Dec 07

Importing DROP-list from Spamhaus.org

Hints and Tips, Live from Field, Scripts

spamhaus_to_smc

Finnish CERT (CERT-FI) recommends paying special attention to certain address blocks. They mention the DROP list by the Spamhaus project as the most up-to-date list of malicious addresses.

It is always boring and time-consuming to type long lists of addresses, so I made a quick-and-dirty script which converts the DROP list into StoneGate elements and creates a group of them. You can feed the DROP list to this script, zip the result and import it into SMC.

Being an old-timer, I wrote this with an ancient tool called awk, which you can find on most Unix-based systems, including Linux. The most common variant is GNU awk, gawk. Someone would probably write this in 2 lines of Perl…

I provide this script as is, with no express or implied guarantees of any kind. Use it at your own risk. If you manage to break something with this, you have been warned and you assume full responsibility. I have tested this on one system (Fedora Core 9) with one input, today's DROP list from Spamhaus.org.

So, take a look at the code and decide for yourself whether you trust it. Especially see the comment at the beginning. Change the element naming convention to suit your needs and enjoy.
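As an added illustration (not the spamhaus_to_smc script itself), here is a small sh/awk converter that parses a DROP list, rejects malformed entries and emits one record per network plus a group record. The SMC XML element schema is not shown on this page, so the CSV output, the DROP_<network>_<prefix> naming convention and the DROP_list group name are assumptions; the idea is to template these records into an element file exported from SMC.

```shell
#!/bin/sh
# Added example (not the page's spamhaus_to_smc script): validate a Spamhaus
# DROP list and emit one record per network plus a group record. The SMC XML
# schema is not on the page, so the output is a CSV intermediate meant to be
# templated into an element file exported with sgExport; the naming convention
# DROP_<network>_<prefix> and the group name DROP_list are assumptions.

# Constructed sample in DROP-list format: ";" comment lines, then "CIDR ; SBLnnn".
SAMPLE_DROP='; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Mon, 07 Dec 2009 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/33 ; SBL000003
not-an-address ; SBL000004'

# Read DROP-list text on stdin. Valid entries become "network,<name>,<net>,<prefix>,<sbl>";
# malformed ones are reported on stderr and skipped; the last line is
# "group,<groupname>,<member1>;<member2>;..." naming every accepted element.
drop_to_elements() {
    awk -v group="${1:-DROP_list}" '
    function valid_ipv4(ip,   o, i) {
        if (split(ip, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }        # comment or blank line
    {
        split($1, c, "/")                                 # $1 is "net/prefix"
        sbl = ($3 != "") ? $3 : "-"                       # SBL reference after the ";"
        if (!valid_ipv4(c[1]) || c[2] !~ /^[0-9]+$/ || c[2] + 0 > 32) {
            printf "rejected: %s\n", $0 > "/dev/stderr"
            next
        }
        name = "DROP_" c[1] "_" c[2]
        printf "network,%s,%s,%s,%s\n", name, c[1], c[2], sbl
        members = (members == "") ? name : members ";" name
    }
    END { printf "group,%s,%s\n", group, members }'
}

# Usage: drop_to_elements DROP_list < drop.txt > elements.csv
```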

written by olli

Jul 07

SMC Batch Interaction – Checking Element Status

Hints and Tips, Scripts, SMC

This post adds another bit to the series of articles about SMC interaction through batch scripts.

Today's scenario is the following.
Suppose you have an installed base composed of several StoneGate Engines (IPS, Firewalls) plus a few third-party devices that you monitor thanks to a cool new feature of SMC 5.0.

You would like to monitor such devices from batch scripts, so that data from SMC can populate other processes or software you might use.


written by RoarinPenguin

Jul 02

Following the SMC scripting galore trend ;) here's another tool for you; I hope you find it useful.

The scenario: you need to verify from the command line whether a given policy would have issues if installed on a particular engine (naturally without actually installing it).

The command sgPolicyCheck.[bat|sh] can be issued with the following parameters and options.

Parameters:
host=<Mgtserver address> (default: 127.0.0.1)
login=<loginname> (default: root)
pass=<password> (default: password)
cluster=<cluster name> (default: "")
policy=<policy name> (default: "")
all_clusters=<use all clusters> (default: false)

Options:
-help (Show help)

An example could be:

C:\Stonesoft\StoneGate\bin>sgPolicyCheck.bat host=192.168.1.101 login=root pass=mypass cluster=FW-5000 policy="verify-this-policy"
…and the output is similar to the one reported below:

Connect to Management Server: root@191.168.1.101
Validation of Firewall Policy verify-this-policy on Single Firewall FW-5000:

6 issues found.
  6 warnings found:
    2 Missing Definitions found.
      Rule @2.0
      Rule @3.0
    2 Unreachable Rules found.
      Rule @1006.0
      Rule @981.0
    2 NAT and Routing Definitions found.
      Rule @1274.5
      Rule @1157.0

As usual, the Files area of the StoneBlog Community contains the script for Windows and for Linux.

written by RoarinPenguin

Jun 30

Here we go with a second article on batch interaction with a StoneGate Management Center: this one is about publishing a ready-made policy to a StoneGate Firewall/VPN Engine.

The scenario could be, for instance, that you receive an alert raising the DefCon level and you want to react by activating a more restrictive policy.

The script for you today is called sgUploadFw.[sh|bat] and the syntax is:

sgUploadFw.[bat|sh] [host=hostname] [login=loginname] [pass=password] cluster=clustername [cluster=otherclustername] policy=policyname

host ==> the SMC host this script connects to.
login ==> login of an Administrator profile with rights to operate on the given elements
pass ==> password (yes, in cleartext. It's up to you to decide the security level you want to implement ;) )
cluster ==> can be a single node or a cluster of engines
policy ==> the name of the policy you want to upload

Example and output:

C:\Stonesoft\StoneGate\bin>sgUploadFw.bat host=192.168.1.101 login=root pass=mypassword cluster="FW-5000" policy="DefCon 1"
Finding cluster(s)
Found FW-5000
Found policy: DefCon 1
Accepted a compatible cluster: FW-5000
Starting upload
Waiting 900 seconds…

Contacting nodes of FW-5000
Connection ok on firewall FW-5000
Preparing configuration for FW-5000
Policy snapshot started
Policy snapshot created.
Uploading configuration on FW-5000
New configuration generated for firewall FW-5000
New configuration uploaded to firewall FW-5000
Rule @1279.6 has Source NAT translated to ipaddresses that corresponds to an int
erface address
Applying configuration on FW-5000
New configuration activated on firewall FW-5000
Checking connectivity on FW-5000
Contact with firewall FW-5000 confirmed
Policy installation successful for FW-5000

upload finished

To download the script for Windows click here, while the version for Linux is available here.

Both scripts will remain available in StoneBlog Community, Files area.
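One way to chain this script with sgPolicyCheck from the previous post, as an added example rather than one of the StoneBlog scripts: validate the policy first and only run sgUploadFw when the check reports no issues. The parameter syntax is the one shown in the two posts; the wrapper and its parsing of the check output are my own, and the sample output is constructed from the page's example.

```shell
#!/bin/sh
# Added example (not one of the page's scripts): gate sgUploadFw behind a
# sgPolicyCheck run, so a policy with reported issues is never pushed.
# Assumes the sgPolicyCheck.sh / sgUploadFw.sh parameter syntax shown on the page.

# Constructed sample of sgPolicyCheck output, mirroring the page's example.
SAMPLE_CHECK_OUTPUT='Connect to Management Server: root@192.168.1.101
Validation of Firewall Policy verify-this-policy on Single Firewall FW-5000:

6 issues found.
  6 warnings found:
    2 Missing Definitions found.
      Rule @2.0
      Rule @3.0
    2 Unreachable Rules found.
      Rule @1006.0
      Rule @981.0'

# Print N from the first "N issues found." line of sgPolicyCheck output, or 0 if absent.
issue_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) issues found\.$/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Print the rule identifiers ("@2.0", ...) the check flagged, one per line.
flagged_rules() {
    printf '%s\n' "$1" | sed -n 's/^ *Rule \(@[0-9.]*\)$/\1/p'
}

# Succeed only when the check output reports zero issues.
policy_is_clean() {
    [ "$(issue_count "$1")" -eq 0 ]
}

# Validate the policy on the cluster, then upload it only if the check is clean.
check_then_upload() {
    host=$1; login=$2; pass=$3; cluster=$4; policy=$5
    out=$(sgPolicyCheck.sh host="$host" login="$login" pass="$pass" \
                           cluster="$cluster" policy="$policy") || return 1
    if policy_is_clean "$out"; then
        sgUploadFw.sh host="$host" login="$login" pass="$pass" cluster="$cluster" policy="$policy"
    else
        echo "Refusing to upload '$policy' to $cluster: $(issue_count "$out") issues" >&2
        flagged_rules "$out" >&2
        return 1
    fi
}
```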

written by RoarinPenguin

Jun 19

Thinking about an oxymoron? Nope… this is the first of a series of posts showing how it is possible to interact with SMC from within a batch script, to automate tasks.

The scripts linked to these posts will remain available in the StoneBlog Community under the StoneFiles repository for free download.

Needless to say, these are unsupported scripts, although I've tested them up to the latest release and they work nicely ;)

The first script I'd like to share automates some commands to a StoneGate Firewall/VPN or IPS Engine.


written by RoarinPenguin

Jun 11

My firewall sees this info, I want it in logs

Hints and Tips, Scripts

It is common for distributed organizations to have multiple engines in different locations as main gateways for protecting the perimeter of the local network.

Sometimes the firewall sees information that is not specifically related to network security; still, this information could be very useful to collect centrally.

This post shows how it is possible to use StoneGate Central Log Processing to collect this information centrally.


written by RoarinPenguin

Mar 26

Those two binaries few people are aware of…

Hints and Tips

This post sheds some light on two somewhat hidden binaries in the StoneGate directory, since they can be very useful for automation operations like the one I described in a previous post.

The tools are named sgImport.[bat|sh] and sgExport.[bat|sh].

Both are located in <StoneGate_install_dir>/bin/ and can be used to export and import elements from StoneGate (hence their names ;) ).

The nice feature is that they both work with zipped XML files, allowing very fast object manipulation in StoneGate for different purposes, such as:

  • quick definition of large number of similar objects (e.g. Network Elements, Firewalls and IPS Engines)
  • interaction with external processes like Web Forms, other scripts, applications
  • modification of existing elements without accessing the GUI

The usage guidelines can be obtained by issuing the script with the -h parameter; this is an example with sgExport.sh on a Linux box:

StoneGate Management Center (4.3.5 [7944])
Copyright 2000-2009 Stonesoft Corp. All rights reserved.
http://www.stonesoft.com
STONEGATE IMPORT/EXPORT

XML Export command syntax:
[-h|--help] [-host <ipaddress>] [-login <login>]
[-password <password>] [-file <resultFilePath>]
[-type <all|nw|ips|sv|rb|al>] [-recursion]
-h | --help: displays the help message,
-host <ipaddress>: specifies the ip address of the Management Server (by default: localhost),
-login <login>: specifies the login of an SMC Administrator,
-password <password>: specifies the password of the SMC Administrator,
-file <resultFilePath>: specifies the zip result file path,
-type <all|nw|ips|sv|rb|al|vpn>: exports all: All Elements; nw: Network Elements; ips: IPS Elements;
sv: Services; rb: Security Policies; al: Alerts; vpn: VPN Elements,
-recursion: activates the recursive export (also referenced objects are exported).
-system: export also system elements.

As you might know, XML files can be quite complex, depending on how the software they are used with is structured.

To maintain operational consistency, if you wish to use this feature I recommend proceeding as follows:

  1. locate/define in StoneGate configuration an object of the type you’re interested in
  2. use GUI export element tool or sgExport to export the zipped XML file
  3. manipulate the exported XML file depending on usage
  4. recreate the zipped XML file and use sgImport or GUI menu to reimport it in StoneGate

Using the procedure above, you ensure consistency and correctness of the item imported.

Since power is nothing without control ;) the StoneGate import process will in any case validate the file while importing it and return an error if anything is missing.

Stay tuned, as I'll soon publish examples of practical usage of this very handy StoneGate feature.

written by RoarinPenguin

Mar 18

Fast object creation in StoneGate

Hints and Tips

I want to share with you a quick yet powerful way to create objects in StoneGate, taking advantage of the flexibility of the bundled commands for exporting and importing elements.

For a test I was doing a few days ago, I needed to create a fairly large number of objects quickly. Having done that, I needed to reference them in an Alias in order to efficiently manage a rulebase that could be published to many different firewalls simultaneously, with the value of the element changing depending on which firewall it is installed on (that is the beautiful power of StoneGate Aliases).

Here’s what I’ve done (on a Linux based SMC).


written by RoarinPenguin

Dec 09

Post-admission NAC with StoneGate IPS

Alert Escalation, Hints and Tips, IPS

Let's combine the power of Deep Inspection, Alert Escalation/Script response and the following Perl script to achieve a home-made yet powerful and flexible way to perform so-called post-admission NAC.

The idea is that the IPS monitors a network segment in inline or port-mirroring mode. When it finds true positives, it raises an alert to the Log Server.

The alert is then evaluated against the Alert Escalation Policy and a reaction is triggered.

One of the possible reactions is a script executed by the Log Server that sends SNMP instructions to the switch the offending machine is connected to, shutting down its physical network port.

The script below has been tested with an HP ProCurve switch but should be applicable to any switch that understands SNMP.

#!/usr/bin/perl
# Post-admission NAC responder: look up the offending MAC in the switch's
# bridge forwarding table, resolve the port name, and set ifAdminStatus to down(2).
use strict;
use warnings;
use Net::SNMP;      # also exports the ASN.1 type constants (INTEGER, ...)
use Sys::Syslog;

# The Log Server passes the alert fields as arguments; in this setup
# positions 9 and 10 carry the source IP and MAC address.
my $ip  = $ARGV[9];
my $mac = $ARGV[10];

my $hostname  = '172.23.11.63';              # switch to talk to
my $community = 'public';                    # needs write access for the set_request
my $int_oid   = '.1.3.6.1.2.1.2.2.1.7';      # ifAdminStatus
my $mac_oid   = '.1.3.6.1.2.1.17.4.3.1.2';   # dot1dTpFdbPort, indexed by the 6 MAC octets
my $iname_oid = '.1.3.6.1.2.1.31.1.1.1.1';   # ifName

openlog('Blocker', 'ndelay,pid', 'local0');
syslog('info', 'Got Ip address %s and Mac address %s', $ip, $mac);

my ($session, $error) = Net::SNMP->session(Hostname => $hostname, Community => $community);
syslog('warning', 'DIED: Snmp session error-> %s', $error) unless $session;
die "session error: $error" unless $session;

# Turn aa:bb:cc:dd:ee:ff into the dotted-decimal suffix the FDB table is indexed by.
my @bytes   = split /:/, $mac;
my $realarp = join '.', map { hex } @bytes;

my $oid    = "$mac_oid.$realarp";
my $result = $session->get_request(-varbindlist => [$oid]);
syslog('warning', 'DIED: Snmp request error-> %s', $session->error) unless defined $result;
die 'request error: ' . $session->error unless defined $result;

# dot1dTpFdbPort returns a bridge port number; on many switches it equals the ifIndex,
# otherwise map it through dot1dBasePortIfIndex (.1.3.6.1.2.1.17.1.4.1.2) first.
my $int_id = $result->{$oid};
die "MAC $mac not found in the forwarding table of $hostname"
    unless defined $int_id && $int_id =~ /^\d+$/;

$oid    = "$iname_oid.$int_id";
$result = $session->get_request(-varbindlist => [$oid]);
die 'request error: ' . $session->error unless defined $result;
my $int_name = $result->{$oid};
syslog('info', 'Successfully found %s on interface %s (id %s)', $mac, $int_name, $int_id);

# Administratively shut the port: ifAdminStatus = down(2).
$oid    = "$int_oid.$int_id";
$result = $session->set_request(-varbindlist => [$oid, INTEGER, 2]);
die 'set error: ' . $session->error unless defined $result;
syslog('crit', 'Blocked interface %s on %s', $int_name, $hostname);

$session->close;
closelog();

Did you test this with other devices?
Please help the community by posting your experience here using comments!

written by RoarinPenguin