OpenSnitch - GNU/Linux port of the Little Snitch application firewall

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Requirements
You'll need a GNU/Linux distribution with iptables, NFQUEUE and ftrace kernel support.

Install

sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5 python3-gi python3-dbus python3-pyinotify
cd opensnitch
sudo python3 setup.py install

Run

sudo -HE opensnitchd
opensnitch-qt

Known Issues / Future Improvements
Before opening an issue, keep in mind that the current implementation is just an experiment to see the doability of the project, future improvements of OpenSnitch will include:
Split the project into opensnitchd, opensnitch-ui and opensnitch-ruleman:

• opensnitchd will be a (C++ ? TBD) daemon, running as root with the main logic. It'll fix this.
• opensnitch-ui python (?) UI running as normal user, getting the daemon messages. Will fix this.
• opensnitch-ruleman python (?) UI for rule editing.

How Does It Work
OpenSnitch is an application level firewall, meaning then while running, it will detect and alert the user for every outgoing connection applications he's running are creating. This can be extremely effective to detect and block unwanted connections on your system that might be caused by a security breach, causing data exfiltration to be much harder for an attacker. In order to do that, OpenSnitch relies on NFQUEUE, an iptables target/extension which allows an userland software to intercept IP packets and either ALLOW or DROP them, once started it'll install the following iptables rules:

OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass

This will use conntrack iptables extension to pass all newly created connection packets to NFQUEUE number 0 (the one OpenSnitch is listening on), and then:

INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

This will also redirect DNS queries to OpenSnitch, allowing the software to perform and IP -> hostname resolution without performing active DNS queries itself.
Once a new connection is detected, the software relies on the ftrace kernel extension in order to track which PID (therefore which process) is creating the connection.
If ftrace is not available for your kernel, OpenSnitch will fallback using the /proc filesystem, even if this method will also work, it's vulnerable to application path manipulation as described in this issue, therefore it's highly suggested to run OpenSnitch on a ftrace enabled kernel.

Download OpenSnitch

Read More

DBShield - Database Firewall Written In Go

Protects your data by inspecting incoming queries from your application server and rejecting abnormal ones.

How it works?

For example, this is how web server normally interacts with database server:

By adding DBShield in front of database server we can protect it against abnormal queries. To detect abnormal queries we first run DBShield in learning mode. Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.

After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish abnormal query pattern, user and source and take action based on configurations.

Demo

For demo, we are using sqlmap(automatic SQL injection and database takeover tool) to exploit the SQL injection vulnerability at user.php

In the first scenario, the sqlmap successfully exploits the SQL injection when web application connected directly to the database(MySQL), In the second scenario, we modify the user.php so DBShield gets between the web application and database which will drop the injection attempt and make sqlmap fail.

Sample Outputs
CLI

$ go run main.go
2016/10/15 16:25:31 [INFO]  Config file: /etc/dbshield.yml
2016/10/15 16:25:31 [INFO]  Internal DB: /tmp/model/10.0.0.21_postgres.db
2016/10/15 16:25:31 [INFO]  Listening: 0.0.0.0:5000
2016/10/15 16:25:31 [INFO]  Backend: postgres (10.0.0.21:5432)
2016/10/15 16:25:31 [INFO]  Protect: true
2016/10/15 16:25:31 [INFO]  Web interface on https://127.0.0.1:8070/
2016/10/15 16:25:33 [INFO]  Connected from: 10.0.0.20:35910
2016/10/15 16:25:33 [INFO]  Connected to: 10.0.0.21:5432
2016/10/15 16:25:33 [INFO]  SSL connection
2016/10/15 16:25:34 [DEBUG] Client handshake done
2016/10/15 16:25:34 [DEBUG] Server handshake done
2016/10/15 16:25:34 [INFO]  User: postgres
2016/10/15 16:25:34 [INFO]  Database: test
2016/10/15 16:25:34 [INFO]  Query: SELECT * FROM stocks where id=-1 or 1=1
2016/10/15 16:25:34 [WARN]  Pattern not found: [53 55 51 52 55 52 50 53 55 51 53 49 115 116 111 99 107 115 53 55 51 53 50 105 100 54 49 52 53 53 55 51 55 57 53 55 52 48 52 53 55 51 55 57 54 49 53 55 51 55 57] (SELECT * FROM stocks where id=-1 or 1=1)
2016/10/15 16:25:34 [WARN]  Dropping connection

