def p_service_set_line_3_4(p):
    '''service_set_line : SET PROTOCOL TCP_UDP_SCTP'''
    # PLY action; the docstring above is the grammar production and must
    # stay exactly as written.
    # The combined "tcp-udp-sctp" keyword stands for three separate
    # protocol matches, so the service object under construction gets one
    # EQ predicate per protocol.
    target = object_dict[p_info['current_object']]
    for proto_name in ('tcp', 'udp', 'sctp'):
        target.append({'protocol': Operator('EQ', Protocol(proto_name))})
def fill_obj_dict_serv2(obj):
    # Register the service object `obj` under its name in the module-level
    # `nd` table as an EQ match on obj['protocol'].
    # Assumes `nd` is a plain dict (name -> list of match dicts); a missing
    # name gets a fresh list before the match is appended.
    key = obj['name']
    bucket = nd.setdefault(key, [])
    bucket.append({key: Operator('EQ', Protocol(obj['protocol']))})
def fill_obj_dict_serv3(obj):
    # Register the service object `obj` under its name in the module-level
    # `nd` table, using its (lower-cased) 'type' field as the IP protocol.
    # Assumes `nd` is a plain dict (name -> list of match dicts); a missing
    # name gets a fresh list before the match is appended.
    key = obj['name']
    bucket = nd.setdefault(key, [])
    bucket.append({key: Operator('EQ', Protocol(obj['type'].lower()))})
def toBDD(self, index):
    """Build the ROBDD for this operator applied to its operand(s).

    Parameters
    ----------
    index : int
        Variable index used for the ROBDD variables.

    Returns
    -------
    The computed ROBDD.

    Notes
    -----
    LT, GT and RANGE are expressed as a value range on the operand's own
    class: Protocol values are 8-bit, Port values 16-bit, and an Ip operand
    contributes ``ip & mask`` as its low bound and ``ip | ~mask`` as its
    high bound (32-bit).  NEQ negates the operand's BDD; EQ, any other
    operator, and operands of any other type delegate to ``v1.toBDD``.
    """
    operand = self.v1
    op = self.operator
    if op == 'NEQ':
        return negate_bdd(operand.toBDD(index))
    if op not in ('LT', 'GT', 'RANGE'):
        return operand.toBDD(index)

    # Pick the range builder and the bound extractors for the operand type.
    if isinstance(operand, Protocol):
        range2bdd, top = Protocol.range2bdd, 2**8 - 1
        low_of = high_of = lambda v: v.get_value()
    elif isinstance(operand, Ip):
        range2bdd, top = Ip.range2bdd, 2**32 - 1
        low_of = lambda v: v.ip & v.mask
        # '&' binds tighter than '|': ip | (~mask & 0xFFFFFFFF)
        high_of = lambda v: v.ip | ~v.mask & 0xFFFFFFFF
    elif isinstance(operand, Port):
        range2bdd, top = Port.range2bdd, 2**16 - 1
        low_of = high_of = lambda v: v.get_value()
    else:
        return operand.toBDD(index)

    if op == 'LT':
        return range2bdd(0, high_of(operand), index)
    if op == 'GT':
        return range2bdd(low_of(operand), top, index)
    # RANGE: low bound from v1, high bound from v2.
    return range2bdd(low_of(operand), high_of(self.v2), index)
def p_policy_set_line_10(p):
    '''policy_set_line : SET PERMIT_ANY_HOST WORD
                       | SET PERMIT_STUN_HOST WORD'''
    # PLY action; the docstring is the grammar production.
    # Only meaningful while parsing a policy block; when the trailing word
    # contains "enable" (case-insensitive) the current rule gets a UDP match.
    if get_state() != 'policy':
        return
    if re.search('enable', p[3], re.I):
        p_info['current_rule'].protocol.append(Operator('EQ', Protocol('udp')))
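def resolve(name, policy, src_dst=None, _ancestors=frozenset()):
    """Expand the named object into the match lists of ``policy``.

    ``name`` is looked up in ``object_dict`` (objects defined in the parsed
    configuration).  Unknown names fall back to the predefined Juniper
    service table; ICMP-like names ('ICMP' substring, 'Traceroute', 'PING')
    become an ICMP protocol match.  ``src_dst == 'src'`` routes address
    objects to ``ip_source``, anything else to ``ip_dest``.  The object's
    own name is recorded in the matching ``*_name`` list next to each value.

    ``_ancestors`` is internal: the set of object names currently being
    expanded.  A configuration whose object groups reference each other in a
    cycle previously recursed without bound; it is now rejected.

    Raises SyntaxError when the name is unknown or part of a reference cycle.
    """
    if name not in object_dict:
        if name in JuniperNetscreenPort.JuniperNetscreenPort:
            resolve_predefined_juniper(name, policy)
        elif 'ICMP' in name or name in ('Traceroute', 'PING'):
            policy.protocol.append(Operator('EQ', Protocol('icmp')))
            policy.protocol_name.append(name)
        else:
            print('Critical: %s not found in dictionary' % name)
            raise SyntaxError('%s not found in dictionary' % name)
        return

    if name in _ancestors:
        raise SyntaxError('object %s references itself (cycle)' % name)
    p_info['used_object'].add(name)
    ancestors = _ancestors | frozenset([name])

    for elem in object_dict[name]:
        for kind, value in elem.items():
            if kind == 'object':
                # Nested object reference: expand it with the same direction.
                resolve(value, policy, src_dst, ancestors)
            elif kind == 'address':
                if src_dst == 'src':
                    policy.ip_source.append(value)
                    policy.ip_source_name.append(name)
                else:
                    policy.ip_dest.append(value)
                    policy.ip_dest_name.append(name)
            elif kind == 'service':
                policy.protocol.append(value)
                policy.protocol_name.append(name)
            elif kind == 'src-port':
                policy.port_source.append(value)
                policy.port_source_name.append(name)
            elif kind == 'dst-port':
                policy.port_dest.append(value)
                policy.port_dest_name.append(name)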
def p_protocol_object_line(p):
    '''protocol_object_line : PROTOCOL_OBJECT item
                            | PROTOCOL_OBJECT TCP
                            | PROTOCOL_OBJECT UDP
                            | PROTOCOL_OBJECT ICMP
                            | PROTOCOL_OBJECT ICMP6'''
    # PLY action; the docstring is the grammar production.
    # "protocol-object X" inside an object-group adds one EQ protocol match
    # to the group currently being filled.
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol(p[2]))})
def p_service_set_line_3_1(p):
    '''service_set_line : SET PROTOCOL WORD'''
    # PLY action; the docstring is the grammar production.
    # "set protocol ftp|http" names an application rather than an IP
    # protocol, so it is stored as a destination-port match; any other word
    # is treated as a protocol name.  Matching is case-insensitive.
    word = p[3].lower()
    current = object_dict[p_info['current_object']]
    if word in ('ftp', 'http'):
        current.append({'port_dst': Operator('EQ', Port(word))})
    else:
        current.append({'protocol': Operator('EQ', Protocol(word))})
def p_service_plus_2(p):
    '''service_plus : PLUS protocol SRC_PORT NUMBER HYPHEN NUMBER DST_PORT NUMBER HYPHEN NUMBER'''
    # PLY action; the docstring is the grammar production.
    # "+ <proto> src-port A-B dst-port C-D": one protocol match and a
    # RANGE match for each port pair, appended to the object being built
    # (here p_info['current_object'] is the list itself).
    current = p_info['current_object']
    current.append({'service': Operator('EQ', Protocol(p[2]))})
    current.append({'src-port': Operator('RANGE', Port(p[4]), Port(p[6]))})
    current.append({'dst-port': Operator('RANGE', Port(p[8]), Port(p[10]))})
def try_resolve_service(name):
    # Best-effort mapping of a bare service token onto the current rule.
    # Returns True when `name` was recognised, False otherwise.
    # Resolution order: ICMP-like names, then a port/service name, then an
    # IP protocol name.  Port/Protocol lookups signal "unknown" with
    # socket.error.
    rule = p_info['current_rule']
    if re.search('icmp6', name, re.I) or re.search('ping', name, re.I):
        rule.protocol.append(Operator('EQ', Protocol('icmp')))
        return True
    try:
        rule.port_dest.append(Operator('EQ', Port(name)))
        # NOTE(review): a named port is always paired with TCP here, so a
        # UDP-only service name would be recorded as TCP - confirm intended.
        rule.protocol.append(Operator('EQ', Protocol('tcp')))
        return True
    except socket.error:
        pass
    try:
        rule.protocol.append(Operator('EQ', Protocol(name)))
        return True
    except socket.error:
        return False
def p_nat_rule_static1(p):
    '''nat_rule_line : STATIC LPAREN WORD COMA WORD RPAREN TCP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN UDP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN WORD IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
    '''
    # PLY action; the docstring is the grammar production.
    # static (<in_if>,<out_if>) <proto> <ip1> <port1> <ip2> <port2> netmask <mask>
    # The single netmask token applies to both addresses.  Positional
    # meaning of the Nat_Rule arguments is defined by Nat_Rule itself.
    firewall = p_info['firewall']
    in_iface = firewall.get_interface_by_name(p[3])
    out_iface = firewall.get_interface_by_name(p[5])
    mask = p[13]
    rule = Nat_Rule(
        None, None,
        [Protocol(p[7])],
        [Ip(p[8], mask)], [], [], [Port(int(p[9]))],
        [Ip(p[10], mask)], [Port(int(p[11]))],
        'static', [out_iface], [in_iface])
    firewall.nat_rule_list.append(rule)
def get_all_flows(self):
    # Build a Rule from every row of self.liststore.  Column layout as read
    # here: 0 identifier, 1 protocols, 2 source IPs, 3 source ports,
    # 4 destination IPs, 5 destination ports, 6 action ('deny'/'accept').
    # List-valued columns are comma-separated strings; an IP may carry a
    # "/prefix" which is converted to a dotted mask.
    # NOTE(review): the rule is never stored (the append at the end is
    # commented out), so this currently only exercises the parsing.
    def present(cell):
        # Only non-empty str cells are parsed; anything else is skipped.
        return isinstance(cell, str) and len(cell) != 0

    def ip_matches(cell):
        matches = []
        for token in cell.split(','):
            if '/' in token:
                addr, prefix = token.split('/', 1)
                mask = self.fromDec2Dotted(int(prefix))
            else:
                addr, mask = token, '255.255.255.255'
            matches.append(Operator('EQ', Ip(addr, mask)))
        return matches

    def port_matches(cell):
        return [Operator('EQ', Port(int(token))) for token in cell.split(',')]

    for flow in self.liststore:
        rule = Rule(None, None, [], [], [], [], [], Action(False))
        try:
            if present(flow[0]):
                rule.identifier = int(flow[0])
            if present(flow[1]):
                for proto in flow[1].split(','):
                    rule.protocol.append(Operator('EQ', Protocol(proto)))
            if present(flow[2]):
                rule.ip_source.extend(ip_matches(flow[2]))
            if present(flow[3]):
                rule.port_source.extend(port_matches(flow[3]))
            if present(flow[4]):
                rule.ip_dest.extend(ip_matches(flow[4]))
            if present(flow[5]):
                rule.port_dest.extend(port_matches(flow[5]))
            if flow[6] == 'deny':
                rule.action = Action(False)
            elif flow[6] == 'accept':
                rule.action = Action(True)
        except KeyError:
            # NOTE(review): int()/Ip() failures raise ValueError or socket
            # errors, not KeyError, so this handler rarely fires - confirm.
            print('error')
        # self.flows.append(rule)
def finish_serv(s):
    # Expand the named service object `s` into protocol and destination-port
    # matches on the rule being built.  Group services are expanded one
    # level: members are resolved, nested groups are not followed.
    ip_proto_types = {
        'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP', 'icmp', 'Icmp',
        'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf', 'OSPF', 'Ospf',
    }
    rule = p_info['current_rule']

    def add_proto(obj):
        rule.protocol.append(Operator('EQ', Protocol(obj['type'].lower())))

    svc = resolve(s)
    svc_type = svc['type']
    if svc_type in ip_proto_types:
        add_proto(svc)
        if 'port' in svc:
            rule.port_dest.append(Operator('EQ', Port(svc['port'])))
        elif 'portL' in svc:
            # 'infinite' upper bound: everything from portL upwards.
            if svc['portR'] == 'infinite':
                rule.port_dest.append(Operator('GT', Port(svc['portL'])))
            else:
                rule.port_dest.append(
                    Operator('RANGE', Port(svc['portL']), Port(svc['portR'])))
    elif svc_type in {'group', 'Group'}:
        for member_name in svc['members']:
            member = resolve(member_name)
            if member['type'] in ip_proto_types:
                add_proto(member)
                if 'port' in member:
                    rule.port_dest.append(Operator('EQ', Port(member['port'])))
                elif 'portL' in member:
                    # NOTE(review): unlike the top-level case, an 'infinite'
                    # portR is not special-cased for group members.
                    rule.port_dest.append(
                        Operator('RANGE', Port(member['portL']), Port(member['portR'])))
    elif svc_type in {'other', 'Other'}:
        rule.protocol.append(Operator('EQ', Protocol(svc['protocol'])))
    elif svc_type in {'Rpc', 'rpc'}:
        rule.port_dest.append(Operator('EQ', Port(svc['port'])))
def get_rule_from_iptable_line(self, rule_line):
    """
    Build a Rule from one tokenised iptables listing line.

    Token positions as read here: 0 target ("DROP" => deny, anything else
    => accept), 1 protocol ("all" => no protocol match), 3 source and
    4 destination ("anywhere" => unconstrained, "addr/prefix" => masked),
    and optionally 6 an "spt:"/"dpt:" port token, or a "multiport dports
    a,b,c" group anywhere in the line.  A line matching none of the port
    forms is echoed to stdout and gets no port match.
    Still needs work to cover every iptables output form.
    """
    def ip_match(token):
        if token == "anywhere":
            return []
        if "/" not in token:
            return [Operator("EQ", Ip(token))]
        parts = token.split('/')
        return [Operator('EQ', Ip(parts[0], fromDec2Dotted(int(parts[1]))))]

    action = Action(rule_line[0] != "DROP")
    ip_source = ip_match(rule_line[3])
    ip_dest = ip_match(rule_line[4])
    port_source = []
    port_dest = []
    if rule_line[1] == "all":
        protocol = []
    else:
        protocol = [Operator("EQ", Protocol(rule_line[1]))]

    if len(rule_line) >= 7:
        port_token = rule_line[6]
        if "spt" in port_token:
            # NOTE(review): [4:-1] skips the "spt:" prefix and also drops
            # the last character; confirm the tokenizer leaves a trailing
            # character, otherwise [4:] is what is wanted.
            port_source.append(Operator("EQ", Port(port_token[4:-1])))
        elif "dpt" in port_token:
            port_dest.append(Operator("EQ", Port(port_token[4:-1])))
        elif "multiport" in rule_line:
            idx = rule_line.index("multiport")
            if rule_line[idx + 1] == "dports":
                for dport in rule_line[idx + 2].split(","):
                    port_dest.append(Operator("EQ", Port(dport)))
        else:
            # Unhandled form: echo the line (leading space per token, as
            # the original did) so it can be spotted in the output.
            print("".join(" " + token for token in rule_line))

    return Rule(0, "", protocol, ip_source, port_source, ip_dest, port_dest, action)
def fill_service(app, protocols, _protocols, _dest_ports, dest_ports):
    # Look up application `app` in the module-level `services` table and
    # extend the caller's lists in place: `protocols` (protocol names, kept
    # unique) and `_protocols` (EQ matches) for its protocol; `_dest_ports`
    # for a single 'port' (EQ) or an 'lport'/'rport' pair (RANGE).
    # Every entry named `app` is considered, not only the first.
    # `dest_ports` is accepted but not used here.
    for service in services:
        if service['name'] != app:
            continue
        if 'protocol' in service:
            proto = service['protocol']
            if proto not in protocols:
                protocols.append(proto)
                _protocols.append(Operator('EQ', Protocol(proto)))
        if 'port' in service:
            _dest_ports.append(Operator('EQ', Port(int(service['port']))))
        if 'lport' in service and 'rport' in service:
            _dest_ports.append(Operator(
                'RANGE', Port(int(service['lport'])), Port(int(service['rport']))))
def export_rules(fw, out_dir):
    # Write one ';'-separated CSV per ACL (out_dir/rules_<acl name>, opened
    # in append mode) with one row per (protocol, destination port) pair of
    # each rule.  An ACL without rules gets a single "NO RULES" row.
    # NOTE(review): the file name is built from acl.name verbatim; a name
    # containing a path separator would be written outside out_dir -
    # confirm names are validated when the configuration is parsed.
    def op_to_string(operators):
        # Render a list of match operators; an empty list means "ANY".
        joined = ", ".join([op.to_string() for op in operators])
        return joined if joined else "ANY"

    for acl in fw.acl:
        path = out_dir + "/rules_" + acl.name
        with open(path, 'ab+') as csvfile:
            writer = csv.writer(csvfile, delimiter=';', quotechar='|',
                                quoting=csv.QUOTE_MINIMAL)
            if not acl.rules:
                writer.writerow(["NO RULES"])
                continue
            for rule in acl.rules:
                # Sets drop duplicate protocol / port renderings; row order
                # follows set iteration order, as before.
                if rule.protocol:
                    protocols = set()
                    for op_proto in rule.protocol:
                        for proto in op_proto.get_services():
                            protocols.add(Protocol(proto).to_string())
                else:
                    protocols = {"IP"}
                if rule.port_dest:
                    dest_ports = set(op.to_string() for op in rule.port_dest)
                else:
                    dest_ports = {"ANY"}
                for proto in protocols:
                    for port_dst in dest_ports:
                        writer.writerow([
                            rule.identifier,
                            rule.name,
                            proto,
                            op_to_string(rule.ip_source),
                            op_to_string(rule.port_source),
                            op_to_string(rule.ip_dest),
                            port_dst,
                            "permit" if rule.action else "deny",
                        ])
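def resolve_predefined_juniper(name, policy):
    """Append the matches of a predefined Juniper/Netscreen service to ``policy``.

    Each entry of ``JuniperNetscreenPort.JuniperNetscreenPort[name]`` is a
    ``(kind, value)`` pair.  ``('protocol', proto)`` adds a protocol match;
    any other kind adds a port match on ``port_source`` when kind is
    ``'src'``, otherwise on ``port_dest``.  ``value`` is a ``"low-high"``
    string (RANGE), a list of ports (one EQ each) or a single port (EQ).
    The service name is recorded next to each match in the matching
    ``*_name`` list.
    """
    for kind, value in JuniperNetscreenPort.JuniperNetscreenPort[name]:
        if kind == 'protocol':
            policy.protocol.append(Operator('EQ', Protocol(value)))
            policy.protocol_name.append(name)
            continue
        if kind == 'src':
            ports, port_names = policy.port_source, policy.port_source_name
        else:
            ports, port_names = policy.port_dest, policy.port_dest_name
        port_names.append(name)
        # The three value shapes are mutually exclusive.  The original used
        # two independent `if`s, so a "low-high" string also reached the
        # final `else` and produced a bogus Port("low-high").
        if isinstance(value, str):
            bounds = value.split('-')
            ports.append(Operator('RANGE', Port(bounds[0]), Port(bounds[1])))
        elif isinstance(value, list):
            for port in value:
                ports.append(Operator('EQ', Port(port)))
        else:
            ports.append(Operator('EQ', Port(value)))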
def p_service_set_line_3_2(p):
    '''service_set_line : SET PROTOCOL_NUMBER NUMBER'''
    # PLY action; the docstring is the grammar production.
    # "set protocol-number N": numeric IP protocol match on the service
    # object under construction.
    current = object_dict[p_info['current_object']]
    current.append({'protocol': Operator('EQ', Protocol(p[3]))})
def p_protocol_1(p):
    '''protocol : PROTOCOL item'''
    # PLY action; the docstring is the grammar production.
    # Positive protocol match on the current rule; `item` goes through
    # get_value() to obtain the token's value.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol(get_value(p[2]))))
def p_protocol_2(p):
    '''protocol : BANG PROTOCOL item'''
    # PLY action; the docstring is the grammar production.
    # Negated form ("! protocol X"): NEQ protocol match on the current rule.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('NEQ', Protocol(get_value(p[3]))))
def p_protocol_1(p):
    '''protocol : item'''
    # PLY action; the docstring is the grammar production.
    # A bare item in protocol position is an EQ protocol match on the
    # current rule.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol(p[1])))
def p_tcp_udp_2(p):
    '''tcp_udp : UDP'''
    # PLY action; the docstring is the grammar production.
    # UDP keyword: add the protocol match and pass the token up as the
    # value of the tcp_udp non-terminal.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol('udp')))
    p[0] = p[1]
def p_rule_3(p):
    '''rule : action ICMP user_arg security_arg address_source security_arg address_dest icmp_arg log access_option'''
    # PLY action; the docstring is the grammar production.
    # ICMP form of an access rule: the sub-rules fill in the other fields;
    # this action only records the ICMP protocol match.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol('icmp')))
def p_service_object_line_4(p):
    '''service_object_line : SERVICE_OBJECT ICMP6 optitem'''
    # PLY action; the docstring is the grammar production.
    # "service-object icmp6 [...]": protocol match on the group being filled;
    # the optional item is not used here.
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol(p[2]))})
def p_service_object_line_2(p):
    '''service_object_line : SERVICE_OBJECT object_tcp_udp opt_service'''
    # PLY action; the docstring is the grammar production.
    # "service-object tcp|udp [...]": protocol match first, then whatever
    # match dicts the opt_service sub-rule produced (p[3] is a list).
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol(p[2]))})
    for entry in p[3]:
        group.append(entry)
def p_icmp_object_line(p):
    '''icmp_object_line : ICMP_OBJECT item'''
    # PLY action; the docstring is the grammar production.
    # "icmp-object X": always an ICMP protocol match on the group being
    # filled; the ICMP type/item itself is not recorded.
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol('icmp'))})
def p_service_set_line_6(p):
    '''service_set_line : SET UDP_PORTRANGE port_services'''
    # PLY action; the docstring is the grammar production.
    # "set udp-portrange ...": UDP protocol match on the service object
    # under construction; the port range itself comes from the sub-rule.
    # Spelled 'UDP' (upper case) here, unlike the other actions - kept as is.
    current = object_dict[p_info['current_object']]
    current.append({'protocol': Operator('EQ', Protocol('UDP'))})
def p_service_line_3(p):
    '''service_line : SERVICE ICMP optitem'''
    # PLY action; the docstring is the grammar production.
    # "service icmp [...]": protocol match on the named object; the optional
    # item is not used here.
    target = object_dict[p_info['object_name']]
    target.append({'protocol': Operator('EQ', Protocol(p[2]))})
def p_protocol_line(p):
    '''protocol_line : PROTOCOL COLON WORD'''
    # PLY action; the docstring is the grammar production.
    # "protocol: X": EQ protocol match on the current rule.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol(p[3])))
def p_object_group_line_2(p):
    '''object_group_line : OBJECT_GROUP SERVICE item object_opt_tcp_udp'''
    # PLY action; the docstring is the grammar production.
    # "object-group service NAME [tcp|udp|tcp-udp]": start a new group (any
    # earlier group with the same name is replaced), make it the current
    # target for the following object lines, and seed it with a protocol
    # match when a protocol was given.
    group_name = p[3]
    entries = []
    object_dict[group_name] = entries
    p_info['object_group_name'] = group_name
    if p[4]:
        entries.append({'protocol': Operator('EQ', Protocol(p[4]))})