This project analyzes permitted traffic from a user's firewall using a Python script. The script uses Dijkstra's algorithm to find the shortest paths in a network graph and outputs the paths with various details, including port/service names and path coloring based on specific criteria.
- Network Graph Construction: The script builds a network graph from a CSV file containing firewall traffic data.
- Dijkstra's Algorithm: Finds the shortest paths from a start IP or subnet to an end IP or subnet.
- Port Parsing: Converts known sub-1024 ports to their respective service names or formats them as `TCP:<port>`.
- Path Coloring: Highlights paths based on criteria such as the shortest path (`byFastest`) or specific weights (`byWeight`).
- Detailed Path Output: Includes information such as the source, destination, link color, link text (port/service name), weight, node count, and value.
The input CSV file should have the following columns:
- `src_ip`: Source IP address
- `dest_ip`: Destination IP address
- `dest_port`: Destination port
- `dest_port_weight`: Weight of the destination port
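As an added illustration (not the project's own `find_route.py`), the following Python builds the graph from a CSV with exactly these columns and runs Dijkstra from a start IP or subnet to an end IP or subnet, reporting each hop with its port/service label and weight. The sample CSV rows and the small well-known-port table are constructed assumptions for the demo.

```python
import csv, heapq, io, ipaddress
# Constructed sample in the README's CSV layout (not real firewall data).
SAMPLE_CSV = """src_ip,dest_ip,dest_port,dest_port_weight
10.0.0.1,10.0.0.2,22,1
10.0.0.2,10.0.1.4,443,1
10.0.0.1,10.0.0.3,3389,5
10.0.0.3,10.0.1.4,8080,1
10.0.0.1,10.0.1.4,9000,10
"""
# Assumed well-known-port table; the real script's mapping may differ.
SERVICES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def parse_port(port, parse=True):
    """Service name for known sub-1024 ports, otherwise TCP:<port>."""
    if parse and port < 1024 and port in SERVICES:
        return SERVICES[port]
    return f"TCP:{port}"

def build_graph(text):
    """Adjacency map src -> [(dst, weight, port)], one edge per permitted flow."""
    graph = {}
    for row in csv.DictReader(io.StringIO(text)):
        edge = (row["dest_ip"], float(row["dest_port_weight"]), int(row["dest_port"]))
        graph.setdefault(row["src_ip"], []).append(edge)
        graph.setdefault(row["dest_ip"], [])  # sinks still need a key
    return graph

def shortest_path(graph, start, end):
    """Dijkstra from any node in `start` to any node in `end` (IP or CIDR); returns (total_weight, hops) or None."""
    start_net, end_net = (ipaddress.ip_network(a, strict=False) for a in (start, end))
    dist = {n: 0.0 for n in graph if ipaddress.ip_address(n) in start_net}
    prev, heap = {}, [(0.0, n) for n in dist]
    heapq.heapify(heap)
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]: continue  # stale entry superseded by a shorter route
        if ipaddress.ip_address(node) in end_net:
            hops = []
            while node in prev:  # walk predecessors back to the start
                src, port, w = prev[node]
                hops.append((src, node, parse_port(port), w))
                node = src
            return d, hops[::-1]
        for nxt, w, port in graph[node]:
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + w, (node, port, w)
                heapq.heappush(heap, (d + w, nxt))
    return None  # no permitted route between the two ends
```

Calling `shortest_path(build_graph(SAMPLE_CSV), "10.0.0.1", "10.0.1.4")` returns the two-hop route through the jumphost `10.0.0.2` (SSH, then HTTPS) with total weight 2.0, rather than the heavier direct or RDP-based alternatives.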
The script can be run with the following command:
```bash
python find_route.py <delete_flag> <input_csv> <start_ip_or_subnet> <end_ip_or_subnet> [<pathColoring>] [<parsePort>]
```
- `delete_flag`: Set to `1` to delete the input CSV file after processing.
- `input_csv`: Path to the input CSV file.
- `start_ip_or_subnet`: Start IP address or subnet.
- `end_ip_or_subnet`: End IP address or subnet.
- `pathColoring` (optional): Set to `byFastest` or `byWeight` for different path coloring criteria.
- `parsePort` (optional): Set to `1` to parse ports into service names, otherwise ports are formatted as `TCP:<port>`.
### Example Command
```bash
python find_route.py 0 traffic_data.csv 10.0.0.0/24 10.0.0.4 byFastest 1
```
To integrate this script with Splunk, you can use the `| map` command to trigger the Python script based on search results.
- Save Permitted Traffic Data to CSV: in Splunk, use the following search query to save permitted traffic data to a CSV file:

```
index=firewall_logs action=permitted | table src_ip dest_ip dest_port dest_port_weight | outputcsv traffic_data.csv
```

- Trigger the Python Script: use the `| map` command to trigger the Python script with the necessary arguments:

```
| map search="| script python find_route.py 0 $SPLUNK_HOME/var/run/splunk/csv/traffic_data.csv 10.0.0.0/24 10.0.0.4 byFastest 1"
```

Remember that `| outputcsv` writes only to the Splunk directory `$SPLUNK_HOME/var/run/splunk/csv`. This directory cannot be changed.
The three dashboard screenshots below show how the data can be presented, including visualizations of the network graph, path details, and relevant metrics:
- All jumphost routes between Subnet A and Subnet B, with the outlying routes being those that need only a single jumphost
- Zoomed-in view of the diagram
- With only single-jumphost routes filtered, the jumps are easier to see; here well-known ports are highlighted in red
- find_route.py: The main script for analyzing firewall traffic and finding routes.
- README.md: Documentation for the project.
This project is licensed under the MIT License. See the LICENSE file for details.
Contributions are welcome! Please read the CONTRIBUTING file for guidelines on contributing to this project.
By following the steps and utilizing the provided script, you can effectively analyze and visualize network traffic paths based on firewall logs in Splunk.