Web Interface

Installation
Get it

$ go get -u github.com/nim4/DBShield

Then you can see help using "-h" argument:

$ $GOPATH/bin/DBShield -h
DBShield 1.0.0-beta3
Usage of DBShield:
  -a get list of abnormal queries
  -c file
      config file (default "/etc/dbshield.yml")
  -h show help
  -k show parsed config and exit
  -l get list of captured patterns
  -version
      show version

and run it with your configuration, like:

$ $GOPATH/bin/DBShield -c config.yml

see sample configuration file

Supports:

Database	Protect	SSL
DB2
MariaDB
MySQL
Oracle
Postgres

Download DBShield

Read More

Stitch - Python Remote Administration Tool (RAT)

This is a cross platform python framework which allows you to build custom payloads for Windows, Mac OSX and Linux as well. You are able to select whether the payload binds to a specific IP and port, listens for a connection on a port, option to send an email of system info when the system boots, and option to start keylogger on boot. Payloads created can only run on the OS that they were created on.

Features

Cross Platform Support

• Command and file auto-completion
• Antivirus detection
• Able to turn off/on display monitors
• Hide/unhide files and directories
• View/edit the hosts file
• View all the systems environment variables
• Keylogger with options to view status, start, stop and dump the logs onto your host system
• View the location and other information of the target machine
• Execute custom python scripts which return whatever you print to screen
• Screenshots
• Virtual machine detection
• Download/Upload files to and from the target system
• Attempt to dump the systems password hashes
• Payloads' properties are "disguised" as other known programs

Windows Specific

• Display a user/password dialog box to obtain user password
• Dump passwords saved via Chrome
• Clear the System, Security, and Application logs
• Enable/Disable services such as RDP,UAC, and Windows Defender
• Edit the accessed, created, and modified properties of files
• Create a custom popup box
• View connected webcam and take snapshots
• View past connected wifi connections along with their passwords
• View information about drives connected
• View summary of registry values such as DEP

Mac OSX Specific

• Display a user/password dialog box to obtain user password
• Change the login text at the user's login screen
• Webcam snapshots

Mac OSX/Linux Specific

• SSH from the target machine into another host
• Run sudo commands
• Attempt to bruteforce the user's password using the passwords list found in Tools/
• Webcam snapshots? (untested on Linux)

Implemented Transports
All communication between the host and target is AES encrypted. Every Stitch program generates an AES key which is then put into all payloads. To access a payload the AES keys must match. To connect from a different system running Stitch you must add the key by using the showkey command from the original system and the addkey command on the new system.

Implemented Payload Installers
The "stitchgen" command gives the user the option to create NSIS installers on Windows and Makeself installers on posix machines. For Windows, the installer packages the payload and an elevation exe ,which prevents the firewall prompt and adds persistence, and places the payload on the system. For Mac OSX and Linux, the installer places the payload and attempts to add persistence. To create NSIS installers you must download and install NSIS.

Wiki

• Crash Course of Stitch

Requirements

• Python 2.7

For easy installation run the following command that corresponds to your OS:

# for Windows
pip install -r win_requirements.txt

# for Mac OSX
pip install -r osx_requirements.txt

# for Linux
pip install -r lnx_requirements.txt

• Pycrypto
• Requests
• Colorama
• PIL

Windows Specific

• Py2exe
• pywin32

Mac OSX Specific

• PyObjC

Mac OSX/Linux Specific

• PyInstaller
• pexpect

To Run

python main.py
or
./main.py

Motivation
My motivation behind this was to advance my knowledge of python, hacking, and just to see what I could accomplish. Was somewhat discouraged and almost abandoned this project when I found the amazing work done by n1nj4sec , but still decided to put this up since I had already come so far.

Other open-source Python RATs for Reference

• vesche/basicRAT
• n1nj4sec/pupy

Screenshots

Download Stitch

Read More

Isowall - A mini-firewall that completely isolates a target device from the local network

This is a mini-firewall that completely isolates a target device from the local network. This is for allowing infected machines Internet access, but without endangering the local network.

