netutils

Cisco ASA Banner Parsing Issue

Open kisahae opened this issue 1 year ago • 1 comments

Environment

  • Python version: 3.11.1
  • netutils version: 1.9

Expected Behavior

Banner as children probably should not be parsed like banner login or banner motd.

Observed Behavior

Example config: We have a snippet code like this

group-policy Grs-POLICY attributes
 banner value xxx
 banner value xxxxx
 dns-server value x.x.x.x x.x.x.x

This raises an error message

raise ValueError("There was an error parsing your banner, the end of the banner could not be found")

Steps to Reproduce

from netutils.config.parser import ASAConfigParser, ConfigLine

config = '''
group-policy Grs-POLICY attributes
 banner value xxx
 banner value xxxxx
 dns-server value x.x.x.x x.x.x.x'''

config_tree = ASAConfigParser(str(config))
print(config_tree)

NB: Our temporary solution is to remove the lstrip() from def is_banner_start(self, line: str) in the parser.py file. We are still not sure if this can affect other device platforms. Perhaps opening the issue and discussing it together is a better option. Have a nice day everyone!

kisahae Jul 26 '24 07:07

Can you show the actual config on the asa, e.g. not what you put in your Python shell, but the actual show run of the device?

itdependsnetworks Jul 26 '24 15:07

The config is similar to what is shown in the issue description.

In the issue I am facing, there is no top-level banner config, like banner motd or banner login, just this implementation of the banner:

group-policy Grs-POLICY attributes
 banner value xxx
 banner value xxxxx
 dns-server value x.x.x.x x.x.x.x

It seems that when a banner message is multiline, and implemented like so, you would write the banner as

group-policy Grs-POLICY attributes
 banner value banner message line 1
 banner value banner message line 2

Please let me know if there is any other information I can provide to assist.

huacchob Oct 30 '24 19:10

@jmcgill298 can you help?

itdependsnetworks Dec 12 '24 20:12

ya, someone else asked me about a similar situation, and my suggestion was to update the code to only look for banner at the root level. I don't believe the banner config issues are the same in any of the nested banners, but I'm not certain on that.

jmcgill298 Dec 12 '24 20:12

Seems like we want banner_start = ["banner motd", "banner exec", "banner login", "banner asdm"] in the ciscoAsa parser class

Then these nested banners (banner value under a policy) won't be treated as a banner at all.

jeffkala Dec 12 '24 20:12

I think just universally moving the check for banner configs so it only looks at the root level is probably better. I'm not sure what all banner xyz options there are (I do remember coming across some that I did not expect before)

jmcgill298 Dec 12 '24 21:12

> ya, someone else asked me about a similar situation, and my suggestion was to update the code to only look for banner at the root level. I don't believe the banner config issues are the same in any of the nested banners, but I'm not certain on that.

We also do the same. We assume that no banner configuration starts with whitespace. So the word "banner" as child config would not be treated as the real banner configuration. In this case, it is just treated as a usual config. I would like to contribute if removing the "lstrip" (as I suggested before) can fix the issue and doesn't affect other platform types.

Edit: The solution has been added to v1.11.0. Thank you everyone. Waiting for the latest version to be merged 😄

kisahae Dec 18 '24 10:12
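
The root-level banner check discussed in this thread, as an added sketch that is not netutils code. The names Line, parse, banners and BANNER_START are hypothetical, and the sample config is the issue's snippet plus a constructed hostname line and a constructed top-level banner motd line. It compares matching after lstrip() with matching only on unindented lines, and records each line's parents so the nested banner value lines show up as ordinary children of the group-policy.

```python
from typing import NamedTuple

# Assumed prefix list for this sketch; not taken from the netutils source.
BANNER_START = ("banner",)

# Constructed sample: the issue's snippet plus a hostname and a top-level banner.
SAMPLE_CONFIG = """\
hostname asa01
group-policy Grs-POLICY attributes
 banner value xxx
 banner value xxxxx
 dns-server value x.x.x.x x.x.x.x
banner motd Authorized access only
"""


class Line(NamedTuple):
    text: str
    parents: tuple[str, ...]
    is_banner: bool


def parse(config: str, root_only: bool) -> list[Line]:
    """Indentation-based parse that flags banner starts by the chosen check."""
    result: list[Line] = []
    stack: list[tuple[int, str]] = []  # (indent, text) of currently open parents
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Close every parent that is not shallower than the current line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        # lstrip() makes an indented child look like a root-level banner.
        candidate = raw if root_only else raw.lstrip()
        is_banner = candidate.startswith(BANNER_START)
        result.append(Line(raw.strip(), tuple(t for _, t in stack), is_banner))
        stack.append((indent, raw.strip()))
    return result


def banners(config: str, root_only: bool) -> list[str]:
    """Lines that would be handed to banner parsing under each check."""
    return [line.text for line in parse(config, root_only) if line.is_banner]


if __name__ == "__main__":
    print("lstrip   :", banners(SAMPLE_CONFIG, root_only=False))
    print("root only:", banners(SAMPLE_CONFIG, root_only=True))
```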