NullSec OCamlParse

Security Policy Parser written in OCaml

Part of the NullSec offensive security toolkit
Discord: discord.gg/killers
Portal: bad-antics.github.io

Overview

OCamlParse is a type-safe security policy DSL parser and validator that processes firewall rules, validates configurations, and matches network packets against policies. Built with OCaml's algebraic data types, pattern matching, and functional composition.

OCaml Features Showcased

• Algebraic Data Types: Variants and records
• Pattern Matching: Exhaustive case analysis
• Option/Result Types: Safe error handling
• Modules: Encapsulated functionality
• Higher-Order Functions: Functional composition
• Type Inference: Concise, type-safe code
• Immutable Data: Referential transparency

Policy DSL Features

Feature	Syntax	Description
IP Range	SingleIP, CIDR, Range, AnyIP	IP address specifications
Port Spec	SinglePort, PortRange, PortList, AnyPort	Port matching
Protocol	TCP, UDP, ICMP, Any	Protocol filtering
Direction	Inbound, Outbound, Both	Traffic direction
Action	Allow, Deny, Log, Alert, Quarantine	Rule actions

Installation

# Clone
git clone https://github.com/bad-antics/nullsec-ocamlparse.git
cd nullsec-ocamlparse

# Build with OCaml
ocamlfind ocamlopt -o ocamlparse ocamlparse.ml

# Or with Dune
dune build

# Run directly
ocaml ocamlparse.ml

Usage

# Run demo mode
./ocamlparse

# Parse policy file
./ocamlparse -f policy.json

# Validate only
./ocamlparse --validate policy.json

# Test packet matching
./ocamlparse --test packets.json -f policy.json

Options

USAGE:
    ocamlparse [OPTIONS]

OPTIONS:
    -f, --file       Policy file to parse
    --validate       Validate policy only
    --test           Test packet matching
    --json           JSON output format
    -v, --verbose    Verbose output

Sample Output

╔══════════════════════════════════════════════════════════════════╗
║        NullSec OCamlParse - Security Policy Parser               ║
╚══════════════════════════════════════════════════════════════════╝

[Demo Mode]

Parsing and validating security policy...

✓ Policy is valid

═══════════════════════════════════════════════════════════════════
  Policy: Network Security Policy (v1.0.0)
  Default Action: DENY
  Rules: 7 (7 enabled)
═══════════════════════════════════════════════════════════════════

  [CRITICAL] Block Known C2 IPs
      ID:          NET-001
      Action:      DENY
      Status:      ENABLED
      MITRE:       T1071.001
      Conditions:  dst_ip=185.220.101.0/24, direction=OUTBOUND, protocol=TCP
      Description: Block outbound connections to known C2 infrastructure

  [HIGH] Block C2 Ports
      ID:          NET-002
      Action:      DENY
      Status:      ENABLED
      MITRE:       T1571
      Conditions:  dst_port=4444,5555,6666,31337, direction=OUTBOUND
      Description: Block connections to common C2 ports

  [LOW] Allow HTTPS
      ID:          NET-003
      Action:      ALLOW
      Status:      ENABLED
      MITRE:       N/A
      Conditions:  dst_port=443, protocol=TCP, direction=OUTBOUND
      Description: Allow outbound HTTPS traffic

═══════════════════════════════════════════════════════════════════

  Summary:
    Total Rules:  7
    Critical:     1
    High:         3
    Medium:       2
    Low:          1

Testing rule matching:

  192.168.1.100:54321 -> 185.220.101.45:443 (TCP): DENY [Block Known C2 IPs]
  192.168.1.100:55555 -> 8.8.8.8:4444 (TCP): DENY [Block C2 Ports]
  10.0.0.5:12345 -> 192.168.1.100:22 (TCP): LOG [Log SSH Connections]

═══════════════════════════════════════════════════════════════════

Code Highlights

Algebraic Data Types

type severity =
  | Critical
  | High
  | Medium
  | Low
  | Info

type ip_range =
  | SingleIP of string
  | CIDR of string * int
  | Range of string * string
  | AnyIP

type condition =
  | SourceIP of ip_range
  | DestIP of ip_range
  | SourcePort of port_spec
  | DestPort of port_spec
  | Protocol of protocol
  | Direction of direction
  | User of string
  | Process of string

