#!/usr/bin/perl
#################################################
# Cisco PIX ACL Parser #
# written by: Brad Downey (brad@magic7s.com) #
# #
# Version .01 BETA #
# #
# This is licensed under the GPL #
# #
# #
# The purpose of this script is to read a #
# file with Cisco PIX ACL's listed and compare #
# it to user input of a source/destination #
# The script will print out the matching ACL #
# lines. This can help in troubleshooting #
# access through a Cisco PIX #
# #
# There are some debug options available. Just   #
# change the line $DEBUG = 0; to $DEBUG = 1; and  #
# the script will dump a lot of data.            #
# #
# Please if you have any suggestion or comments #
# e-mail me. #
# #
# Thanks and enjoy #
#################################################
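use strict;
use warnings;

# Set to 1 to dump the whole file, every parsed ACL entry and the result of
# each field comparison.  Kept as a package global ($main::DEBUG) so it can
# also be flipped from outside without editing the script.
our $DEBUG = 0;

# Parse one PIX "access-list" line into a hash of its fields.
#
# Recognised shape (the only one this script handles):
#   access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D MASK".
#
# Returns a hashref with keys name, action, proto, src_ip, src_mask,
# src_port, dst_ip, dst_mask, dst_port.  "any" is kept verbatim in *_ip with
# a 0.0.0.0 mask, "host" becomes a 255.255.255.255 mask, and a missing "eq"
# leaves the port as ''.  Returns undef (empty list) for anything else:
# non-ACL config lines, but also ACL syntax this parser does not handle
# (range/gt/lt/neq, object-group, remark, ICMP types, a trailing "log").
# Callers must treat undef as "skip this line", never as "no match".
sub parse_acl_line {
    my ($line) = @_;
    my @tokens = split ' ', $line;    # awk-style split also drops leading blanks
    return unless @tokens >= 6 && $tokens[0] eq 'access-list';

    my ($name, $action, $proto) = @tokens[1 .. 3];
    return unless $action =~ /\A(?:permit|deny)\z/ && $proto =~ /\A\w+\z/;

    my @rest = @tokens[4 .. $#tokens];
    my $src = _take_endpoint(\@rest) or return;
    my $dst = _take_endpoint(\@rest) or return;
    return if @rest;    # unsupported trailing keywords: reject the whole line

    return {
        name     => $name,
        action   => $action,
        proto    => $proto,
        src_ip   => $src->{ip},
        src_mask => $src->{mask},
        src_port => $src->{port},
        dst_ip   => $dst->{ip},
        dst_mask => $dst->{mask},
        dst_port => $dst->{port},
    };
}

# Consume one address specification (plus an optional "eq PORT") from the
# front of @$tokens.  Returns { ip, mask, port } or undef when the tokens do
# not form one.  On failure @$tokens may be partially consumed, so the caller
# has to discard the line rather than retry.
sub _take_endpoint {
    my ($tokens) = @_;
    my %endpoint = (port => '');

    my $first = shift @$tokens;
    return unless defined $first;
    if ($first eq 'any') {
        @endpoint{qw(ip mask)} = ('any', '0.0.0.0');
    }
    elsif ($first eq 'host') {
        my $ip = shift @$tokens;
        return unless defined $ip && defined ip_to_int($ip);
        @endpoint{qw(ip mask)} = ($ip, '255.255.255.255');
    }
    elsif (defined ip_to_int($first)) {
        my $mask = shift @$tokens;
        return unless defined $mask && defined ip_to_int($mask);
        @endpoint{qw(ip mask)} = ($first, $mask);
    }
    else {
        return;
    }

    if (@$tokens && $tokens->[0] eq 'eq') {
        shift @$tokens;
        my $port = shift @$tokens;
        return unless defined $port && $port =~ /\A\w+\z/;
        $endpoint{port} = $port;
    }
    return \%endpoint;
}

# Dotted-quad IPv4 string -> unsigned 32-bit integer.  Returns undef for
# anything that is not exactly four octets in 0..255, so it doubles as the
# address validator (a bare \d{1,3} pattern would accept 999.999.999.999).
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip;
    my @octets = split /\./, $ip, -1;    # -1 keeps a trailing empty field
    return unless @octets == 4;
    for my $octet (@octets) {
        return unless $octet =~ /\A\d{1,3}\z/ && $octet <= 255;
    }
    # Fold big-endian: first octet is the most significant.
    my $value = 0;
    $value = $value * 256 + $_ for @octets;
    return $value;
}

# True when $ip lies inside $network/$mask (all dotted quads).  Invalid input
# yields false rather than dying, so a malformed entry simply never matches.
sub in_subnet {
    my ($ip, $network, $mask) = @_;
    my ($i, $n, $m) = map { ip_to_int($_) } $ip, $network, $mask;
    return 0 unless defined $i && defined $n && defined $m;
    return (($i & $m) == ($n & $m)) ? 1 : 0;
}

# "any" covers every address; otherwise defer to the subnet test.
sub _covers {
    my ($acl_ip, $acl_mask, $ip) = @_;
    return 1 if $acl_ip eq 'any';
    return in_subnet($ip, $acl_ip, $acl_mask);
}

# Compare a lookup (%$query: proto, src_ip, src_port, dst_ip, dst_port) with
# one entry from parse_acl_line.  Rules: protocol "ip" covers every protocol;
# a port constraint only applies when the entry has an "eq"; an address
# matches when the entry says "any" or the lookup address lies inside the
# entry's network/mask.  Protocol and port are compared as strings, so use
# the config's spelling ("tcp"; "www" and "80" are NOT treated as equal).
# Returns 1 or 0; with $DEBUG set, prints one "<field> match" /
# "<field> NOT match" line per comparison.
sub acl_matches {
    my ($query, $acl) = @_;
    my $matched = 1;

    # Records one comparison and reports it when debugging.
    my $check = sub {
        my ($field, $ok) = @_;
        $matched = 0 unless $ok;
        print "$field ", ($ok ? 'match' : 'NOT match'), "\n" if $DEBUG;
        return;
    };

    $check->('Proto',
        $acl->{proto} eq 'ip' || $acl->{proto} eq $query->{proto});
    $check->('Src ip',
        _covers($acl->{src_ip}, $acl->{src_mask}, $query->{src_ip}));
    $check->('Src port',
        $acl->{src_port} eq '' || $acl->{src_port} eq $query->{src_port});
    $check->('Dest ip',
        _covers($acl->{dst_ip}, $acl->{dst_mask}, $query->{dst_ip}));
    $check->('Dest port',
        $acl->{dst_port} eq '' || $acl->{dst_port} eq $query->{dst_port});
    return $matched;
}

# Debug dump of a parsed entry.  Note that "host" and "any" entries show the
# synthesized 255.255.255.255 / 0.0.0.0 masks, not an empty field.
sub _dump_acl {
    my ($line, $acl) = @_;
    print "\nThe line is:\n";
    print $line, "\n";
    print "Name is $acl->{name}\n";
    print "Protocol is $acl->{proto}\n";
    print "Source IP is $acl->{src_ip}\n";
    print "Source MASK is $acl->{src_mask}\n";
    print "Source port is $acl->{src_port}\n";
    print "Destionation IP is $acl->{dst_ip}\n";
    print "Destionation MASK is $acl->{dst_mask}\n";
    print "Destionation port is $acl->{dst_port}\n";
    return;
}

# Entry point: usage check, read the ACL file, print every entry the lookup
# matches.  All matching lines are reported in file order so the user sees
# the whole picture; the PIX itself stops at the first matching entry of a
# list, so the first line printed for a given ACL name is the one in effect.
# Lines parse_acl_line rejects are skipped (and named in the debug output),
# never reported as matches.
sub main {
    my @args = @_;
    die "Usage: $0 acl_file proto src_ip src_port dest_ip dest_port\n"
        unless @args == 6;
    my ($aclfile, $proto, $src_ip, $src_port, $dst_ip, $dst_port) = @args;

    # Reject bad lookup addresses up front instead of silently matching nothing.
    for my $ip ($src_ip, $dst_ip) {
        defined ip_to_int($ip)
            or die "ERROR, '$ip' is not a dotted-quad IPv4 address\n";
    }

    # Three-argument open: the file name comes straight from the command
    # line, and a two-argument open would treat a leading '>' or a trailing
    # '|' in it as a mode or a pipe instead of as part of the name.
    open my $cfg, '<', $aclfile or die "ERROR, Cannot open file. $!";
    my @org_config = <$cfg>;
    close $cfg or die "ERROR, Cannot close file correctly. $!";
    print "Dump of $aclfile\n\n", @org_config, "\n" if $DEBUG;

    my %query = (
        proto    => $proto,
        src_ip   => $src_ip,
        src_port => $src_port,
        dst_ip   => $dst_ip,
        dst_port => $dst_port,
    );

    my $linenum = 0;
    for my $line (@org_config) {
        $linenum++;
        chomp $line;
        my $acl = parse_acl_line($line);
        if (!$acl) {
            print "\nSkipping line $linenum (not a supported access-list entry):\n$line\n"
                if $DEBUG;
            next;
        }
        _dump_acl($line, $acl) if $DEBUG;
        print "Found a match: (line $linenum)\n$line\n"
            if acl_matches(\%query, $acl);
    }
    return 0;
}

main(@ARGV) unless caller;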