Socket Control Security Feature
Overview
The socket rule begins with a socket and ends with an endsocket. It must contain the rule name as a parameter; this is an arbitrary string, so it must be surrounded with double quotes. The socket rule cannot contain duplicate statements, and multiple socket rules are allowed in the same ARMR application. The order of statements inside the socket rule does not matter.
Port ranges in Socket rules are only supported on ARMR version 2.2 and above.
Given (Condition)
bind
The bind condition takes the following key-value pairs as parameters: client and server. They can be used simultaneously within bind. The value for both the client and server keys is a quoted string composed of the IP address of the local interface and the port, separated by a colon. The wildcard for IPv4 addresses is 0.0.0.0, and the wildcard for the port is 0. The following are examples of bind conditions specifying wildcarded IPv4 addresses and a wildcarded port:
bind(client: "0.0.0.0:0")
bind(server: "0.0.0.0:0")
bind(server: "0.0.0.0:0", client: "0.0.0.0:0")
Specific IPv4 addresses and/or port numbers may be specified, for example:
bind(client: "127.0.0.1:80")
bind(server: "127.0.0.1:0")
bind(client: "0.0.0.0:80")
Port ranges may be specified, for example:
bind(client: "0.0.0.0:80-90")
bind(server: "0.0.0.0:8080-8090")
bind(server: "127.0.0.1:8080-8090")
connect, accept
The accept and connect conditions require only a single parameter, which is the IPv4 address and port for accepting connections from a remote address and for connecting to a remote address, respectively. Hostnames may also be used. The wildcard for IPv4 addresses is 0.0.0.0, and the wildcard for the port is 0. The following are examples of accept and connect conditions specifying wildcarded IPv4 addresses and a wildcarded port:
accept("0.0.0.0:0")
accept("localhost:0")
connect("0.0.0.0:0")
connect("localhost:0")
Specific IPv4 addresses and/or port numbers may be specified; hostnames may also be specified. For example:
accept("127.0.0.1:5001")
accept("0.0.0.0:5001")
connect("127.0.0.1:8080")
connect("127.0.0.1:0")
Port ranges may be specified, for example:
accept("127.0.0.1:5000-5100")
connect("0.0.0.0:8080-8100")
It is possible to create multiple ARMR socket rules with overlapping or overarching conditions. The agent handles this configuration by selecting only a single rule, and applies the action defined in it. The agent uses the following criteria for selection:
- select the rule that contains a matching IP address and port, using a rule containing wildcards if no match is found
- if more than one such matching rule exists, then priority is given based on the action, in the order allow, protect, detect
To avoid unexpected behavior, it is recommended to limit the number of rules that overlap when possible.
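As an added illustration (not Waratek's ARMR agent code), the following Python models the selection criteria above using the page's endpoint syntax. It assumes rules are modelled as name, condition, endpoint and action; treats a rule with one wildcard field as more specific than one with two (the page does not say how those tie); and compares hostnames literally rather than resolving them.

```python
from dataclasses import dataclass

WILDCARD_IP = "0.0.0.0"
ACTION_PRIORITY = {"allow": 0, "protect": 1, "detect": 2}   # lower value wins a tie

@dataclass(frozen=True)
class SocketRule:                 # hypothetical model of one socket rule
    name: str
    condition: str                # "bind", "connect" or "accept"
    endpoint: str                 # page syntax: "ip:port" or "ip:lo-hi", port 0 = wildcard
    action: str                   # "allow", "protect" or "detect"

def parse_endpoint(spec: str):
    """Split "host:port" or "host:lo-hi" into (host, lo, hi); "0" means any port."""
    host, _, port = spec.rpartition(":")
    if not host or not port:
        raise ValueError(f"bad endpoint {spec!r}")
    lo, _, hi = port.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return host, lo, hi

def specificity(rule: SocketRule, condition: str, ip: str, port: int):
    """None if the rule does not apply; otherwise the number of non-wildcard fields (0-2)."""
    if rule.condition != condition:
        return None
    host, lo, hi = parse_endpoint(rule.endpoint)
    wild_ip, wild_port = host == WILDCARD_IP, (lo, hi) == (0, 0)
    if not (wild_ip or host == ip):            # hostnames are compared literally here
        return None
    if not (wild_port or lo <= port <= hi):
        return None
    return int(not wild_ip) + int(not wild_port)

def select_rule(rules, condition: str, ip: str, port: int):
    """Pick the one rule the agent applies: exact match first, then allow > protect > detect."""
    best = None
    for rule in rules:
        spec = specificity(rule, condition, ip, port)
        if spec is None:
            continue
        key = (-spec, ACTION_PRIORITY[rule.action])   # more specific, then higher-priority action
        if best is None or key < best[0]:
            best = (key, rule)
    return best[1] if best else None

# The page's "Multiple Rules" example: protect all client binds, allow 127.0.0.1:5000.
RULES = [SocketRule("Socket bind protect all", "bind", "0.0.0.0:0", "protect"),
         SocketRule("Socket bind allow specific", "bind", "127.0.0.1:5000", "allow")]
```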
Then (Action)
| Action | Description |
| --- | --- |
| protect | Block network connections to or from an IP address and port combination specified in the socket rule. If configured, a log message is generated with details of the event. |
| allow | Allow network connections to or from an IP address and port combination specified in the socket rule. If configured, a log message is generated with details of the event. |
| detect | Monitoring mode: the application behaves as normal. Network connections to or from an IP address and port combination specified in the socket rule are logged only. A log message must be specified with this action. |
As part of the action statement, the user may optionally specify the parameter stacktrace: "full". When this parameter is specified, the stack trace of the location of the attempted exploit is included in the security log entry.
Examples
Blocking client binds on all interfaces and all ports
app("Socket Client Bind Mod"):
requires(version: ARMR/2.8)
socket("Blocking client binds on all interfaces and all ports"):
bind(client: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8)
endsocket
endapp
Blocking server binds on all interfaces and all ports.
app("Socket Server Bind Mod"):
requires(version: ARMR/2.8)
socket("Blocking server binds on all interfaces and all ports"):
bind(server: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8)
endsocket
endapp
Blocking client connections on all ports.
app("Socket Connect Mod"):
requires(version: ARMR/2.8)
socket("Blocking client connections on all ports"):
connect("0.0.0.0:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp
Blocking server accepting connections on all interfaces and all ports.
app("Socket Accept Mod"):
requires(version: ARMR/2.8)
socket("Blocking server accepting connections on all interfaces and all ports"):
accept("0.0.0.0:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp
Blocking server accepting connections on a specific interface and specific port.
app("Socket Accept Mod"):
requires(version: ARMR/2.8)
socket("Blocking server accepting connections on IP 127.0.0.1 and specific port 5001"):
accept("127.0.0.1:5001")
protect(message: "connections blocked", severity: 8)
endsocket
endapp
Blocking server accepting connections on a specific interface, over a range of ports.
app("Socket Accept Mod"):
requires(version: ARMR/2.8)
socket("Blocking server accepting connections on IP 127.0.0.1 and port range 5000-5010"):
accept("127.0.0.1:5000-5010")
protect(message: "connections blocked", severity: 8)
endsocket
endapp
Blocking client binds on all interfaces and all ports, but allowing them on a specific interface and specific port.
app("Socket Client Bind Mod Multiple Rules"):
requires(version: ARMR/2.8)
socket("Socket bind protect all"):
bind(client: "0.0.0.0:0")
protect(message: "Socket rule protect 0.0.0.0:0", severity: High)
endsocket
socket("Socket bind allow specific"):
bind(client: "127.0.0.1:5000")
allow(message: "Socket rule allow 127.0.0.1:5000", severity: Medium)
endsocket
endapp
Logging
A log entry similar to the following is generated by events resulting from the Socket Client Bind, Socket Connect and Socket Accept rules above; the three entries below correspond to them, respectively.
<10>1 2021-03-22T11:03:42.920Z userX_system java 5989 - - CEF:0|ARMR:Walter|Walter|2.8|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:03:42.919 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=5989 appVersion=1 ruleType=socket securityFeature=socket bind act=protect msg=Socket rule protect 127.0.0.1:0 localIpAddress=127.0.0.1 localPort=5001
<10>1 2021-03-22T11:05:20.332Z userX_system java 6442 - - CEF:0|ARMR:Walter|Walter|2.8|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:05:20.331 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=6442 appVersion=1 ruleType=socket securityFeature=socket connect act=protect msg=Socket rule protect 0.0.0.0:80 remoteIpAddress=74.125.193.105 remotePort=80
<10>1 2021-03-22T11:06:00.934Z userX_system java 6591 - - CEF:0|ARMR:Walter|Walter|2.8|Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:06:00.932 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=6591 appVersion=1 ruleType=socket securityFeature=socket accept act=protect msg=Socket rule protect 127.0.0.1:0 remoteIpAddress=127.0.0.1 remotePort=5001
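As an added example, not part of the original page: a Python parser for the CEF entries above that pulls out the header fields and the space-separated extension, then reports which socket operation and endpoint a protect rule blocked (bind entries carry the local endpoint, connect and accept entries the remote one, as the three samples show). The field names used for the CEF header are this example's own.

```python
import re

# Sample entry copied from the Logging section above (Socket Client Bind rule).
SAMPLE = ("<10>1 2021-03-22T11:03:42.920Z userX_system java 5989 - - CEF:0|ARMR:Walter|Walter|2.8|"
          "Socket rule protect|Execute Rule|High|rt=Mar 22 2021 11:03:42.919 +0000 "
          "dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=5989 appVersion=1 ruleType=socket "
          "securityFeature=socket bind act=protect msg=Socket rule protect 127.0.0.1:0 "
          "localIpAddress=127.0.0.1 localPort=5001")

CEF_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Extension values may contain spaces ("securityFeature=socket bind", "msg=..."), so split
# only where the following token looks like a new key. CEF backslash escapes are not handled.
EXT_SPLIT = re.compile(r" (?=[A-Za-z][A-Za-z0-9]*=)")

def parse_armr_cef(line: str) -> dict:
    """Parse one ARMR syslog/CEF line into a flat dict of header and extension fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = line[start + 4:].split("|", 7)        # 7 header fields, then the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(CEF_HEADER, parts[:7]))
    for field in EXT_SPLIT.split(parts[7]):
        key, _, value = field.partition("=")
        record[key] = value
    return record

def blocked_socket_endpoint(record: dict):
    """For a socket-rule 'protect' event, return (operation, endpoint) the agent blocked.
    Bind events carry the local address; connect/accept events carry the remote one."""
    if record.get("ruleType") != "socket" or record.get("act") != "protect":
        return None
    operation = record.get("securityFeature", "socket ?").split(" ", 1)[-1]   # bind, connect, ...
    side = "local" if operation.endswith("bind") else "remote"
    return operation, f"{record[side + 'IpAddress']}:{record[side + 'Port']}"
```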
Further Examples
Blocking server binds on all interfaces and all ports with the stacktrace: "full" parameter.
app("Socket Server Bind Mod"):
requires(version: ARMR/2.8)
socket("Blocking server binds on all interfaces and all ports"):
bind(server: "0.0.0.0:0")
protect(message: "port binding blocked", severity: 8, stacktrace: "full")
endsocket
endapp
Logging
<10>1 2021-04-01T13:48:30.121+01:00 userX_system java 23223 - - CEF:0|ARMR:Socket Server Bind Mod|Socket Server Bind Mod|2.8|Blocking server binds on all interfaces and all ports|Execute Rule|High|rt=Apr 01 2021 13:48:30.119 +0100 dvchost=hostnameX procid=23223 appVersion=1 ruleType=socket securityFeature=socket serverbind act=protect msg=port binding blocked stacktrace=java.net.ServerSocket.bind(ServerSocket.java)\nNetworkServerSocket.main(NetworkServerSocket.java:19) localIpAddress=127.0.0.1 localPort=5001
Blocking client connections on all ports with the stacktrace: "full" parameter.
app("Socket Connect Mod"):
requires(version: ARMR/2.8)
socket("Blocking client connections on all ports"):
connect("0.0.0.0:0")
protect(message: "connections blocked", severity: 8, stacktrace: "full")
endsocket
endapp
Logging
<10>1 2021-04-01T13:58:10.562+01:00 userX_system java 23895 - - CEF:0|ARMR:Socket Connect Mod|Socket Connect Mod|2.8|Blocking client connections on all ports|Execute Rule|High|rt=Apr 01 2021 13:58:10.561 +0100 dvchost=hostnameX procid=23895 appVersion=1 ruleType=socket securityFeature=socket connect act=protect msg=connections blocked stacktrace=java.net.Socket.connect(Socket.java)\nClientConnection.attemptServerConnection(ClientConnection.java:37)\nClientConnection.main(ClientConnection.java:24) remoteIpAddress=127.0.0.1 remotePort=5001
Blocking client connections on all ports with the "localhost" parameter.
app("Socket Connect Mod"):
requires(version: ARMR/2.8)
socket("connect to localhost"):
connect("localhost:0")
protect(message: "connections blocked", severity: High)
endsocket
endapp
Blocking server accepting connections with the "localhost" parameter.
app("Socket Accept Mod"):
requires(version: ARMR/2.8)
socket("blocking server accepting connections"):
accept("localhost:0")
protect(message: "connections blocked", severity: 8)
endsocket
endapp