Version: 2.2

# Socket Control Security Feature

## Overview

A socket rule begins with `socket` and ends with `endsocket`. It must take the rule name as a parameter; the name is an arbitrary string and therefore must be surrounded with double quotes. A socket rule cannot contain duplicate statements, and multiple socket rules are allowed in the same ARMR application. The order of statements inside a socket rule does not matter.

Port ranges in socket rules are only supported on product version 19.2.0 onwards.

## Given (Condition)

| Condition | Parameters |
| --- | --- |
| `bind` | Takes the key-value pairs `client` and `server`, which may be used together in one `bind`. The value of each key is a quoted string made of the IP address of the local interface and the port, separated by a colon. |
| `accept` | Takes a single parameter: the IPv4 address and port from which connections are accepted. |
| `connect` | Takes a single parameter: the IPv4 address and port of the remote address that is connected to. |

The wildcard for IPv4 addresses is `0.0.0.0`, and the wildcard for the port is `0`. The following `bind` conditions specify a wildcarded IPv4 address and a wildcarded port:

```
bind(client: "0.0.0.0:0")
bind(server: "0.0.0.0:0")
bind(server: "0.0.0.0:0", client: "0.0.0.0:0")
```

Specific IPv4 addresses and/or port numbers may be specified, for example:

```
bind(client: "127.0.0.1:80")
bind(server: "127.0.0.1:0")
bind(client: "0.0.0.0:80")
```

Port ranges may be specified, for example:

```
bind(client: "0.0.0.0:80-90")
bind(server: "0.0.0.0:8080-8090")
bind(server: "127.0.0.1:8080-8090")
```

The same address and port forms apply to `accept` and `connect`. With a wildcarded IPv4 address and a wildcarded port:

```
accept("0.0.0.0:0")
connect("0.0.0.0:0")
```

With specific IPv4 addresses and/or port numbers:

```
accept("127.0.0.1:5001")
accept("0.0.0.0:5001")
connect("127.0.0.1:8080")
connect("127.0.0.1:0")
```

With port ranges:

```
accept("127.0.0.1:5000-5100")
connect("0.0.0.0:8080-8100")
```
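The address and port matching described above (wildcard `0.0.0.0`, wildcard port `0`, inclusive `lo-hi` ranges) is easy to get subtly wrong in a rule review. The following is an added Python example, not ARMR code, that parses the `bind`, `accept` and `connect` condition statements shown on this page and decides whether a given socket event would match them. The `remote` role name for `accept`/`connect`, the rejection of ranges that start at port `0`, and the requirement that ranges be ascending are this example's own assumptions about the grammar.

```python
"""Matching semantics of ARMR socket conditions, worked through in Python.

Added example for this page, not ARMR code. It assumes the endpoint-string
grammar described above: "IPv4:port", where 0.0.0.0 matches every address,
port 0 matches every port and "lo-hi" is an inclusive port range.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "A.B.C.D:port" or "A.B.C.D:lo-hi"
_SPEC_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:-(\d{1,5}))?$")
# bind(client: "...", server: "...") / accept("...") / connect("...")
_STMT_RE = re.compile(r'^\s*(bind|accept|connect)\s*\((.*)\)\s*$')
_BIND_ARG_RE = re.compile(r'(client|server)\s*:\s*"([^"]*)"')
_SINGLE_ARG_RE = re.compile(r'^\s*"([^"]*)"\s*$')

_ANY_ADDR = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class EndpointSpec:
    """One parsed "address:port[-port]" value; address None means the 0.0.0.0 wildcard."""
    address: Optional[ipaddress.IPv4Address]
    port_lo: int  # 0 means the port wildcard
    port_hi: int

    def matches(self, address: str, port: int) -> bool:
        if self.address is not None and ipaddress.IPv4Address(address) != self.address:
            return False
        return self.port_lo == 0 or self.port_lo <= port <= self.port_hi


def parse_spec(spec: str) -> EndpointSpec:
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"malformed endpoint spec {spec!r}")
    address = ipaddress.IPv4Address(m.group(1))  # rejects octets above 255
    lo = int(m.group(2))
    hi = int(m.group(3)) if m.group(3) is not None else lo
    if hi > 65535:
        raise ValueError(f"port out of range in {spec!r}")
    if m.group(3) is not None and (lo == 0 or lo > hi):
        # Assumption: a range must be ascending and cannot include the wildcard 0.
        raise ValueError(f"bad port range in {spec!r}")
    return EndpointSpec(None if address == _ANY_ADDR else address, lo, hi)


def is_valid_spec(spec: str) -> bool:
    try:
        parse_spec(spec)
        return True
    except ValueError:
        return False


Condition = Tuple[str, Dict[str, EndpointSpec]]


def parse_condition(stmt: str) -> Condition:
    """Parse one Given statement into (kind, {role: spec}).

    bind yields the roles "client" and/or "server"; accept and connect yield
    the single role "remote" (a name chosen for this example).
    """
    m = _STMT_RE.match(stmt)
    if not m:
        raise ValueError(f"not a socket condition: {stmt!r}")
    kind, args = m.group(1), m.group(2)
    if kind == "bind":
        pairs = _BIND_ARG_RE.findall(args)
        if not pairs:
            raise ValueError("bind needs client: and/or server:")
        specs: Dict[str, EndpointSpec] = {}
        for role, spec in pairs:
            if role in specs:
                raise ValueError(f"duplicate {role} in bind")
            specs[role] = parse_spec(spec)
        return kind, specs
    single = _SINGLE_ARG_RE.match(args)
    if not single:
        raise ValueError(f"{kind} takes exactly one quoted address:port")
    return kind, {"remote": parse_spec(single.group(1))}


def condition_matches(cond: Condition, kind: str, role: str, address: str, port: int) -> bool:
    """True when a socket event of this kind/role on address:port hits the condition."""
    cond_kind, specs = cond
    return cond_kind == kind and role in specs and specs[role].matches(address, port)


if __name__ == "__main__":
    rule = parse_condition('bind(server: "0.0.0.0:0", client: "127.0.0.1:80")')
    print(condition_matches(rule, "bind", "client", "127.0.0.1", 80))   # True
    print(condition_matches(rule, "bind", "client", "127.0.0.1", 8080)) # False
```

Note that `parse_spec("0.0.0.0:0")` yields a condition that matches every local endpoint, which is why the wildcard forms in the examples on this page block binds and connections globally rather than on one interface.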

## Then (Action)

If an empty message is passed to an action, the action uses a pre-defined logging format for the message. An action may optionally specify a severity. The value of `severity` may be an integer in the range 0-10 (0 is the lowest level and 10 the highest) or one of `Low`, `Medium`, `High` or `Very-High` (case insensitive).

The default severity is unknown.

| Action | Parameters |
| --- | --- |
| `protect` | May take an extra key-value pair, `connection`, in addition to `message` and `severity`. Valid values for the `connection` key are the constants `secure` or `upgrade-tls`. When a `protect` action acting on connections is enforced, the `accept` event must be declared, and only a wildcarded IP address and a wildcarded port are valid. |
| `allow` | `allow` and `detect` do not take a `connection` parameter. |
| `detect` | |

For example:

```
protect(connection: secure, message: "sample message")
```

## Logging

Log entries similar to the following are generated by events resulting from the socket bind, socket connect and socket accept rules in the examples below, respectively.

```
<10>1 2020-07-17T09:04:25.655+01:00 XPS-15-9570 java 19963 - - CEF:0|ARMR:Socket Server Bind Mod|Socket Server Bind Mod|2.2|Blocking server binds on all interfaces and all ports|Execute Rule|High|rt=Jul 17 2020 09:04:25.632 +0100 dvchost=XPS-15-9570 procid=19963 act=protect msg=port binding blocked dst=127.0.0.1:500

<10>1 2020-07-17T09:01:42.737+01:00 XPS-15-9570 java 19690 - - CEF:0|ARMR:Socket Connect Mod|Socket Connect Mod|2.2|Blocking client connections on all ports|Execute Rule|High|rt=Jul 17 2020 09:01:42.728 +0100 dvchost=XPS-15-9570 procid=19690 act=protect msg=connections blocked dst=127.0.0.1:5001

<10>1 2020-07-17T09:12:14.187+01:00 XPS-15-9570 java 20779 - - CEF:0|ARMR:Socket Accept Mod|Socket Accept Mod|2.2|Blocking server accepting connections on all interfaces and all ports|Execute Rule|High|rt=Jul 17 2020 09:12:14.180 +0100 dvchost=XPS-15-9570 procid=20779 act=protect msg=connections blocked dst=127.0.0.1:5001

<10>1 2020-09-10T09:55:51.729+01:00 XPS-15-9570 java 322 - - CEF:0|ARMR:Socket Accept Mod|Socket Accept Mod|2.2|Blocking server accepting connections on IP 127.0.0.1 and specific port 5001|Execute Rule|High|rt=Sep 10 2020 09:55:51.727 +0100 dvchost=XPS-15-9570 procid=322 act=protect msg=connections blocked dst=127.0.0.1:5001

<10>1 2020-09-10T10:03:33.492+01:00 XPS-15-9570 java 1119 - - CEF:0|ARMR:Socket Accept Mod|Socket Accept Mod|2.2|Blocking server accepting connections on IP 127.0.0.1 and port range 5000-5010|Execute Rule|High|rt=Sep 10 2020 10:03:33.490 +0100 dvchost=XPS-15-9570 procid=1119 act=protect msg=connections blocked dst=127.0.0.1:5001
```
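The entries above are RFC 5424 syslog lines whose message body is a CEF record. To make them usable in a SIEM or an ad-hoc triage script, the following added Python example (not ARMR code) splits the syslog header, the seven pipe-delimited CEF header fields and the space-separated `key=value` extension, then counts enforced (`act=protect`) events per blocked `dst`. The sample lines are the five entries shown above; the field names `facility`, `severity`, `signature_id` and so on follow the generic syslog and CEF conventions rather than anything ARMR-specific.

```python
"""Parsing the ARMR socket-control log format: an RFC 5424 syslog header
carrying a CEF message.

Added example for this page, not ARMR code. It assumes the standard CEF layout
"CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"; the
sample lines are the five entries shown in the Logging section.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List

SAMPLE_LOGS: List[str] = [
    "<10>1 2020-07-17T09:04:25.655+01:00 XPS-15-9570 java 19963 - - CEF:0|ARMR:Socket Server Bind Mod|Socket Server Bind Mod|2.2|Blocking server binds on all interfaces and all ports|Execute Rule|High|rt=Jul 17 2020 09:04:25.632 +0100 dvchost=XPS-15-9570 procid=19963 act=protect msg=port binding blocked dst=127.0.0.1:500",
    "<10>1 2020-07-17T09:01:42.737+01:00 XPS-15-9570 java 19690 - - CEF:0|ARMR:Socket Connect Mod|Socket Connect Mod|2.2|Blocking client connections on all ports|Execute Rule|High|rt=Jul 17 2020 09:01:42.728 +0100 dvchost=XPS-15-9570 procid=19690 act=protect msg=connections blocked dst=127.0.0.1:5001",
    "<10>1 2020-07-17T09:12:14.187+01:00 XPS-15-9570 java 20779 - - CEF:0|ARMR:Socket Accept Mod|Socket Accept Mod|2.2|Blocking server accepting connections on all interfaces and all ports|Execute Rule|High|rt=Jul 17 2020 09:12:14.180 +0100 dvchost=XPS-15-9570 procid=20779 act=protect msg=connections blocked dst=127.0.0.1:5001",
    "<10>1 2020-09-10T09:55:51.729+01:00 XPS-15-9570 java 322 - - CEF:0|ARMR:Socket Accept Mod|Socket Accept Mod|2.2|Blocking server accepting connections on IP 127.0.0.1 and specific port 5001|Execute Rule|High|rt=Sep 10 2020 09:55:51.727 +0100 dvchost=XPS-15-9570 procid=322 act=protect msg=connections blocked dst=127.0.0.1:5001",
    "<10>1 2020-09-10T10:03:33.492+01:00 XPS-15-9570 java 1119 - - CEF:0|ARMR:Socket Accept Mod|Socket Accept Mod|2.2|Blocking server accepting connections on IP 127.0.0.1 and port range 5000-5010|Execute Rule|High|rt=Sep 10 2020 10:03:33.490 +0100 dvchost=XPS-15-9570 procid=1119 act=protect msg=connections blocked dst=127.0.0.1:5001",
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>CEF:.*)$"
)
_CEF_HEADER = ("cef_version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def _split_cef_header(msg: str) -> List[str]:
    # A literal "|" inside a CEF header field is escaped as "\|"; don't split there.
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    return [p.replace("\\|", "|") for p in parts]


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split "k=v k2=v with spaces" at the space that precedes the next key=."""
    fields: Dict[str, str] = {}
    for token in re.split(r" (?=\w+=)", ext.strip()):
        key, _, value = token.partition("=")
        fields[key] = value.replace("\\=", "=")
    return fields


def parse_armr_event(line: str) -> Dict[str, Dict]:
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line carrying CEF")
    pri = int(m.group("pri"))
    parts = _split_cef_header(m.group("msg"))
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    return {
        "syslog": {
            "facility": pri >> 3,  # <10> = facility 1 (user), severity 2 (critical)
            "severity": pri & 7,
            "timestamp": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "app": m.group("app"),
            "procid": m.group("procid"),
        },
        "cef": dict(zip(_CEF_HEADER, parts[:7])),
        "ext": parse_cef_extension(parts[7]),
    }


def blocked_destinations(lines: Iterable[str]) -> Dict[str, int]:
    """Count enforced (act=protect) events per blocked address:port."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_armr_event(line)
        if event["ext"].get("act") == "protect":
            counts[event["ext"]["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_armr_event(line)
        print(ev["cef"]["signature_id"], "->", ev["ext"]["act"], ev["ext"]["dst"])
    print(blocked_destinations(SAMPLE_LOGS))
```

The extension split relies on the space before each `key=`, which is why multi-word values such as `msg=connections blocked` and the `rt=` timestamp survive intact; a value that itself contains ` word=` would need the CEF escaping the code already unescapes.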

## Examples

Blocking client binds on all interfaces and all ports:

```
app("Socket Client Bind Mod"):
    requires(version: ARMR/2.2)
    socket("Blocking client binds on all interfaces and all ports"):
        bind(client: "0.0.0.0:0")
        protect(message: "port binding blocked", severity: 8)
    endsocket
endapp
```

Blocking server binds on all interfaces and all ports:

```
app("Socket Server Bind Mod"):
    requires(version: ARMR/2.2)
    socket("Blocking server binds on all interfaces and all ports"):
        bind(server: "0.0.0.0:0")
        protect(message: "port binding blocked", severity: 8)
    endsocket
endapp
```

Blocking client connections on all ports:

```
app("Socket Connect Mod"):
    requires(version: ARMR/2.2)
    socket("Blocking client connections on all ports"):
        connect("0.0.0.0:0")
        protect(message: "connections blocked", severity: 8)
    endsocket
endapp
```

Blocking server accepting connections on all interfaces and all ports:

```
app("Socket Accept Mod"):
    requires(version: ARMR/2.2)
    socket("Blocking server accepting connections on all interfaces and all ports"):
        accept("0.0.0.0:0")
        protect(message: "connections blocked", severity: 8)
    endsocket
endapp
```

Blocking server accepting connections on a specific interface and specific port:

```
app("Socket Accept Mod"):
    requires(version: ARMR/2.2)
    socket("Blocking server accepting connections on IP 127.0.0.1 and specific port 5001"):
        accept("127.0.0.1:5001")
        protect(message: "connections blocked", severity: 8)
    endsocket
endapp
```

Blocking server accepting connections on a specific interface, over a range of ports:

```
app("Socket Accept Mod"):
    requires(version: ARMR/2.2)
    socket("Blocking server accepting connections on IP 127.0.0.1 and port range 5000-5010"):
        accept("127.0.0.1:5000-5010")
        protect(message: "connections blocked", severity: 8)
    endsocket
endapp
```