Building

This project depends upon libpcap, and of course a C compiler.

On Debian, the following should work:

# apt-get install git gcc make libpcap-dev
# git clone https://github.com/robertdavidgraham/isowall
# cd isowall
# make

This will put the binary isowall in the local isowall/bin directory.

This should also work on Windows, Mac OS X, xBSD, and pretty much any operating system that supports libpcap.

Running

First, setup a machine with three network interfaces.

The first network interface (like eth0) will be configured as normal, with a TCP/IP stack, so that you can SSH to it.

The other two network interfaces should have no TCP/IP stack, no IP address, no anything. This is the most important configuration step, and the most common thing you'll get wrong. For example, the DHCP software on the box may be configured to automatically send out DHCP requests on these additional interfaces. You have to go fix that so nothing is bound to these interfaces.

To run, simply type:

# ./bin/isowall --internal eth1 --external eth2 -c xxxx.conf

where xxxx.conf contains your configuration, which is described below.

Configuration

The following shows a typical configuration file.

internal = eth1
internal.target.ip = 10.0.0.129
internal.target.mac = 02:60:8c:37:87:f3

external = eth2
external.router.ip = 10.0.0.1
external.router.mac = 66:55:44:33:22:11

allow = 0.0.0.0/0
block = 192.168.0.0/16
block = 10.0.0.0/8
block = 224.0.0.0-255.255.255.255

The target device we are isolating has the indicated IP and MAC address.

Only IPv4 and ARP packets are passed.

Outbound packets must have the following conditions:

• source MAC address equal to internal.target.mac
• destination MAC address equal to external.router.mac
• EtherType of 0x800 or 0x806
• source IPv4 address equal to internal.target.ip
• destination IPv4 address within an allow range, but not in a block range
• if an ARP packet, then the destination IPv4 address must equal that external.router.ip
• if an ARP packet, must be a "request"

Inbound packets must have the following conditions:

• destination MAC address equal to internal.target.mac
• source MAC address equal to external.router.mac
• EtherType of 0x800 or 0x806
• destination IPv4 address equal to internal.target.ip
• source IPv4 address within an allow range, but not in a block range
• if an ARP packet, then the source IPv4 address must equal that external.router.ip
• if an ARP packet, then must be a "reply"

Download Isowall

Read More

Webfwlog 1.01 - Web-Based Firewall Log Analysis and Reporting

Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP®. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP®. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of ulogd database schemas are supported.

Webfwlog fully supports IPv6 for database logs, and netfilter and ipfilter system logs.

With Webfwlog you can design reports to use on your logged data in whatever configuration you desire. Included are example reports as a starting point. You can sort a report with a single click, "drill-down" on the reports all the way to the packet level, and save your reports for later use. You can also create a link directly to any saved report.

PREREQUISITES

- A web server with PHP >= 4.1

- Log files in standard netfilter, ipfilter, ipfw, ipchains or Windows XP® format

      or database logs populated with the ULOG or NFLOG target of netfilter,

      or other database logs mapped with a view to ulogd version 1 or 2 schemas

- A MySQL or PostgreSQL database server:

      - MySQL >= 3.23.52 or any production release of 4.x or 5.x

            - MySQL >= 5 required for IPv6

      - PostgreSQL >= 7.1

            - PostgreSQL >= 7.4 required for IPv6

- Your favorite web browser.

Windows XP® support provided via Cygwin.

Download Webfwlog 1.01

Read More

WAF-FLE v0.6.4 - OpenSource ModSecurity Console

WAF-FLE is a OpenSource ModSecurity Console, allows modsecurity admin to store, view and search events sent by sensors using a graphical dashboard to drill-down and find quickly the most relevant events. It is designed to be fast and flexible, while keeping a powerful and easy to use filter, with almost all fields clickable to use on filter.

The inicial resources required to run WAF-FLE are normaly low (check Deployment Guide in Documentation page). It is supported in virtual machines, and is supported in Linux and FreeBSD, but should run with other OS that support PHP and MySQL.

