Custom risk alerts

When rulesets are imported and when paths are analyzed, NP-View automatically runs a set of risk assessment plugins to check for rules and paths that do not respect best practices, or that could be flagged as risky. The following plugins are included by default:

  • AnyDestIP: Rule has 'any' destination network IP range
  • AnyDestPort: Rule has 'any' destination port range
  • AnyProtocol: Rule permits any protocol
  • AnySrcIP: Rule has 'any' source network IP range
  • AnytoAnyIP: Rule has 'any' source and 'any' destination network IP ranges
  • BigDestIP: Rule has destination network IP range that exceeds /24
  • ICMP: Permit rule references ICMP protocol
  • MSServices: Rule has destination services matching list of Microsoft Server Services
  • PathAnyProtocol: Path allows any protocol
  • PathBigDestRange: Path has destination network IP range that exceeds that of a /24
  • PathMultipleDestPorts: Path allows more than one destination port

Plugins are written in Python and their source code is available at the following path:

  • For Windows and Linux releases: `NPView/plugins/`
  • For Mac release: `NPView.app/Contents/Resources/Java/plugins/`

Plugins can be enabled or disabled through the Risk Alert Options dialog available in the Analysis menu. The list of activated plugins is saved across restarts and updates in the risk_plugin variable of the configuration file np-view.properties at the root of the NP-View folder.

Adding a New Plugin

The steps to add a new plugin called Test are the following:

  • Create a folder named pluginTest inside the plugins/rule folder (NPView/plugins/rule on Windows and Linux, and NPView.app/Contents/Resources/Java/plugins/rule on Mac)
  • Create two files inside the pluginTest folder, a plugin source code file named pluginTest.py, and a plugin declaration file named pluginTest.yapsy-plugin
  • Add the import line from yapsy.IPlugin import IPlugin at the top of the file pluginTest.py, and add a class pluginTest(IPlugin) with a method applyFilter(self, rule) that returns True (plugin triggered) or False (nothing to report)
  • Add a Yapsy plugin declaration header in the file pluginTest.yapsy-plugin that has a [Core] section with a Name and a Module name, and a [Documentation] section with an Author and a Description (example provided below)
  • Launch NP-View and check the box for the new plugin in the Risk Alert Options dialog under the Analysis menu.

Example of file pluginTest.py

from yapsy.IPlugin import IPlugin

class pluginTest(IPlugin):
    def applyFilter(self, rule):
        # Return True to raise the alert for this rule, False otherwise.
        return True

The rule data structure is a Python dictionary that gives access to the following dictionary keys:

bindings["ingress"]: incoming binding interface
bindings["egress"]: outgoing binding interface
deviceName: name of the device in which the rule has been defined
aclName: the name of the access control list in which the rule is stored
ruleName: the name of the rule
type: the type of the rule
srcIP: array of source IPRanges
dstIP: array of destination IPRanges
encrypted: True or False
permit: True or False
lines: the configuration file line numbers in which the rule is defined
service: a dictionary with protocols as keys, and dstRange and srcRange as subkeys.

Example of file pluginTest.yapsy-plugin

[Core]
Name   = Test
Module = pluginTest

[Documentation]
Author = John Doe
Description = This is a test plugin
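
A fuller rule plugin, as an added example that is not part of NP-View or its shipped plugins: it flags unencrypted permit rules whose TCP destination ports include a cleartext service (FTP, Telnet, HTTP). The plugin name pluginClearText, the helper port_ranges, the "tcp" protocol key and the "first"/"last" layout of dstRange are assumptions (the latter borrowed from the PortRange description for paths); check them against one of the shipped plugins in the plugins folder.

```python
# pluginClearText.py (hypothetical plugin name, added example)
try:
    from yapsy.IPlugin import IPlugin
except ImportError:          # lets the logic be tested outside NP-View
    IPlugin = object

# Well-known cleartext TCP services: FTP, Telnet, HTTP
CLEARTEXT_TCP_PORTS = (21, 23, 80)


def port_ranges(value):
    """Normalize a port-range entry to a list of (first, last) tuples.

    ASSUMPTION: a range is a dict with "first"/"last" keys, given either
    alone or inside a list.
    """
    if value is None:
        return []
    if isinstance(value, dict):
        value = [value]
    return [(int(r["first"]), int(r["last"])) for r in value]


class pluginClearText(IPlugin):
    def applyFilter(self, rule):
        # Only permit rules that are not encrypted are of interest.
        if not rule.get("permit") or rule.get("encrypted"):
            return False
        for proto, ranges in (rule.get("service") or {}).items():
            if str(proto).lower() != "tcp":   # ASSUMPTION: key is "tcp"
                continue
            for first, last in port_ranges(ranges.get("dstRange")):
                if any(first <= p <= last for p in CLEARTEXT_TCP_PORTS):
                    return True    # plugin triggered
        return False               # nothing to report


# Constructed sample rules (not NP-View output) using the documented keys.
SAMPLE_TELNET = {"ruleName": "r1", "permit": True, "encrypted": False,
                 "service": {"tcp": {"dstRange": [{"first": 20, "last": 25}]}}}
SAMPLE_SSH = {"ruleName": "r2", "permit": True, "encrypted": False,
              "service": {"tcp": {"dstRange": [{"first": 22, "last": 22}]}}}
SAMPLE_DENY = dict(SAMPLE_TELNET, ruleName="r3", permit=False)
```

As with pluginTest, the file goes in its own pluginClearText folder under plugins/rule, next to a pluginClearText.yapsy-plugin declaration whose Module is pluginClearText.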

Plugins can also be created for path analysis results. The path data structure is a Python object that gives access to the following variables:

  • protocol: the protocol(s) allowed in the path
  • PathEndpoint: the source (key "type" equal to "begin") or destination (key "type" equal to "end") addresses and ports, defined using:
    • the IPRange key that has the subkeys "first" and "last" to define the starting and ending IP addresses of the range
    • the PortRange key that has the subkeys "first" and "last" to define the starting and ending port numbers of the range
  • PathPoint: an array of intermediary nodes traversed by the path. Each PathPoint has a key "id" that matches the internal node id value used by NP-View

For more information about Yapsy plugins, please visit http://yapsy.sourceforge.net/

For any question, please contact support@network-perception.com.