Pattern Matching

let severity_to_string = function
  | Critical -> "CRITICAL"
  | High -> "HIGH"
  | Medium -> "MEDIUM"
  | Low -> "LOW"
  | Info -> "INFO"

let condition_matches packet = function
  | SourceIP range -> ip_in_range packet.src_ip range
  | DestIP range -> ip_in_range packet.dst_ip range
  | SourcePort spec -> port_matches packet.src_port spec
  | DestPort spec -> port_matches packet.dst_port spec
  | Protocol p -> packet.proto = p || p = Any
  | Direction d -> packet.dir = d || d = Both
  | User u -> packet.user = Some u
  | Process p -> packet.process_name = Some p

Result Type for Error Handling

type 'a result =
  | Ok of 'a
  | Error of parse_error

let ( >>= ) opt f = match opt with
  | Ok x -> f x
  | Error e -> Error e

let ( let* ) = ( >>= )

(* Usage with monadic binding *)
let* parsed = parse_policy input in
let* validated = validate_policy parsed in
return validated

Module-based Organization

module Validator = struct
  let validate_ip_range = function
    | SingleIP ip -> (* ... *)
    | CIDR (ip, mask) -> (* ... *)
    | Range (start_ip, end_ip) -> (* ... *)
    | AnyIP -> Valid
end

module Matcher = struct
  let rule_matches packet rule =
    rule.enabled && List.for_all (condition_matches packet) rule.conditions
  
  let get_action policy packet =
    match find_matching_rules policy packet with
    | [] -> policy.default_action
    | rule :: _ -> rule.action
end

Architecture

┌────────────────────────────────────────────────────────────────┐
│                OCamlParse Architecture                         │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│   ┌──────────────────┐                                        │
│   │  Policy Input    │  (JSON, YAML, DSL)                     │
│   │  (string)        │                                        │
│   └────────┬─────────┘                                        │
│            │                                                   │
│            ▼                                                   │
│   ┌──────────────────┐                                        │
│   │  Parser          │  Algebraic Data Types                  │
│   │  result type     │  Pattern Matching                      │
│   └────────┬─────────┘                                        │
│            │                                                   │
│            ▼                                                   │
│   ┌──────────────────────────────────────────────────┐        │
│   │           Validator Module                        │        │
│   │  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │        │
│   │  │ IP Range    │ │ Port Spec   │ │ Rule        │ │        │
│   │  │ Validation  │ │ Validation  │ │ Validation  │ │        │
│   │  └─────────────┘ └─────────────┘ └─────────────┘ │        │
│   │            validation_result type                 │        │
│   └────────────────────────┬─────────────────────────┘        │
│                            │                                   │
│                            ▼                                   │
│   ┌──────────────────────────────────────────────────┐        │
│   │           Matcher Module                          │        │
│   │  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │        │
│   │  │ condition_  │ │ rule_       │ │ get_        │ │        │
│   │  │ matches     │ │ matches     │ │ action      │ │        │
│   │  └─────────────┘ └─────────────┘ └─────────────┘ │        │
│   │            Exhaustive pattern matching            │        │
│   └────────────────────────┬─────────────────────────┘        │
│                            │                                   │
│                            ▼                                   │
│                   ┌──────────────────┐                        │
│                   │  Report Module   │                        │
│                   │  format_policy   │                        │
│                   └──────────────────┘                        │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Why OCaml?

Requirement	OCaml Advantage
Correctness	Exhaustive pattern matching
Type Safety	Strong static typing
Parsing	Natural DSL representation
Performance	Native code compilation
Maintainability	Module system
Expressiveness	Algebraic data types

License

MIT License - See LICENSE for details.

Related Tools

• nullsec-flowtrace - Flow analyzer (Haskell)
• nullsec-fsharpsignal - Threat correlator (F#)
• nullsec-luashield - WAF rules engine (Lua)