Outgoing TCP Connections "Audit" Software?


Post by Louis Todd Heberle » Mon, 02 Oct 1995 04:00:00



> but I need some software that will allow us to monitor outgoing TCP/IP
> connections from our site to the world. Any assistance would be greatly
> appreciated.

Just a suggestion:  place a computer on the network next to your
router to the outside world, place tcpdump on it, and watch for
SYN packets (SYN-ACK might be better) where the client is inside
your network and the server is outside your network.  A simple
Perl script could produce some nice reports on such data.

Has anyone already written such scripts?

Todd

Outgoing TCP Connections "Audit" Software?

Post by Musas » Mon, 02 Oct 1995 04:00:00


>Just a suggestion:  place a computer on the network next to your
>router to the outside world, place tcpdump on it, and watch for
>SYN packets (SYN-ACK might be better) where the client is inside
>your network and the server is outside your network.  A simple
>Perl script could produce some nice reports on such data.
>Has anyone already written such scripts?

This script is pretty close to what you are looking for.  I use it to
monitor the network at work (Big Brother is watching :).  It doesn't
currently keep a database of connections, but that would be trivial to
add.

Musashi
<*---------------------------*> snip <*---------------------------*>
#!/usr/local/bin/perl
#
# Monitor all TCP/IP connections (that we care about)
#
# Dependencies which you need to change for
# your configuration include the tcpdump command
# and the spot marked XXX in HandleCMD which
# has my domain name wired in.
#
# Seth Robertson
# s...@ctr.columbia.edu
# Copyright (c) 1991
#
# Non-profit use allowed, for other (profit) uses, please contact the
# author
#
# Version 1.1
#
# Changes    #
#
# 08/03/95 jl   use a pager if dump will be more than a screen full.

########################################
# Commands accepted via stdin
# you may enter multiple commands
# separated by spaces or tabs
#
$HelpMessage = "\
clear   - Clear the screen\
dump    - List all connections seen since the last flush\
flush   - Forget about all connections (implies reset)\
help    - Print this message\
init    - Try to reinit everything to reset memory usage\
init-#  - Auto-init after every # seconds (default 3600, 0 for none)\
list    - List all current connections (since last reset)\
quit    - Exit the program\
reset   - Forget current connections\
size-#  - Change the size of the screen on # (execute reset after # lines)\
\n";

########################################
# The time until an auto-init
$InitTime = 3600;

########################################
# The default size of a screen
$ScreenSize = 23;

########################################
# The default pager to use
$Pager = '/bin/more';

########################################
# The tcpdump command
#
# The command I have here will show all packets
# going through my router (ethernet interface <foo>)
# which should list all packets destined for a
# foreign host
#
# I filter out all combinations of ports and
# hosts that I don't want to see.  You could
# do the opposite and only list those ports
# you wanted to know about (telnet, login, etc)
#
$Command='tcpdump -l -q "(\
    (\
            not (port domain)\
        and not (port netbios-ns)\
        and not (port netbios-dgm)\
        and not (port netbios-ssn)\
    )\
    and\
    (\
        (\
                   (ip proto \tcp)\
               and not (port pop3)\
        )\
        or\
        (\
                   (ip proto \udp)\
        )\
    )\
)"';

########################################
# Handle events (packets) coming in
# from the tcpdump
sub HandleCMD
{
  $_ = <CMD>;             # Hopefully non-blocking
  unless (defined $_)
    {                     # EOF: tcpdump exited or was killed
      print STDERR "tcpdump closed its pipe, exiting\n";
      exit 1;
    }

  # Split up the tcpdump line
  local ($time, $from, $junk, $to) = split(/[ \t\n]+/,$_);

  chop($to);                    # Get rid of trailing :

  ########################################
  # XXX - CTR Dependency here
  #
  # Separate the CTR side from everyone else.
  # The only reason we do this is because we don't
  # want to see every connection twice.
  #
  # This is the easiest way of doing this, but
  # if someone using this program does not
  # have a unique name, then you will have to
  # try both orientations of the $from and $to
  # addresses before you can determine that
  # you have not seen that connection before
  if ($from =~ /ctr\.your\.domain\.com/)
    {
      $CTR = $from;
      $Remote = $to;
    }
  else
    {
      $CTR = $to;
      $Remote = $from;
    }

  # Save the tcpdump output line for use with the dump or list command
  $List{"$CTR+$Remote"} = $_;

  # Check to see if we have seen it before
  if ($Connection{"$CTR+$Remote"} == 1)
    {
      # This connection is a ``current'' connection
      # so we discard
    }
  else
    {
      # This connection is either not current or we
      # have never seen it before.

      if ($Connection{"$CTR+$Remote"} != 2)
        {                       # We have never seen it before
          # Put it on the All Connections list
          push(@AllCon,"$CTR+$Remote");
        }

      # Mark it current
      $Connection{"$CTR+$Remote"} = 1;

      # Put it on the current connection list
      push(@CurCon,"$CTR+$Remote");

      print;                    # Print entire line

      if (++$line > $ScreenSize)
        {
          # We have gone over one screen-full.
          ++$screens;

          # Now clear the connection list and start over;
          print "\n----------------------------------------\n";
          &ResetConnection;
        }
    }

}

########################################
# Reset the connection list (forget
# which connections are current)
#
# Typically, this happens every screen-full
# so you can tell which connections are
# active
sub ResetConnection
{
  foreach $conn (@CurCon)
    {                   # Reset so it will print again
      $Connection{$conn} = 2;
    }

  # Get rid of the Current Connections list
  $#CurCon = -1;

  $line = 0;                    # Reset the current linecount

}

########################################
# Handle user commands
#
# See the beginning for the list of user commands
sub HandleUser
{
  chop($cmd = <>);                        # Hopefully non-blocking

  # Handle each command given
  foreach $_ (split(/[ \t\n]+/,$cmd))
    {
      if ($_ eq 'clear')
        {                       # Clear the screen
          system("clear");
        }
      elsif ($_ eq 'dump')
        {                       # Print all connections seen

          # Pipe the output through a pager if it is more than one screen
          if ($screens > 0)
            {
              open( PAGER, "| $Pager" );
              foreach $conn (@AllCon)
                {
                  print PAGER $List{$conn};
                }
              close( PAGER );
            }
          else
            {
              foreach $conn (@AllCon)
                {
                  print $List{$conn};
                }
            }
        }
      elsif ($_ eq 'flush')
        {
          foreach $conn (@AllCon)
            {                   # Reset each connection
              $Connection{$conn} = 3;
            }

          # Get rid of the All Connections list
          $#AllCon = -1;

          # (Flush implies reset)
          # Get rid of the Current Connections list
          $#CurCon = -1;

          $line = 0;            # Reset the current linecount
          $screens = 0;         # Reset screen counter
        }
      elsif ($_ eq 'help')
        {                       # List commands
          print $HelpMessage;
        }
      elsif ($_ eq 'init')
        {                       # Schedule an initialization
          $itimer = -1;
        }
      elsif ($_ =~ /^init-[0-9]+$/)
        {                       # New auto-init time
          $InitTime = $_;
          $InitTime =~ s/^init-([0-9]+)$/$1/;
        }
      elsif ($_ eq 'list')
        {                       # Print all connections seen
          foreach $conn (@CurCon)
            {                   # Print all current connections
              print $List{$conn};
            }
        }
      elsif ($_ eq 'quit')
        {                       # Duhh
          exit 0;
        }
      elsif ($_ eq 'reset')
        {                       # Reset the current connection list
          &ResetConnection;
        }
      elsif ($_ =~ /^size-[0-9]+$/)
        {                       # New screen size
          $ScreenSize = $_;
          $ScreenSize =~ s/^size-([0-9]+)$/$1/;
        }
      else
        {
          print STDERR "Unknown command (Try help)\n";
        }
    }

}

########################################
# Main Program Loop routine
#
# We only exit this if we want to try for a init to reduce memory (or
# the user enters quit)
sub MPL
{
  local($rin,$win,$ein,%List,%Connection,@AllCon,@CurCon,$line,$screens,$itimer,$stime);

  $stime=time;

  # Set up for the select() command
  $rin = $win = $ein = '';
  vec($rin, fileno(STDIN), 1) = 1;
  vec($rin, fileno(CMD), 1) = 1;

  $line=0;
  $screens=0;

  ########################################
  # Main program loop
  while ($nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef))
    {
      # Stuff from the tcpdump
      if (vec($rout, fileno(CMD), 1))
        {
          &HandleCMD;
        }
      # Commands from the user
      if (vec($rout, fileno(STDIN), 1))
        {
          &HandleUser;
        }

      ($itimer < 0) && last;
      ($InitTime && ($itimer = time - $stime) > $InitTime) && last;
    }
  print "Reinitializing ($itimer)\n";

}

########################################
# Main()

# clear the screen
system("clear");

# Start the tcpdump running
open(CMD,"$Command|") || die "Cannot start tcpdump: $!\n";

while (1)
{
  &MPL;

}

#%List %Connection @AllCon @CurCon $line $itimer
#EOF#
<*---------------------------*> snip <*---------------------------*>
--
      /          "Meddle not in the affairs of dragons, for             \
 *}=={*}>======-  thou art crunchy and go well with ketchup."  -======<{*}=={*
      \                     dra...@cc.gatech.edu                        /
    Musashi          - - -=- Finger for PGP key -=- - -             Musashi
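The approach in both posts above (watch tcpdump for SYNs where the client is inside and the server is outside, then report on distinct connections) as an added example, not code from either poster. It assumes the modern `tcpdump -n -l` line format rather than the 1995 one, a site prefix of 192.0.2.0/24, and constructed sample lines in documentation address ranges; the `use_synack` switch implements Todd's "SYN-ACK might be better" variant, which reports only connections the outside server actually accepted.

```python
import ipaddress
import re

# Constructed sample in modern `tcpdump -n -l` output format (assumed; not the
# 1995 format). Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:01.100002 IP 198.51.100.5.80 > 192.0.2.10.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000003 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 3, win 65535, length 0
12:00:03.000004 IP 203.0.113.7.51000 > 192.0.2.25.22: Flags [S], seq 4, win 65535, length 0
12:00:04.000005 IP 192.0.2.11.40003 > 192.0.2.12.22: Flags [S], seq 5, win 65535, length 0
12:00:05.000006 IP 192.0.2.10.40004 > 203.0.113.9.443: Flags [S], seq 6, win 65535, length 0
"""

INSIDE = ipaddress.ip_network("192.0.2.0/24")  # assumed prefix of "our site"

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """(src, sport, dst, dport, flags) for one tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]), m["flags"])


def outbound_connections(text, inside=INSIDE, use_synack=False):
    """Map (client, server, port) -> outbound attempt count. With use_synack the
    server's SYN-ACK is counted instead of the client's SYN, so only connections the
    outside server actually accepted appear (the "SYN-ACK might be better" option)."""
    want = "S." if use_synack else "S"
    counts = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[4] != want:
            continue
        src, sport, dst, dport, _ = parsed
        # A SYN-ACK flows server -> client, so swap the ends to recover the client
        client, server, port = (dst, src, sport) if use_synack else (src, dst, dport)
        # Keep inside -> outside only: drops inbound and purely internal traffic
        if client in inside and server not in inside:
            key = (str(client), str(server), port)
            counts[key] = counts.get(key, 0) + 1
    return counts
```

On the sample, SYN counting reports two distinct outbound targets (one attempted twice), while SYN-ACK counting reports only the one the server answered.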

Outgoing TCP Connections "Audit" Software?

Post by Colin Campbe » Fri, 06 Oct 1995 04:00:00


Have you looked at snoop? You can vary the verbosity from IP addresses only
to the full packet contents. Try `man snoop', since it's bundled. Must be run
as root though (required to put the ethernet interface into promiscuous mode).

Colin

: I am a fledgling Solaris 2.4 sysadmin. My boss wants me to setup a mechanism to
: audit outgoing TCP/IP connections. I know TCPWRAPPER will monitor incoming
: connections (prevent connections from certain domains and write to a logfile),
: but I need some software that will allow us to monitor outgoing TCP/IP
: connections from our site to the world. Any assistance would be greatly
: appreciated.

:       Regards,
:           Jon Stokes
:           Hughes STX (SETT Program Office)