:py:mod:`dissect.target.plugins.os.windows.firewall`
====================================================

.. py:module:: dissect.target.plugins.os.windows.firewall


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.firewall.WindowsFirewallPlugin
   dissect.target.plugins.os.windows.firewall.LogConfig


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.firewall.WindowsFirewallLogRecord


.. py:data:: WindowsFirewallLogRecord

.. py:class:: WindowsFirewallPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Windows Firewall plugin.

   .. py:attribute:: __namespace__
      :value: 'firewall'

      Defines the plugin namespace.

   .. py:attribute:: RULE_KEYS
      :value: ('HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRule...

   .. py:attribute:: LOGGING_KEYS
      :value: ('HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\PublicProfil...

   .. py:attribute:: keys

   .. py:attribute:: log_paths

   .. py:method:: find_rule_keys() -> collections.abc.Iterator[dissect.target.helpers.regutil.RegistryKey]

   .. py:method:: find_log_paths() -> collections.abc.Iterator[pathlib.Path]

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: rules() -> collections.abc.Iterator[dissect.target.helpers.record.DynamicDescriptor]

      Return firewall rules saved in the Windows registry.

      On Windows, firewall rules are stored as values under the
      ``HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules`` registry key.
      Each value holds one pipe-delimited rule string (``v2.x|Action=...|Active=...|Dir=...|...``), whose
      fields are mapped onto the record below.

      .. rubric:: References

      - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2efe0b76-7b4a-41ff-9050-1023f8196d16

      Yields dynamic records, usually with the following fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          key (string): The rule key name (the registry value holding the rule).
          version (string): The version prefix of the rule string.
          action (string): The Action field of the rule.
          active (boolean): Whether the rule is enabled.
          dir (string): The direction of the rule (In or Out).
          protocol (string): The IANA protocol of the rule (for example 6 for TCP, 17 for UDP).
          lport (string): The local port or port range of the rule (LPort).
          rport (string): The remote port or port range of the rule (RPort).
          profile (string): The Profile field of the rule.
          app (string): The App field of the rule (program path).
          svc (string): The Svc field of the rule (service name).
          name (string): The Name field of the rule.
          desc (string): The Desc field of the rule.
          embed_ctxt (string): The EmbedCtxt field of the rule.

   .. py:method:: logs() -> collections.abc.Iterator[WindowsFirewallLogRecord]

      Parse Windows Firewall log files.

      Currently parses only ``pfirewall*`` files in ``sysvol\Windows\System32\LogFiles\Firewall\``.
      Log locations configured dynamically, for example with
      ``netsh advfirewall set currentprofile logging filename``, are not yet parsed, so a log that was
      moved elsewhere by policy or by an attacker will not be found by this method.

      .. rubric:: References

      - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging

      Yields Windows Firewall log records with the following fields:

      .. code-block:: text

          ts (datetime): The timestamp of the log entry.
          hostname (string): The target hostname.
          domain (string): The target domain.
          action (string): ALLOW or DROP, as written in the log.
          protocol (string): TCP, UDP or another IANA protocol value.
          src_ip (net.ipaddress): Source IP address.
          dst_ip (net.ipaddress): Destination IP address.
          src_port (varint): Source port number.
          dst_port (varint): Destination port number.
          size (filesize): Size in bytes of the packet(s).
          tcpflags (string): TCP header control flags.
          tcpsyn (string): TCP sequence number.
          tcpack (string): TCP acknowledgement number.
          tcpwin (string): TCP window size in bytes.
          icmptype (string): ICMP packet type.
          icmpcode (string): ICMP packet code.
          info (string): Additional information.
          path (string): Direction of the traffic, either SEND, RECEIVE, FORWARD or UNKNOWN.
          source (path): Path of the log file the record line came from.

.. py:class:: LogConfig

   Windows Firewall log (``pfirewall.log``) file config parser.

   The ``#Fields:`` header line defines the column order of the data lines that follow, and the
   set of fields can differ depending on configuration and version, so a parser must take the
   column layout from the header rather than assume it.

   Example structure of a regular ``pfirewall.log`` file:

   .. code-block::

       #Version: 1.5
       #Software: Microsoft Windows Firewall
       #Time Format: Local
       #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
       2022-01-01 13:37:00 DROP UDP 1.2.3.4 5.6.7.8 1234 5678 1337 - - - - - - - RECEIVE

   .. py:attribute:: raw
      :type: list[str]

   .. py:attribute:: version
      :type: float | None
      :value: None

   .. py:attribute:: software
      :type: str | None
      :value: None

   .. py:attribute:: time_format
      :type: str | None
      :value: None

   .. py:attribute:: fields
      :type: list[str] | None
      :value: None

   .. py:method:: __post_init__()
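The rule strings that ``rules()`` reads from the ``FirewallRules`` registry key are pipe-delimited
``v2.x|Name=Value|...`` values. The following is an added example, not dissect.target's own
implementation: it parses such strings into records with the field names documented above
(``Profile`` may repeat, ``Active`` becomes a boolean, numeric ``Protocol`` values are named) and
then applies one triage heuristic a responder typically runs over the result, flagging enabled
inbound Allow rules whose program lives outside the usual Windows locations. The value names,
rule strings and the "trusted prefix" list are constructed for illustration.

```python
"""Parse Windows Firewall rule strings (FirewallPolicy\\FirewallRules values) and triage them.

Added example; not dissect.target code. Sample values below are constructed.
"""
from __future__ import annotations

from collections.abc import Iterable, Iterator

# Constructed sample: registry value name -> REG_SZ rule string (hypothetical names).
SAMPLE_RULES: dict[str, str] = {
    "{RULE-1-RDP}": (
        "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|"
        "LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=TermService|"
        "Name=Remote Desktop - User Mode (TCP-In)|Desc=Inbound rule for RDP|"
        "EmbedCtxt=@FirewallAPI.dll,-28752|"
    ),
    "{RULE-2-UPDATE}": (
        "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=Any|RPort=Any|"
        "App=C:\\Users\\Public\\update.exe|Name=Update Helper|"
    ),
    "{RULE-3-SMB}": "v2.31|Action=Block|Active=FALSE|Dir=Out|Protocol=6|RPort=445|Name=Block SMB out|",
}

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
# Output field names follow the plugin's documented record; EmbedCtxt is the one
# name that does not lower-case into the documented form.
FIELD_NAMES = {"embedctxt": "embed_ctxt"}
# Assumed list of locations where legitimate inbound-allow programs normally live.
TRUSTED_APP_PREFIXES = ("%systemroot%", "%programfiles%", "c:\\windows\\", "c:\\program files")


def parse_rule(key: str, value: str) -> dict[str, object]:
    """Turn one ``v<major>.<minor>|Name=Value|...`` string into a flat record."""
    parts = value.rstrip("|").split("|")
    if not parts[0].startswith("v"):
        raise ValueError(f"{key}: not a firewall rule string")
    record: dict[str, object] = {"key": key, "version": parts[0][1:]}
    profiles: list[str] = []  # Profile= may occur once per profile the rule applies to
    for part in parts[1:]:
        name, sep, raw = part.partition("=")  # split on the first '=' only
        if not sep:
            continue  # tolerate a stray token rather than drop the whole rule
        field = FIELD_NAMES.get(name.lower(), name.lower())
        if field == "active":
            record[field] = raw.upper() == "TRUE"
        elif field == "protocol":
            record[field] = PROTOCOL_NAMES.get(int(raw), raw) if raw.isdigit() else raw
        elif field == "profile":
            profiles.append(raw)
        else:
            record[field] = raw
    record["profile"] = profiles
    return record


def unusual_inbound_allows(rules: Iterable[dict[str, object]]) -> Iterator[dict[str, object]]:
    """Yield enabled inbound Allow rules whose program is missing or outside the trusted
    prefixes. This is a hunting heuristic (malware commonly adds such rules), not a verdict."""
    for rule in rules:
        if not rule.get("active") or rule.get("dir") != "In" or rule.get("action") != "Allow":
            continue
        app = str(rule.get("app", "")).lower()
        if not app or not app.startswith(TRUSTED_APP_PREFIXES):
            yield rule


if __name__ == "__main__":
    parsed = [parse_rule(k, v) for k, v in SAMPLE_RULES.items()]
    for rule in unusual_inbound_allows(parsed):
        print(f"{rule['key']}: {rule['name']} allows {rule['protocol']} in for {rule['app']}")
```

The parser keeps ports and profiles as the strings the rule carries (``Any``, ``3389``, ``80-90``)
because the documented record types them as strings; convert to ranges only where a later check
needs it.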
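Both ``logs()`` and ``LogConfig`` above depend on reading the ``#Fields:`` header before
interpreting data lines, since the column set varies by version and configuration. The block
below is an added example, not the project's ``LogConfig`` or ``logs()`` code: it parses the
header into a small config, maps each data line onto the header's columns (with ``-`` meaning
absent, addresses and ports typed, ``date`` and ``time`` joined into ``ts``), skips lines whose
column count does not match the header instead of guessing alignment, and finishes with a
first-pass triage of inbound drops per source address. Both sample logs are constructed; the
second one uses a deliberately shorter field set to show that the header drives the mapping.

```python
"""Parse pfirewall.log using its #Fields header; added example, not dissect.target code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address

# Constructed sample log, not captured from a real host. The last line is truncated on purpose.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-01-01 13:37:00 DROP UDP 1.2.3.4 5.6.7.8 1234 5678 1337 - - - - - - - RECEIVE
2022-01-01 13:37:01 ALLOW TCP 10.0.0.5 10.0.0.9 49712 445 52 S 1234567 0 64240 - - - SEND
2022-01-01 13:37:02 DROP ICMP 10.0.0.7 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2022-01-01 13:37:03 DROP TCP
"""

# Constructed shorter layout (hypothetical header) to show header-driven column mapping.
SAMPLE_LOG_SHORT = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2022-01-01 13:38:00 DROP TCP 192.0.2.10 10.0.0.5 51000 22
"""

INT_FIELDS = {"src_port", "dst_port", "size"}
IP_FIELDS = {"src_ip", "dst_ip"}


@dataclass
class LogConfig:
    version: float | None = None
    software: str | None = None
    time_format: str | None = None
    fields: list[str] = field(default_factory=list)


def _apply_header(config: LogConfig, line: str) -> None:
    name, _, value = line[1:].partition(":")
    value = value.strip()
    if name == "Version":
        config.version = float(value)
    elif name == "Software":
        config.software = value
    elif name == "Time Format":
        config.time_format = value
    elif name == "Fields":
        config.fields = value.split()


def _to_record(fields: list[str], tokens: list[str]) -> dict[str, object]:
    # Header names use '-', the record uses '_' (src-ip -> src_ip); '-' as a value means absent.
    raw = {f.replace("-", "_"): (t if t != "-" else None) for f, t in zip(fields, tokens)}
    rec: dict[str, object] = {}
    date, time = raw.pop("date", None), raw.pop("time", None)
    if date and time:
        rec["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    for name, value in raw.items():
        if value is None:
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        elif name in IP_FIELDS:
            try:
                rec[name] = ip_address(value)
            except ValueError:  # keep odd forms (e.g. scoped IPv6 on old Pythons) as text
                rec[name] = value
        else:
            rec[name] = value
    return rec


def parse_log(text: str) -> tuple[LogConfig, list[dict[str, object]]]:
    """Return the header config and the typed records of one pfirewall.log."""
    config = LogConfig()
    records: list[dict[str, object]] = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        if line.startswith("#"):
            _apply_header(config, line)
            continue
        if not config.fields:
            raise ValueError("data line encountered before the #Fields header")
        tokens = line.split()
        if len(tokens) != len(config.fields):
            continue  # truncated or foreign line: skip rather than misalign columns
        records.append(_to_record(config.fields, tokens))
    return config, records


def count_inbound_drops(records: list[dict[str, object]]) -> dict[str, int]:
    """Inbound DROP events per source address: a quick scan/probe indicator."""
    counts: dict[str, int] = {}
    for rec in records:
        if rec.get("action") == "DROP" and rec.get("path") == "RECEIVE" and rec.get("src_ip"):
            key = str(rec["src_ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

``tcp*`` and ``icmp*`` columns are left as strings, matching the record types documented for
``logs()``; only the fields that are always numeric or addresses are converted.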