Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cisco ASA output of command "show access-list" is not properly parsed #1279

Closed
empusas opened this issue Jan 5, 2023 · 1 comment
Closed

Cisco ASA output of command "show access-list" is not properly parsed #1279

empusas opened this issue Jan 5, 2023 · 1 comment

Comments

@empusas
Copy link

empusas commented Jan 5, 2023

The output of the "show access-list" command is not properly parsed for a vASA Version 9.16(2)14.
The "alert-interval x" parameter of the first line is actually in the 2nd line with some tabs before.
This causes the template to fail

ISSUE TYPE
  • Template Issue with error and raw data
TEMPLATE USING
cisco_asa_show_access-list.textfsm

Value Required ACL_NAME (\S+)
Value ACL_TOT_ELEM (\d+)
Value ACL_NAME_HASH (0x\w+)
Value TYPE (standard|extended)
Value LINE_NUM (\d+)
Value REMARK (.+?)
Value ACTION (permit|deny)
Value PROTOCOL ([a-z]+)
Value SVC_OBJECT_GRP (\S+)
Value SVC_OBJECT (\S+)
Value SRC_INTFC (\S+)
Value SRC_OBJECT_GRP (\S+)
Value SRC_OBJECT (\S+)
Value SRC_HOST (\S+)
Value SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value SRC_ANY (any[46]{0,1})
Value DST_INTFC (\S+)
Value DST_OBJECT_GRP (\S+)
Value DST_OBJECT (\S+)
Value DST_HOST (\S+)
Value DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value DST_MASK (\d+\.\d+\.\d+\.\d+)
Value DST_ANY (any[46]{0,1})
Value DST_PORT (\S+)
Value DST_PORT_GRP (\S+)
Value DST_PORT_OBJECT (\S+)
Value LOG_LEVEL ([a-z0-9]+)
Value LOG_INTERVAL (\d+)
Value STATE (inactive)
Value HIT_COUNT (\d+)
Value LINE_HASH (0x\w+)
Value ENTRY_PROTOCOL_ICMP (icmp)
Value ENTRY_PROTOCOL ([a-z\-]+)
Value ENTRY_SRC_FQDN (\S+)
Value ENTRY_SRC_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_ANY (any[46]{0,1})
Value ENTRY_SRC_FQDN_STATE (unresolved)
Value ENTRY_DST_FQDN (\S+)
Value ENTRY_DST_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_HOST (\S+)
Value ENTRY_DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_ANY (any[46]{0,1})
Value ENTRY_DST_FQDN_STATE (unresolved)
Value ENTRY_ICMP_TYPE (echo-reply|unreachable|echo|time-exceeded)
Value ENTRY_ICMP_CODE (\d+)
Value ENTRY_PORT ([a-z\-]+\s+\d+|[\w\-]+)
Value ENTRY_PORT_LESS_THAN ([a-z\-]+\s+\d+|\w+)
Value ENTRY_PORT_GREATER_THAN ([a-z\-]+\s+\d+|\w+)
Value ENTRY_PORT_RANGE_START ([a-z\-]+\s+\d+|\w+)
Value ENTRY_PORT_RANGE_END ([a-z\-]+\s+\d+|\w+)
Value ENTRY_HIT_COUNT (\d+)
Value ENTRY_STATE (inactive)
Value ENTRY_HASH (0x\w+)

Start
  ^access\-list\s+${ACL_NAME};\s+${ACL_TOT_ELEM}\s+elements;\s+name\s+hash:\s+${ACL_NAME_HASH}\s* -> Record
  ^access-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+remark\s+${REMARK}\s*$$ -> Record
  ^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+(object\-group\s+${SVC_OBJECT_GRP}|object\s+${SVC_OBJECT}|${PROTOCOL})\s+(interface\s+${SRC_INTFC}|object\-group\s+${SRC_OBJECT_GRP}|object\s+${SRC_OBJECT}|host\s+${SRC_HOST}|${SRC_NETWORK}\s+${SRC_MASK}|${SRC_ANY})\s+(interface\s+${DST_INTFC}|object\-group\s+${DST_OBJECT_GRP}|object\s+${DST_OBJECT}|host\s+${DST_HOST}|${DST_NETWORK}\s+${DST_MASK}|${DST_ANY})\s+((eq\s+${DST_PORT}|object\-group\s+${DST_PORT_GRP}|object\s+${DST_PORT_OBJECT})\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}((log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default))\s+){0,1}(${STATE}\s+){0,1}\(hitcnt=${HIT_COUNT}\)\s+(\(inactive\)\s+){0,1}${LINE_HASH}\s* -> Record
  ^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+${ENTRY_PROTOCOL_ICMP}\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}(fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_ANY})\s+(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}(log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
  ^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(${ENTRY_PROTOCOL}\s+){0,1}(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}((fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_ANY})\s+){0,1}(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}((eq\s+${ENTRY_PORT}|lt\s+${ENTRY_PORT_LESS_THAN}|gt\s+${ENTRY_PORT_GREATER_THAN}|range\s+${ENTRY_PORT_RANGE_START}\s+${ENTRY_PORT_RANGE_END})\s+){0,1}(log\s+([a-z0-9]+\s+interval\s+\d+|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
  ^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+\((hitcnt=${ENTRY_HIT_COUNT})\)\s+${ENTRY_HASH}\s* -> Record
  ^.* -> Error "Did not match any rules"

EOF
SAMPLE COMMAND OUTPUT
vASA-test# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list global-acl-testfw; 189 elements; name hash: 0xc434329c
access-list global-acl-testfw line 1 remark ms CH404453959
access-list global-acl-testfw line 2 extended permit object-group PSD_remedy_DB object-group Testbox object-group CP_remedy_DB log informational interval 300 (hitcnt=0) 0x8aaa38f9
SUMMARY
STEPS TO REPRODUCE
from ntc_templates.parse import parse_output
import json

access_list1 = '''
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list global-acl-testfw; 189 elements; name hash: 0xc434329c
access-list global-acl-testfw line 1 remark ms CH404453959
access-list global-acl-testfw line 2 extended permit object-group PSD_remedy_DB object-group Testbox object-group CP_remedy_DB log informational interval 300 (hitcnt=0) 0x8aaa38f9
'''
object_parsed = parse_output(platform="cisco_asa", command="show access-list", data=access_list1)
print(json.dumps(object_parsed, indent=4))
EXPECTED RESULTS

All ACL details properly parsed

ACTUAL RESULTS

Throws Error:

raise TextFSMError('Error: %s. Rule Line: %s. Input Line: %s.'
textfsm.parser.TextFSMError: Error: "Did not match any rules". Rule Line: 69. Input Line: .
@SaschaSchwarzK SaschaSchwarzK mentioned this issue Apr 11, 2023
Merged
@mjbear
Copy link
Contributor

mjbear commented Jul 29, 2024

@jmcgill298
This was the 4th of 4 issues mentioned in PR #1351 so it can be resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@empusas @jmcgill298 @mjbear