
Monday, 15 January 2018

Firepower IPS search for certain CVE

Sometimes you might need to know whether your Firepower software protects against a certain published vulnerability. In other words: does your Firepower box have the rules required to recognise the signatures of a certain vulnerability?
First you need to find the CVE (Common Vulnerabilities and Exposures) number and write it down, for instance CVE-2017-5354.
Now go to your Firepower Virtual Defense Centre:

  1. Edit your Intrusion Policy and go to the Rules section.
  2. On the left side accordion panel select "Rule Content".
  3. Click Reference (as per below).
  4. Click CVE ID and enter the CVE code (do not include CVE-  !!)

Enter the CVE ID and click OK. For CVE-2017-5754 this could give the following output:

As you can see in the picture above, the Firepower engine contains IPS rules to recognise the signature of CVE-2017-5754 (Meltdown).


Sunday, 17 December 2017

Directing traffic from your ASA to a Firepower module

I'd like to do a little post on how to direct traffic to your Firepower module, because without directing traffic to it, IPS and malware analysis are really no good; you will need to give the Firepower module something to work with, sort of the same as 'interesting traffic' on a crypto map.

Typically all traffic is directed to your Firepower module, even if you only want to do IPS and malware detection and keep all your access-lists/policies on your ASA. In that case you simply don't create any access-lists on your Firepower module and leave all L3/L4 filtering to the traditional ASA.

So first verify that your FP module is inserted:

ASA-FW1# sh module

Mod  Card Type                                                                 Model              Serial No.
---- --------------------------------------------                      ------------------ -----------
   1 ASA 5516-X with FirePOWER services, 8GE, AC,             ASA5516            JADxyz
 sfr FirePOWER Services Software Module                            ASA5516            JADxyz

You will now need to install the software on it. I will not go into detail, so use

If you decide to deploy your Firepower module inline, you will need to define what traffic you want to send to it by putting some configuration in place on the ASA. Typically all traffic is directed to the Firepower module (match any in the configuration example below). First the class-map firepower matches all traffic; it is then applied to the global policy-map, where the sfr fail-open command brings the Firepower module inline.

class-map firepower
 match any
policy-map global_policy
 class firepower
  sfr fail-open
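As an added check (example code, not from the post or from Cisco), the following parses the class-map and policy-map blocks of an ASA running-config and reports which classes hand traffic to the sfr module and whether the redirect is fail-open (module down means traffic passes uninspected) or fail-close; the config fragment is constructed around the post's snippet.

```python
"""Report which ASA traffic classes are redirected to the FirePOWER (sfr) module.

Added example, not from the original post. The running-config fragment below
is constructed; its class-map / policy-map / sfr lines mirror the post.
"""
import re

ASA_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map firepower
 match any
!
policy-map global_policy
 class inspection_default
  inspect dns
 class firepower
  sfr fail-open
!
service-policy global_policy global
"""


def parse_blocks(config, kind):
    """Return {name: [indented lines]} for every `<kind> <name>` block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line starts/ends a block
            m = re.match(rf"{kind} (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def sfr_redirects(config):
    """List (policy_map, class, match_lines, mode, monitor_only) per sfr class."""
    class_maps = parse_blocks(config, "class-map")
    report = []
    for pm, lines in parse_blocks(config, "policy-map").items():
        cls = None
        for line in lines:
            if line.startswith("class "):
                cls = line.split(" ", 1)[1]
            elif line.startswith("sfr ") and cls:
                # fail-open: module down => traffic bypasses inspection;
                # fail-close: module down => traffic is dropped;
                # monitor-only: module only sees a copy (passive).
                mode = "fail-close" if "fail-close" in line else "fail-open"
                matches = class_maps.get(cls, ["<class-map not found>"])
                report.append((pm, cls, matches, mode, "monitor-only" in line))
    return report


if __name__ == "__main__":
    for pm, cls, matches, mode, passive in sfr_redirects(ASA_CONFIG):
        print(f"{pm}/{cls}: {', '.join(matches)} -> sfr {mode}"
              f"{' (monitor-only)' if passive else ''}")
```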

You can verify whether the Firepower module is receiving any traffic by going to the FireSIGHT Management Center and analysing the connection events.


Thursday, 23 November 2017

Juniper SRX basic troubleshoot commands

show security zones:

This will display the various 'zones'/logical interfaces together with their physical interfaces.


SRX-FW1> show interfaces terse

This will show you all the interfaces, their IP addresses and status.

SRX-FW1> show chassis routing-engine

Shows uptime, serial number, CPU utilisation, temperature etc.


show security ipsec inactive-tunnels detail:

This will tell you when tunnels went down and came back up, and also tells you the remote GW IP address.

show security ipsec security-associations

This will tell you what encryption is used.

This command will also provide details such as the index of the SA. Every SA has an inbound and an outbound leg (indicated by the arrows left of the SA ID).

You can drill down into each SA by issuing: show security ipsec security-associations index <number>. This will tell you exactly which policy belongs to which SA.

show security ike security-associations detail

This will show whether a tunnel has any input and output.

show security ike active-peer

Displays IKE and remote IP addresses.

Troubleshooting traffic flows:

show security flow session source-prefix <ipaddr/32> destination-prefix <ipaddr/32>
This will show you which TCP sessions are in progress or were attempted. A very useful command if you want to find out whether traffic is actually hitting your firewall.

show security match-policies from-zone <name> to-zone <name2> source-ip <src-ip> destination-ip <dst-ip> destination-port <port> protocol <protocol>

This command is extremely useful; it is pretty much the Junos CLI version of the ASA packet tracer, in that it tells you how certain traffic gets treated by the Junos firewall engine.

show security policies hit-count

This will show you an increasing hit count against your security policies, which is very useful: if you generate traffic against a certain intended policy and its hit count stays at zero, you potentially need to revise your policies.

SRX-FW1> show configuration system syslog

This will tell you the names of the log files, for instance:

file traffic {
    any any;
    archive files 100;
}
file block_traffic {
    any any;
}

monitor traffic matching "net" no-resolve brief

monitor traffic matching "net" no-resolve detail

Show the traffic log:

SRX-FW1> show log traffic | ?
Possible completions:
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the --More-- prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  refresh              Refresh a continuous display of the command
  request              Make system-level requests
  resolve              Resolve IP addresses
  save                 Save output text to file
  trim                 Trim specified number of columns from start of line

So if you want to search for an IP address, for instance, issue:

SRX-FW1> show log traffic | find <ip-address>


Monday, 21 August 2017

Using SNMP to monitor class maps / interface policies, as well as some Solarwinds

Sometimes it is just plain useful to get some insight into the traffic classes that you use in some policy-map on, yes, some interface. Many organisations will have some sort of NetFlow tool deployed in their network, but that does not really give you any details on the bit rates and drop rates that occur on an interface in times of congestion. Sure, Cisco Prime can quantify QoS, but using SNMP pollers is much cheaper. The trick is to find the right OID to poll. So let me get stuck right into it.


From your Cisco device's CLI, issue the following:

EXECUTE: show snmp mib ifmib ifindex

GigabitEthernet0/1.100: Ifindex = 14
GigabitEthernet0/1: Ifindex = 3
GigabitEthernet0/1.10: Ifindex = 20
GigabitEthernet0/1.9: Ifindex = 19
Backplane-GigabitEthernet0/3: Ifindex = 4
GigabitEthernet0/1.7: Ifindex = 17
Async0/0/3: Ifindex = 9
Async0/0/1: Ifindex = 7
GigabitEthernet0/1.5: Ifindex = 15
GigabitEthernet0/1.3: Ifindex = 13
Loopback0: Ifindex = 10
Embedded-Service-Engine0/0: Ifindex = 1
Null0: Ifindex = 5
GigabitEthernet0/0: Ifindex = 2    <-------this is the interface we are interested in
GigabitEthernet0/1.11: Ifindex = 11
GigabitEthernet0/1.8: Ifindex = 18
GigabitEthernet0/1.6: Ifindex = 16
Async0/0/2: Ifindex = 8
Async0/0/0: Ifindex = 6
GigabitEthernet0/1.2: Ifindex = 12


Get the cbQosIfIndex OID for the ifindex you retrieved in Step 1 (ifindex=2 in this case).

EXECUTE: snmp walk: <>


. = INTEGER: 2
. = INTEGER: 11
. = INTEGER: 12
. = INTEGER: 13
. = INTEGER: 14
. = INTEGER: 15
. = INTEGER: 16
. = INTEGER: 17
. = INTEGER: 18
. = INTEGER: 19
. = INTEGER: 20

The cbQosPolicyIndex value returned, in this example, is 34.

This means that on interface Gi0/0 (INTEGER: 2) the cbQosPolicyIndex = 34.


Use the MIB object cbQosCMName to get the names of the class-maps configured on the router.

Now query the class-map configuration as follows:

snmp walk:  <.>

. = STRING: "class-default"
. = STRING: "cm-prec-2-out"
. = STRING: "cm-prec-3-out"
. = STRING: "cm-prec-1-out"
. = STRING: "cm-prec-4-5-out"
. = STRING: "cm-prec-2-in"
. = STRING: "cm-prec-3-in"
. = STRING: "cm-prec-4-in"
. = STRING: "cm-prec-1-in"

Suppose we are interested in the QoS config of "cm-prec-4-5-out". Make a note of the highlighted value 12472097, which is the cbQosConfigIndex.


Use cbQosConfigIndex to get the cbQosPolicyIndex and cbQosObjectsIndex for individual class-maps.

In order to get the Object Identifier (OID), search for the cbQosConfigIndex value obtained in Step 3 (12472097) in the output below:

EXECUTE: snmp walk: <>


. = GAUGE32: 14151856
. = GAUGE32: 10273235
. = GAUGE32: 5239858
. = GAUGE32: 12472097    <---- cm-prec-4-5-out
. = GAUGE32: 11175747
. = GAUGE32: 855826
. = GAUGE32: 1594
. = GAUGE32: 13688019
.  = GAUGE32: 1593
. = GAUGE32: 8774209
. = GAUGE32: 12112579
. = GAUGE32: 1594
. = GAUGE32: 9357059
. = GAUGE32: 10583344
. = GAUGE32: 1593
. = GAUGE32: 5252402
. = GAUGE32: 14230322
. = GAUGE32: 2482753
. = GAUGE32: 5276466
. = GAUGE32: 1434177 <--cm-prec-2-out
. = GAUGE32: 14812867
. = GAUGE32: 1298848
. = GAUGE32: 15444834
. = GAUGE32: 6784962

In the output above the highlighted values are: cbQosConfigIndex (12472097), cbQosPolicyIndex (34), and cbQosObjectsIndex (2196705).


Now let us pull some relevant information off the router; let's find out how much traffic is in cm-prec-4-5-out:

Router# show policy-map interface GigabitEthernet0/0

EXECUTE: snmp walk <>
. = GAUGE32: 0
all policy map classes:
. = GAUGE32: 0                     <----- 4-5 out
. = GAUGE32: 119000                <----- default bps
. = GAUGE32: 0                     <----- 1 out
. = GAUGE32: 163000
. = GAUGE32: 3000                  <----- 3 out
. = GAUGE32: 29000                 <----- 2 out

Time to get into some practicalities. Once you have obtained the 3 values:
cbQosConfigIndex (12472097)
cbQosPolicyIndex (34)
cbQosObjectsIndex (2196705)
you can poll data from the policy-map (in correlation with cbQosObjectsType=classmap).

Use the base OID; many options are available:
+-- -R-- Counter   cbQosCMPrePolicyPktOverflow(1)
+-- -R-- Counter   cbQosCMPrePolicyPkt(2)
+-- -R-- Counter64 cbQosCMPrePolicyPkt64(3)
+-- -R-- Counter   cbQosCMPrePolicyByteOverflow(4)
+-- -R-- Counter   cbQosCMPrePolicyByte(5)
+-- -R-- Counter64 cbQosCMPrePolicyByte64(6)
+-- -R-- Gauge     cbQosCMPrePolicyBitRate(7)
+-- -R-- Counter   cbQosCMPostPolicyByteOverflow(8)
+-- -R-- Counter   cbQosCMPostPolicyByte(9)
+-- -R-- Counter64 cbQosCMPostPolicyByte64(10)
+-- -R-- Gauge     cbQosCMPostPolicyBitRate(11)
+-- -R-- Counter   cbQosCMDropPktOverflow(12)
+-- -R-- Counter   cbQosCMDropPkt(13)
+-- -R-- Counter64 cbQosCMDropPkt64(14)
+-- -R-- Counter   cbQosCMDropByteOverflow(15)
+-- -R-- Counter   cbQosCMDropByte(16)
+-- -R-- Counter64 cbQosCMDropByte64(17)
+-- -R-- Gauge     cbQosCMDropBitRate(18)
+-- -R-- Counter   cbQosCMNoBufDropPktOverflow(19)
+-- -R-- Counter   cbQosCMNoBufDropPkt(20)
+-- -R-- Counter64 cbQosCMNoBufDropPkt64(21)

For example, cbQosCMPostPolicyBitRate polls the bit rate of the traffic after QoS policy execution, derived from 11 in the table above, so the drop rate would be cbQosCMDropBitRate (18).
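The index chain above (ifindex to cbQosPolicyIndex, cbQosCMName to cbQosConfigIndex, cbQosConfigIndex to policy.objects, then the stats row) is what a custom poller has to resolve. The following is an added example, not from the post: it replays that chain over constructed snmpwalk output (the real OIDs were stripped from the page), using the standard CISCO-CLASS-BASED-QOS-MIB OID bases; the cm-prec-4-5-out index values come from the post, everything else is constructed filler.

```python
"""Correlate CISCO-CLASS-BASED-QOS-MIB walks into per-class-map rates.

Added example, not from the original post. OID bases are the standard
CISCO-CLASS-BASED-QOS-MIB ones; the cm-prec-4-5-out indexes (ifindex 2,
policy 34, config 12472097, objects 2196705) are the post's, the other
rows are constructed filler.
"""
import re

BASE = "1.3.6.1.4.1.9.9.166.1"
CBQOS_IF_INDEX = BASE + ".1.1.1.4"       # cbQosIfIndex.<policyIndex>
CBQOS_CONFIG_INDEX = BASE + ".5.1.1.2"   # cbQosConfigIndex.<policy>.<objects>
CBQOS_CM_NAME = BASE + ".7.1.1.1"        # cbQosCMName.<configIndex>
CBQOS_CM_POST_BPS = BASE + ".15.1.1.11"  # cbQosCMPostPolicyBitRate (11 above)
CBQOS_CM_DROP_BPS = BASE + ".15.1.1.18"  # cbQosCMDropBitRate (18 above)

# Constructed walk: policy 34 is on ifindex 2 (Gi0/0), policy 35 on ifindex 11.
WALK = f"""
{CBQOS_IF_INDEX}.34 = INTEGER: 2
{CBQOS_IF_INDEX}.35 = INTEGER: 11
{CBQOS_CM_NAME}.12472097 = STRING: "cm-prec-4-5-out"
{CBQOS_CM_NAME}.1434177 = STRING: "cm-prec-2-out"
{CBQOS_CM_NAME}.1593 = STRING: "class-default"
{CBQOS_CONFIG_INDEX}.34.2196705 = Gauge32: 12472097
{CBQOS_CONFIG_INDEX}.34.2196721 = Gauge32: 1434177
{CBQOS_CONFIG_INDEX}.34.2196737 = Gauge32: 1593
{CBQOS_CONFIG_INDEX}.35.1000001 = Gauge32: 1593
{CBQOS_CM_POST_BPS}.34.2196705 = Gauge32: 0
{CBQOS_CM_POST_BPS}.34.2196721 = Gauge32: 29000
{CBQOS_CM_POST_BPS}.34.2196737 = Gauge32: 119000
{CBQOS_CM_POST_BPS}.35.1000001 = Gauge32: 5000
{CBQOS_CM_DROP_BPS}.34.2196705 = Gauge32: 0
{CBQOS_CM_DROP_BPS}.34.2196721 = Gauge32: 1000
{CBQOS_CM_DROP_BPS}.34.2196737 = Gauge32: 0
{CBQOS_CM_DROP_BPS}.35.1000001 = Gauge32: 0
"""

LINE_RE = re.compile(r'^(\S+) = \w+: "?([^"]*)"?$')

def parse_walk(text):
    """Return {oid: value-as-string} from snmpwalk-style lines."""
    out = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out

def under(table, base):
    """Yield (index_suffix, value) for every OID directly under `base`."""
    prefix = base + "."
    for oid, val in table.items():
        if oid.startswith(prefix):
            yield oid[len(prefix):], val

def class_rates(walk_text, ifindex):
    """Map class-map name -> indexes and rates for the policies on ifindex."""
    table = parse_walk(walk_text)
    policies = {p for p, v in under(table, CBQOS_IF_INDEX) if int(v) == ifindex}
    names = dict(under(table, CBQOS_CM_NAME))
    post = dict(under(table, CBQOS_CM_POST_BPS))
    drop = dict(under(table, CBQOS_CM_DROP_BPS))
    result = {}
    for suffix, cfg in under(table, CBQOS_CONFIG_INDEX):
        policy, objects = suffix.split(".")
        if policy in policies and cfg in names:   # class-map rows only
            result[names[cfg]] = {            # key by (policy, name) if in+out
                "config_index": int(cfg), "policy_index": int(policy),
                "objects_index": int(objects), "stats_suffix": suffix,
                "post_policy_bps": int(post.get(suffix, 0)),
                "drop_bps": int(drop.get(suffix, 0)),
            }
    return result
```

The `stats_suffix` (policy.objects, e.g. 34.2196705) is the row you tick in a custom poller to graph one class map.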

Solarwinds configuration
Solarwinds NPM has the ability to poll certain OIDs through customised pollers.
Go to Universal Device Pollers:

As you can see, we are polling to find the post policy bit rate. The OID will actually return a table with the traffic rates for all class maps on all applied interfaces.
The post policy bit rate poller can be summarised as per above. Now let's have a closer look in Solarwinds NPM at a device that we have assigned the poller to:

The picture above shows the bit rate for the class map cm-prec-4-5-out (yes, exactly the same name as when querying earlier on in this post). To choose which rows are graphed, go to EDIT in the graph above.
As can be seen above, only 18.1136785 is graphed, which is cm-prec-4-5-out.
If you wanted to graph more class maps, for instance cm-prec-3-out (= STRING: "cm-prec-3-out", = GAUGE32: 2482753 in the walks above), you could tick 18.11057649 in the device poller graph above for cm-prec-3-out to be graphed.

Thursday, 27 July 2017

Raspberry pi Cron jobs

There really isn't much Raspi-specific about cron jobs, but I started looking into how cron jobs work when I was trying to run a Python script automatically. Cron jobs can be very useful for executing looping Python scripts, because the cron job will restart your script, for instance after your Raspi has lost power and reboots.

Cron is essentially a daemon that starts up at boot.

On the Raspi (and most CentOS/Linux distros), the location of the crontab file is:


The crontab file is where you define all the executions that need to take place and at what time.

The crontab syntax is as per below.

A crontab file has five fields for specifying day, date and time, followed by the command to be run at that interval.


crontab -e    Edit crontab file, or create one if it doesn't already exist.
crontab -l    List cron jobs: display crontab file contents.
crontab -r    Remove your crontab file.
crontab -v    Display the last time you edited your crontab file. (This option is only available on a few systems.)

So to start editing use crontab -e, which will open the crontab in nano; add your executions, then CONTROL+O to save, then exit.

For example:

The line below in a crontab file deletes all files in a temp folder at 18:30 every day:

30     18     *     *     *         rm /home/trespasser/tmp/*

If you wanted to log the execution of the above crontab line, redirect its output to a log file as per below:

30     18     *     *     *         rm /home/trespasser/tmp/* > /home/trespasser/cronlogs/clean_tmp_dir.log


You can edit the crontab to execute a certain line at a certain interval, say every 5 minutes, all the time. To do that, and let me keep the previous Python script execution as our example:

*/5 * * * * sudo python3 /home/pi/pythonscripts/ > /home/pi/pythonscripts/cronlog.log

Here, the line is executed every 5 minutes, disregarding time of day.

You might want to run a Python script in the background at a certain frequency. Now you could loop the script itself, but that would mean you would need to constantly have a session open to the Raspi, or start it up manually each time it lost power or got recycled, unless you run it with nohup (I will discuss this in a separate post).

Of course none of this is any good if the cron daemon is not running. To verify that it is:

pi@raspberrypi:/var/log$ service cron status

cron is running.

Now, what you have to remember is that the HOME directory from which crontab works is /home. This means that if you want to run a script from any directory other than /home, one of its subdirectories for instance, it is wise to put a cd in the crontab line first to move to the directory from which to execute the script.

Now, before you rely on your crontab's execution, it is good to try the command line that you added to the crontab file from the command prompt, to see that you did not make any syntax mistakes.

Using multiple lines to perform one execution is, in general, not a good idea, as the lines do not reference each other. For example, a crontab with:

01 15 * * * cd /home/pi/pythonscripts
01  15 * * *sudo python3 > /home/pi/pythonscripts/cronlog.log)

would not work, as the first line, containing cd /home/pi/pythonscripts, does not actually affect the execution of the second crontab line. So it is better to merge these two commands (lines) into one crontab statement, joining them with &&:

cd /home/pi/pythonscripts && sudo python3 > /home/pi/pythonscripts/cronlog.lo

Alternatively, point the execution of your Python script to its absolute path, as per below:

sudo python3 /home/pi/pythonscripts/ > /home/pi/pythonscripts/cronlog.lo

One thing you have to make sure of is that your machine has the correct time and timezone; on the Raspberry Pi you might need to run raspi-config (Internationalisation Options).

If you want to troubleshoot the execution of crontab: cron writes its execution results to syslog, which can be found at:


for example:

Jul 28 16:19:01 raspberrypi /usr/sbin/cron[1935]: (pi) RELOAD (crontabs/pi)
Jul 28 16:25:01 raspberrypi /USR/SBIN/CRON[2697]: (pi) CMD (cd /home/pi/pythonscripts )
Jul 28 16:25:01 raspberrypi /USR/SBIN/CRON[2698]: (pi) CMD (sudo python3 > /home/pi/pythonscripts/cronlog.log)

Jul 28 16:25:02 raspberrypi /USR/SBIN/CRON[2695]: (CRON) info (No MTA installed, discarding output)

Checking your syslog will also confirm the time your crontab line was executed.
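The pitfalls above (a bare cd line that cannot affect the next line, relative script paths, a bad time field, and output that is not redirected, which cron tries to mail and, with no MTA, discards) can be checked before you rely on the crontab. The following linter is an added example, not from the post; the crontab text it checks is constructed, and it validates numeric time fields only (no names like "sun" or @reboot).

```python
"""Lint crontab lines for the mistakes discussed in the post.

Added example, not from the original post. Sample crontab is constructed;
the script name poll.py is a placeholder.
"""
import re

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]  # min hour dom mon dow
FIELD_NAMES = ["minute", "hour", "day-of-month", "month", "day-of-week"]

CRONTAB = """\
# constructed sample mirroring the post
30 18 * * * rm /home/trespasser/tmp/* > /home/trespasser/cronlogs/clean_tmp_dir.log
*/5 * * * * sudo python3 /home/pi/pythonscripts/poll.py > /home/pi/pythonscripts/cronlog.log
01 15 * * * cd /home/pi/pythonscripts
01 15 * * * sudo python3 poll.py > /home/pi/pythonscripts/cronlog.log
61 15 * * * sudo python3 /home/pi/pythonscripts/poll.py
"""


def _check_field(value, lo, hi):
    """Validate one field: '*', '*/n', 'a', 'a-b', 'a-b/n' or a comma list."""
    for part in value.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            return False
        rng, step = m.groups()
        if step is not None and int(step) == 0:
            return False
        if rng != "*":
            bounds = [int(x) for x in rng.split("-")]
            if any(b < lo or b > hi for b in bounds) or bounds != sorted(bounds):
                return False
    return True


def lint_line(line):
    """Return a list of problems for one crontab line ([] means clean)."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return []                      # blank, comment or VAR=value line
    parts = line.split(None, 5)
    if len(parts) < 6:
        return ["fewer than five time fields plus a command"]
    problems = []
    for name, value, (lo, hi) in zip(FIELD_NAMES, parts[:5], FIELD_RANGES):
        if not _check_field(value, lo, hi):
            problems.append(f"bad {name} field '{value}'")
    cmd = parts[5]
    tokens = cmd.split()
    if tokens[0] == "cd" and "&&" not in tokens and ";" not in cmd:
        problems.append("line only changes directory; it cannot affect the next line")
    for tok in tokens:                 # cron's working directory is not your shell's
        if re.search(r"\.(py|sh)$", tok) and not tok.startswith("/"):
            problems.append(f"relative script path '{tok}'")
    if ">" not in cmd:
        problems.append("output not redirected; cron mails it (or discards it with no MTA)")
    return problems


def lint_crontab(text):
    """Map each offending crontab line to its list of problems."""
    return {ln: probs for ln in text.splitlines() if (probs := lint_line(ln))}


if __name__ == "__main__":
    for ln, probs in lint_crontab(CRONTAB).items():
        print(ln)
        for p in probs:
            print("   ->", p)
```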

Namaste! Folks

Monday, 10 July 2017

Python object indexing and slicing; lists, strings and tuples.

Wonder where this is leading to, anyway. Let's kick off.

Because lists are sequences, indexing and slicing work the same way for lists as they do for strings (which are essentially ordered collections of characters, accessible by position). The key to slicing and indexing is the offset. Python starts at 0 and ends at one less than the length of the string or list. This is important, because an offset equal to the length (one past the last item) is not addressable. You can also use negative offsets; think of this as counting backward from the end. The picture below shows how offsets can be used.

Consider the following string and let's pull the first and last character of that string:

>>> S="flyffy bunny"
>>> S[0],S[-1]
('f', 'y')

and slicing (extracting a section):

>>> S[-5:-1]           # negative offset slicing, count from right
'bunn'
>>> S[0:3]
'fly'

another example:

>>> S[1:-1]
'lyffy bunn'

>>> S[0:-1]

'flyffy bunn'

or just apply it straight:

>>> 'flyffy bunny'[1:3]
'ly'


>>> 'flyffy bunny'[slice(1,30)]
'lyffy bunny'

Now consider the following list, containing 3 objects:

>>> L = ['spam', 'Spam', 'SPAM!']

>>> L[2]                # offset starts at 0, which is the object on the left
'SPAM!'
>>> L[-2]               # negative: count offset from the right
'Spam'
>>> L[1:]               # slicing fetches sections (1st offset from left)
['Spam', 'SPAM!']

Slices can be used to extract columns of data, and to prefix or remove leading and trailing text.

In short:

• S[1:3] fetches items at offsets 1 up to but not including 3.
• S[1:] fetches items at offset 1 through the end (the sequence length).
• S[:3] fetches items at offset 0 up to but not including 3.
• S[:-1] fetches items at offset 0 up to but not including the last item.
• S[:] fetches items at offsets 0 through the end—making a top-level copy of S.

Extended slicing:

As of Python 2.3, slice expressions allow a third, optional index: the step/stride.

>>> S="123456789012345567890"
>>> S[0:10:2]
'13579'

This extended slice takes characters between offsets 0 and 10 in steps of 2, so 1 3 5 7 and 9.

You can also use a negative stride.
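To show slicing doing the column-extraction and trailing-text removal mentioned above, plus the step and negative-stride forms, here is an added example (not part of the original post); the fixed-width log lines it slices are constructed.

```python
"""Slicing in practice: fixed-width columns, clamping, strides.

Added example, not from the original post. LOG_LINES are constructed
fixed-width records: date (10), time (8), level (5), message, newline.
"""

LOG_LINES = [
    "2017-07-28 16:25:01 INFO  cron reload\n",
    "2017-07-28 16:25:02 WARN  no MTA installed\n",
]

# slice objects can be named once and reused, like the slice(1,30) example
DATE = slice(0, 10)
TIME = slice(11, 19)
LEVEL = slice(20, 25)
MESSAGE = slice(26, -1)     # up to but not including the trailing newline


def columns(line):
    """Split one fixed-width line into its columns using the named slices."""
    return {
        "date": line[DATE],
        "time": line[TIME],
        "level": line[LEVEL].strip(),
        "message": line[MESSAGE],
    }


def safe_last_char(s):
    """S[-1] raises IndexError on an empty string; S[-1:] never does."""
    return s[-1:]


def every_other(s, start=0, stop=None):
    """Extended slice S[start:stop:2]: '1234567890'[0:10:2] -> '13579'."""
    return s[start:stop:2]


def reversed_copy(s):
    """Negative stride: S[::-1] walks from the end, giving a reversed copy."""
    return s[::-1]
```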

Wednesday, 7 June 2017

Play queue announcements and recordings using Unity Connection

I haven't posted anything on Unity Connection for a while. What has happened so far?  Another joker's in the White House, crude has gone up and London is in a shit state of affairs.  Back to Unity Connection.  This post is about how to play a recorded message before a call gets handed over to a queue, hunt group or reception console.


For example, let's say you have a queue for an IT service desk and in the event of a large outage you want to play a message notifying users of a large scale outage, "we are currently suffering issues with users connecting to the internet in the Kansas City area and are working to resolve this", before the call is handed over to the queues. Or maybe you want to play a welcome message before handing a call over to a reception console: "welcome to Dead meat Inc. All our meat is guaranteed 100% dead before it lands on your plate". Anyway, the scenarios are endless, but you can see what I am getting at.

Nuts and bolts

These pre-recorded messages are nothing more than recorded greetings in a call handler; it is that simple. So let us get started.

1. Create the CTI route points for the call handlers. For this particular exercise you need two CTI route points; I will explain later why you need two and not one. The way to do this is to add a CTI RP in CUCM and set call forward all to your voicemail pilot point. For this example I will use 900617 and 900618 for the two call handlers.
2. Add the first call handler. I have called it IT outage notifications and assigned it extension 900617:

Fig 1

3. Go to CUC and add the first forwarding rule to point the first CTI RP to the correct call handler, the one called "IT outage notification" made in the previous step:

Fig. 2

Make sure you set it to "go directly to greeting" (see above). This will make a call hitting the handler go straight to the recorded message/greeting.

Also add the call forwarding condition:


(forwarding station=900617 which is the extension of the CTI RP).

At this stage you should be able to dial into 900617 and the Standard greeting should be played. So test this first before you proceed. If you get an announcement along the lines of "from a touch tone telephone dial any extension...blah blah", your call is not getting through to your call handler and you might be missing your forwarding rule.

4. Set the greetings in your call handler.

This is where you actually define what message will be played when someone calls into your queue and what happens to the caller once the message has been played. Go back to your call handler called IT outage notification (or whatever you have called it) and go to Greetings.
Let's use the scenario where you want to play a welcome message all the time and then go to reception. So this means that in your 900618 call handler the standard greeting would always need to play. Below is a picture of what this welcome message/standard greeting needs to look like:

Fig. 4 

So you will need to record the standard greeting and personalise it. Don't allow caller input during the greeting, and after the greeting send the call to a second call handler (IT outage notification after greeting handler) and attempt the transfer. I mentioned in the beginning that we needed two call handlers to play a recording before transferring the call, and the reason for this is the greeting "transfer rules".

There is some contradictory information on what is applied first, the playing of greetings or the application of transfer rules. To be honest, I have had both setups work, but I prefer to use a second call handler that does not play any greetings but only attempts the transfer to the reception or queue or wherever it needs to go. So below is a screenshot of my transfer rules for the first call handler; it is actually a combination of direct transfers and sending the call to a second call handler for transfer.

Fig. 5

The standard greeting transfers to 33570 once the standard greeting has been played (see Fig. 4); this could be your reception. In the example above (Fig. 5) the alternate greeting is sent to 900618, the second call handler.

5. Set up a second call handler with a transfer rule

Now set up a second call handler in the same way as your first call handler, the one that contains the welcome message/standard greeting.

This second call handler invokes the standard greeting when receiving a call:

Fig. 6

The standard greeting of the second call handler plays nothing (by setting "Callers hear: Nothing", see Fig. 6); it just invokes the standard greeting transfer rule and transfers the call to 33670, as per Fig. 7.

Fig. 7

If you want to record the greetings, it is probably easiest to use the Greeting Administrator, unless moving around wav files is your cuppa tea. The Greeting Administrator also allows you to easily turn an alternate greeting on and off on one of your call handlers, in case you have an extraordinary notification you want to play to your callers before connecting the call to the queue.

I have done a separate post on how to set up the Greeting Administrator.