dissect.target.plugins.os.windows.firewall
Module Contents
Classes
- WindowsFirewallPlugin: Windows Firewall plugin.
- LogConfig: Windows Firewall Log
Attributes
- dissect.target.plugins.os.windows.firewall.WindowsFirewallLogRecord
- class dissect.target.plugins.os.windows.firewall.WindowsFirewallPlugin(target: dissect.target.target.Target)
Bases: dissect.target.plugin.Plugin
Windows Firewall plugin.
- __namespace__ = 'firewall'
Defines the plugin namespace.
- RULE_KEYS = ('HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRule...
- LOGGING_KEYS = ('HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\PublicProfil...
- keys
- log_paths
- find_rule_keys() -> collections.abc.Iterator[dissect.target.helpers.regutil.RegistryKey]
- find_log_paths() -> collections.abc.Iterator[pathlib.Path]
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- rules() -> collections.abc.Iterator[dissect.target.helpers.record.DynamicDescriptor]
Return firewall rules saved in the Windows registry.
For a Windows operating system, the Firewall rules are stored in the HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules registry key.
References
Yields dynamic records with usually the following fields:
- hostname (string): The target hostname.
- domain (string): The target domain.
- key (string): The rule key name.
- version (string): The version field of the rule.
- action (string): The action of the rule.
- active (boolean): Whether the rule is active.
- dir (string): The direction of the rule.
- protocol (string): The specified IANA protocol (UDP, TCP, etc).
- lport (string): The listening port or range of the rule.
- rport (string): The receiving port or range of the rule.
- profile (string): The Profile field of the rule.
- app (string): The App field of the rule.
- svc (string): The Svc of the rule.
- name (string): The Name of the rule.
- desc (string): The Desc of the rule.
- embed_ctxt (string): The EmbedCtxt of the rule.
- logs() -> collections.abc.Iterator[WindowsFirewallLogRecord]
Parse Windows Firewall log files.
Currently parses pfirewall* files in sysvol\Windows\System32\LogFiles\Firewall\ only. Does not yet parse dynamically set log locations, e.g. netsh advfirewall set currentprofile logging filename.
References
Yields Windows Firewall log records with the following fields:
- ts (datetime): The timestamp of the log entry.
- hostname (string): The target hostname.
- domain (string): The target domain.
- action (string): Allow or Block.
- protocol (string): TCP, UDP or other IANA protocol value.
- src_ip (net.ipaddress): Source IP address.
- dst_ip (net.ipaddress): Destination IP address.
- src_port (varint): Source port number.
- dst_port (varint): Destination port number.
- size (filesize): Size in bytes of the packet(s).
- tcpflags (string): TCP header control flags.
- tcpsyn (string): TCP sequence number.
- tcpack (string): TCP acknowledgement number.
- tcpwin (string): TCP window size in bytes.
- icmptype (string): ICMP packet type.
- icmpcode (string): ICMP packet code.
- info (string): Additional information.
- path (string): Direction of the traffic, either SEND, RECEIVE, FORWARD or UNKNOWN.
- source (path): Source path of the record log line.
- class dissect.target.plugins.os.windows.firewall.LogConfig
Windows Firewall Log pfirewall.log file config parser. Fields can differ depending on configuration and version.
Example structure of a regular pfirewall.log file:
    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    2022-01-01 13:37:00 DROP UDP 1.2.3.4 5.6.7.8 1234 5678 1337 - - - - - - - RECEIVE
- raw: list[str]
- software: str | None = None
- time_format: str | None = None
- fields: list[str] | None = None
- __post_init__()
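The logs() method and the LogConfig parser above both rely on one property of the pfirewall.log format: the column layout is declared by the #Fields header rather than fixed, and "-" marks a value that does not apply to the record. The following is an added example of a parser written on that principle; it is not dissect.target's own LogConfig or logs() implementation. The names LogHeader, FirewallEntry, parse_pfirewall_log and dropped_inbound are assumptions made for this example, and the sample log text is constructed, modelled on the example structure documented above.

```python
"""Added example: parse a Windows Firewall pfirewall.log using its #Fields header.

Illustrative code, not dissect.target's LogConfig/logs() implementation. The
names LogHeader, FirewallEntry and parse_pfirewall_log are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections.abc import Iterator
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any

# Constructed sample, modelled on the example structure documented for LogConfig.
# The last line is deliberately malformed to show how short records are handled.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-01-01 13:37:00 DROP UDP 1.2.3.4 5.6.7.8 1234 5678 1337 - - - - - - - RECEIVE
2022-01-01 13:37:01 ALLOW TCP 10.0.0.5 10.0.0.9 49152 445 52 S 1234567 0 64240 - - - SEND
2022-01-01 13:37:02 DROP ICMP 10.0.0.7 10.0.0.9 - - 60 - - - - 8 0 - RECEIVE
this line is truncated and must be skipped
"""

# Typed conversion for the fields whose type is known; anything else stays a
# string. A "-" token becomes None regardless of the field.
CONVERTERS = {
    "src-ip": ipaddress.ip_address,
    "dst-ip": ipaddress.ip_address,
    "src-port": int,
    "dst-port": int,
    "size": int,
}


@dataclass
class LogHeader:
    """Metadata from the '#'-prefixed header lines (hypothetical counterpart of LogConfig)."""

    version: str | None = None
    software: str | None = None
    time_format: str | None = None
    fields: list[str] = field(default_factory=list)


@dataclass
class FirewallEntry:
    ts: datetime            # naive; the header's "Time Format" says which zone applies
    values: dict[str, Any]  # keyed by the header field names, e.g. "src-ip"


def parse_header_line(header: LogHeader, line: str) -> None:
    """Fill one header attribute from a line such as '#Fields: date time ...'."""
    key, _, value = line[1:].partition(":")
    key, value = key.strip().lower(), value.strip()
    if key == "version":
        header.version = value
    elif key == "software":
        header.software = value
    elif key == "time format":
        header.time_format = value
    elif key == "fields":
        header.fields = value.split()


def parse_pfirewall_log(text: str) -> tuple[LogHeader, list[FirewallEntry], int]:
    """Return (header, entries, skipped_count).

    Column positions come from the #Fields header instead of being hard-coded,
    because the layout differs between firewall configurations and versions.
    Lines whose token count does not match the header, or whose typed fields
    fail to convert, are counted as skipped rather than silently misparsed.
    """
    header = LogHeader()
    entries: list[FirewallEntry] = []
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            parse_header_line(header, line)
            continue
        tokens = line.split()
        if not header.fields or len(tokens) != len(header.fields):
            skipped += 1
            continue
        try:
            values = {
                name: None if tok == "-" else CONVERTERS.get(name, str)(tok)
                for name, tok in zip(header.fields, tokens)
            }
            ts = datetime.strptime(f"{values['date']} {values['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            skipped += 1
            continue
        entries.append(FirewallEntry(ts=ts, values=values))
    return header, entries, skipped


def dropped_inbound(entries: list[FirewallEntry]) -> Iterator[FirewallEntry]:
    """Yield blocked traffic received by the host, the usual first triage filter."""
    for entry in entries:
        if entry.values.get("action") == "DROP" and entry.values.get("path") == "RECEIVE":
            yield entry


if __name__ == "__main__":
    hdr, recs, bad = parse_pfirewall_log(SAMPLE_LOG)
    print(f"{hdr.software} v{hdr.version}: {len(hdr.fields)} fields, {len(recs)} records, {bad} skipped")
    for rec in dropped_inbound(recs):
        v = rec.values
        print(f"{rec.ts} {v['protocol']} {v['src-ip']} -> {v['dst-ip']}:{v['dst-port']}")
```

Two details matter when using output like this in an investigation. The parsed timestamps are naive because the header says "Time Format: Local", so they must be shifted by the host's timezone before being correlated with UTC sources such as event logs or network captures. And the skipped count is worth reporting, since a partially written or truncated last line is common in a log collected from a live host.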