remediation: tools and utilities for remediation and incident-response handling.
JewelRunner is intended to quickly analyze TCP/IP traffic for a target host and create host-based firewall rules in support of micro-segmentation activities. In its current form it will:
+ Parse pcap files and summarize TCP/IP traffic to and from a target IP;
+ Parse ipFilter (Solaris) log files and generate firewall rules; and
+ Parse ipSec (AIX) logs and generate firewall rules.
JewelRunner was built and tested with Python 2.7.x.
Assumptions and Caveats
+ I have tried to include references wherever I borrowed from others. If I have missed someone, it was unintentional, lest I incur the wrath of the squirrel man.
+ In retrospect I should have done this in Bro-Script. This is on my list. I’d also like to try using scapy to create and deploy the rules in real time as packets are read.
+ This code is inefficient. Several functions are repeated in each module; future work includes a utility module to consolidate these functions.
+ The higher port is always assumed to be the initiator of the connection. This may not always be the case.
+ JewelRunner will not create rules for high-port (>50000) to high-port traffic. However, it will report these flows in the output.
+ JewelRunner will not create rules for low-port (< 1023) to low-port traffic. However, it will report these flows in the output.
+ When a filter IP is specified, jewelRunner makes no assumptions about the source port (i.e. > 1023) when creating the host-based firewall rules. Rules will be created using the source port specified in the log file; it is up to the user to generalize these rules later on.
+ JewelRunner assumes that any traffic it sees is allowed. Any rules should be ultimately adjudicated by the application and product teams.
+ JewelRunner is intended to support “proof-of-concept” activities for micro-segmentation. There are several enterprise tools that will do this far more effectively at the enterprise level (12, 13).
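The flow heuristics listed above (higher port is the initiator, no rules for high-to-high or low-to-low traffic, logged source port kept verbatim when a filter IP is given), as an added example that is not JewelRunner's own code. It runs over constructed packet tuples rather than a pcap, and the rule strings use ipf-style syntax purely for illustration; the tool's own output format may differ.

```python
# Added example, not JewelRunner's own code: the README's flow heuristics
# (higher port = initiator, no rules for high<->high or low<->low) run over
# constructed packet tuples instead of a real pcap.  Rule text is ipf-style
# syntax used for illustration; the tool's own output format may differ.
HIGH_PORT = 50000   # both ends above this: report the flow, write no rule
LOW_PORT = 1023     # both ends below this: report the flow, write no rule

def classify_flow(target, src, sport, dst, dport, proto="tcp", filter_ip=None):
    """Return (kind, rule) for one packet, or None if it is out of scope."""
    if target not in (src, dst) or (filter_ip and filter_ip not in (src, dst)):
        return None
    # The higher port is assumed to belong to the initiator (client).
    if sport > dport:
        client, cport, server, svc_port = src, sport, dst, dport
    else:
        client, cport, server, svc_port = dst, dport, src, sport
    if cport > HIGH_PORT and svc_port > HIGH_PORT:
        return ("high-high", None)
    if cport < LOW_PORT and svc_port < LOW_PORT:
        return ("low-low", None)
    direction = "in" if server == target else "out"
    # With a filter IP the README keeps the logged source port verbatim.
    src_part = "%s port = %d" % (client, cport) if filter_ip else client
    rule = "pass %s quick proto %s from %s to %s port = %d keep state" % (
        direction, proto, src_part, server, svc_port)
    return ("rule", rule)

def summarize(packets, target, filter_ip=None):
    """Deduplicate rules; collect flows that are reported but get no rule."""
    rules, reported = [], []
    for src, sport, dst, dport in packets:
        res = classify_flow(target, src, sport, dst, dport, filter_ip=filter_ip)
        if res is None:
            continue
        kind, rule = res
        if kind == "rule" and rule not in rules:
            rules.append(rule)
        elif kind != "rule":
            reported.append((kind, src, sport, dst, dport))
    return rules, reported

# Constructed sample traffic: (src, sport, dst, dport)
SAMPLE = [
    ("10.10.10.2", 51515, "10.10.10.1", 22),     # SSH into target
    ("10.10.10.1", 22, "10.10.10.2", 51515),     # reply packet, same flow
    ("10.10.10.1", 40001, "10.10.10.3", 443),    # target calling out (HTTPS)
    ("10.10.10.4", 55000, "10.10.10.1", 60000),  # high-high: report only
    ("10.10.10.5", 53, "10.10.10.1", 123),       # low-low: report only
]
```

Calling `summarize(SAMPLE, "10.10.10.1")` yields one inbound and one outbound rule plus the two report-only flows; passing `filter_ip="10.10.10.2"` narrows it to the SSH flow with its logged source port retained.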
Use and Download:
git clone https://github.com/pjhartlieb/remediation && cd remediation
pip install -r requirements.txt
pip install dpkt
Parse pcap file and analyze traffic for target IP 10.10.10.1
./jewelRunner.py -f /path/to/file.pcap -io pcap -target 10.10.10.1
Parse pcap file and analyze traffic between target IP 10.10.10.1 and 10.10.10.2
./jewelRunner.py -f /path/to/file.pcap -io pcap -target 10.10.10.1 -filter 10.10.10.2
Parse ipFilter log for target IP 10.10.10.1 and create host-based firewall rule set
./jewelRunner.py -f /path/to/ipfilter.log -io ipfilter -target 10.10.10.1