NAME
    app-mismatch - SiLK plug-in to find services on unusual ports

SYNOPSIS
    rwfilter --plugin=app-mismatch.so ...

DESCRIPTION
    The app-mismatch plug-in adds a partitioning rule to rwfilter(1) that
    helps find services running on unusual port numbers.

    Specifically, when the app-mismatch plug-in is loaded into rwfilter(1),
    rwfilter adds a partitioning rule that passes a record when the
    record's application field (the applabel(1) value determined by
    yaf(1)) is set and its value matches neither the source port nor the
    destination port. The plug-in causes rwfilter to write each record
    that meets any of these criteria to the location specified by the
    --fail-destination switch:

        o   the record's protocol is not TCP (6) or UDP (17)

        o   the record's application field is 0 (unset)

        o   the record's application field equals the source port

        o   the record's application field equals the destination port

    The remaining records are TCP or UDP records where the application
    field is set and its value differs from both the source port and the
    destination port. These records are written to the location
    specified by the --pass-destination switch.

OPTIONS
    The app-mismatch plug-in does not add any switches to rwfilter and
    does not modify any field.

EXAMPLES
    In the following examples, the dollar sign ("$") represents the shell
    prompt. The text after the dollar sign represents the command line.
    Lines have been wrapped for improved readability, and the backslash
    ("\") is used to indicate a wrapped line.

    The app-mismatch.so plug-in must be explicitly loaded into rwfilter(1)
    using the --plugin switch. The plug-in becomes active once it is
    loaded and no additional switches are required.

    The following searches the SiLK Flow file data.rw for services that
    appear to be running on unusual or non-typical ports. To get a quick
    summary of the data, the output from rwfilter is piped into
    rwuniq(1):

        $ rwfilter --plugin=app-mismatch.so --print-stat --pass=- data.rw \
            | rwuniq --fields=application,sPort,dPort | head
        Files      1.  Read    24494.  Pass      890.  Fail    23604.
        appli|sPort|dPort|   Records|
           53|62579| 5355|         1|
           53|55188| 5355|         1|
           53|57807| 5355|         1|
           53|54898| 5355|         1|
           80| 1171|  591|         1|
           53| 5355|50478|         1|
           53|64981| 5355|         1|
          139|52845|  445|         1|
           53|52536| 5355|         1|

    As seen in the output of the --print-stat switch from rwfilter, the
    plug-in failed 23,604 records. Some of those records have protocols
    other than TCP and UDP, and some records have an application value
    of zero. Adding additional rwfilter invocations provides a way to get
    a count for each:

        $ rwfilter --protocol=6,17 --print-stat --pass=- data.rw \
            | rwfilter --application=1- --print-stat --pass=- - \
            | rwfilter --plugin=app-mismatch.so --print-stat --pass=- - \
            | rwuniq --fields=application,sPort,dPort --pager= | head
        Files      1.  Read    24494.  Pass    24420.  Fail       74.
        Files      1.  Read    24420.  Pass    14228.  Fail    10192.
        Files      1.  Read    14228.  Pass      890.  Fail    13338.
        appli|sPort|dPort|   Records|
           53|62579| 5355|         1|
           53|55188| 5355|         1|
           53|57807| 5355|         1|
           53|54898| 5355|         1|
           80| 1171|  591|         1|
           53| 5355|50478|         1|
           53|64981| 5355|         1|
          139|52845|  445|         1|
           53|52536| 5355|         1|

    All but 74 records were either TCP or UDP. Of the TCP and UDP
    records, 10,192 had an application label of 0. There were 13,338
    records where the application label matched the source or
    destination port number. Change the final rwfilter invocation to use
    --fail-destination (here --fail=-) to see those records; the
    --print-stat counts are unchanged because only the destination
    differs:

        $ rwfilter --protocol=6,17 --print-stat --pass=- data.rw \
            | rwfilter --application=1- --print-stat --pass=- - \
            | rwfilter --plugin=app-mismatch.so --print-stat --fail=- - \
            | rwuniq --fields=application,sPort,dPort --pager= | head
        Files      1.  Read    24494.  Pass    24420.  Fail       74.
        Files      1.  Read    24420.  Pass    14228.  Fail    10192.
        Files      1.  Read    14228.  Pass      890.  Fail    13338.
        appli|sPort|dPort|   Records|
          443|  443|53257|         1|
           80|54123|   80|         2|
           80|52322|   80|         1|
           80|54749|   80|         1|
           80|   80|52885|         3|
           80|   80|54204|         1|
           53|   53|55964|         1|
           80|53497|   80|         1|
           80|54122|   80|         2|

ENVIRONMENT
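    The partitioning rule above, written out so it can be checked without
    a SiLK installation. This is an added example, not code from SiLK or
    from the app-mismatch plug-in itself. It reads flow records in the
    pipe-delimited text layout that rwcut prints for
    --fields=protocol,sPort,dPort,application (the "pro|sPort|dPort|appli|"
    header is assumed to match rwcut's column titles), applies the four
    fail criteria in the order the DESCRIPTION lists them, and reproduces
    the --print-stat counts and the rwuniq-style tuple summary. The sample
    records are constructed for the example and do not come from data.rw.

```python
"""Reference implementation of the app-mismatch partitioning rule.

Added example; not part of SiLK or the app-mismatch plug-in.  It assumes
rwcut-style pipe-delimited text with a "pro|sPort|dPort|appli|" header
(field names taken from rwcut's default column titles) and applies the
same pass/fail logic rwfilter uses once the plug-in is loaded.
"""
from collections import Counter

TCP, UDP = 6, 17

# Constructed sample: eight flows in the layout that
#   rwcut --fields=protocol,sPort,dPort,application
# would print.  Not real traffic.
SAMPLE_RWCUT = """\
pro|sPort|dPort|appli|
  6|52845|  445|  139|
 17|62579| 5355|   53|
 17|   53|55964|   53|
  6|54123|   80|   80|
  6| 1171|  591|   80|
  1|    0| 2048|    0|
  6|49152|  443|    0|
 17| 5355|50478|   53|
"""


def parse_rwcut(text):
    """Turn rwcut pipe-delimited text into a list of dicts of ints.

    The header line (first cell is not numeric) is skipped; the trailing
    empty cell produced by the final '|' is dropped.
    """
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().split("|")]
        if cells and cells[-1] == "":
            cells.pop()
        if len(cells) != 4 or not cells[0].isdigit():
            continue
        proto, sport, dport, app = (int(c) for c in cells)
        records.append({"protocol": proto, "sPort": sport,
                        "dPort": dport, "application": app})
    return records


def fail_reason(rec):
    """Return why the plug-in would fail a record, or None if it passes.

    The three reasons correspond to the three extra rwfilter invocations
    in the EXAMPLES section: --protocol=6,17, --application=1-, and the
    plug-in's own port comparison.
    """
    if rec["protocol"] not in (TCP, UDP):
        return "not tcp/udp"
    app = rec["application"]
    if app == 0:
        return "application is 0"
    if app == rec["sPort"] or app == rec["dPort"]:
        return "application matches a port"
    return None


def partition(records):
    """Split records the way --pass-destination / --fail-destination do."""
    passed = [r for r in records if fail_reason(r) is None]
    failed = [r for r in records if fail_reason(r) is not None]
    return passed, failed


def print_stat(records):
    """Counts in the spirit of rwfilter --print-stat."""
    passed, failed = partition(records)
    return {"read": len(records), "pass": len(passed), "fail": len(failed)}


def fail_reasons(records):
    """Per-reason breakdown of the failed records."""
    return Counter(r for r in map(fail_reason, records) if r is not None)


def summarize(records):
    """Equivalent of rwuniq --fields=application,sPort,dPort."""
    return Counter((r["application"], r["sPort"], r["dPort"]) for r in records)


if __name__ == "__main__":
    recs = parse_rwcut(SAMPLE_RWCUT)
    stat = print_stat(recs)
    print(f"Files 1. Read {stat['read']}. Pass {stat['pass']}. Fail {stat['fail']}.")
    print("appli|sPort|dPort| Records|")
    for (app, sp, dp), n in sorted(summarize(partition(recs)[0]).items()):
        print(f"{app:5d}|{sp:5d}|{dp:5d}|{n:8d}|")
    print("fail reasons:", dict(fail_reasons(recs)))
```

    On the constructed sample, four records pass (139 on 445, and 53 on
    the 5355 flows where 53 is neither port, plus 80 on 591) and four
    fail: one ICMP flow, one TCP flow with no label, and two where the
    label equals a port (53/53 and 80/80).  Running a real data set
    through rwcut --fields=protocol,sPort,dPort,application and feeding
    the text to parse_rwcut gives the same partition rwfilter produces
    with the plug-in loaded.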
FILES
SEE ALSO
    rwfilter(1), rwuniq(1), silk(7), yaf(1), applabel(1)