Первая часть здесь https://habr.com/ru/articles/834874/
В первой части код работающий, но не очень читаемый, и трудный для восприятия. Сейчас улучшенный и удобочитаемый код, с комментариями.
После выполнения команды ‘show access-list’ в Cisco ASA получаем:
ciscoasa# show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list gl1; 7 elements; name hash: 0xe79499bb access-list gl1 line 1 extended permit tcp object-group og1 object-group og12 eq ssh (hitcnt=0) 0xf57a470f access-list gl1 line 1 extended permit tcp 10.0.3.0 255.255.255.0 host 10.0.0.3 eq ssh (hitcnt=0) 0x23c38b59 access-list gl1 line 1 extended permit tcp 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ssh (hitcnt=0) 0x3bc77b3d access-list gl1 line 1 extended permit tcp 10.0.41.0 255.255.255.0 host 10.0.0.3 eq ssh (hitcnt=0) 0xed8dff32 access-list gl1 line 1 extended permit tcp 10.0.41.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ssh (hitcnt=0) 0xcde224d1 access-list gl1 line 2 extended permit tcp host 10.0.0.3 host 100.100.100.1 eq www (hitcnt=0) 0xf80a10d6 access-list gl1 line 3 extended permit tcp object on1 object on2 eq ssh (hitcnt=0) 0x70f8adb4 access-list gl1 line 3 extended permit tcp host 10.0.0.3 10.0.0.0 255.255.255.0 eq ssh (hitcnt=0) 0x70f8adb4 access-list gl1 line 4 extended permit tcp object on1 host 100.100.100.1 eq www (hitcnt=0) 0x301bd0fd access-list gl1 line 4 extended permit tcp host 10.0.0.3 host 100.100.100.1 eq www (hitcnt=0) 0x301bd0fd access-list gl2; 23 elements; name hash: 0xec1e290 access-list gl2 line 1 extended permit tcp object-group og1 object-group og12 eq https (hitcnt=0) 0xd0d468b5 access-list gl2 line 1 extended permit tcp 10.0.3.0 255.255.255.0 host 10.0.0.3 eq https (hitcnt=0) 0xae19c8fe access-list gl2 line 1 extended permit tcp 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0 eq https (hitcnt=0) 0x93b63bc0 access-list gl2 line 1 extended permit tcp 10.0.41.0 255.255.255.0 host 10.0.0.3 eq https (hitcnt=0) 0x07c7a712 access-list gl2 line 1 extended permit tcp 10.0.41.0 255.255.255.0 10.0.0.0 255.255.255.0 eq https (hitcnt=0) 0xa7ced8a9 access-list gl2 line 2 extended permit ip object-group og1 object-group og12 (hitcnt=0) 0x516db3da access-list gl2 line 2 extended permit ip 10.0.3.0 255.255.255.0 host 10.0.0.3 (hitcnt=0) 0x258b842a access-list gl2 line 2 extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=0) 0xd82afa19 access-list gl2 line 2 extended permit ip 10.0.41.0 255.255.255.0 host 10.0.0.3 (hitcnt=0) 0x3d4864ae access-list gl2 line 2 extended permit ip 10.0.41.0 255.255.255.0 10.0.0.0 255.255.255.0 (hitcnt=0) 0xf4e436ba access-list gl2 line 3 extended permit tcp object on1 object on2 eq 121 (hitcnt=0) 0xac470d2c access-list gl2 line 3 extended permit tcp host 10.0.0.3 10.0.0.0 255.255.255.0 eq 121 (hitcnt=0) 0xac470d2c access-list gl2 line 4 extended permit tcp host 10.0.0.3 10.0.0.0 255.255.255.0 eq ssh (hitcnt=0) 0x5ce66931 access-list gl2 line 5 extended permit tcp object on4_16 object on4_8 eq https (hitcnt=0) 0xd1faa964 access-list gl2 line 5 extended permit tcp 10.0.