13. Loadable Module: Network Connections (IDM_net_conns.pm)

The IDM_netstat.pm module monitors all network connections — those which do not match a configured signature are logged:

13.1. Signature Configuration

All paths in this section are relative to <sids_root>.

Files:

    /etc/IDM_net_conns/expected.<platform>.netstat
    /etc/IDM_net_conns/expected.<platform>.lsof

    /etc/IDM_net_conns/expected.local.netstat
    /etc/IDM_net_conns/expected.local.lsof
The platform files should contain a set of signatures appropriate for a default installation of the platform/OS; the local files should include signatures for local modification and additions to the system. Signatures in the local pair of files take precedence — i.e., override those in the first — see examples below.

13.1.1. Example Signature Files

The format of these examples is explained in detail below. The format of the *.lsof files is the same as that for the *.netstat examples given here.

13.1.1.1. Example: expected.solaris_7.netstat

An extract from expected.solaris_7.netstat — Solaris 7 comes from the time of Telnet and FTP:

    # -- we're a telnet and ftp server :
    #  
    COUNTER:{TELNET_SV}    ***  CODE:{$c->{LOCAL_PORT} eq "telnet"}    ***  RETURN:{expected}
    COUNTER:{FTP_SV}       ***  CODE:{$c->{LOCAL_PORT} eq "ftp"}       ***  RETURN:{expected}
    COUNTER:{DTP_DATA_SV}  ***  CODE:{$c->{LOCAL_PORT} eq "ftp-data"}  ***  RETURN:{expected}


    # -- we're allowed to connect to ourself as localhost on unprivileged ports :
    #
    COUNTER:{__undef__}  ***  CODE:{($c->{LOCAL_HOST} eq "localhost") && ($c->{REMOTE_HOST} eq "localhost") && ($c->{LOCAL_PORT} > 1023) && ($c->{REMOTE_PORT} > 1023)}  ***  RETURN:{expected}
     

    # -- we expect users to run clients for telnet, ftp and http (non-proxied) :
    #
    COUNTER:{TELNET_CL}    ***  CODE:{($c->{REMOTE_PORT} eq "telnet") && ($c->{LOCAL_PORT} > 1023)}    ***  RETURN:{expected}
    COUNTER:{FTP_CL}       ***  CODE:{($c->{REMOTE_PORT} eq "ftp") && ($c->{LOCAL_PORT} > 1023)}       ***  RETURN:{expected}
    COUNTER:{FTP_DATA_CL}  ***  CODE:{($c->{REMOTE_PORT} eq "ftp-data") && ($c->{LOCAL_PORT} > 1023)}  ***  RETURN:{expected}
    COUNTER:{HTTP_CL_NOP}  ***  CODE:{($c->{REMOTE_PORT} eq "80") && ($c->{LOCAL_PORT} > 1023)}        ***  RETURN:{expected}
 

    # -- we expect high-numbered ports to be used :
    #
    COUNTER:{__undef__}  ***  CODE:{($c->{REMOTE_PORT} > 10000) && ($c->{LOCAL_PORT} > 10000)}  ***  RETURN:{expected}

13.1.1.2. Example: expected.local.netstat

An extract from expected.local.netstat — the Telnet and FTP signatures override those from expected.solaris_7.netstat, above:

    # -- we're an SSH server :
    #
    COUNTER:{SSH_SV}  ***  CODE:{$c->{LOCAL_PORT} == 22}  ***  RETURN:{expected}
    # -- no one should be using these, SSH-only now :
    #
    COUNTER:{__UNEX_TELNET__}    ***  CODE:{$c->{LOCAL_PORT} eq "telnet"}    ***  RETURN:{unexpected}
    COUNTER:{__UNEX_FTP__}       ***  CODE:{$c->{LOCAL_PORT} eq "ftp"}       ***  RETURN:{unexpected}
    COUNTER:{__UNEX_FTP_DATA__}  ***  CODE:{$c->{LOCAL_PORT} eq "ftp-data"}  ***  RETURN:{unexpected}

    # -- no one should be using X except tunnelled through SSH now :
    #
    COUNTER:{__undef__}  ***  CODE:{($c->{REMOTE_PORT} =~ m/^600[0-9]$/) && ($c->{LOCAL_PORT} > 1023)}  ***  RETURN:{unexpected}
     
    # -- we're ssh client :
    #
    COUNTER:{SSH_CL}  ***  CODE:{($c->{REMOTE_PORT} == 22) && ($c->{LOCAL_PORT} > 1023)}  ***  RETURN:{expected}

13.1.2. Signature Format and Processing

Each line has three components, each of the form KEY:{VALUE}. COUNTER gives the string used by IDM_net_conns to label conections of a particular configuration (the total number of each such is logged); CODE and RETURN are used by IDM_net_conns.pm in the following way:

    # -- foreach sig read from the config file :
    #
    foreach my $s (@$sigs) {
        my $string = 'if(' . $s->{CODE} . '){return "' . $s->{RETURN} . '"}';
        my $result = eval $string;

        # -- if connection matches sig :
        #
        if (($result eq "expected") || ($result eq "unexpected")) {
            return ($result, $s)
          }
      }
i.e., the second and third fields in the configuration file are actually Perl code which is slotted in and executed at run time.



...previousup (conts)next...



About this document:

Produced from the SGML: /home/isd/public_html/_cheesewire/_reml_grp/index.reml
On: 4/9/2006 at 17:35:44
Options: reml2 -i noindex -l long -o html -p multiple