To launch the springbok project you need to have:
apt-get install python-gtk2 python-networkx python-matplotlib python-reportlab python-netaddr
pip install graphviz
python springbok.py
v0.6:
You can import your script configuration file or the output of the iptables-save command.
To import iptables configuration files, you must prepend the output of the ifconfig command to your configuration file:
ifconfig | cat - my_iptables.conf > /tmp/out && mv /tmp/out my_iptables.conf
To import a configuration file: File → Import configuration.
You can select multiple files. For each file the tool will try to detect the equipment type.
Once the import has finished, the tool starts building the ROBDD, which may temporarily slow the tool down. It will not block the software, because the construction runs in a separate thread.
You can open a saved project: File → Open project.
Once again, the tool launches the construction of ROBDD.
You can save the state of the current project: File → Save project.
After importing files, the tool draws the network topology. You can interact with all elements: they can be moved, and you can zoom in or out with the mouse wheel or the zoom bar at the bottom of the drawing area. The "Redraw" button redraws the topology. Double-clicking an element launches its default action.
Default action:
When you right click on a firewall a popup menu appears and you can:
Default action:
When you right click on a node a popup menu appears and you can:
Default action:
When you right click on an edge a popup menu appears and you can:
When you right click on the background a popup menu appears and you can:
The anomaly detection algorithms are based on the work of Al-Shaer and H. Hamed and on the FIREMAN project.
Masked rules: the rule never matches any packet, so the action it defines is never taken.
Partially masked rules: the rule matches some packets that an earlier rule has already matched.
You can launch the internal detection of a firewall by clicking on it: Right click → Detect anomaly.
The internal detection takes each ACL of the firewall individually and checks for anomalies between its rules. The 'Deep search' option reports every rule blamed for an anomaly, but it takes considerably longer to run.
You can launch the distributed detection of all firewalls from the menu: Audit → Distributed detection.
The distributed detection builds a rooted tree for each pair of networks and checks for anomalies along the path between them. The 'Deep search' option reports every rule blamed for an anomaly, but it takes considerably longer to run.
You can search for a path between two networks. To start a search:
Right click on a network → Itinerary from this place
Right click on a network → Itinerary to this place
Then a popup shows up and you can specify:
Leave a field empty if you do not want it taken into account.
If paths are found, you will be able to select a path in the right lateral pane.
You can import a query file to launch multiple query requests at once: Audit → Import query file.
Queries must be separated by a single line consisting of two hyphens.
The syntax is the following (omit any field you do not want to specify):
protocol : protocol_value
ip-source : ip_value [optional_mask_value]
port-source : port_value
ip-destination : ip_value [optional_mask_value]
port-destination : port_value
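As an added example (not part of springbok's own code), the parser below reads this query-file format: queries split on a line of two hyphens, each of the five documented fields optional, and the optional mask on the ip fields. The sample file is constructed for the example; the field names and separator are those documented above.

```python
import ipaddress
# Constructed sample query file in the documented format: queries separated by a
# line of exactly two hyphens, each field optional (an omitted field is a wildcard).
SAMPLE_QUERY_FILE = """\
protocol : tcp
ip-source : 10.0.0.0 255.255.255.0
ip-destination : 192.168.1.10
port-destination : 443
--
protocol : udp
port-destination : 53
"""

FIELDS = ("protocol", "ip-source", "port-source", "ip-destination", "port-destination")

def _parse_ip(value):
    """'ip_value [optional_mask_value]' -> ip_network; no mask means a single host."""
    parts = value.split()
    if len(parts) == 1:
        return ipaddress.ip_network(parts[0])
    if len(parts) == 2:
        return ipaddress.ip_network((parts[0], parts[1]), strict=False)
    raise ValueError("malformed ip field: %r" % value)

def parse_queries(text):
    """Return one dict per query. Unknown, duplicated or malformed fields raise rather
    than being dropped: an ignored typo would silently turn a constraint into a wildcard."""
    queries, current = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "--":                 # query separator
            queries.append(current)
            current = {}
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep or key not in FIELDS or not value or key in current:
            raise ValueError("line %d: unknown, duplicate or malformed field: %r" % (lineno, raw))
        if key.startswith("ip-"):
            current[key] = _parse_ip(value)
        elif key.startswith("port-"):
            current[key] = int(value)
            if not 0 <= current[key] <= 65535:
                raise ValueError("line %d: port out of range" % lineno)
        else:
            current[key] = value.lower()
    if current:                          # last query has no trailing separator
        queries.append(current)
    return queries
```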
You can export the results of the following tabs via Audit → Export result:
The Springbox CLI is a small script that uses springbok's modules to export equipment ACLs to a unified CSV format.
python springbox_cli.py [OPTION]... [FILE]
Usage: ./springbox_cli.py [OPTION]... [FILE]
Parse firewall configuration files (Cisco ASA, Juniper Netscreen, Fortinet Fortigate) and export the parsed rules to CSV format.
Create a folder tree of the configuration ACLs (springbok_rulesXXXXXX)
-h, --help show this help
-n, --no-confirm no confirmation on the device detected
Example:
./springbox_cli.py -n cisco_example1.conf cisco_example2.conf