GoSecure / Cisco2Checkpoint

Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).
http://gosecure.net/2017/01/30/cisco2checkpoint-cisco-checkpoint-conversion-tool/
GNU General Public License v3.0

cisco asa: maybe critical bug with protocol #5

Closed mjardeli closed 7 years ago

mjardeli commented 7 years ago

Hi,

Am I missing anything here? A config line with https is being recognized as http.

thanks in advance,

service_https.txt

martindube commented 7 years ago

Hi mjardeli,

Port 80 is added because of port-object eq www

From what I know, it is the desired behavior on IOS. Could it be a different behavior between IOS and ASA?

mjardeli commented 7 years ago

Hi martindube,

Did you test it on your environment?

For the config line:

    object-group service groupservice tcp
     port-object eq 443
     port-object eq https
     port-object eq www
     service-object tcp eq https

which has 4 protocol definitions, 1 for http and 3 for https. The app is recognizing https only with tcp eq 443; tcp port 80 (http) should be recognized only for the third line. Here follows the parse verifier output:

    CiscoServiceGroup(name=groupservice,desc=,nbMembers=4)
    CiscoServicePort(name=https,port=443,desc=HTTP protocol over TLS/SSL,alias=)
    CiscoServicePort(name=http,port=80,desc=Hypertext Transfer Protocol,alias=)
    CiscoServicePort(name=http,port=80,desc=Hypertext Transfer Protocol,alias=)
    CiscoServicePort(name=http,port=80,desc=Hypertext Transfer Protocol,alias=)
    Verify: <ASAObjGroupService # 0 'groupservice'>

Note that it is recognized as http for the second and fourth lines.

I tried putting only one line, "port-object eq https", and it is still recognized as http instead of https.

regards,

martindube commented 7 years ago

I found it !

It was a bug in an enormous regular expression. http was before https in a list of port names, so it was always matched first.

I pushed the change in master. Please git pull.

mjardeli commented 7 years ago

Cheers! This was my guess as well: the definition of http before https.

Please be aware this can happen with similar protocols like smtp and smtps, etc., or protocols that start with the same protocol name: if the shortest one comes first, the second will not be matched. Suggestion: list the protocol names and sort them, searching for similar ones.

Are you using the latest version of ciscoconfparse, 1.2.47? Can I use the latest one, or is it better to stick to the version you provide?

kind regards,

martindube commented 7 years ago

Good idea. I will work on it when I have more time.

For ciscoconfparse, we need to stick to the version I provide for now because the project is very sensitive to changes in the parsers. That being said, you can give it a try :)

Thanks again for submitting the issue.

mjardeli commented 7 years ago

Hi Mart,

The issue is happening at least for smtp/smtps (not as common a protocol as http/https), but if someone else uses it they should be aware of this.

For the config:

    object-group service groupservice tcp
     port-object eq smtps
     port-object eq 465

here follows the output:

    CiscoServiceGroup(name=groupservice,desc=,nbMembers=2)
    CiscoServicePort(name=smtp,port=25,desc=Simple Mail Transfer Protocol,alias=)
    CiscoServicePort(name=SMTPS,port=465,desc=SSL protocol over SMTPS,alias=)
    Verify: <ASAObjGroupService # 0 'groupservice'>

cheers,

mjardeli commented 7 years ago

Hi Martin,

Please allow me to contribute; I am not a big Python programmer, but ...

I am not sure whether this is related to your program or to ciscoconfparse; I found references in both. Maybe it's the case to ask ciscoconfparse to update their side as well, as those are critical.

I added smtps (tcp 465) to the PORT_DIC on config.py and protocol_values.py

I changed the _PORT_NAMES order for the following ports: ftp, ftp-data, ldap, ldaps and smtps, for the same reason you found before.

    # Longer names are listed before the shorter names they start with
    # (https before http, ldaps before ldap, ...) so the alternation
    # cannot match the prefix first. All parts are raw strings so \d survives.
    _PORT_NAMES = r'aol|bgp|chargen|cifs|citrix-ica|cmd|ctiqbe|daytime'\
        r'|discard|domain|echo|exec|finger|tftp|ftp-data|ftp|gopher'\
        r'|h323|hostname|https|http|ident|imap4|irc|kerberos|klogin'\
        r'|kshell|ldaps|ldap|login|lotusnotes|lpd|netbios-ssn|nfs'\
        r'|nntp|ntp|pcanywhere-data|pim-auto-rp|pop2|pop3|pptp|rsh'\
        r'|rtsp|sip|smtps|smtp|sqlnet|ssh|sunrpc|tacacs|talk|telnet|uucp'\
        r'|whois|www|netbios-ns|netbios-dgm|netbios-ss|snmptrap|snmp'\
        r'|syslog|isakmp|bootps|bootpc|radius|\d+'

I tested smtps here and it is translating to tcp 465 correctly after the changes I mentioned.

kind regards,
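The alternation-ordering bug discussed in this thread, and the check mjardeli suggests for it, as an added example in Python (not code from the Cisco2Checkpoint repository or from ciscoconfparse). The name list and the ASA lines are constructed for the demonstration; `prefix_order_violations` flags any alternative that is a prefix of a later one, and `safe_alternation` reorders the list longest-first, which is the general form of the reorder applied to `_PORT_NAMES` above.

```python
import re

# Constructed subset of ASA service names, deliberately in the order that
# triggered the bug: each short name precedes the longer name it prefixes.
BUGGY_ORDER = ["http", "https", "smtp", "smtps", "ldap", "ldaps", "ftp", "ftp-data"]


def prefix_order_violations(names):
    """Return (earlier, later) pairs where an earlier alternative is a prefix
    of a later one. A regex engine tries alternatives left to right, so the
    later (longer) name could never win against such an earlier entry."""
    violations = []
    for i, short in enumerate(names):
        for longer in names[i + 1:]:
            if longer != short and longer.startswith(short):
                violations.append((short, longer))
    return violations


def safe_alternation(names):
    """Reorder so no alternative is a prefix of a later one: longest first.
    sorted() is stable, so names of equal length keep their original order."""
    return sorted(names, key=len, reverse=True)


def parse_port_object(line, names):
    """Extract the service name from an ASA 'port-object eq <name>' line with
    a plain alternation like the one in config.py. A trailing \\b after the
    group would also defeat the prefix problem regardless of order; this
    function leaves it out on purpose so the ordering effect is visible."""
    alternation = "|".join(re.escape(n) for n in names) + r"|\d+"
    match = re.match(r"port-object eq (" + alternation + r")", line)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("violations:", prefix_order_violations(BUGGY_ORDER))
    print("buggy :", parse_port_object("port-object eq https", BUGGY_ORDER))
    print("fixed :", parse_port_object("port-object eq https", safe_alternation(BUGGY_ORDER)))
```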

martindube commented 7 years ago

I updated the code with _PORT_NAMES and PORT_DIC. I will push soon. Don't hesitate to send a pull request next time; it's a good way to save time and keep track of what changed.

Looking at the ciscoconfparse code, I think I should replace PROTO_DIC and PORT_DIC (from config.py) with ASA_IP_PROTOCOLS and ASA_TCP_PORTS. I just need to make sure that they are the same for IOS first.

Thanks,