JewelRunner is intended to quickly analyze TCP/IP traffic for a target host and create host-based firewall rules in support of micro-segmentation activities. In its current form it will:
- Parse pcap files and summarize tcp/ip traffic to and from a target IP;
- Parse ipFilter (Solaris) log files and generate firewall rules; and
- Parse ipSec (AIX) logs and generate firewall rules.
- JewelRunner was built and tested with Python 2.7.14+
The set-up is relatively simple. The required modules may be installed using the command below.
pip install -r /path/to/requirements.txt
Parse pcap file and analyze traffic for target IP 10.10.10.1
./jewelRunner.py -f /path/to/file.pcap -io pcap -target 10.10.10.1
Parse pcap file and analyze traffic between target IP 10.10.10.1 and 10.10.10.2
./jewelRunner.py -f /path/to/file.pcap -io pcap -target 10.10.10.1 -filter 10.10.10.2
Parse ipFilter log for target IP 10.10.10.1 and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipfilter.log -io ipfilter -target 10.10.10.1
Parse ipFilter log for target IP 10.10.10.1, isolate entries for 10.10.10.2 and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipfilter.log -io ipfilter -target 10.10.10.1 -filter 10.10.10.2
Parse ipSec log for target IP 10.10.10.1 and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipsec.log -io ipsec -target 10.10.10.1
Parse ipSec log for target IP 10.10.10.1, isolate entries for 10.10.10.2 and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipsec.log -io ipsec -target 10.10.10.1 -filter 10.10.10.2
[-] ASSUMPTIONS and CAVEATS
- I have tried to include references wherever I borrowed from others. If I have missed someone, it was unintentional, lest I incur the wrath of the squirrel man.
- In retrospect I should have done this in Bro-Script. This is on my list. I'd also like to try using scapy to create and deploy the rules in real time as packets are read.
- This code is inefficient. Several functions are repeated in each module. Future work includes plans for the creation of a utility module to consolidate these functions.
- The higher port is always assumed to be the initiator of the connection. This may not always be the case.
- JewelRunner will not create rules for high-port (>50000) to high-port traffic. However, it will report these flows in the output.
- JewelRunner will not create rules for low-port (< 1023) to low-port traffic. However, it will report these flows in the output.
- When a filter IP is specified, jewelRunner makes no assumptions about the source port (i.e. > 1023) when creating the host-based firewall rules. Rules will be created using the source port specified in the log file. It is up to the user to generalize these rules later on.
- JewelRunner assumes that any traffic it sees is allowed. Any rules should be ultimately adjudicated by the application and product teams.
- JewelRunner is intended to support "proof-of-concept" activities for micro-segmentation. There are several enterprise tools that will do this far more effectively at the enterprise level (12, 13).
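The caveats above (higher port is the initiator, high-to-high and low-to-low flows are reported but get no rule, a filter IP keeps the logged source port) describe a small decision procedure. The following is an added illustration of that procedure in Python 3, not JewelRunner's own code; the Flow tuple, the rule tuple layout and the sample flows are constructed for the example.

```python
from collections import namedtuple

# Constructed flow record: one observed connection, as a pcap or log parser might emit it.
Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")

LOW_PORT_MAX = 1023    # README: no rules for low-port (< 1023) to low-port traffic
HIGH_PORT_MIN = 50000  # README: no rules for high-port (> 50000) to high-port traffic


def classify(flow):
    """Decide whether a flow yields a rule or is only reported in the output."""
    a, b = flow.src_port, flow.dst_port
    if a > HIGH_PORT_MIN and b > HIGH_PORT_MIN:
        return "report-only:high-to-high"
    if a < LOW_PORT_MAX and b < LOW_PORT_MAX:
        return "report-only:low-to-low"
    return "rule"


def orient(flow):
    """README assumption: the higher port is the initiator (ties go to the source).
    Returns (initiator_ip, initiator_port, responder_ip, responder_port)."""
    if flow.src_port >= flow.dst_port:
        return flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port
    return flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port


def build_rules(flows, target, filter_ip=None):
    """Return (sorted rules, reported-only flows) for the target host.
    Rule tuple (hypothetical layout): (direction, proto, peer_ip, peer_port, target_port).
    Without a filter IP the initiator's ephemeral port is generalized to 'any';
    with a filter IP the logged port is kept and generalization is left to the user."""
    rules, reported = set(), []
    for f in flows:
        if target not in (f.src_ip, f.dst_ip):
            continue                                  # not traffic for the target host
        if filter_ip and filter_ip not in (f.src_ip, f.dst_ip):
            continue                                  # isolate entries for the filter IP
        if classify(f) != "rule":
            reported.append(f)                        # reported, but no rule created
            continue
        ini_ip, ini_port, rsp_ip, rsp_port = orient(f)
        eph = ini_port if filter_ip else "any"
        if rsp_ip == target:                          # peer connects in to the target
            rules.add(("in", f.proto, ini_ip, eph, rsp_port))
        else:                                         # target connects out to a peer
            rules.add(("out", f.proto, rsp_ip, rsp_port, eph))
    return sorted(rules, key=str), reported


# Constructed sample flows around host 10.10.10.1 (not from a real capture).
SAMPLE = [
    Flow("tcp", "10.10.10.2", 51234, "10.10.10.1", 22),     # ssh in
    Flow("tcp", "10.10.10.2", 51235, "10.10.10.1", 22),     # same service, new ephemeral port
    Flow("tcp", "10.10.10.1", 443, "10.10.10.3", 40000),    # https, seen server-to-client
    Flow("tcp", "10.10.10.1", 45000, "10.10.10.4", 3306),   # mysql out
    Flow("udp", "10.10.10.5", 52000, "10.10.10.1", 55000),  # high-to-high: report only
    Flow("udp", "10.10.10.1", 123, "10.10.10.6", 123),      # low-to-low: report only
    Flow("tcp", "10.10.10.7", 1111, "10.10.10.8", 80),      # not the target host
]
```

Running build_rules(SAMPLE, "10.10.10.1") collapses the two ssh flows into one generalized inbound rule, while passing filter_ip="10.10.10.2" keeps both logged source ports as separate rules.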
[-] FUTURE WORK
- Add support for iptables
- Give user the choice to create specific flavor of firewall rules using pcap contents
- Filter out passive ftp traffic
- Parse ipv6
- Handle broadcast traffic
- Add option for file output
- Add feature that will make recommendations to consolidate rules from single IPs to VLANs
- Add ephemeral cmd line switch to clean up ports
- Remove redundancies. Create module for utility functions.
Adopted from original scripts created by:
brifordwylie @ https://github.com/brifordwylie
RemiDesgrange @ https://github.com/RemiDesgrange
saylenty @ https://github.com/saylenty