This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Create a rule set from scratch based on wireshark capture


Hello, I'm a new registered user to this site, but have already been using it from time to time when strange questions occurred in the past :) So first, thank you for all the help already provided :)

I have been asked a strange question: some users are moving, and my management wonders why we couldn't capture network traffic on some user's computer during a day, and use all the data collected to produce a rule set that'll be pushed on the new firewall to come. Despite the fact that monitoring one user's network activity isn't really a good way to get all traffic, has someone ever done that? and do you know tools that could be of any help in this attempt?

Thank you very much!

asked 06 Sep '13, 01:14


go3th


One Answer:


some users are moving, and my management wonders why we couldn't capture network traffic on some user's computer during a day, and use all the data collected to produce a rule set that'll be pushed on the new firewall to come.

Well, that does not sound like a very good idea. A firewall shall only allow what is absolutely necessary (principle of least privilege). If you capture the traffic of a single system and use the system's network activity as a base for the firewall rule set, security will go down the drain, and honestly then you don't need a firewall at all. A router would be much cheaper ;-))

So, my answer to your question is three-fold.

  1. It is technically possible to create firewall rule sets from a pcap and I have done that in very certain and limited scenarios. See below.
  2. It would be much easier to use the current firewall logs and/or the current firewall rule set to create a policy for the new firewall, as that obviously reflects what the user is allowed to do through the current firewall and hopefully also reflects your security policy.
  3. From a security point of view it is not clever to use the traffic of a system as the base for a firewall rule set. Just remind your management of this: What happens if the user is not trustworthy? With the intended way to configure the new firewall, you could open a hole for that user to leak internal information (documents, price calculations, payroll info, etc.). The firewall would then be totally useless and should be replaced by a much cheaper router.

So, if you still want to use the capture file, here is how you could do it.

  • You need a very good understanding of the new firewall architecture and figure out how you can automatically create a rule set (including the network objects) for the new firewall. That works well for some products, as they either offer a CLI or a text-based configuration (Check Point, Juniper, Fortigate, iptables). For some products it may not work at all, because the configuration uses a proprietary format (binary, 'encrypted', etc.) and/or does not provide a CLI.
  • Then use tshark to list all conversations of that user (after you have captured the data):

tshark -nr input.pcap -q -z conv,udp
tshark -nr input.pcap -q -z conv,tcp

  • Take the output of tshark and create a meta policy (internal representation of the firewall rule set) with a script (perl, python, whatever).
  • Convert the meta policy into something that your new firewall product understands and push it to the new firewall.

I'm not aware of any product that will do it automatically for you. There may be open source projects, but I don't know one either.

Regards
Kurt

answered 06 Sep '13, 02:05


Kurt Knochner ♦

edited 06 Sep '13, 02:12
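The "tshark output -> meta policy -> firewall syntax" steps in the answer above, carried out in a small script. This is an added example and not code from the original answer or from the Wireshark project. It assumes the captured host's address is known (192.168.10.23 here, made up), that the capture was taken on a Linux-style system whose ephemeral ports start at 32768, and that iptables (FORWARD chain) is the target product; the tshark output it parses is constructed to look like `tshark -nr input.pcap -q -z conv,tcp` / `conv,udp` output and contains invented addresses and counters.

```python
"""Build a meta policy from tshark conversation output and render iptables rules.

Added example, not from the original post. Assumes a single captured host whose
IP is known, and that a conversation whose host-side port is in the ephemeral
range was initiated by that host (tshark's conv table does not say who opened
the connection, so this is a heuristic).
"""
import re
from dataclasses import dataclass

# Constructed sample of `tshark -nr input.pcap -q -z conv,tcp` output.
# Addresses, counters and column widths are made up for this example.
SAMPLE_TCP = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.10.23:49812  <-> 10.0.0.5:443               12      5844      10      1512      22      7356     0.000000000         1.2311
192.168.10.23:49813  <-> 10.0.0.5:443                9      4021       8      1190      17      5211     2.410000000         0.8102
192.168.10.23:51002  <-> 10.0.0.9:445               40     12040      38      9811      78     21851     5.100000000        30.4400
10.0.0.77:60233      <-> 192.168.10.23:3389         30      9900      28      4410      58     14310     9.000000000        60.0100
================================================================================
"""

# Constructed sample of `tshark -nr input.pcap -q -z conv,udp` output.
SAMPLE_UDP = """\
================================================================================
UDP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.10.23:53011  <-> 10.0.0.2:53                 4       612       4       290       8       902     0.010000000         0.0300
================================================================================
"""

EPHEMERAL_START = 32768  # assumption: Linux-style ephemeral port range


@dataclass(frozen=True)
class Rule:
    """One entry of the meta policy (internal, product-neutral representation)."""
    proto: str   # "tcp" or "udp"
    src: str     # source host
    dst: str     # destination host
    dport: int   # service port on dst


# A conversation row: "addr:port  <->  addr:port  frames ...". The greedy \S+
# backtracks to the last ':' so IPv6 addresses with embedded colons also parse.
CONV_RE = re.compile(r"^(\S+):(\d+)\s+<->\s+(\S+):(\d+)\s+(\d+)")


def parse_conversations(text):
    """Yield (addr_a, port_a, addr_b, port_b) for each conversation row."""
    for line in text.splitlines():
        m = CONV_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def build_meta_policy(host, tcp_text, udp_text):
    """Turn conversation tables into a de-duplicated set of Rule objects.

    Direction: if the host-side port is ephemeral the host is assumed to be the
    client (outbound rule), otherwise the peer is assumed to have connected to
    a service on the host (inbound rule). Rows not involving the host are
    returned separately so they can be reviewed rather than silently allowed.
    """
    rules, skipped = set(), []
    for proto, text in (("tcp", tcp_text), ("udp", udp_text)):
        for a, pa, b, pb in parse_conversations(text):
            if a == host:
                local_port, peer, peer_port = pa, b, pb
            elif b == host:
                local_port, peer, peer_port = pb, a, pa
            else:
                skipped.append((proto, a, pa, b, pb))
                continue
            if local_port >= EPHEMERAL_START:
                rules.add(Rule(proto, host, peer, peer_port))   # outbound
            else:
                rules.add(Rule(proto, peer, host, local_port))  # inbound
    return rules, skipped


def render_iptables(rules, chain="FORWARD"):
    """Render the meta policy as iptables commands with a default-deny tail."""
    lines = [
        "# Generated from a packet capture: review every line before deploying.",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in sorted(rules, key=lambda r: (r.proto, r.src, r.dst, r.dport)):
        lines.append(
            f"iptables -A {chain} -p {r.proto} -s {r.src} -d {r.dst} "
            f"--dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT"
        )
    lines.append(f"iptables -P {chain} DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    policy, unmatched = build_meta_policy("192.168.10.23", SAMPLE_TCP, SAMPLE_UDP)
    print(render_iptables(policy))
    for row in unmatched:
        print("# not involving the host, review manually:", row)
```

To use it against a real capture, save the tshark output first (`tshark -nr input.pcap -q -z conv,tcp > tcp.txt`, likewise for UDP) and pass the file contents in place of the samples. Two caveats follow directly from the answer: the conversation table only tells you which endpoint pairs talked, not who initiated, so the ephemeral-port heuristic can misclassify inbound services running on high ports; and the output is only ever a whitelist of what one machine did on one day, which is exactly the least-privilege problem Kurt raises, so the default DROP at the end is the only thing keeping the generated rule set from being a "permit everything seen" policy.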

Well, thank you very much. I just joined my new company, and that's one of the first things they asked me to check. I was a bit suspicious, but now I won't hesitate to tell them that it's a bad idea.

Thank you again!

(06 Sep '13, 04:42) go3th

good luck.

(09 Sep '13, 08:16) Kurt Knochner ♦