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq https (hitcnt=0) 0xd1faa964 access-list gl2 line 6 extended permit tcp object on4_16 object-group og5 eq https (hitcnt=0) 0x99c5cc7d access-list gl2 line 6 extended permit tcp 10.0.0.0 255.255.0.0 host 1.1.1.1 eq https (hitcnt=0) 0xe802825a access-list gl2 line 6 extended permit tcp 10.0.0.0 255.255.0.0 host 5.5.5.1 eq https (hitcnt=0) 0x80a1e5b3 access-list gl2 line 6 extended permit tcp 10.0.0.0 255.255.0.0 5.5.15.0 255.255.255.0 eq https (hitcnt=0) 0x25de07fd access-list gl2 line 7 extended permit tcp object on4_8 object-group og5 eq https (hitcnt=0) 0xcd171889 access-list gl2 line 7 extended permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1 eq https (hitcnt=0) 0x0cf8371e access-list gl2 line 7 extended permit tcp 10.0.0.0 255.0.0.0 host 5.5.5.1 eq https (hitcnt=0) 0xad10cac6 access-list gl2 line 7 extended permit tcp 10.0.0.0 255.0.0.0 5.5.15.0 255.255.255.0 eq https (hitcnt=0) 0xaeb148b6 access-list gl2 line 8 extended permit tcp any object on2 eq 121 (hitcnt=0) 0x6eb4423f access-list gl2 line 8 extended permit tcp any 10.0.0.0 255.255.255.0 eq 121 (hitcnt=0) 0x6eb4423f access-list gl2 line 9 extended permit tcp object on4_8 any eq https (hitcnt=0) 0xbb42911c access-list gl2 line 9 extended permit tcp 10.0.0.0 255.0.0.0 any eq https (hitcnt=0) 0xbb42911c access-list gl2 line 10 extended permit tcp any object-group og5 eq https (hitcnt=0) 0x61792dc7 access-list gl2 line 10 extended permit tcp any host 1.1.1.1 eq https (hitcnt=0) 0x7b4af33d access-list gl2 line 10 extended permit tcp any host 5.5.5.1 eq https (hitcnt=0) 0x4fa8c459 access-list gl2 line 10 extended permit tcp any 5.5.15.0 255.255.255.0 eq https (hitcnt=0) 0xd8987a26 access-list gl2 line 11 extended deny ip any any log informational interval 300 (hitcnt=0) 0x22c3cb18 ciscoasa# Затем Python преобразует аксес лист в файл CSV.
Он удаляет ведущие пробелы в строках с помощью функции line.lstrip().
Удаляет все ненужные строки со словами: «object», «remark», «#», «denied», «alert-interval».
Заменяет слово «any» на «0.0.0.0 0.0.0.0», также заменяет слово «host 1.1.1.1» на «1.1.1.1 255.255.255.255».
#!/usr/bin/python3 # usage " python asa_acl_to_csv_.py fw_name " it will open file fw_name.conf and convert to CSV file import csv, sys, re from sys import argv args = sys.argv # read command line arguments # Set the input and output file names input_file = args[1] + '.conf' # asa show access-list saved to file fw_name.conf output_file = args[1] + '.csv' # access-list to fw_name.csv" with open(input_file, 'r', encoding='utf-8') as file, open(output_file, "w", newline="") as out_file: writer = csv.writer(out_file) lines = file.readlines() for line in lines: # loop each line in input file stripped_line = line.lstrip() # Strip leading and trailing spaces in line if ("#" in stripped_line or "denied" in stripped_line or "alert-interval" in stripped_line): # Skip lines that contain "#" or "denied" or continue # move to the next line in file if ("elements" in stripped_line or "object" in stripped_line or "remark" in stripped_line): # Skip lines that contain "elements" or continue if stripped_line.strip() == "": # Skip empty lines continue stripped_line = re.sub(r' host ([\w.]