Juniper firewall syslog parser – Part 1

September 5th, 2009 by Damian 2 comments »

I was recently tasked with the job of locking down the rules on a new Juniper SSG firewall installation. Rather than just jumping in with a series of educated guesses followed by a ‘deny all’ rule, and potentially breaking chunks of the network, my preference is to implement a list of rules based on educated guesses followed by an ‘allow all’ rule that logs anything that hits it. Periodically throughout the next days/weeks/months (circumstances dependent) the syslogs are evaluated and rules are added above the ‘allow all’ rule as necessary. Eventually no legitimate traffic will be hitting the ‘allow all’ rule, and at that point you can safely convert it to a ‘deny all’.

Note: before I get flamed, I am referring to outbound traffic only and not to traffic coming from the internet or from any DMZ. Traffic coming from non-trusted sources should be restricted as much as possible at all times.

Sounds great in theory, right? But anyone that has ever looked over firewall syslogs realises that the sheer quantity of information is completely overwhelming, and that retrieving the relevant information by hand would take a team of very dedicated (and boring) individuals. Software products exist to do this sort of work, but I saw an opportunity to further hone my coding ability. Perl is my weapon of choice for this script as it has fantastic Regex capabilities that can be used to pull out all the required information. From here we will dump it all into a database where it can be manipulated at will.

The primary focus when starting this project was getting the Regular Expressions (Regex) functioning correctly. The original plan was to create one Regex that could do all the work for me… but as you will see in a second, this created an unwieldy beast. The Regex below was my first attempt (and it wasn’t even complete).

m/^.+?\=(.+?)\sproto\=(\d+?).+?\=(.+?)\s.+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?)/;

Breaking this up into manageable chunks seemed like a much smarter way of going about it. The next code revision, while taking up more lines, is much easier to read. The code below simply grabs the info and prints it to the screen. This is my debugging measure to ensure that everything is working correctly before moving on to the next phase: the database.

#!/usr/bin/perl
use strict;
use warnings;

# Three-argument open with an error check: a missing or unreadable file is reported
# instead of being silently treated as empty.
open(my $syslog, '<', '20090903-syslog') or die "Cannot open 20090903-syslog: $!";

# Read one line at a time rather than slurping the whole syslog into memory.
while (my $line = <$syslog>)
{
    chomp($line);

    # Sep  3 15:05:23 172.16.1.250 FW: NetScreen device_id=FW  [Root]system-notification-00257(traffic): start_time="2009-09-03 15:11:58" duration=60
    # Grab Device Name, Start Time and Duration. Skip the line if the match fails,
    # otherwise $1..$7 would still hold the captures from the previous line.
    next unless $line =~ m/((.+?\s+?){3})(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+?([A-Z]+?):.+?"(.+?)".+?\=(\d+?)\s(.*)/;
    print "Date: $1\tDevice Name: $3 $4\tStart_Time: $5\tDuration: $6\t\n";

    if ($7)        # Ensures valid syslog entry (there is text after the duration).
    {
        $line = $7;

        # policy_id=1 service=Network Time proto=17 src zone=Trust dst zone=Untrust
        # Grabs PolicyID, Service, Protocol, Src_Zone and Dst_Zone.
        next unless $line =~ m/^.+?\=(\d+?).+?\=(.+?)\sproto\=(\d+?)\s.+?\=(.+?)\s.+?\=(.+?)\s(.*)/;
        print "\nPolicy_ID: $1\tService: $2\tProto: $3\tSrc_Zone: $4\t\tDst_Zone: $5\n";
        $line = $6;

        # action=Permit sent=98 rcvd=94 src=172.16.1.2 dst=200.200.200.200 src_port=123 dst_port=123
        # Grabs Action, Sent, Rcvd, Src, Dst, Src_port and Dst_port.
        next unless $line =~ m/^.+?\=(.+?)\s.+?\=(\d+?)\s.+?\=(\d+?)\s.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d+?)\s.+?\=(\d+?)\s(.*)/;
        print "Action: $1\tSent: $2\tRcvd: $3\tSrc: $4\tDest: $5\tSrc_Port: $6\tDst_port: $7\n";
        $line = $8;

        # src-xlated ip=200.200.200.200 port=16221 dst-xlated ip=200.200.200.200 port=123 session_id=47889 reason=Close - AGE OUT
        # Grabs Xlated src and dst ip's and ports, session id and reason.
        # The session id capture is anchored on its '=' like the other fields so it cannot latch onto a stray digit.
        next unless $line =~ m/^.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d+?)\s.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d+?)\s.+?\=(\d+?)\s.+?\=(.*)/;
        print "Xlate_src: $1\tXlate_src_port: $2\tXlate_dst: $3\tXlate_dst_port: $4\tSessionID: $5\tReason: $6\n";
    }
}
close($syslog);

I added a section of the syslog in comment form prior to each Regex so you can see what the program is currently working on.
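As an added example (not the post's own code, and written in Python rather than Perl), here is a different way to tackle the same two things the post describes: parsing the NetScreen traffic line into named fields, and then evaluating the syslog to see what is still hitting the logging ‘allow all’ rule. Instead of one lazy regex per chunk, the fixed header is matched once and the rest is treated as key=value pairs, with the few keys that contain a space (src zone, dst zone, src-xlated ip, dst-xlated ip) listed explicitly. The sample log lines, the addresses, and the catch-all policy id of 99 are all constructed for this example.

```python
import re
from collections import Counter

# Hypothetical id of the logging "allow all" catch-all rule (an assumption for this example).
CATCH_ALL_POLICY = "99"

# Fixed prefix of a NetScreen traffic notification, following the layout in the post's comments.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<relay>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<host>[^:]+): NetScreen device_id=(?P<device>\S+)\s+"
    r"\[Root\]system-notification-(?P<msg_id>\d+)\((?P<category>\w+)\): "
    r"(?P<body>.*)$"
)

# Keys the format writes with an embedded space; listed first so the alternation
# prefers "src zone" over the bare word "src".
_MULTI = r"src zone|dst zone|src-xlated ip|dst-xlated ip"
KV = re.compile(
    rf"(?P<key>{_MULTI}|[\w-]+)="
    r'(?P<val>"[^"]*"|.*?)'
    rf"(?=\s+(?:{_MULTI}|[\w-]+)=|$)"
)


def parse_traffic_line(line):
    """Parse one syslog line into a dict of fields, or None if it is not a traffic notification."""
    m = HEADER.match(line.rstrip("\n"))
    if m is None or m.group("category") != "traffic":
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    seen = Counter()
    for kv in KV.finditer(m.group("body")):
        key, val = kv.group("key"), kv.group("val").strip('"')
        seen[key] += 1
        # "port" occurs twice (src-xlated and dst-xlated); the second copy is stored as "port2".
        rec[key if seen[key] == 1 else f"{key}{seen[key]}"] = val
    return rec


def traffic_on_policy(lines, policy_id=CATCH_ALL_POLICY):
    """Tally what is still matching the catch-all rule, grouped the way a new
    firewall policy would be written: zones, destination, protocol, destination port."""
    tally = Counter()
    for line in lines:
        rec = parse_traffic_line(line)
        if rec is not None and rec.get("policy_id") == policy_id:
            key = (rec["src zone"], rec["dst zone"], rec["dst"], rec["proto"], rec["dst_port"])
            tally[key] += 1
    return tally.most_common()


def _sample(policy, service, proto, src, dst, sport, dport):
    # Constructed sample line in the layout quoted in the post; addresses and ids are made up.
    return (
        "Sep  3 15:05:23 172.16.1.250 FW: NetScreen device_id=FW  "
        "[Root]system-notification-00257(traffic): "
        f'start_time="2009-09-03 15:11:58" duration=60 policy_id={policy} '
        f"service={service} proto={proto} src zone=Trust dst zone=Untrust "
        f"action=Permit sent=98 rcvd=94 src={src} dst={dst} "
        f"src_port={sport} dst_port={dport} src-xlated ip=203.0.113.7 port=16221 "
        f"dst-xlated ip={dst} port={dport} session_id=47889 reason=Close - AGE OUT"
    )


SAMPLE_LOG = [
    _sample("1", "Network Time", "17", "172.16.1.2", "192.0.2.10", "123", "123"),
    _sample("99", "HTTP", "6", "172.16.1.20", "198.51.100.5", "51000", "80"),
    _sample("99", "HTTP", "6", "172.16.1.21", "198.51.100.5", "51001", "80"),
    _sample("99", "DNS", "17", "172.16.1.20", "198.51.100.53", "40001", "53"),
    # A constructed non-traffic line, which the parser must ignore.
    "Sep  3 15:05:24 172.16.1.250 FW: some other syslog message",
]

if __name__ == "__main__":
    for (src_zone, dst_zone, dst, proto, dport), n in traffic_on_policy(SAMPLE_LOG):
        print(f"{n:4d}  {src_zone} -> {dst_zone}  dst={dst} proto={proto} dst_port={dport}")
```

The output of `traffic_on_policy` is already in the shape of a candidate rule (zones, destination, protocol and port) with a hit count, which is the information needed to decide what to add above the ‘allow all’ rule; the unquoted multi-word values such as `Network Time` and `Close - AGE OUT` survive because a value only ends where the next `key=` begins.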

Part 2 will see the move from screen print to database insertion as well as some more data manipulation to provide clear, concise rules to be added to the firewall rule set.

Check back soon to see Part 2 or add me to your RSS feed to be notified automatically.

I would love to hear comments from experienced coders on how they would have tackled this project.


Twitter… and the dangers within..

September 3rd, 2009 by Damian No comments »

Twitter has taken the social networking crowd by storm. Apparently originally used for friends to send small status notifications (tweets) to each other, it has now become a major avenue for businesses, internet marketers and bloggers alike to drive traffic to their sites and goals. However, Twitter also presents an interesting vector for malicious hackers to deliver Cross Site Scripting (XSS) attacks to their targets.

Recently a mate of mine was showing me an application (www.twitterfeed.com) that automatically tweets your blog feeds. He sent me to one of his many twitter feeds to show me how it works. Now I am not exactly what you would call a twitter fan and as a result I haven’t spent much time on the site. The first thing that struck me was that the page was completely full of short URL aliases, also known as TinyURLs amongst other names (I’ll refer to them as TinyURLs from here on in).

Naturally, my spidey senses started tingling…
Before we go on, let’s look at the information the attacker already has on their potential target:

  • The twitter feed is updated through a blog or forum of which the tweeter is probably the admin.
  • The admin has probably logged on recently and quite possibly has a current session key.
  • We can make the assumption that the admin is desensitized to seeing TinyURLs and clicking them and/or doesn’t realise the dangers.

The stage is set…
The attacker has located an XSS vulnerability in the target’s favourite blog/forum software application, but what can he do with it? Well, he might use this vulnerability for many things, including cookie stealing, targeted site defacement, or calling in his own malicious JavaScript.

Now he needs to create his malicious payload. Let’s say that the malicious hacker has set up a website that captures any cookies passed to it through a malicious JavaScript file called cookiestealer.js.

He creates a URL like the one below and uses it in a response tweet to the target. This is an attempt to coax the target into clicking through. As you can see, he takes advantage of the XSS vulnerability by calling the attacker’s nasty cookiestealer.js script from within the legitimate www.yoursite.com request.

http://www.yoursite.com/members.php?

So would you click this link?
You may or may not, but the chances are against the attacker at this stage.
So maybe he attempts to obfuscate it like this? Note: this URL is a live XSS example. Using this link will display an alert popup using code that was not coded into the website.

http://www.damiangrace.com/xss.php?xss=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%54%77%69%74%74%65%72%20%69%73%20%44%61%6E%67%65%72%6F%75%73%21%21%21%20%57%65%20%63%6F%75%6C%64%20%68%61%76%65%20%6A%75%73%74%20%73%74%6F%6C%65%6E%20%79%6F%75%72%20%63%6F%6F%6B%69%65%73%20%61%6E%64%20%6D%6F%72%65%2E%20%4C%65%61%72%6E%20%6D%6F%72%65%20%61%74%20%68%74%74%70%3A%2F%2F%77%77%77%2E%64%61%6D%69%61%6E%67%72%61%63%65%2E%63%6F%6D%2F%22%29%3C%2F%73%63%72%69%70%74%3E

So the victim is much more likely to click on this link, right? However, it still looks a little strange. But what if the attacker was to make it look exactly like a twitter link? Something like this maybe:

http://tinyurl.com/l3tjkv

Do you think they will click on it now? My guess is yes!

Now the user/admin clicks on the link, the attacker is automatically fed the target’s cookies, and he can now control the target website with the same permission levels.

Scary huh???

So now that you know about it… How can you stop being a victim?

  1. Well, don’t go clicking on TinyURLs all willy-nilly.
  2. Utilize the ‘preview’ features of the TinyURL sites. Example: http://tinyurl.com/preview.php?enable=1
  3. Log out of sites that require sign-on when you are finished (closing the browser does not have the same effect).
  4. Don’t allow the browser to auto-login to sites.
  5. Upgrade to a modern Internet Explorer version that supports XSS prevention, or use Firefox with the NoScript add-on installed.
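The list above is what the person clicking can do. As an added example (not part of the post, and not the code behind the live xss.php page), here is the site owner's side of the same problem: what the percent-encoded parameter in a link like the one above turns into once the server decodes it, why copying it into the page verbatim lets it run, the output encoding that stops it, and a coarse check that could be run over web server access logs to spot such links. The URL, host, parameter name and the harmless alert payload are all constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed link in the style of the percent-encoded one in the post. The host and the
# parameter name are made up, and the payload is a harmless alert rather than a cookie grab.
CONSTRUCTED_URL = (
    "http://www.example.com/members.php?msg="
    "%3Cscript%3Ealert%28%22constructed%22%29%3C%2Fscript%3E"
)


def query_param(url, name):
    """Return the decoded value of one query parameter, exactly as the server-side script sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(msg):
    # The defect the post's xss.php demonstrates: request data copied into the page verbatim,
    # so a "<script>" in the parameter becomes a script element in the response.
    return f"<p>Message: {msg}</p>"


def render_safe(msg):
    # Fix: HTML-entity-encode untrusted text before placing it in the page body, so the
    # browser shows "<script>" as text instead of executing it.
    return f"<p>Message: {html.escape(msg, quote=True)}</p>"


# Script-like fragments worth flagging in a decoded query string. A heuristic for log review,
# not a complete XSS detector (it misses other encodings and event-handler variants).
_MARKUP = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)


def query_carries_markup(url):
    """True when any decoded query value of the URL contains script-like markup."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).values()
    return any(_MARKUP.search(v) for vs in values for v in vs)


if __name__ == "__main__":
    payload = query_param(CONSTRUCTED_URL, "msg")
    print("decoded parameter :", payload)
    print("unsafe page       :", render_unsafe(payload))
    print("escaped page      :", render_safe(payload))
    print("flag in log review:", query_carries_markup(CONSTRUCTED_URL))
```

The percent-encoding changes nothing for the server: `parse_qs` decodes it back to the same `<script>` text the plain link carried, which is why the obfuscated link works exactly like the readable one and why the fix has to be on the output side (`html.escape`) rather than in how the link looks.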

Have you experienced any strange events after clicking on a twitter link before?


To Perl or to Python? That is the question…

August 18th, 2009 by Damian 2 comments »

Perl has been my programming language of choice for quite some time now. I haven’t put enough time into it to be a very good programmer, but I have been slowly making progress. Lately, however, I find myself considering using Python instead.

So why did I choose Perl in the first place?

I was steered into Perl by a very knowledgeable mate of mine who has always been there to help me nut out some of my teething problems along the way. Syntax wise there are a few things that I really like about Perl. Things like variables, hashes and arrays are always prefixed with the ‘$’, ‘%’ and ‘@’ symbols respectively, and blocks of code are encapsulated in curly brackets. This makes my simple code much easier to read. Unfortunately the same syntax joy can cause syntax heartache too. Perl can be a real nightmare to read, especially after going back to your code after a month or two.

Then why Python?

Python is meant to be a lot easier to code with. Sometimes I find myself fighting with a piece of Perl for hours and getting nowhere. I am hoping that Python might help me with this problem (at least a little bit :) ). The research I have been doing shows that a majority of Perl users that take the time to learn Python end up using Python as their preferred language. Then if you look at the number of large organizations that are using Python, handy tools such as Scapy, and the speed at which Python is taking off in popularity, the choice seems fairly clear.

I will miss my curly bracket bounding and pretty variables, but hopefully the feeling of this shortfall will be short lived. Perl will always have a soft spot in my heart so I don’t think I will ever be able to leave it entirely.

I have the O’Reilly book ‘Learning Python’ by Mark Lutz and have whipped through the first 4 chapters… so far so good, although we still haven’t gotten to actually coding anything yet :S

I’ll keep you posted


Where’s the time go???

August 15th, 2009 by Damian 2 comments »

First post on my new self titled blog and it may be quite some time before the next…

I knew I was going to be under the pump when I signed up to do my CISSP and the Offensive Security OSCP both within a three month period. What I didn’t know was how much of my time and effort was going to be involved in completing both.

Sitting here trying to unwind from a three hour amateur coding spree while pondering the past, present and future, it really sunk in that I have been studying for three weeks already. Time flies when you’re having fun, right? My achievements for the past three weeks include completing 2 of the 10 CISSP domains and 3 of 16 OSCP modules. While I am quite happy with what I have achieved, as I have been working my butt off, I have only completed three modules in almost three weeks, with another 13 to complete in 5. My uber math skillz tell me that at this current pace I might run overtime… My lack of coding experience is to blame. Code that should have taken me 10 mins has sometimes been taking me an hour or more. Many nights have been spent doing nothing but coding. The beauty of it is I have wanted to dedicate a lot more time to my coding, and now I have no choice. While I don’t believe I am anything close to being a good coder, I am strangely enough starting to see signs of real code shining through and even a touch of real functionality :D .

The next two modules look quite easy. I think I will be able to knock them both over tomorrow. This will get me back on track. Now I just have to find time to read another CISSP domain :D .
