Version: 2.10

Socket Control Security Feature

Support for API Protect was added to this rule in ARMR/2.9. Please see the API Protect Directives page in the ARMR documentation for information on how to configure this rule for API endpoint protection.

Overview

The socket rule begins with a socket and ends with an endsocket. It must contain the rule name as a parameter; this is an arbitrary string, so it must be surrounded by double quotes. The socket rule cannot contain duplicate statements, and multiple socket rules are allowed in the same ARMR application. The order of statements inside the socket rule does not matter.

Port ranges in Socket rules are only supported on ARMR/2.2 and above.

CIDR notation for IP address ranges in Socket Connect and Socket Accept rules is supported on ARMR/2.10 and above. CIDR notation is not supported for IP addresses in Socket Bind rules.

Given (Condition)

bind

The bind condition takes the following key-value pairs as parameters: client and server. They can be used simultaneously within bind. The value for both the client and server keys is a quoted string composed of the IP address of the local interface and the port, separated by a colon. The wildcard for IPv4 addresses is 0.0.0.0, and the wildcard for the port is 0.

The following are examples of bind conditions specifying wildcarded IPv4 addresses and a wildcarded port:

bind(client: "0.0.0.0:0")
bind(server: "0.0.0.0:0")
bind(server: "0.0.0.0:0", client: "0.0.0.0:0")

Specific IPv4 addresses and/or port numbers may be specified, for example:

bind(client: "127.0.0.1:80")
bind(server: "127.0.0.1:0")
bind(client: "0.0.0.0:80")

Port ranges may be specified, for example:

bind(client: "0.0.0.0:80-90")
bind(server: "0.0.0.0:8080-8090")
bind(server: "127.0.0.1:8080-8090")

connect and accept

The accept and connect conditions require only a single parameter, which is the IPv4 address and port from which connections are accepted (accept) or to which connections are made (connect). Hostnames may also be used. The wildcard for IPv4 addresses is 0.0.0.0, and the wildcard for the port is 0.

The following are examples of accept and connect conditions specifying wildcarded IPv4 addresses and a wildcarded port:

accept("0.0.0.0:0")
connect("0.0.0.0:0")

Specific IPv4 addresses and/or port numbers may be specified; hostnames may also be specified. For example:

accept("127.0.0.1:5001")
accept("0.0.0.0:5001")
accept("localhost:0")
connect("127.0.0.1:8080")
connect("127.0.0.1:0")
connect("localhost:0")

Port ranges may be specified, for example:

accept("127.0.0.1:5000-5100")
connect("0.0.0.0:8080-8100")

CIDR notation for IP address ranges is supported on ARMR/2.10 and above. The valid CIDR notation format is an IPv4 address not containing any wildcard characters, followed by /<bit mask>, where <bit mask> is an integer in the range 1 to 32. For example:

accept("10.10.20.30/32:5000")
connect("123.1.2.3/16:8080")

Examples of invalid IP addresses in CIDR notation, using the wildcard character *, are 10.2.3.*/31 and 10.2.3.4/*.

A specific port, port range, or wildcarded port may be specified in conjunction with IP address ranges defined with CIDR notation, for example:

connect("123.1.2.3/16:8080")
connect("123.1.2.3/16:8080-8100")
connect("123.1.2.3/16:0")
accept("123.1.2.3/16:5000-5100")

It is possible to create multiple ARMR socket rules with overlapping or overarching conditions. The agent handles this configuration by selecting only a single rule, and applies the action defined in it. The agent uses the following criteria for selection:

  1. Select the rule that contains a matching IP address and port; a rule containing wildcards is used only if no such match is found.

  2. If multiple rules with CIDR notation match the IP address, the most specific rule, i.e. the one with the longest bit mask, takes precedence.

  3. A rule defined with a specific exact IP address or domain name match takes precedence over a rule defined with an IP range using CIDR notation.

  4. A rule defined with an IP range using CIDR notation takes precedence over a matching rule with a wildcarded IP address.

  5. If more than one matching rule still exists, priority is given based on the action, in the order allow, protect, detect.

To avoid unexpected behavior, it is recommended to limit the number of rules that overlap when possible.
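The following is an added example, not ARMR's own code, that models the condition syntax from the Given (Condition) section and the rule-selection criteria above so that overlapping rules can be reasoned about offline. The rule set, the rule names and the SocketCondition/select_rule helpers are constructed for illustration; the specificity ordering (exact IP or hostname, then CIDR by longest mask, then wildcard IP, then non-wildcard port over wildcard port, then allow/protect/detect) is an assumption drawn from the five criteria, and hostnames such as "localhost" are matched by name rather than resolved.

```python
import ipaddress
import re

# Constructed tie-break order from the page: allow, then protect, then detect (lower wins).
ACTION_PRIORITY = {"allow": 0, "protect": 1, "detect": 2}

# host[/bits]:port[-port]; host is an IPv4 address, a hostname, or the 0.0.0.0 wildcard.
COND_RE = re.compile(r"^(?P<host>[^:/]+)(?:/(?P<bits>\d+))?:(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


class SocketCondition:
    """Hypothetical helper: one bind/connect/accept value such as "10.20.20.30/24:5000-5010"."""

    def __init__(self, spec):
        m = COND_RE.match(spec)
        if m is None or "*" in spec:  # 10.2.3.*/31 and 10.2.3.4/* are invalid, as on the page
            raise ValueError(f"invalid socket condition: {spec!r}")
        host, bits = m.group("host"), m.group("bits")
        self.lo = int(m.group("lo"))
        self.hi = int(m.group("hi")) if m.group("hi") else self.lo
        if not 0 <= self.lo <= self.hi <= 65535:
            raise ValueError(f"invalid port or port range: {spec!r}")
        self.wild_port = m.group("hi") is None and self.lo == 0   # ":0" means any port
        self.wild_ip = bits is None and host == "0.0.0.0"          # "0.0.0.0" means any address
        self.cidr = bits is not None
        self.hostname = None
        self.network = None
        if self.cidr:
            if not 1 <= int(bits) <= 32:
                raise ValueError(f"CIDR bit mask must be 1..32: {spec!r}")
            self.network = ipaddress.IPv4Network(f"{host}/{bits}", strict=False)
        elif not self.wild_ip:
            try:
                self.network = ipaddress.IPv4Network(f"{host}/32")
            except ValueError:
                self.hostname = host  # e.g. "localhost": compared by name, not resolved here

    def matches(self, ip, port, hostname=None):
        if not (self.wild_port or self.lo <= port <= self.hi):
            return False
        if self.wild_ip:
            return True
        if self.hostname is not None:
            return hostname == self.hostname
        return ipaddress.IPv4Address(ip) in self.network

    def specificity(self):
        """Higher tuple wins: exact IP/hostname > CIDR (longest mask first) > wildcard IP,
        then a specific port or port range over the port wildcard (assumed ordering)."""
        port_tier = 0 if self.wild_port else 1
        if self.wild_ip:
            return (0, 0, port_tier)
        if self.cidr:
            return (1, self.network.prefixlen, port_tier)
        return (2, 32, port_tier)


def is_valid_condition(spec):
    try:
        SocketCondition(spec)
    except ValueError:
        return False
    return True


def select_rule(rules, ip, port, hostname=None):
    """Pick the single rule the agent would apply to one event.
    rules: iterable of (rule_name, condition_spec, action). Returns (rule_name, action) or None."""
    candidates = []
    for name, spec, action in rules:
        cond = SocketCondition(spec)
        if cond.matches(ip, port, hostname):
            candidates.append((cond.specificity(), -ACTION_PRIORITY[action], name, action))
    if not candidates:
        return None
    best = max(candidates)
    return best[2], best[3]


# Constructed rule set with overlapping conditions, as (name, condition, action) triples.
RULES = [
    ("Socket bind protect all", "0.0.0.0:0", "protect"),
    ("Detect all", "0.0.0.0:0", "detect"),
    ("Socket bind allow specific", "127.0.0.1:5000", "allow"),
    ("Block localhost", "localhost:0", "protect"),
    ("Block lab range /24", "10.20.20.30/24:0", "protect"),
    ("Detect lab range /28", "10.20.20.30/28:0", "detect"),
    ("Allow one lab host", "10.20.20.5:0", "allow"),
]

if __name__ == "__main__":
    for ip, port, host in [("127.0.0.1", 5000, None), ("127.0.0.1", 5001, "localhost"),
                           ("10.20.20.17", 443, None), ("10.20.20.5", 80, None),
                           ("192.0.2.1", 22, None)]:
        print(f"{ip}:{port} ({host}) -> {select_rule(RULES, ip, port, host)}")
```

Running the block prints which constructed rule wins for each sample event; the 10.20.20.17 case shows the /28 rule beating the /24 rule, the 10.20.20.5 case shows an exact address beating CIDR, and the 192.0.2.1 case shows protect beating detect when only the two wildcard rules match.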

Then (Action)

protect
Block network connections to or from an IP address and port combination specified in the socket rule. If configured, a log message is generated with details of the event.

allow
Allow network connections to or from an IP address and port combination specified in the socket rule. If configured, a log message is generated with details of the event.

detect
Monitoring mode: the application behaves as normal. Network connections to or from an IP address and port combination specified in the socket rule are logged only. A log message must be specified with this action.

As part of the action statement, the user may optionally specify the parameter stacktrace: "full". When this parameter is specified, the stack trace of the location of the attempted exploit is included in the security log entry.

Examples

Blocking client binds on all interfaces and all ports

app("Socket Client Bind Mod"):
requires(version: ARMR/2.7)
socket("Blocking client binds on all interfaces and all ports"):
bind(client: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8)
endsocket
endapp

Blocking server binds on all interfaces and all ports.

app("Socket Server Bind Mod"):
requires(version: ARMR/2.7)
socket("Blocking server binds on all interfaces and all ports"):
bind(server: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8)
endsocket
endapp

Blocking client connections on all ports.

app("Socket Connect Mod"):
requires(version: ARMR/2.7)
socket("Blocking client connections on all ports"):
connect("0.0.0.0:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections on all interfaces and all ports.

app("Socket Accept Mod"):
requires(version: ARMR/2.7)
socket("Blocking server accepting connections on all interfaces and all ports"):
accept("0.0.0.0:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections on a specific interface and specific port.

app("Socket Accept Mod"):
requires(version: ARMR/2.7)
socket("Blocking server accepting connections on IP 127.0.0.1 and specific port 5001"):
accept("127.0.0.1:5001")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections on a specific interface, over a range of ports.

app("Socket Accept Mod"):
requires(version: ARMR/2.7)
socket("Blocking server accepting connections on IP 127.0.0.1 and port range 5000-5010"):
accept("127.0.0.1:5000-5010")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking client binds on all interfaces and all ports, but allowing them on a specific interface and specific port.

app("Socket Client Bind Mod Multiple Rules"):
requires(version: ARMR/2.7)

socket("Socket bind protect all"):
bind(client: "0.0.0.0:0")
protect(message: "Socket rule protect 0.0.0.0:0", severity: High)
endsocket

socket("Socket bind allow specific"):
bind(client: "127.0.0.1:5000")
allow(message: "Socket rule allow 127.0.0.1:5000", severity: Medium)
endsocket

endapp

Blocking client connections to IP address range defined using CIDR notation, on all ports.

app("Socket Connect Mod"):
requires(version: ARMR/2.10)
socket("Blocking client connection to IP address range on all ports"):
connect("10.20.20.30/24:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections from IP address range defined using CIDR notation, over a range of ports.

app("Socket Accept Mod"):
requires(version: ARMR/2.10)
socket("Blocking server accepting connections from IP address range on port range 5000-5010"):
accept("10.20.20.30/28:5000-5010")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Logging

Log entries similar to the following are generated by events matching the Socket Client Bind, Socket Connect and Socket Accept rules above, respectively.

<10>1 2021-03-22T11:03:42.920Z userX_system java 5989 - - CEF:0|ARMR:ARMR|ARMR|2.7|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:03:42.919 +0000 dvchost=jenkins-qa-secondary-centos.aws.example.org procid=5989 appVersion=1 ruleType=socket securityFeature=socket bind act=protect msg=Socket rule protect 127.0.0.1:0 localIpAddress=127.0.0.1 localPort=5001
<10>1 2021-03-22T11:05:20.332Z userX_system java 6442 - - CEF:0|ARMR:ARMR|ARMR|2.7|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:05:20.331 +0000 dvchost=jenkins-qa-secondary-centos.aws.example.org procid=6442 appVersion=1 ruleType=socket securityFeature=socket connect act=protect msg=Socket rule protect 0.0.0.0:80 remoteIpAddress=74.125.193.105 remotePort=80
<10>1 2021-03-22T11:06:00.934Z userX_system java 6591 - - CEF:0|ARMR:ARMR|ARMR|2.7|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:06:00.932 +0000 dvchost=jenkins-qa-secondary-centos.aws.example.org procid=6591 appVersion=1 ruleType=socket securityFeature=socket accept act=protect msg=Socket rule protect 127.0.0.1:0 remoteIpAddress=127.0.0.1 remotePort=5001
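As an added example (not ARMR's own code or log tooling), the parser below turns these syslog-framed CEF entries into records a SIEM rule or test can assert on: it decodes the syslog PRI, splits the CEF header, handles extension values that contain spaces (rt, msg, securityFeature), unescapes the \n in stacktrace values, and lists the endpoints the agent blocked. The sample input is constructed from the three lines above plus the stacktrace entry from the Further Examples section below; the function names are this example's own.

```python
import re

# Constructed sample input: the three socket log lines above plus the stacktrace entry from
# "Further Examples", embedded so that the example runs offline.
SAMPLE_LOGS = [
    "<10>1 2021-03-22T11:03:42.920Z userX_system java 5989 - - CEF:0|ARMR:ARMR|ARMR|2.7|"
    "Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:03:42.919 +0000 "
    "dvchost=jenkins-qa-secondary-centos.aws.example.org procid=5989 appVersion=1 "
    "ruleType=socket securityFeature=socket bind act=protect msg=Socket rule protect 127.0.0.1:0 "
    "localIpAddress=127.0.0.1 localPort=5001",
    "<10>1 2021-03-22T11:05:20.332Z userX_system java 6442 - - CEF:0|ARMR:ARMR|ARMR|2.7|"
    "Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:05:20.331 +0000 "
    "dvchost=jenkins-qa-secondary-centos.aws.example.org procid=6442 appVersion=1 "
    "ruleType=socket securityFeature=socket connect act=protect msg=Socket rule protect 0.0.0.0:80 "
    "remoteIpAddress=74.125.193.105 remotePort=80",
    "<10>1 2021-03-22T11:06:00.934Z userX_system java 6591 - - CEF:0|ARMR:ARMR|ARMR|2.7|"
    "Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:06:00.932 +0000 "
    "dvchost=jenkins-qa-secondary-centos.aws.example.org procid=6591 appVersion=1 "
    "ruleType=socket securityFeature=socket accept act=protect msg=Socket rule protect 127.0.0.1:0 "
    "remoteIpAddress=127.0.0.1 remotePort=5001",
    "<10>1 2021-04-01T13:48:30.121+01:00 userX_system java 23223 - - CEF:0|ARMR:ARMR|ARMR|2.7|"
    "Blocking server binds on all interfaces and all ports|Execute Rule|High|"
    "rt=Apr 01 2021 13:48:30.119 +0100 dvchost=hostnameX procid=23223 appVersion=1 "
    "ruleType=socket securityFeature=socket serverbind act=protect msg=port binding blocked "
    "stacktrace=java.net.ServerSocket.bind(ServerSocket.java)\\n"
    "NetworkServerSocket.main(NetworkServerSocket.java:19) localIpAddress=127.0.0.1 localPort=5001",
]

# RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) \S+ \S+ (?P<cef>CEF:0\|.*)$"
)
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature", "name", "severity")
# An extension key starts the string or follows whitespace; values may themselves contain spaces.
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def parse_extensions(ext):
    """Split the CEF extension string into a dict: each value runs from its key up to the next
    whitespace-preceded key=. CEF's literal \\n escape is turned back into a newline."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\n", "\n")
    return out


def parse_armr_socket_log(line):
    """Parse one syslog line carrying an ARMR CEF event into a flat record."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a syslog/CEF line")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["syslog_severity"] = divmod(pri, 8)  # <10> = facility 1 (user), severity 2
    parts = re.split(r"(?<!\\)\|", rec.pop("cef"), maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    rec.update(zip(CEF_HEADER_FIELDS, parts))
    rec["ext"] = parse_extensions(parts[7])
    return rec


def blocked_sockets(records):
    """Return (securityFeature, endpoint) for every event the agent blocked (act=protect).
    Bind events carry the local endpoint; connect/accept events carry the remote one."""
    hits = []
    for r in records:
        ext = r["ext"]
        if ext.get("act") != "protect":
            continue
        side = "local" if "bind" in ext.get("securityFeature", "") else "remote"
        endpoint = f"{ext.get(side + 'IpAddress')}:{ext.get(side + 'Port')}"
        hits.append((ext["securityFeature"], endpoint))
    return hits


if __name__ == "__main__":
    records = [parse_armr_socket_log(line) for line in SAMPLE_LOGS]
    for feature, endpoint in blocked_sockets(records):
        print(f"blocked {feature:<18} {endpoint}")
```

The extension parser deliberately does not split on every space: the rt, msg and securityFeature values on this page all contain spaces, and a naive split would silently truncate them. The CEF header split uses a lookbehind so that an escaped pipe inside a field is not treated as a separator.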

Further Examples

Blocking server binds on all interfaces and all ports with stacktrace: "full" parameter.

app("Socket Server Bind Mod"):
requires(version: ARMR/2.7)
socket("Blocking server binds on all interfaces and all ports"):
bind(server: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8, stacktrace: "full")
endsocket
endapp

Logging

<10>1 2021-04-01T13:48:30.121+01:00 userX_system java 23223 - - CEF:0|ARMR:ARMR|ARMR|2.7|Blocking server binds on all interfaces and all ports|Execute Rule|High|rt=Apr 01 2021 13:48:30.119 +0100 dvchost=hostnameX procid=23223 appVersion=1 ruleType=socket securityFeature=socket serverbind act=protect msg=port binding blocked stacktrace=java.net.ServerSocket.bind(ServerSocket.java)\nNetworkServerSocket.main(NetworkServerSocket.java:19) localIpAddress=127.0.0.1 localPort=5001

Blocking client connections on all ports with stacktrace: "full" parameter.

app("Socket Connect Mod"):
requires(version: ARMR/2.7)
socket("Blocking client connections on all ports"):
connect("0.0.0.0:0")
protect(message: "connections blocked", severity: 8, stacktrace: "full")
endsocket
endapp

Logging

<10>1 2021-04-01T13:58:10.562+01:00 userX_system java 23895 - - CEF:0|ARMR:ARMR|ARMR|2.7|Blocking client connections on all ports|Execute Rule|High|rt=Apr 01 2021 13:58:10.561 +0100 dvchost=hostnameX procid=23895 appVersion=1 ruleType=socket securityFeature=socket connect act=protect msg=connections blocked stacktrace=java.net.Socket.connect(Socket.java)\nClientConnection.attemptServerConnection(ClientConnection.java:37)\nClientConnection.main(ClientConnection.java:24) remoteIpAddress=127.0.0.1 remotePort=5001

Blocking client connections on all ports with the "localhost" parameter.

app("Socket Connect Mod"):
requires(version: ARMR/2.7)
socket("connect to localhost"):
connect("localhost:0")
protect(message: "connections blocked", severity: High)
endsocket
endapp

Logging

<10>1 2021-04-01T13:58:10.562+01:00 userX_system java 23895 - - CEF:0|ARMR:ARMR|ARMR|2.7|Blocking client connections on all ports|Execute Rule|High|rt=Apr 01 2021 13:58:10.561 +0100 dvchost=hostnameX procid=23895 appVersion=1 ruleType=socket securityFeature=socket connect act=protect msg=connections blocked stacktrace=java.net.Socket.connect(Socket.java)\nClientConnection.attemptServerConnection(ClientConnection.java:37)\nClientConnection.main(ClientConnection.java:24) remoteIpAddress=127.0.0.1 remotePort=5001

Blocking server accepting connections with the "localhost" parameter.

app("Socket Accept Mod"):
requires(version: ARMR/2.7)
socket("blocking server accepting connections"):
accept("localhost:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Logging

<10>1 2021-03-22T11:06:00.934Z userX_system java 6591 - - CEF:0|ARMR:ARMR|ARMR|2.7|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:06:00.932 +0000 dvchost=jenkins-qa-secondary-centos.aws.example.org procid=6591 appVersion=1 ruleType=socket securityFeature=socket accept act=protect msg=Socket rule protect 127.0.0.1:0 remoteIpAddress=127.0.0.1 remotePort=5001

Logging On/Off Example

In the following example, logging is switched ON in the protect rule by the inclusion of the protect action message attribute. As the message attribute is defined as an empty string (""), a default message will be included in the security event msg extension. The allow rule allows client binds on a specific IP and port. Logging is switched OFF in the allow rule by the omission of the action message attribute.

app("Socket Client Bind Mods"):
requires(version: ARMR/2.7)
socket("Socket bind protect all. Logging ON"):
bind(client: "0.0.0.0:0")
protect(message: "", severity: High)
endsocket
socket("Socket bind allow specific. Logging OFF"):
bind(client: "127.0.0.1:5000")
allow(severity: Medium)
endsocket
endapp