Tuesday, January 4, 2011

Auditing Access Control Lists

During assessments NWN regularly reviews the configurations of many different types of systems and devices, ranging from firewalls, routers and switches to servers. Many of these devices, particularly routers, switches and firewalls, have Access Control Lists or ACLs that provide critical security controls. Unfortunately, the process of auditing these ACLs can sometimes be very time consuming. Until now there has not been an open source or free tool to assist with this type of auditing. Fortunately, a member of the NWN STAR team, Cody Dumont, has created a tool: the ACL2CSV parser.

ACL2CSV parser is a PERL script, which reads Cisco router, switch, and firewall (PIX and ASA) configuration files that have been exported from the device in flat text format. It parses the ACLs and object groups (PIX and ASA only) and generates an easy to understand CSV file. This file can then be opened in Microsoft Excel or other spreadsheet software for easy viewing or additional analysis. The ACL2CSV tool expands all object groups and places them into the correct location as if the ACL did not use object groups. The object group expansion works for all object group types. The ACL2CSV parser is extremely fast and easy to use.

For instructions on the use of ACL2CSV, visit Cody’s personal blog at http://www.melcara.com and select the link for Cisco ACL2CSV parser. If PERL is not installed on your system, you will need to install it. PERL can be found at http://www.activestate.com or http://www.perl.com. Once PERL is installed no additional modules are needed. The script assumes PERL is installed at “/usr/bin/perl”, and only uses the “strict” and “Getopt::Std” modules. After the script is copied into a folder found in your system path, you should also modify the permissions to allow the script to be executable. On a Unix, Linux or Mac computer, this can be accomplished via the chmod command.

Once the script is copied into place and made executable, you can run it. The script requires a file name as an argument, so if you simply type ./acl2csv.pl you will receive the following message:

The command requires a File Name as a command line argument
acl2csv.pl c:\old_pix_config.txt

To check the version, add “-v” or “v” as the command line argument:
ACL Parser for Cisco IOS, PIX & ASA
DEVELOPED AND OWNED BY Cody Dumont - NWN Security Testing Assessment and Response (STAR)
Licensed to Planet Earth.
I used some code for another tool of this type from James Bly AT mangeek.com
http://mangeek.com/portfolio/pixparser.html
Also Anthony contributed by doing some testing and verification
Version Number 0.04 - Dec 2010
"For Questions Please Contact Cody Dumont - CDumont@nwnit.com "


To run the script, use the following command:
/foo/bar/acl2csv.pl fw_config.txt


Once the script is finished, a completion message will be displayed. There should be no other messages. In the event you receive a PERL array or HASH error message, this means that Cody did not do enough testing. If you get such an error, follow the PERL debugging steps or contact Cody at CDumont@nwnit.com and he’ll be happy to fix the error.
The output of the script will look something like the following.

NAME,LINE,TYPE,FUNCTION,PROTOCOL,SOURCE NET,SOURCE_PORT,DEST NET,DEST PORT,TIME,INACTIVE,LOG,REMARK,ORIGINAL
test441,1,extended,permit,tcp,any,,any,eq 44 ,,,,,access-list test441 extended permit tcp any any eq 44
test442,1,extended,permit,tcp,any,eq 44,any,eq 44 ,,,,,access-list test442 extended permit tcp any eq 44 any eq 44
test443,1,extended,permit,tcp,any,eq 44,any, ,,,,,access-list test443 extended permit tcp any eq 44 any

The definitions of each field are listed below.
NAME – The name of the ACL
LINE – The line in sequential order of the ACL. Please note if the ACL uses Object-Groups, then each expanded Object-Group entry will have the same index number. The idea is to provide the user with the same output as the “show access-lists” command. Please note “REMARK” ACL entries are not counted in this line numbering.
TYPE – This is the TYPE of ACL; the options are standard, extended and webtype.
FUNCTION – The “permit” or “deny” entry.
PROTOCOL – The Layer 3 protocol controlled by the ACL entry.
SOURCE NET – The source network and subnet mask. If the entry is a host, then “host” will be displayed. However, if “255.255.255.255” is found in the ACL entry, then “255.255.255.255” will be displayed. The script does not check the validity of the mask, and the assumption is that the configuration is direct output from “show running-configuration” or “show startup-configuration”.
SOURCE_PORT – If a source port is defined, then the source port is displayed. If no source port is defined this field will be empty.
DEST NET – Same as the SOURCE NET, but the destination section of the ACL entry is displayed.
DEST PORT – Same as the SOURCE_PORT field, but the destination section of the ACL entry is displayed.
TIME – ACLs can be time sensitive using the “time-range” command. If a time-range is defined, the name of the “time-range” is displayed, however the details of the “time-range” are not displayed. This might be added in a future release.
INACTIVE – If an ACL entry is listed as “INACTIVE”, the entry is left in the configuration, but is not an active rule. Other parsing tools often ignore this, but if “YES” is found in this field then the ACL entry is not an active rule. If the field is empty then the ACL entry is an active rule.
LOG – If log settings are configured, the settings are displayed in this cell. Two examples are “interval 5” and “notifications”.
REMARK – The “REMARK” section is a little harder to deal with. The configuration files currently put the “REMARK” in an ACL entry just above the ACL entry the “REMARK” is connected to. So in the parsing of the ACL, the script will check to see if the preceding entry was a remark; if so, this field will be filled with the “REMARK” statement. However, some ACLs might have more than one line as a remark, and the script will not detect this case. The script will only detect a “REMARK” in the immediately preceding line.
ORIGINAL – The original ACL entry unmodified. The “REMARK” ACL entries are not displayed.
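As an added illustration of the row layout defined above (not the ACL2CSV script itself, which is Perl), the following Python sketch applies the same rules to extended ASA access-list lines: one row per entry, a line index that remarks do not advance, only the immediately preceding remark attached, INACTIVE set to YES, and log settings captured. Object-group expansion and the standard and webtype ACL types are left out, and the configuration lines are constructed for this example.

```python
FIELDS = ["NAME", "LINE", "TYPE", "FUNCTION", "PROTOCOL", "SOURCE NET", "SOURCE_PORT",
          "DEST NET", "DEST PORT", "TIME", "INACTIVE", "LOG", "REMARK", "ORIGINAL"]
PORT_OPS = ("eq", "gt", "lt", "neq", "range")

SAMPLE_CONFIG = """\
access-list outside_in remark Allow web to the DMZ host
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443 log interval 5
access-list outside_in extended permit udp 10.0.0.0 255.255.255.0 range 1024 65535 any eq 53
access-list outside_in extended deny ip any any time-range after_hours inactive
"""  # constructed sample, not a real device configuration

def _take_addr(tokens):  # 'any', 'host A', 'object-group G' or 'NET MASK'
    t = tokens.pop(0)
    return t if t == "any" else f"{t} {tokens.pop(0)}"

def _take_port(tokens):  # optional 'eq/gt/lt/neq N' or 'range A B'; '' if absent
    if not tokens or tokens[0] not in PORT_OPS:
        return ""
    op = tokens.pop(0)
    return op + " " + " ".join(tokens.pop(0) for _ in range(2 if op == "range" else 1))

def parse_acl(config_text):  # extended ACLs only; object groups are not expanded
    rows, count, remark = [], {}, ""
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        name = tok[1]
        if tok[2] == "remark":            # kept only for the entry immediately following it
            remark = " ".join(tok[3:])
            continue
        acl_type, func, proto, rest = tok[2], tok[3], tok[4], tok[5:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        time_range = inactive = log = ""
        while rest:                       # trailing options: log [settings], time-range N, inactive
            kw = rest.pop(0)
            if kw == "time-range":
                time_range = rest.pop(0)
            elif kw == "inactive":
                inactive = "YES"
            elif kw == "log":             # log settings run until the next keyword
                stop = next((i for i, t in enumerate(rest) if t in ("time-range", "inactive")),
                            len(rest))
                log, rest = " ".join(rest[:stop]) or "log", rest[stop:]
        count[name] = count.get(name, 0) + 1   # remarks do not advance the line index
        rows.append(dict(zip(FIELDS, [name, count[name], acl_type, func, proto, src, sport, dst,
                                      dport, time_range, inactive, log, remark, line.strip()])))
        remark = ""
    return rows
```

Writing the returned rows out with csv.DictWriter using FIELDS as the header reproduces the column order shown in the sample output above.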

When the script is finished, open the file using any spreadsheet application. Then you can create filters, freeze panes, etc. You could also import the newly created ACL file into a database.
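One way to go beyond spreadsheet filters, added here as an example and not part of the tool: a short Python pass over rows in the column layout above that flags the entries an auditor usually wants to see first (permits from any to any with no port restriction, inactive entries still sitting in the configuration, and entries with no remark explaining their purpose). The CSV rows are constructed for this example.

```python
import csv
import io

# Constructed rows in the ACL2CSV column layout; not output from a real device.
SAMPLE_CSV = """\
NAME,LINE,TYPE,FUNCTION,PROTOCOL,SOURCE NET,SOURCE_PORT,DEST NET,DEST PORT,TIME,INACTIVE,LOG,REMARK,ORIGINAL
outside_in,1,extended,permit,tcp,any,,host 192.0.2.10,eq 443,,,interval 5,Web to DMZ,access-list outside_in extended permit tcp any host 192.0.2.10 eq 443 log interval 5
outside_in,2,extended,permit,ip,any,,any,,,,,,access-list outside_in extended permit ip any any
outside_in,3,extended,deny,ip,any,,any,,,YES,,,access-list outside_in extended deny ip any any inactive
"""

def audit_rows(csv_text):
    """Return (rule_id, finding) pairs for entries that deserve a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = f"{row['NAME']}:{row['LINE']}"
        any_to_any = row["SOURCE NET"] == "any" and row["DEST NET"] == "any"
        # A permit with no source, destination or port restriction is the broadest possible rule.
        if row["FUNCTION"] == "permit" and any_to_any and not row["DEST PORT"].strip():
            findings.append((rule, f"permit {row['PROTOCOL']} any to any with no port restriction"))
        # INACTIVE entries are not enforced but stay in the config; confirm they are meant to be.
        if row["INACTIVE"] == "YES":
            findings.append((rule, "inactive entry left in the configuration"))
        # An entry with no REMARK has no documented purpose, which slows down every later review.
        if not row["REMARK"].strip():
            findings.append((rule, "no remark documenting the purpose of the entry"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit_rows(SAMPLE_CSV):
        print(rule, finding)
```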

This tool can save a network administrator, security professional or auditor a lot of time sorting through ACLs. We at NWN STAR hope the security community will find this tool useful and will enhance the overall security of your information system.
