- Removed bool apply_implicit_rule - Set default implicit_rule to EXPLICIT DENY - Added position to ACLs in laydown configs - Removed apply_implicit_rule from training configs
@@ -91,6 +91,7 @@
|
||||
destination: 192.168.1.2
|
||||
protocol: TCP
|
||||
port: 80
|
||||
position: 0
|
||||
- item_type: ACL_RULE
|
||||
id: '7'
|
||||
permission: ALLOW
|
||||
@@ -98,3 +99,4 @@
|
||||
destination: 192.168.1.1
|
||||
protocol: TCP
|
||||
port: 80
|
||||
position: 0
|
||||
|
||||
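Review bot: Both rules touched in this laydown file receive `position: 0`: the rule that ends just before `id: '7'` and, judging by the hunk line numbers, rule `id: '7'` itself. How the loader resolves two rules claiming the same slot is not visible in this diff. If the later one overwrites, shifts or is rejected, the effective rule set no longer matches the file, and with the implicit rule now an explicit DENY a dropped ALLOW silently blocks that traffic. Give each rule its own slot, for example `position: 1` on rule `id: '7'`, or state in a comment above the rules how equal positions are handled.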
@@ -17,8 +17,6 @@ num_train_episodes: 1
|
||||
# Number of time_steps for training per episode
|
||||
num_train_steps: 5
|
||||
|
||||
# Choice whether to have an ALLOW or DENY implicit rule or not (TRUE or FALSE)
|
||||
apply_implicit_rule: True
|
||||
# Implicit ACL firewall rule at end of lists to be default action or no rule can be selected (ALLOW or DENY)
|
||||
implicit_acl_rule: DENY
|
||||
# Total number of ACL rules allowed in the environment
|
||||
|
||||
@@ -39,8 +39,6 @@ agent_load_file: C:\[Path]\[agent_saved_filename.zip]
|
||||
# Environment config values
|
||||
# The high value for the observation space
|
||||
observation_space_high_value: 1_000_000_000
|
||||
# Choice whether to have an ALLOW or DENY implicit rule or not (TRUE or FALSE)
|
||||
apply_implicit_rule: True
|
||||
# Implicit ACL firewall rule at end of lists to be default action or no rule can be selected (ALLOW or DENY)
|
||||
implicit_acl_rule: DENY
|
||||
# Reward values
|
||||
|
||||
@@ -37,10 +37,6 @@ load_agent: False
|
||||
# File path and file name of agent if you're loading one in
|
||||
agent_load_file: C:\[Path]\[agent_saved_filename.zip]
|
||||
|
||||
|
||||
|
||||
# Choice whether to have an ALLOW or DENY implicit rule or not (True or False)
|
||||
apply_implicit_rule: True
|
||||
# Implicit ACL firewall rule at end of lists to be default action or no rule can be selected (ALLOW or DENY)
|
||||
implicit_acl_rule: DENY
|
||||
# Total number of ACL rules allowed in the environment
|
||||
|
||||
@@ -47,7 +47,6 @@ agent_load_file: C:\[Path]\[agent_saved_filename.zip]
|
||||
observation_space_high_value: 1000000000
|
||||
|
||||
# Choice whether to have an ALLOW or DENY implicit rule or not (TRUE or FALSE)
|
||||
apply_implicit_rule: True
|
||||
implicit_acl_rule: DENY
|
||||
max_number_acl_rules: 10
|
||||
# Reward values
|
||||
|
||||
@@ -7,7 +7,7 @@ from primaite.acl.acl_rule import ACLRule
|
||||
|
||||
def test_acl_address_match_1():
|
||||
"""Test that matching IP addresses produce True."""
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
rule = ACLRule("ALLOW", "192.168.1.1", "192.168.1.2", "TCP", "80")
|
||||
|
||||
@@ -16,7 +16,7 @@ def test_acl_address_match_1():
|
||||
|
||||
def test_acl_address_match_2():
|
||||
"""Test that mismatching IP addresses produce False."""
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
rule = ACLRule("ALLOW", "192.168.1.1", "192.168.1.2", "TCP", "80")
|
||||
|
||||
@@ -25,7 +25,7 @@ def test_acl_address_match_2():
|
||||
|
||||
def test_acl_address_match_3():
|
||||
"""Test the ANY condition for source IP addresses produce True."""
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
rule = ACLRule("ALLOW", "ANY", "192.168.1.2", "TCP", "80")
|
||||
|
||||
@@ -34,7 +34,7 @@ def test_acl_address_match_3():
|
||||
|
||||
def test_acl_address_match_4():
|
||||
"""Test the ANY condition for dest IP addresses produce True."""
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
rule = ACLRule("ALLOW", "192.168.1.1", "ANY", "TCP", "80")
|
||||
|
||||
@@ -44,7 +44,7 @@ def test_acl_address_match_4():
|
||||
def test_check_acl_block_affirmative():
|
||||
"""Test the block function (affirmative)."""
|
||||
# Create the Access Control List
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
# Create a rule
|
||||
acl_rule_permission = "ALLOW"
|
||||
@@ -62,14 +62,13 @@ def test_check_acl_block_affirmative():
|
||||
acl_rule_port,
|
||||
acl_position_in_list,
|
||||
)
|
||||
print(len(acl.acl), "len of acl list\n", acl.acl[0])
|
||||
assert acl.is_blocked("192.168.1.1", "192.168.1.2", "TCP", "80") == False
|
||||
|
||||
|
||||
def test_check_acl_block_negative():
|
||||
"""Test the block function (negative)."""
|
||||
# Create the Access Control List
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
# Create a rule
|
||||
acl_rule_permission = "DENY"
|
||||
@@ -94,7 +93,7 @@ def test_check_acl_block_negative():
|
||||
def test_rule_hash():
|
||||
"""Test the rule hash."""
|
||||
# Create the Access Control List
|
||||
acl = AccessControlList(True, "DENY", 10)
|
||||
acl = AccessControlList("DENY", 10)
|
||||
|
||||
rule = ACLRule("DENY", "192.168.1.1", "192.168.1.2", "TCP", "80")
|
||||
hash_value_local = hash(rule)
|
||||
@@ -102,3 +101,65 @@ def test_rule_hash():
|
||||
hash_value_remote = acl.get_dictionary_hash("DENY", "192.168.1.1", "192.168.1.2", "TCP", "80")
|
||||
|
||||
assert hash_value_local == hash_value_remote
|
||||
|
||||
|
||||
def test_delete_rule():
|
||||
"""Adds 3 rules and deletes 1 rule and checks its deletion."""
|
||||
# Create the Access Control List
|
||||
acl = AccessControlList("ALLOW", 10)
|
||||
|
||||
# Create a first rule
|
||||
acl_rule_permission = "DENY"
|
||||
acl_rule_source = "192.168.1.1"
|
||||
acl_rule_destination = "192.168.1.2"
|
||||
acl_rule_protocol = "TCP"
|
||||
acl_rule_port = "80"
|
||||
acl_position_in_list = "0"
|
||||
|
||||
acl.add_rule(
|
||||
acl_rule_permission,
|
||||
acl_rule_source,
|
||||
acl_rule_destination,
|
||||
acl_rule_protocol,
|
||||
acl_rule_port,
|
||||
acl_position_in_list,
|
||||
)
|
||||
|
||||
# Create a second rule
|
||||
acl_rule_permission = "DENY"
|
||||
acl_rule_source = "20"
|
||||
acl_rule_destination = "30"
|
||||
acl_rule_protocol = "FTP"
|
||||
acl_rule_port = "21"
|
||||
acl_position_in_list = "2"
|
||||
|
||||
acl.add_rule(
|
||||
acl_rule_permission,
|
||||
acl_rule_source,
|
||||
acl_rule_destination,
|
||||
acl_rule_protocol,
|
||||
acl_rule_port,
|
||||
acl_position_in_list,
|
||||
)
|
||||
|
||||
# Create a third rule
|
||||
acl_rule_permission = "ALLOW"
|
||||
acl_rule_source = "192.168.1.3"
|
||||
acl_rule_destination = "192.168.1.1"
|
||||
acl_rule_protocol = "UDP"
|
||||
acl_rule_port = "60"
|
||||
acl_position_in_list = "4"
|
||||
|
||||
acl.add_rule(
|
||||
acl_rule_permission,
|
||||
acl_rule_source,
|
||||
acl_rule_destination,
|
||||
acl_rule_protocol,
|
||||
acl_rule_port,
|
||||
acl_position_in_list,
|
||||
)
|
||||
# Remove the second ACL rule added from the list
|
||||
acl.remove_rule("DENY", "20", "30", "FTP", "21")
|
||||
|
||||
assert len(acl.acl) == 10
|
||||
assert acl.acl[2] is None
|
||||
|
||||
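Review bot: The two final assertions in `test_delete_rule` can pass without `add_rule` or `remove_rule` doing anything. If the list is pre-filled with `None` up to the maximum (which `len(acl.acl) == 10` suggests), slot 2 is `None` and the length is 10 before any rule is added. Pin the state on both sides of the removal: `assert acl.acl[2] is not None` immediately before `acl.remove_rule(...)`, and `assert acl.acl[0] is not None and acl.acl[4] is not None` after it. That also checks that positions passed as the strings "0", "2" and "4" land at the integer indexes the assertions use. Separately, none of the visible tests covers the behaviour this commit makes the default. Consider adding a case that builds `AccessControlList("DENY", 10)` and asserts `is_blocked(...)` is true for traffic that matches no rule, so a regression to fail-open is caught.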