Features

• Central event console
• Support Modsecurity in “traditional” and “Anomaly Scoring”
• Brings mlog2waffle as a replacement to mlogc
• Receive events using mlog2waffle or mlogc
  • mlog2waffle: in real-time, following log tail, or batch scheduled in crontab
  • mlogc: in real-time, piped with ModSecurity log, in batch scheduled in crontab
• No sensor limit
• Drill down of events with filter
• Dashboard with recent events information
• Almost every event data and charts are “clickable” deepening the drill down filter
• Inverted filter (to filter for “all but this item”)
• Filter for network (in CIDR format, x.x.x.x/22)
• Original format (Raw) to event download
• Use Mysql as database
• Wizard to help configure log feed between ModSecurity sensors and WAF-FLE
• Open Source released under GPL v2

Changelog v0.6.4

• Support to rules and mod_security compiled by Atomic Turtle;
• Performance impact with high number of hostnames in database;
• Custom tag ID new number, to avoid conflict with already present tag;
• Better handling of “PCRE limits exceeded”;

Download WAF-FLE v0.6.4

Read More

ModSecurity v2.8.0 - Open Source Web Application Firewall

ModSecurity™is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure.

Changelog v2.8.0

Bug fix

• Build issue: Now using autotools to identify if sys/utsname.h is present.
• Changed configure.ac version to 2.8

Changelog v2.8.0-rc1:

New features

• JSON Parser is no longer under tests. Now it is part of our mainline.
• Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
• New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
• ModSecurity status is now part of our mainline.
• New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
• Append and prepend are now supported on nginx (Ref: #635);
• SecServerSignature is now available on nginx (Ref: #637);

Improvements 

• Regression tests are not able to expect different values according to the platform;
• Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior ModSecurity installation (Ref: #627);
• New script was added to the IIS versions to identify whenever there is a missing dependency (available through the Application Menu);
• Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620,#619);
• Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
• IIS installer is now using the correct 32/64bits folders to install;
• IIS Installer 32bits now refuses to install on 64bits environments;
• IIS: Using new WiX options to build the package in the correct architecture;
• While installing IIS version the installer will remove old ModSecurityIIS configuration or files before proceed with the installation, avoiding further errors;
• CRS from IIS version was upgraded to 2.2.9;
• IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
• ModSecurity now warns the user who tries to use “proxy” in IIS or Nginx. Proxy is Apache only;
• Remove warnings from the build process (Ref: #617);
• Apache configuration in regression tests was changed making it more platform independent;
• Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
• Regression tests were refactored to be more Nginx friendly;
• Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636);
  • Fixed config/00-load-modsec.t test case. Now it expects for Nginx loaded message as it does for Apache. (Ref: #643);
  • Fixed mixed/10-misc-directives.t. Now it does not expect for SecServerSignature on the logs, just in the headers as the Nginx does in silence;
  • Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
  • Increased the timeout while reading the auditlog;
  • SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
  • Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
  • Fixed regression tests scripts paths, to make it MacOS friendly;
  • Avoiding dead locks on Nginx regression tests by enforcing a timeout whenever a request appears to fail;
• Updates to fix errors found by Parfait static code analysis (Ref: #612);
• Cleaning up on the repository, by removing unused files;
• IIS installer now supports to perform the installation without register the DLL on the system. It means that the user can download our MSI installer as it was a tarball archive (Ref #629, #624);
• IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).

Bug fix

• Correctly handling inet_pton in IIS version;
• Nginx was missing a terminator while the charset string was mounted (Ref: #148);
• Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
• Added missing environment variables to regression tests;
• Build system is now more flexible by looking at liblua at: /usr/local/lib;
• Fixed typo in README file.
• Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
• Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
• Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
• Fixed UF8 to unicode conversion. Regression tests were also added(Ref: #672);
• Avoiding segmentation fault by checking if a structure is null before access its members;
• Removed double charset-header that used happen due a hardcoded charset in Nginx implementation (Ref: #650);
• Now alerting the users that there is no memory to proceed loading the configuration instead of just die;
• If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whenever ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645);
• Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equals or over 3. (Ref #634);
• IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityISS. (Ref#632).

