Version: 2.3

Socket Control Security Feature

Overview

The socket rule begins with socket and ends with endsocket. It takes the rule name as its parameter; this is an arbitrary string, so it must be enclosed in double quotes. A socket rule cannot contain duplicate statements, and multiple socket rules are allowed in the same ARMR application. The order of statements inside the socket rule does not matter.

Port ranges in socket rules are only supported on product version 19.2.0 onwards.

Given (Condition)

bind

The bind condition takes the following key-value pairs as parameters: client and server. They can be used simultaneously within bind. The value for both the client and server keys is a quoted string composed of the IP address of the local interface and the port, separated by a colon. The wildcard for IPv4 addresses is 0.0.0.0 and the wildcard for the port is 0.

The following are examples of bind conditions specifying a wildcarded IPv4 address and a wildcarded port:

bind(client: "0.0.0.0:0")
bind(server: "0.0.0.0:0")
bind(server: "0.0.0.0:0", client: "0.0.0.0:0")

Specific IPv4 addresses and/or port numbers may be specified, for example:

bind(client: "127.0.0.1:80")
bind(server: "127.0.0.1:0")
bind(client: "0.0.0.0:80")

Port ranges may be specified, for example:

bind(client: "0.0.0.0:80-90")
bind(server: "0.0.0.0:8080-8090")
bind(server: "127.0.0.1:8080-8090")

accept and connect

accept and connect require only a single parameter, which is the IPv4 address and port for accepting connections from, and connecting to, a remote address respectively. The wildcard for IPv4 addresses is 0.0.0.0 and the wildcard for the port is 0.

The following are examples of accept and connect conditions specifying a wildcarded IPv4 address and a wildcarded port:

accept("0.0.0.0:0")
connect("0.0.0.0:0")

Specific IPv4 addresses and/or port numbers may be specified, for example:

accept("127.0.0.1:5001")
accept("0.0.0.0:5001")
connect("127.0.0.1:8080")
connect("127.0.0.1:0")

Port ranges may be specified, for example:

accept("127.0.0.1:5000-5100")
connect("0.0.0.0:8080-8100")
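As an added example (not ARMR's own code), the following Python implements the wildcard and port-range matching described above for bind, accept and connect endpoint strings; it assumes that only a bare port of 0 acts as the port wildcard, which the page does not spell out.

```python
import ipaddress
import re

# Added example, not ARMR's own code: implements the documented semantics of the
# "ip:port" / "ip:port-port" strings used by bind, accept and connect conditions.
# Assumption (not stated on the page): the port wildcard is only the bare value 0,
# so a range such as "0-10" is treated as a literal range.
_SPEC = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def parse_endpoint_spec(spec: str):
    """Parse '0.0.0.0:80-90' into (ip, low_port, high_port); a single port gives lo == hi."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed endpoint spec: {spec!r}")
    ip = str(ipaddress.IPv4Address(m["ip"]))  # rejects octets above 255
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] is not None else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port or port range in {spec!r}")
    return ip, lo, hi


def endpoint_matches(spec: str, ip: str, port: int) -> bool:
    """True when an observed address/port falls under the condition's spec."""
    spec_ip, lo, hi = parse_endpoint_spec(spec)
    ip_ok = spec_ip == "0.0.0.0" or spec_ip == str(ipaddress.IPv4Address(ip))
    port_ok = (lo == hi == 0) or lo <= port <= hi  # bare 0 is the port wildcard
    return ip_ok and port_ok


def first_matching_rule(rules, event: str, ip: str, port: int):
    """rules: iterable of (rule_name, event_kind, spec) with event_kind one of
    'bind-client', 'bind-server', 'accept', 'connect'. Returns the name of the
    first rule whose condition covers the event, or None."""
    for name, kind, spec in rules:
        if kind == event and endpoint_matches(spec, ip, port):
            return name
    return None
```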

Then (Action)

If an empty message is passed to an action, the action uses a pre-defined logging format for the message. An action may optionally specify a severity. The value of severity may be an integer in the range 0-10 (0 is the lowest level and 10 the highest) or one of Low, Medium, High or Very-High (case insensitive).

The default severity is unknown.

protect

The protect action can take an extra key-value pair, connection, in addition to message and severity. The valid values for the connection key are the constants secure and upgrade-tls. If configured, a log message is generated with details of the event. When a protect action acting on connections is enforced, the accept condition must be declared, and only a wildcarded IP address and wildcarded port is valid.

protect(connection: secure, message: "sample message")

allow

This action does not take a connection parameter. If configured, a log message is generated with details of the event.

detect

This action does not take a connection parameter. If configured, a log message is generated with details of the event. A log message must be specified with this action.

As part of the action statement, the user may optionally specify the parameter stacktrace: "full". When this parameter is specified, the stacktrace of the location of the attempted exploit is included in the security log entry. The stacktrace: "full" action parameter is not a valid configuration if connection: secure or connection: upgrade-tls is specified.
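As an added example (not ARMR's own code), this Python validator applies the action constraints above to a rule's Then statement before deployment; it assumes that the wildcard requirement for connection: means the rule's accept condition is exactly "0.0.0.0:0".

```python
# Added example, not ARMR's own code: validates a socket rule's Then (Action) statement
# against the constraints this page states. Assumption: the wildcard requirement for
# connection: means the rule's accept condition is exactly "0.0.0.0:0".
SEVERITY_NAMES = ("low", "medium", "high", "very-high")


def normalise_severity(value) -> str:
    """0-10 or Low/Medium/High/Very-High (case insensitive); absent means 'unknown'."""
    if value is None:
        return "unknown"
    if isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 10:
        return str(value)
    if isinstance(value, str) and value.lower() in SEVERITY_NAMES:
        return value.lower()
    raise ValueError(f"severity must be 0-10 or Low/Medium/High/Very-High, got {value!r}")


def validate_action(action: str, params: dict, conditions: dict) -> dict:
    """params: the statement's key-value pairs (message, severity, connection, stacktrace);
    conditions: the rule's Given statements, e.g. {'accept': '0.0.0.0:0'}.
    Returns a normalised record or raises ValueError naming the violated constraint."""
    if action not in ("protect", "allow", "detect"):
        raise ValueError(f"unknown action {action!r}")
    allowed = {"message", "severity", "stacktrace"}
    if action == "protect":
        allowed.add("connection")  # allow and detect do not take a connection parameter
    unknown = set(params) - allowed
    if unknown:
        raise ValueError(f"{action} does not accept {sorted(unknown)}")
    message = params.get("message", "")
    if action == "detect" and not message:
        raise ValueError("detect requires a log message")
    connection, stacktrace = params.get("connection"), params.get("stacktrace")
    if stacktrace is not None and stacktrace != "full":
        raise ValueError(f'stacktrace accepts only "full", got {stacktrace!r}')
    if connection is not None:
        if connection not in ("secure", "upgrade-tls"):
            raise ValueError(f"connection must be secure or upgrade-tls, got {connection!r}")
        if conditions.get("accept") != "0.0.0.0:0":
            raise ValueError('connection: requires accept("0.0.0.0:0") in the same rule')
        if stacktrace is not None:
            raise ValueError('stacktrace: "full" is not valid together with connection:')
    return {"action": action, "message": message,
            "uses_default_log_format": message == "",  # empty message -> pre-defined format
            "severity": normalise_severity(params.get("severity")),
            "connection": connection, "stacktrace": stacktrace}
```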

Examples

Blocking client binds on all interfaces and all ports


app("Socket Client Bind Mod"):
requires(version: ARMR/2.3)
socket("Blocking client binds on all interfaces and all ports"):
bind(client: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8)
endsocket
endapp

Blocking server binds on all interfaces and all ports.


app("Socket Server Bind Mod"):
requires(version: ARMR/2.3)
socket("Blocking server binds on all interfaces and all ports"):
bind(server: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8)
endsocket
endapp

Blocking client connections on all ports.


app("Socket Connect Mod"):
requires(version: ARMR/2.3)
socket("Blocking client connections on all ports"):
connect("0.0.0.0:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections on all interfaces and all ports.


app("Socket Accept Mod"):
requires(version: ARMR/2.3)
socket("Blocking server accepting connections on all interfaces and all ports"):
accept("0.0.0.0:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections on a specific interface and specific port.


app("Socket Accept Mod"):
requires(version: ARMR/2.3)
socket("Blocking server accepting connections on IP 127.0.0.1 and specific port 5001"):
accept("127.0.0.1:5001")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Blocking server accepting connections on a specific interface, over a range of ports.


app("Socket Accept Mod"):
requires(version: ARMR/2.3)
socket("Blocking server accepting connections on IP 127.0.0.1 and port range 5000-5010"):
accept("127.0.0.1:5000-5010")
protect(message: "connections blocked", severity: 8)
endsocket
endapp

Logging

A log entry similar to the following is generated by events matching the Socket Client Bind, Socket Connect and Socket Accept rules above, respectively.

<10>1 2021-03-22T11:03:42.920Z userX_system java 5989 - - CEF:0|ARMR:Walter|Walter|2.3|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:03:42.919 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=5989 appVersion=1 act=protect msg=Socket rule protect 127.0.0.1:0 localIpAddress=127.0.0.1 localPort=5001
<10>1 2021-03-22T11:05:20.332Z userX_system java 6442 - - CEF:0|ARMR:Walter|Walter|2.3|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:05:20.331 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=6442 appVersion=1 act=protect msg=Socket rule protect 0.0.0.0:80 remoteIpAddress=74.125.193.105 remotePort=80
<10>1 2021-03-22T11:06:00.934Z userX_system java 6591 - - CEF:0|ARMR:Walter|Walter|2.3|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:06:00.932 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=6591 appVersion=1 act=protect msg=Socket rule protect 127.0.0.1:0 remoteIpAddress=127.0.0.1 remotePort=5001

Further Examples

Blocking server binds on all interfaces and all ports with stacktrace: "full" parameter.


app("Socket Server Bind Mod"):
requires(version: ARMR/2.3)
socket("Blocking server binds on all interfaces and all ports"):
bind(server: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8, stacktrace: "full")
endsocket
endapp

Logging

<10>1 2021-04-01T13:48:30.121+01:00 userX_system java 23223 - - CEF:0|ARMR:Socket Server Bind Mod|Socket Server Bind Mod|2.3|Blocking server binds on all interfaces and all ports|Execute Rule|High|rt=Apr 01 2021 13:48:30.119 +0100 dvchost=hostnameX procid=23223 appVersion=1 act=protect msg=port binding blocked stacktrace=java.net.ServerSocket.bind(ServerSocket.java)\nNetworkServerSocket.main(NetworkServerSocket.java:19) localIpAddress=127.0.0.1 localPort=5001

Blocking client connections on all ports with stacktrace: "full" parameter.


app("Socket Connect Mod"):
requires(version: ARMR/2.3)
socket("Blocking client connections on all ports"):
connect("0.0.0.0:0")
protect(message: "connections blocked", severity: 8, stacktrace: "full")
endsocket
endapp

Logging

<10>1 2021-04-01T13:58:10.562+01:00 userX_system java 23895 - - CEF:0|ARMR:Socket Connect Mod|Socket Connect Mod|2.3|Blocking client connections on all ports|Execute Rule|High|rt=Apr 01 2021 13:58:10.561 +0100 dvchost=hostnameX procid=23895 appVersion=1 act=protect msg=connections blocked stacktrace=java.net.Socket.connect(Socket.java)\nClientConnection.attemptServerConnection(ClientConnection.java:37)\nClientConnection.main(ClientConnection.java:24) remoteIpAddress=127.0.0.1 remotePort=5001