Download Latest Version
All Threee Tools, Example Commands and README files (156.1 kB)
Get an email when there's a new version of Build FW1 Cisco Netscreen PolicyFromLogs
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| wooterwoot | 2011-02-24 | ||
| 360AnalyticsLtd-WooterWoot.zip | 2011-04-19 | 156.1 kB | |
| choot_readme.rtf | 2011-04-19 | 4.9 kB | |
| choot | 2011-04-19 | 8.2 kB | |
| nwoot_readme.rtf | 2011-04-19 | 5.0 kB | |
| nwoot | 2011-04-19 | 7.6 kB | |
| woot_readme.rtf | 2011-04-19 | 9.1 kB | |
| woot | 2011-04-19 | 5.1 kB | |
| woot.v1.1.pl | 2011-04-19 | 5.1 kB | |
| woot.v1.pl | 2011-04-19 | 4.8 kB | |
| Totals: 10 Items | 205.9 kB | 0 |
{\rtf1\mac\ansicpg10000\cocoartf824\cocoasubrtf480
{\fonttbl\f0\fswiss\fcharset77 Helvetica;\f1\fmodern\fcharset77 CourierNewPS-BoldMT;\f2\fmodern\fcharset77 CourierNewPSMT;
\f3\fmodern\fcharset77 CourierNewPS-ItalicMT;}
{\colortbl;\red255\green255\blue255;}
\paperw11904\paperh16836\margl1440\margr1440\vieww23900\viewh17080\viewkind0
\pard\tx566\tx1133\tx1700\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\ql\qnatural\pardirnatural
\f0\fs24 \cf0 cHoot Readme v1 by Dan Martin 2010, 360 Analytics Limited, http://www.360analytics.co.uk, dan at 360 analytics dot co dot uk\
\
cHoot is a simple perl script that converts logexported TCP, UDP and ICMP connection permit log entries into host and service objects and then writes rules with multiple objects that can be cut and pasted into the firewall.... however, to look at these rules are a bit complicated so you can print to the terminal in CSV format to cut and paste into a .csv file and open in a spreadsheet app to view the rules proposed by choot more easily.\
\
Its VERY easy to use. EASIER than woot even!! ;-)\
\
It has two (optional) filters that can be used to filter any part of the log entry such as ip or port (needs \\/ before to match) or time or date. \
\
\
Its command structure is:\
\f1\b choot <Logexport file> <MODE> [<policy name if DBEDIT mode>] [<filter string 1>] [<filter string 2>]
\f0\b0 \
...the filters are optional\
\
\
Its modes are:\
\
\f1\b DEBUG
\f0\b0 \
This mode prints the source int, source ip, destination int, destination ip and destination port. \
Its handy if you want to be able to do grep | sort -u | wc -l sort of stuff on individual syslog entries without the time/date/sourceport/etc getting in the way.\
\
\f1\b DBEDIT
\f0\b0 \
This mode builds rules for each type of connection seen that matched the filters (if any were used). It then prints
\f2 DBEDIT
\f0 statements for the unknown hosts from the log (hosts that were not named) that are used in the rules, and statements for TCP, UDP, and ICMP services seen. It then prints the rules numbering +1 each rule. The rules group together hosts that all did exactly the same thing. They are printed in
\f2 DBEDIT
\f0 format.\
\
\f1\b CSV
\f0\b0 \
- this mode does exactly the same as the ZONE mode but prints to the terminal in CSV format. Its useful to see the rules you are making in a more user friendly way.\
\
\
an example:\
\
Step 1\
======================================================================================\
Export the log from your logserver with name resolution on (of off if you want to create a bunch of hosts called "Host_ipaddress". \
I've called mine
\f2 superfly.log
\f0 ... why not?\
Run:\
\f1\b fwm logexport -i superfly.log
\f3\i\b0 ...I think? ...maybe need some other bits to ;-)
\f0\i0 \
\
Step 2\
======================================================================================\
Run:\
\f1\b ./choot superfly.log DBEDIT AntHouse 1.2.3
\f2\b0 \
\
\
!!CHOOT!! Checkpoint FW-1 Policies built while on the bog!!\
\
...................................\
Mode or ACL Name: DBEDIT\
\
Policy to be created:\
WOOT\
\
Search Strings Used:\
10.0.0\
\
Pulling Logs\
...................................\
192284 log entries processed\
\
Objects needed to build the rules for traffic seen in the logs\
........................................................\
create host_plain Host_10.0.0.227\
modify network_objects Host_10.0.0.227 ipaddr 10.0.0.227\
update network_objects Host_10.0.0.227\
create host_plain Host_10.0.0.10\
modify network_objects Host_10.0.0.10 ipaddr 10.0.0.10\
update network_objects Host_10.0.0.10\
create udp_service udp_1798\
modify services udp_1798 protocol udp\
modify services udp_1798 port 1798\
modify services udp_1798 include_in_any true\
update services udp_1798\
create udp_service udp_43777\
modify services udp_43777 protocol udp\
modify services udp_43777 port 43777\
modify services udp_43777 include_in_any true\
update services udp_43777\
\
ACLs to permit the specified traffic from the logs:\
........................................................\
create policies_collection WOOT\
update policies_collections WOOT\
create firewall_policy ##WOOT\
modify fw_policies ##WOOT collection policies_collections:WOOT\
update fw_policies ##WOOT\
addelement fw_policies ##WOOT rule:1:src:'' network_objects:Host_10.0.0.121\
addelement fw_policies ##WOOT rule:1:dst:'' network_objects:Host_10.0.0.230\
addelement fw_policies ##WOOT rule:1:services:'' services:ftp\
update fw_policies ##WOOT\
addelement fw_policies ##WOOT rule:2:src:'' network_objects:Host_10.0.0.6\
addelement fw_policies ##WOOT rule:2:dst:'' network_objects:Host_10.0.0.181\
addelement fw_policies ##WOOT rule:2:services:'' services:https\
addelement fw_policies ##WOOT rule:2:services:'' services:snmp\
update fw_policies ##WOOT\
\
}