+)', r' \1 255.255.255.255', stripped_line) # replace 'host 1.1.1.1' with '1.1.1.1 255.255.255.255' stripped_line = stripped_line.replace( ' any ', ' 0.0.0.0 0.0.0.0 ') # replace 'any' with '0.0.0.0 0.0.0.0' stripped_line = stripped_line.replace( ' any ', ' 0.0.0.0 0.0.0.0 ') nwords = stripped_line.split() # convert line to list if nwords[6] == 'ip': nwords.insert(11, 'eq') nwords.insert(12, 'ip') # add 'ip' as a protocol after destination prefix print(nwords) writer.writerow([nwords[1],nwords[3],nwords[5],nwords[7],nwords[8],nwords[9],nwords[10],nwords[11],nwords[12]]) # write a line in output CSV file и получаем CSV файл:
gl1,1,permit,10.0.3.0,255.255.255.0,10.0.0.3,255.255.255.255,eq,ssh gl1,1,permit,10.0.3.0,255.255.255.0,10.0.0.0,255.255.255.0,eq,ssh gl1,1,permit,10.0.41.0,255.255.255.0,10.0.0.3,255.255.255.255,eq,ssh gl1,1,permit,10.0.41.0,255.255.255.0,10.0.0.0,255.255.255.0,eq,ssh gl1,2,permit,10.0.0.3,255.255.255.255,100.100.100.1,255.255.255.255,eq,www gl1,3,permit,10.0.0.3,255.255.255.255,10.0.0.0,255.255.255.0,eq,ssh gl1,4,permit,10.0.0.3,255.255.255.255,100.100.100.1,255.255.255.255,eq,www gl2,1,permit,10.0.3.0,255.255.255.0,10.0.0.3,255.255.255.255,eq,https gl2,1,permit,10.0.3.0,255.255.255.0,10.0.0.0,255.255.255.0,eq,https gl2,1,permit,10.0.41.0,255.255.255.0,10.0.0.3,255.255.255.255,eq,https gl2,1,permit,10.0.41.0,255.255.255.0,10.0.0.0,255.255.255.0,eq,https gl2,2,permit,10.0.3.0,255.255.255.0,10.0.0.3,255.255.255.255,eq,ip gl2,2,permit,10.0.3.0,255.255.255.0,10.0.0.0,255.255.255.0,eq,ip gl2,2,permit,10.0.41.0,255.255.255.0,10.0.0.3,255.255.255.255,eq,ip gl2,2,permit,10.0.41.0,255.255.255.0,10.0.0.0,255.255.255.0,eq,ip gl2,3,permit,10.0.0.3,255.255.255.255,10.0.0.0,255.255.255.0,eq,121 gl2,4,permit,10.0.0.3,255.255.255.255,10.0.0.0,255.255.255.0,eq,ssh gl2,5,permit,10.0.0.0,255.255.0.0,10.0.0.0,255.0.0.0,eq,https gl2,6,permit,10.0.0.0,255.255.0.0,1.1.1.1,255.255.255.255,eq,https gl2,6,permit,10.0.0.0,255.255.0.0,5.5.5.1,255.255.255.255,eq,https gl2,6,permit,10.0.0.0,255.255.0.0,5.5.15.0,255.255.255.0,eq,https gl2,7,permit,10.0.0.0,255.0.0.0,1.1.1.1,255.255.255.255,eq,https gl2,7,permit,10.0.0.0,255.0.0.0,5.5.5.1,255.255.255.255,eq,https gl2,7,permit,10.0.0.0,255.0.0.0,5.5.15.0,255.255.255.0,eq,https gl2,8,permit,0.0.0.0,0.0.0.0,10.0.0.0,255.255.255.0,eq,121 gl2,9,permit,10.0.0.0,255.0.0.0,0.0.0.0,0.0.0.0,eq,https gl2,10,permit,0.0.0.0,0.0.0.0,1.1.1.1,255.255.255.255,eq,https gl2,10,permit,0.0.0.0,0.0.0.0,5.5.5.1,255.255.255.255,eq,https gl2,10,permit,0.0.0.0,0.0.0.0,5.5.15.0,255.255.255.0,eq,https gl2,11,deny,0.0.0.0,0.0.0.0,0.0.0.0,0.0.0.0,eq,ip В Cisco ASA невозможно создать повторяющиеся строки в аксес листе, но можно создать несколько объектов с одним и тем же IP-адресом, и можно создать несколько дублированных строк в аксес листе, используя разные объекты. Внутри CSV-файла можно отсортировать строки по нужным полям и легко найти повторяющиеся строки.
А почему не использовать textFSM ? Там совсем другой вывод, не подходящий для данной задачи.
А почему не использовать pyats/genie. Там нет парсера для этой команды.
Любые комментарии и вопросы приветствуются.
ссылка на оригинал статьи https://habr.com/ru/articles/838428/
Добавить комментарий