Download ModSecurity v2.8.0

Read More

[WAF-FLE v0.6.3] Web application firewall: fast log and event console

WAF-FLE is a OpenSource Console for ModSecurity, it allow the modsec admin to view and search events sent by mlogc (modsecurity event log handler).

Features:

• Central event console
• Support Modsecurity in “traditional” and “Anomaly Scoring”
• Able to receive events sent from mlogc (in real time or in batch using mlogc-batch-load.pl)
• No sensor number limit
• Dashboard with recent events information
• Drill down of events with filter
• Every (almost) data is “clickable” to drill down the filter
• Inverted filter (to filter for “all but this item”)
• Filter for network (in CIDR format, x.x.x.x/22)
• Raw event download
• Use Mysql as database
• Open Source released under GPL v2

Download WAF-FLE v0.6.3

Read More

[dotDefender] Web Application Security

dotDefender is the market-leading software Web Application Firewall (WAF). dotDefender boasts enterprise-class security, advanced integration capabilities, easy maintenance and low total cost of ownership (TCO).

dotDefender is the perfect choice for protecting your web site and web applications today.

Robust Security for Any Web Application

dotDefender protects any web site or web service on your server, and continues to as you update, change, and expand your code. The dotDefender WAF reduces the costs of code scanning, and enables you to focus on business, not web application security. dotDefender can handle .NET Security issues.

PCI DSS Compliance

dotDefender helps you achieve Compliance with the Payment Card Industry Data Security Standard (PCI DSS Compliance).

Robust Security for Any Web Application

dotDefender protects any web site or web service on your server, and continues to as you update, change, and expand your code. The dotDefender WAF reduces the costs of code scanning, and enables you to focus on business, not web application security. dotDefender can handle .NET Security issues.

PCI DSS Compliance

dotDefender helps you achieve Compliance with the Payment Card Industry Data Security Standard (PCI DSS Compliance).

Why Application Security?

If you thought that network security and other "traditional security measures" were enough - think again. Web Application Firewalls deal with security attacks aimed squarely at your website, and these attacks are on the rise. Read more on Web Application Firewalls and the dotDefender security solution. Able to handle .NET Security issues.

Download dotDefender

Read More

[Tunna Framework] Tool designed to bypass firewall restrictions on remote webservers

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. The web application file must be uploaded on the remote server. It will be used to make a local connection with services running on the remote web server or any other server in the DMZ. The local application communicates with the webshell over the HTTP protocol. It also exposes a local port for the client application to connect to.

Since all external communication is done over HTTP it is possible to bypass the filtering rules and connect to any service behind the firewall using the webserver on the other end.

Tunna framework

Tunna framework comes witht he following functionality:

	Ruby client - proxy bind: Ruby client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
	Python client - proxy bind: Python client proxy to perform the tunnel to the remote web application and tunnel TCP traffic.
	Metasploit integration module, which allows transparent execution of metasploit payloads on the server
	ASP.NET remote script
	Java remote script
	PHP remote script

Download Tunna

Read More

[Sanewall 1.0.0] Making sense of firewalling

Sanewall is a firewall builder for Linux which uses an elegant language abstracted to just the right level. This makes it powerful as well as easy to use, audit, and understand. It allows you to create very readable configurations even for complex stateful firewalls.

Sanewall can be used for almost any firewall need, including:

• control of any number of internal/external/virtual interfaces
• control of any combination of routed traffic
• setting up DMZ routers and servers
• all kinds of NAT
• providing strong protection (flooding, spoofing, etc.)
• transparent caches
• source MAC verification
• blacklists, whitelists

The current experimental snapshotssupport IPv6. Sanewall abstracts the differences between IPv4 and IPv6, allowing you to define a common set of rules for both whilst permitting specific rules for each as you need.

Sanewall is a fork of FireHOL. The configuration language is identical, just see this FAQ for some variable name changes. For now the FireHOL website is still the best source of introductory information.

Sanewall is released under the GPLv2+open source licence.

Download Sanewall 1.0.0

Read More

[WAF-FLE] Web application firewall: fast log and event console

WAF-FLE is a OpenSource Console for ModSecurity, it allow the modsec admin to view and search events sent by mlogc (modsecurity event log handler).

