Report network connections, and enrich with process information.
name: Linux.Network.NetstatEnriched
description: |
Report network connections, and enrich with process information.
type: CLIENT
precondition:
SELECT OS From info() where OS = 'linux'
parameters:
- name: IPRegex
description: "regex search over IP address fields."
default: "."
type: regex
- name: PortRegex
description: "regex search over port fields."
default: "."
type: regex
- name: ProcessNameRegex
description: "regex search over source process name"
default: "."
type: regex
- name: UsernameRegex
description: "regex search over source process user context"
default: "."
type: regex
- name: ConnectionStatusRegex
description: "regex search over connection status"
default: "LISTEN|ESTAB"
type: regex
- name: ProcessPathRegex
description: "regex search over source process path"
default: "."
type: regex
- name: CommandLineRegex
description: "regex search over source process commandline"
default: "."
type: regex
- name: CallChainRegex
description: "regex search over the process callchain"
default: "."
type: regex
sources:
- query: |
SELECT Laddr.IP AS Laddr,
Laddr.Port AS Lport,
Raddr.IP AS Raddr,
Raddr.Port AS Rport,
Pid,
Status,
process_tracker_get(id=Pid).Data AS ProcInfo,
join(array=process_tracker_callchain(id=Pid).Data.Name, sep=" -> ") AS CallChain,
process_tracker_tree(id=Pid) AS ChildrenTree
FROM connections()
WHERE Status =~ ConnectionStatusRegex
AND Raddr =~ IPRegex
AND ( Lport =~ PortRegex OR Rport =~ PortRegex )
AND ProcInfo.Name =~ ProcessNameRegex
AND ProcInfo.Username =~ UsernameRegex
AND ProcInfo.Exe =~ ProcessPathRegex
AND ProcInfo.CommandLine =~ CommandLineRegex
AND CallChain =~ CallChainRegex
column_types:
- name: ChildrenTree
type: tree