The IDM_netstat.pm module monitors all network connections — those which do not match a configured signature are logged:
Files:
/etc/IDM_net_conns/expected.<platform>.netstat
/etc/IDM_net_conns/expected.<platform>.lsof
/etc/IDM_net_conns/expected.local.netstat
/etc/IDM_net_conns/expected.local.lsof
The platform files should contain a set of signatures appropriate for
a default installation of the platform/OS; the local files should
include signatures for local modifications and additions to the system.
Signatures in the local pair of files take precedence — i.e., they
override those in the platform pair — see the examples below.
The format of these examples is explained in detail below. The format of the *.lsof files is the same as that for the *.netstat examples given here.
An extract from expected.solaris_7.netstat — Solaris 7 comes from the time of Telnet and FTP:
# -- we're a telnet and ftp server :
#
COUNTER:{TELNET_SV} *** CODE:{$c->{LOCAL_PORT} eq "telnet"} *** RETURN:{expected}
COUNTER:{FTP_SV} *** CODE:{$c->{LOCAL_PORT} eq "ftp"} *** RETURN:{expected}
COUNTER:{FTP_DATA_SV} *** CODE:{$c->{LOCAL_PORT} eq "ftp-data"} *** RETURN:{expected}
# -- we're allowed to connect to ourselves as localhost on unprivileged ports :
#
COUNTER:{__undef__} *** CODE:{($c->{LOCAL_HOST} eq "localhost") && ($c->{REMOTE_HOST} eq "localhost") && ($c->{LOCAL_PORT} > 1023) && ($c->{REMOTE_PORT} > 1023)} *** RETURN:{expected}
# -- we expect users to run clients for telnet, ftp and http (non-proxied) :
#
COUNTER:{TELNET_CL} *** CODE:{($c->{REMOTE_PORT} eq "telnet") && ($c->{LOCAL_PORT} > 1023)} *** RETURN:{expected}
COUNTER:{FTP_CL} *** CODE:{($c->{REMOTE_PORT} eq "ftp") && ($c->{LOCAL_PORT} > 1023)} *** RETURN:{expected}
COUNTER:{FTP_DATA_CL} *** CODE:{($c->{REMOTE_PORT} eq "ftp-data") && ($c->{LOCAL_PORT} > 1023)} *** RETURN:{expected}
COUNTER:{HTTP_CL_NOP} *** CODE:{($c->{REMOTE_PORT} eq "80") && ($c->{LOCAL_PORT} > 1023)} *** RETURN:{expected}
# -- we expect high-numbered ports to be used :
#
COUNTER:{__undef__} *** CODE:{($c->{REMOTE_PORT} > 10000) && ($c->{LOCAL_PORT} > 10000)} *** RETURN:{expected}
An extract from expected.local.netstat — the Telnet and FTP signatures override those from expected.solaris_7.netstat, above:
# -- we're an SSH server :
#
COUNTER:{SSH_SV} *** CODE:{$c->{LOCAL_PORT} == 22} *** RETURN:{expected}
# -- no one should be using these, SSH-only now :
#
COUNTER:{__UNEX_TELNET__} *** CODE:{$c->{LOCAL_PORT} eq "telnet"} *** RETURN:{unexpected}
COUNTER:{__UNEX_FTP__} *** CODE:{$c->{LOCAL_PORT} eq "ftp"} *** RETURN:{unexpected}
COUNTER:{__UNEX_FTP_DATA__} *** CODE:{$c->{LOCAL_PORT} eq "ftp-data"} *** RETURN:{unexpected}
# -- no one should be using X except tunnelled through SSH now :
#
COUNTER:{__undef__} *** CODE:{($c->{REMOTE_PORT} =~ m/^600[0-9]$/) && ($c->{LOCAL_PORT} > 1023)} *** RETURN:{unexpected}
# -- we're an SSH client :
#
COUNTER:{SSH_CL} *** CODE:{($c->{REMOTE_PORT} == 22) && ($c->{LOCAL_PORT} > 1023)} *** RETURN:{expected}
Each line has three components separated by " *** ", each of the form KEY:{VALUE}. COUNTER gives the string used by IDM_net_conns to label connections matching a particular signature (the total number of connections carrying each label is logged); CODE and RETURN are used by IDM_net_conns.pm in the following way:
# -- foreach sig read from the config file :
#
foreach my $s (@$sigs) {
    # -- build 'if(CODE){return "RETURN"}' and eval it with the current
    #    connection's details in $c :
    my $string = 'if(' . $s->{CODE} . '){return "' . $s->{RETURN} . '"}';
    my $result = eval $string;
    # -- if connection matches sig :
    #
    if (($result eq "expected") || ($result eq "unexpected")) {
        return ($result, $s);
    }
}
i.e., the second and third fields in the configuration file are actually
Perl code which is slotted in and executed at run time.
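A small stand-alone script, added here as an illustration and not part of IDM_net_conns.pm, that parses signature lines in this format, puts the local signatures ahead of the platform ones so that they win on first match (an assumption about how the override is implemented), and runs the eval loop above over a few constructed connections. The signature text and connections are constructed samples, and the file-permission remark in the comments is the practical consequence of the fields being eval'd Perl rather than something the page states.

```perl
use strict; use warnings;

# Parse one "KEY:{VALUE} *** KEY:{VALUE} *** KEY:{VALUE}" line into a hashref;
# comment and blank lines yield nothing, a malformed line is fatal.
sub parse_sig {
    my ($line) = @_;
    return if $line =~ /^\s*(#|$)/;
    my %s;
    for my $field (split /\s+\*\*\*\s+/, $line) {
        $field =~ /^(\w+):\{(.*)\}$/s or die "malformed field: $field\n";
        $s{$1} = $2;
    }
    exists $s{$_} or die "missing $_ in: $line\n" for qw(COUNTER CODE RETURN);
    return \%s;
}
# Local sigs first: with first match winning they override platform sigs (assumed).
sub load_sigs {
    my ($local_text, $platform_text) = @_;
    return [ map { parse_sig($_) } split /\n/, $local_text . $platform_text ];
}
# The matching loop from IDM_net_conns.pm: CODE is eval'd as Perl with the connection
# in $c, so whoever can write the signature files runs code as the monitor; keep them
# root-owned and not group/world writable.
sub classify {
    my ($c, $sigs) = @_;
    no warnings 'numeric';   # netstat shows names ("telnet") as well as numbers
    for my $s (@$sigs) {
        my $result = eval 'if(' . $s->{CODE} . '){return "' . $s->{RETURN} . '"}';
        die "bad CODE {$s->{CODE}}: $@" if $@;
        return ($result, $s) if defined $result && $result =~ /^(?:un)?expected$/;
    }
    return ('unexpected', undef);   # nothing matched: the connection gets logged
}

# Constructed sample input: a subset of the page's signatures, then four connections.
my $platform = <<'EOF';
COUNTER:{TELNET_SV} *** CODE:{$c->{LOCAL_PORT} eq "telnet"} *** RETURN:{expected}
COUNTER:{__undef__} *** CODE:{($c->{REMOTE_PORT} > 10000) && ($c->{LOCAL_PORT} > 10000)} *** RETURN:{expected}
EOF
my $local = <<'EOF';
COUNTER:{SSH_SV} *** CODE:{$c->{LOCAL_PORT} == 22} *** RETURN:{expected}
COUNTER:{__UNEX_TELNET__} *** CODE:{$c->{LOCAL_PORT} eq "telnet"} *** RETURN:{unexpected}
EOF
my $sigs = load_sigs($local, $platform);
my %count;
for my $c ([22, 51234], ['telnet', 45678], [40000, 40001], [111, 4444]) {
    my ($verdict, $s) = classify({ LOCAL_PORT => $c->[0], REMOTE_PORT => $c->[1] }, $sigs);
    my $label = $s ? $s->{COUNTER} : 'NO_MATCH';
    $count{$label}++;
    print "$verdict $c->[0] <- $c->[1] ($label)\n" if $verdict eq 'unexpected';   # only these are logged
}
print "$_=$count{$_}\n" for sort keys %count;
```

The telnet connection is labelled __UNEX_TELNET__ rather than TELNET_SV because the local signature is tried first, and the port-111 connection matches nothing and is reported as unexpected.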