Eric Partington

Exporting and comparing rules from log and packet decoders

Blog post created by Eric Partington on Aug 9, 2016

Ever wondered if there was an easier method to compare or export all the application, correlation and network rules from your log and packet decoders, either to see if they were all deployed the same or to keep as an archive?

Using the magical REST interface, that can be achieved with a Python script which is included here. The script takes as input a CSV of the devices to read from, which includes the IP or hostname, the username and password, as well as a device type and a friendly name to use in the output. The script is designed to be run from the SA server and will reach out to the decoders and log decoders defined in the CSV, as long as the firewall ports in your environment allow access.

You can pipe the output to a file to capture the results for archival, split it into individual CSV files for comparison or archival, or just compare the MD5 of each output to see if they are the same.

I have a number of folders on my SA server for different scripts; this one lives in rsa-rule-dump.

Depending on whether the Python environment variable is set for you:

[UPDATE 2016-08-12]

Added and moved output around so that each section gets the hash, the line count and any warnings about rules that are order dependent.

python rsa-rules-dump.py devices-rsa.csv

##################################################################
# Checking for 200 http status codes - which are good
# application rules http status code = 200
# network rules http status code = 200
# correlation rules http status code = 200
##################################################################
# http://ldecoder1:50102 decoder
#HASH-RULE-APPLICATION,http://ldecoder1:50102,3bb54113e830814a2c979b49ffe71f41
#CONTENT-RULE-APPLICATION
name=encryption:success rule="ec.theme='encryption' && ec.outcome='Success'" alert=alert.id order=1 type=application uuid=01d6dcde-c6c1-4e9f-a7e5-009c06f2a19a pushFrom="ldecoder1.cancirc.ca Log Decoder"
name=nw05415 rule="reference.id='7045' && service.name begins 'wce','psexe','pwdump','cachedump','gsecdump'" alert=alert.id order=2 type=application uuid=5ac784a4-7af4-4f43-afba-bbd46a7de516
name=nw30060 rule="reference.id='528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')" alert=alert.id order=3 type=application uuid=96dd09e0-3413-4c74-9bda-f4532f1ecf39
name=threatstream rule=alert\='threatstream' alert=threat.source order=4 type=application pushFrom="ldecoder1.cancirc.ca Log Decoder"
name=nw110150 rule="alias.host ends '.box.com', '.boxcloud.com', '.box.net', '.dropbox.com', '.dropboxstatic.com', 'github.com', '.icloud.com'" alert=alert.id order=5 type=application uuid=f26f78fc-f172-4352-94ef-37e9995de746 pushFrom="ldecoder1.cancirc.ca Log Decod

# HASH-RULE-APPLICATION,http://pdecoder:50104,cfed6704667382464b1ba6f21cd0579b
# COUNT-RULE-APPLICATION,http://pdecoder:50104,496
# !!WARNING: Check that dependent alerts are above these rules: ['nw110055', 'nw20055']
name=nw110055 rule="alert.id = 'nw12525' && size > 5242880 && streams =2 && ip.src = 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 && ip.dst != 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" alert=alert.id order=32 type=application
name=nw20055 rule="alert.id = 'nw02550','nw02520', 'nw02560','nw02555' && filetype begins 'fp_'" alert=alert.id order=49 type=application uuid=4f98a661-4b7c-4126-8149-acfda64ac677
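As an added example (not the script from the post), here is how the per-section hash, line count and order-dependency warning shown above can be computed from a dump in this one-rule-per-line format. It assumes that a rule with alert=alert.id writes its own name into alert.id, so a rule matching alert.id = 'nwX' needs rule nwX ordered before it, and that a referenced name absent from the dump is worth a warning too; the sample rule lines and names are constructed.

```python
import hashlib
import re
import shlex

# Constructed sample in the one-rule-per-line key=value format the dump prints
# (these rule names are made up for the example, not rules from the post).
SAMPLE_RULES = """\
name=nw02550 rule="filetype = 'fp_pdf'" alert=alert.id order=1 type=application
name=nw20055 rule="alert.id = 'nw02550','nw02520' && filetype begins 'fp_'" alert=alert.id order=2 type=application
name=nw12525 rule="alert.id = 'nw12345' && size > 1024" alert=alert.id order=3 type=application
name=nw02520 rule="filetype = 'fp_exe'" alert=alert.id order=4 type=application
"""

# Matches "alert.id = 'a','b', 'c'" and captures the quoted list of rule names.
ALERT_REF = re.compile(r"alert\.id\s*=\s*((?:'[^']*'\s*,?\s*)+)")

def parse_rule_line(line):
    """Split one key=value line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["order"] = int(fields.get("order", 0))
    return fields

def referenced_alerts(rule_expr):
    """Names of rules whose alert.id value this rule expression matches on."""
    names = []
    for match in ALERT_REF.finditer(rule_expr):
        names.extend(re.findall(r"'([^']*)'", match.group(1)))
    return names

def check_rule_order(dump_text):
    """Return (md5, rule count, names of rules whose dependencies are not above them).
    A rule with alert=alert.id writes its own name into alert.id, so a rule matching
    alert.id = 'nwX' needs rule nwX at a lower order number; absent names are reported too."""
    lines = [l for l in dump_text.splitlines() if l.strip() and not l.startswith("#")]
    rules = [parse_rule_line(l) for l in lines]
    order_of = {r["name"]: r["order"] for r in rules}
    warnings = []
    for r in rules:
        deps = referenced_alerts(r.get("rule", ""))
        if any(order_of.get(d, float("inf")) >= r["order"] for d in deps):
            warnings.append(r["name"])
    digest = hashlib.md5(dump_text.encode("utf-8")).hexdigest()
    return digest, len(rules), warnings

if __name__ == "__main__":
    md5, count, warn = check_rule_order(SAMPLE_RULES)
    print("#HASH-RULE-APPLICATION,%s\n#COUNT-RULE-APPLICATION,%d" % (md5, count))
    if warn:
        print("# !!WARNING: Check that dependent alerts are above these rules: %s" % warn)
```

Feeding it two decoders' dumps and comparing the returned digests tells you whether the rule sets are identical, which is the same check as comparing the MD5 of each output file.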
