazon Inspector and Deep Security. Useful to piping to other commands when not used with the --verbose switch')
script = Script(args[1:], parser)
script.connect()
in_inspector = script.get_cves_from_inspector()
in_ds = script.get_cves_in_ds()
coverage = script.compare_cves(in_inspector, in_ds)
if script.args.print_cve_only:
coverage.sort()
print "\n".join(coverage)
else:
script.print_coverage(coverage, in_inspector, in_ds)
script.clean_up()
return coverage
def run_script(args):
# configure the command line args
parser = core.get_arg_parser(prog='ds-to-aws-waf.py xss', add_help=True)
parser.add_argument('-l',
'--list',
action='store_true',
required=False,
help='List the available EC2 instances')
parser.add_argument(
'--tag',
action=core.StoreNameValuePairOnEquals,
nargs="+",
dest="tags",
required=False,
help=
'Specify the tags to filter the EC2 instances by. Multiple tags are cumulative'
)
parser.add_argument(
'--create-match',
action='store_true',
required=False,
dest="create_match",
help='Create the SQLi & XSS match conditions for use in various rules')
parser.add_argument('--map-to-wacl',
action='store_true',
required=False,
dest="map_to_wacl",
help='Attempt to map each instance to an AWS WAF WACL')
parser.add_argument(
'--create-rule',
action='store_true',
required=False,
dest="create_rule",
help=
'Create the SQLi & XSS rule for instances that can be mapped to an AWS WAF WACL. Used in conjunction with -l/--list'
)
script = Script(args[1:], parser)
if script.args.list:
# List the available EC2 instances and cross reference with Deep Security
script.connect()
script.get_ec2_instances()
script.get_deep_security_info()
script.get_waf_support_structures()
script.map_instances_to_wacls()
xss_recommendations = script.compare_ec2_to_deep_security()
sqli_recommendations = script.compare_ec2_to_deep_security()
script.print_recommendations(recommendations)
if script.args.create_rule:
if script.args.dryrun:
script._log(
"***********************************************************************",
priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE",
priority=True)
script._log(
"***********************************************************************",
priority=True)
# create the rule and update the WACLs
# --dryrun is handled directly in the functions
rule_created = False
for instance_id, wacl_id in script.instances_to_wacls.items():
if not rule_created:
script.create_wacl_rule() # idempotent
rule_created = True
script.update_wacl(wacl_id)
if script.args.create_match:
script.connect()
if script.args.dryrun:
script._log(
"***********************************************************************",
priority=True)
script._log("* DRY RUN ENABLED. NO CHANGES WILL BE MADE",
priority=True)
script._log(
"***********************************************************************",
priority=True)
# create the recommend XSS match condition
script.create_match_condition()
if script.args.map_to_wacl:
script.connect()
script.get_waf_support_structures()
script.map_instances_to_wacls()
script.print_instances_to_wacls_map()
if script.args.create_rule and not script.args.list:
script._log(
"The --create-rule switch must be used with the -l/--list switch",
priority=True)
script.clean_up()
