Nomenclature Predictably Misunderstood
Miss any of our Open RFC calls?Watch the recordings here! »

rswaf-icx-converter

0.6.2 • Public • Published

ICX Policy to Security Exception Configurations Migration Tool.

Part of RSCS WAF extras.

Build Status Dependencies npm version Licence

Introduction

This tool does its best to convert ICX Exceptions from i-Suite v5 into Security Exception Configurations (RSWAF v6).

Under the wood, it use RSWAF API (low level XML API) to read ICX Policies and create/update Security Exception Configurations.

Prerequisites

Nodejs

A Windows or Linux machine with nodejs > v10 installed (bundled with npm i.e node package manager). This machine is supposed to be able to speak with a RSWAF Management Console (v6).

RSWAF dedicated API User

Create a user with Create/Read/Update/Delete authorization for the API, then use it using --waf-src-user and --was-src-pw command line options (or environment variables). Because this tool currently use the low level XML API, not the JSON one, the API Token auth method is not usable.

Install

npm install rswaf-icx-converter -g

Usage

> rswaf-icx-converter --help
rswaf-icx-converter v0.5.4

Usage with RSWAF v6:
rswaf-icx-converter --waf-src-url=https://1.2.3.4:3001/ --waf-src-user=admin --waf-src-pw=mypassword

Options:
--waf-src-url                      IP Address of RSWAF API
--waf-src-user                     Administrator username
--waf-src-pw                       Administrator password
--waf-src-api-key                  RSWAF v6 API Key (not yet implemented)
--icx                              Only convert ICX matching pattern
--icx-file                         Use an XML dump file rather than using the Management Console (unit tests)
--skip-duplicate                   Skip duplicated rule
--duplicate-multiple-hostname      Duplicate rules having multiple hostname condition, default true
--duplicate-match-any              Duplicate rules using Match ANY operator, default true
--duplicate-match-all-legacy       Duplicate rules using Match All Legacy operator, default true
--convert-disable-rules            Convert disabled rules, default false
--dump-icx                         Dump ICX policy (use --icx to spot one ICX)
--security-exception-file            Dump XML content of converted security exception configuration
--verbose                          Be verbose
------------------------------------------------------------
Environnement variables
WAF_SRC_URL        URL for RSWAF Webservices Administration
WAF_SRC_API_KEY    RSWAF API Key (not yet implemented)
WAF_SRC_USER       i-Suite Administrator Username
WAF_SRC_PW         i-Suite Administrator Password
> rswaf-icx-converter --waf-src-url=https://X.X.X.X:3001/ --waf-src-user=api --waf-src-pw=MYPASSWORD --duplicate-multiple-hostname --duplicate-match-any --skip-duplicate --verbose

More debug on windows

> set DEBUG=*:*
> rswaf-icx-converter --waf-src-url=https://X.X.X.X:3001/ --waf-src-user=api --waf-src-pw=MYPASSWORD --duplicate-multiple-hostname --duplicate-match-any --skip-duplicate --verbose

More debug on linux

> DEBUG=*:* && rswaf-icx-converter --waf-src-url=https://X.X.X.X:3001/ --waf-src-user=api --waf-src-pw=MYPASSWORD --duplicate-multiple-hostname --duplicate-match-any --skip-duplicate --verbose

workflow.xml

A workflow.xml file is written in the current directory. You can open this file then copy paste it's content into an empty workflow. Then associate this workflow to a tunnel, then apply the tunnel. If no error after the apply, you can consider that security exception configurations have been validated by "mod_workflow_config" process.

WARNING

  • Every security exception configurations matching --icx string in their names (or all configurations if --icx option not used) are emptied each time you trigger this tool.

Notes

  • The tool do NOT take care about attack technics versioning (thanks v6) while converting, security exceptions will always use the latest pattern available.
  • The tool can NOT (yet) test PCRE regular expression because javascript don't have a native support, that's why there is no regular expression validation while converting.
  • The tool will make your rule begin_with patterName rather than is patterName (so exceptions will match in both Normal or Strict ICX policies)

ICX anomalies detected

  • detect duplicate hostname conditions in a "match all" rule, use --duplicate-multiple-hostname=false to disable
  • detect match any rules, use --duplicate-match-any=false to disable
  • detect match all LEGACY rules, use --duplicate-match-all-legacy=false to disable
  • detect duplicated rules, use --skip-duplicate=false to disable
  • fix bad regular expression * rather than .*

Run tests

npm test

Keywords

none

Install

npm i rswaf-icx-converter

DownloadsWeekly Downloads

12

Version

0.6.2

License

GPLv2

Unpacked Size

164 kB

Total Files

35

Last publish

Collaborators

  • avatar