Using NCM to find botched NCM jobs.

leegillespie

We've farmed out some NCM work to contractors that have used it poorly.  So in order to find where we need to fix our firewalls I'd like to use regex to find a particular grouping.

I need to find any line in a firewall that has deny ip any any and then a permit statement on the next line.  Here is an example:

permit ip host 150.175.61.65 any

permit icmp any any

deny   ip any any log

permit tcp any host 193.142.211.22

permit tcp any host 193.142.211.21

permit tcp any host 193.142.211.18

Any suggestions on how to accomplish this is greatly appreciated.

jkrenzien

There are a couple ways to skin this cat. First Chris T has one that should work. The way i would handle it is :

     deny\s+ip any any log(\n|\r)\s*([^ip]|[^deny])

However there is a more exacting fix you may want to consider. If you have ACLs that shouldn't change or are standard through several devices I would create a rule just for that acl. Make it a regex rule and replace all line returns with (\n|\r)\s* I would also excape all of the periods and regex the spaces. For example.

     permit ip host 150.175.61.65 any

     permit icmp any any

     deny   ip any any log

would turn into

     permit\s+ip\s+host\s+150\.175\.61\.65\s+any(\n|\r)\s*permit\s+icmp\s+any\s+any(\n|\r)\s*deny\s+ip\s+any\s+any\s+log

This would allow you to create a remediation script for the ACL. It is a bit of work and I probably wouldn't do it for ACLs that are used on only one device unless there is a history of unapproved changes to it.