ACL Analysis fails when FQDN line is encountered
Offending line (example): access-list data line 296 extended permit tcp host x.x.x.x fqdn some.fqdn.com (resolved) eq www 0xf824edb7
Could be because it's treating the parenthesis and expecting a hit count (INT), yet it finds none, so it crashes.
Yes it definitely is. I can write a fix in for this no problem.
Thanks!
We have an ASA with a few thousand lines, your tool is invaluable and exactly what we've been looking for!
This being said, a couple of other strange things are happening, however I wouldn't know how to even begin reporting them here ...
@sypher01 can you post an example of the error? I can't seem to reproduce the problem.
Actually, this is what I was running into with issue #4 I posted.
access-list
Etc.
I'm not great with Python, so I'm not sure how your script is reading lines (if it is line by line, or by named line). But adding the following to the acl_hit_analysis does not help:
elif words[9] == "fqdn": pass
The error also references the object-group parser and I'm not sure why - however, I did notice this in remarks from the config, too. Maybe if the object or object-group name has "fqdn" in the name itself?
I formatted that wrong, but the token should still be 9
access-list name line # extended permit tcp host host fqdn (resolved) eq https
I was able to fix this by adding:
elif re.match("(resolved)|(unresolved)",word): return 0
to the get_hits function.
Elegant, probably not. Functional, I suppose.
I will likely be fixing this in a 1.1.0 release.
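An added example, not the project's code and not part of any comment above: one tolerant way to read "show access-list" lines so that an FQDN parent line with no (hitcnt=N) token does not crash the analysis. The function names and sample lines are constructed for illustration; a missing counter is returned as None rather than 0 so it is not mistaken for an unused rule.

```python
import re

# Hit counter as printed on expanded ACL entries, e.g. "(hitcnt=12)".
HITCNT_RE = re.compile(r"\(hitcnt=(\d+)\)")
# FQDN marker on the parent line, e.g. "fqdn some.fqdn.com (resolved)".
FQDN_RE = re.compile(r"\bfqdn\s+(\S+)\s+\((resolved|unresolved)\)")


def parse_acl_line(line):
    """Return a dict for one ACL entry, or None for header/remark lines.

    'hits' is None when the line carries no counter (the FQDN case),
    so callers can tell "no counter" apart from "zero hits".
    """
    words = line.split()
    if len(words) < 5 or words[0] != "access-list" or words[2] != "line":
        return None
    if not words[3].isdigit() or words[4] == "remark":
        return None
    hit = HITCNT_RE.search(line)
    fqdn = FQDN_RE.search(line)
    return {
        "acl": words[1],
        "line": int(words[3]),
        "hits": int(hit.group(1)) if hit else None,
        "fqdn": fqdn.group(1) if fqdn else None,
        "fqdn_state": fqdn.group(2) if fqdn else None,
    }


def unused_entries(lines):
    """(acl, line) pairs with a zero counter; counter-less lines are skipped."""
    out = []
    for entry in filter(None, map(parse_acl_line, lines)):
        if entry["hits"] == 0:
            out.append((entry["acl"], entry["line"]))
    return out


# Constructed sample; the second line is the one quoted in this issue.
SAMPLE = [
    "access-list data line 295 extended permit tcp host 192.0.2.10 host 198.51.100.5 eq https (hitcnt=0) 0x11111111",
    "access-list data line 296 extended permit tcp host x.x.x.x fqdn some.fqdn.com (resolved) eq www 0xf824edb7",
    "access-list data line 297 extended permit udp any any eq domain (hitcnt=42) 0x22222222",
    "access-list data line 298 remark fqdn rules below",
]
```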