Features:

• Central event console
• Support Modsecurity in “traditional” and “Anomaly Scoring”
• Able to receive events sent from mlogc (in real time or in batch using mlogc-batch-load.pl)
• No sensor number limit
• Dashboard with recent events information
• Drill down of events with filter
• Every (almost) data is “clickable” to drill down the filter
• Inverted filter (to filter for “all but this item”)
• Filter for network (in CIDR format, x.x.x.x/22)
• Raw event download
• Use Mysql as database
• Open Source released under GPL v2

Download WAF-FLE v0.6.0 (final)

Read More

[360-FAAR v0.4.1] Firewall Analysis Audit And Repair

360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA or ScreenOS commands, and its one file!

Changes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of specifying them on the command line. Added 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options and '.' chooses the default if available. The Netscreen output stage now uses a default zone if none are specified.

Read Policy and Logs for:

Checkpoint FW1 (in odumper.csv / logexport format),

Netscreen ScreenOS (in get config / syslog format),

Cisco ASA (show run / syslog format),

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virutalisation at the same time as removing unused connectivity.

360-FAAR supports, policy to log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically. Allowing you to seamlessly move rules to where you need them.

Download 360-FAAR Firewall Analysis Audit And Repair 0.4.1

Read More

[360-FAAR] Firewall Analysis Audit And Repair 0.3.6

360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA or ScreenOS commands, and its one file!

Read Policy and Logs for:

Checkpoint FW1 (in odumper.csv / logexport format),
Netscreen ScreenOS (in get config / syslog format),
Cisco ASA (show run / syslog format),

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virutalisation at the same time as removing unused connectivity.

360-FAAR supports, policy to log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically. Allowing you to seamlessly move rules to where you need them.

TRY: 'print' mode. One command, and spreadsheet for your audit needs!

Features

• WRITTEN IN SIMPLE Perl - NEEDS ONLY STANDARD MODULES - IS ONE FILE
• .
• Easy to Edit Menu Driven Text Interface
• Capable of manipulating tens of thousands of rules, objects and groups
• Handles infinitely deep groups
• Capable of CIDR filtering connectivity in/out of policy rulebases.
• Capable of merging rulebases.
• Identifies existing connectivity in rulebases and policies
• Automatically performs cleanup if a log file is provided.
• Keeps DR connecitvity via any text or IP tag
• Encryption rules can be added during policy moves to remove the "merge from" rules for traffic that would be encrypted by the time it reached the firewall on which the "merge to" policy is to be installed - sounds complicated but its not in practice - apropriate ike and esp rules should be added manually
• Runs consistency checks on its own objects and rule definitions
• Extendable via a simple elsif in the user interaction loop section.
• .
• EASY TO EXECUTE:
• ./360-faar.pl <FW CONFIG TYPE> <log> <config> <nats> <FW CONFIG TYPE> <log> <config> <nats> <FW CONFIG TYPE> <log> <config> <nats>
• .
• CONFIG TYPES: - cisco soon!
• od = logexported logs, object dumper format config, fwdoc format nat rules csv
• ns = syslog format logs, screenos6 format config, nats are included in policy but not processed fuly yet, fwdoc format nats can be used though
• cs = cisco asa syslog file, cisco ASA format config, - not ready yet
• .
• OUTPUT TYPES:
• od = output an odumper/ofiller format config to file, and print the dbedit for the rulebase creation to screen
• ns = outputs netscreen screenos6 objects and policies (requires a netscreen config or zone info)
• cs = cisco asa format config - not ready yet
• .
• By default 360-FAAR accepts exactly 3 configs on the command line.
• Make an empty file called "fake" and and use this as the file name, for log config and nats if you want to process less than 3 configs at once.
• Log file headders in fw1 logexported logs are found automatically so many files can be cated together
• .
• FUTHER PROCESSING AND MANUAL EDITING:
• Output odumper/ofiller format files and make them more readable (watchout for spaces in names) using the numberrules helper script
• Edit these csv's in Openoffice or Excell using any of the object or group definitions from the three loaded configs.
• You can then use this file as a template to translate to many different firewalls using the 'bldobjs' mode

DOWNLOAD 360-FAAR Firewall Analysis Audit And Repair 0.3.6

Screens

Read More