Linux.Network.Netstat.Watcher

Collects a one-time snapshot of current non-LISTEN remote connections and a continuous diff stream of added/removed connections. Because the socket Status is part of the diff key, a connection whose state changes (for example ESTABLISHED to CLOSE_WAIT) is reported as a removed row followed by an added row. Loopback destinations are excluded by default (127.0.0.1 and ::1) via a configurable regex matched against Raddr.IP. The sampling interval (SampleIntervalSec) and the overall monitoring window (MonitorDurationSec) are fully parameterized. Each record includes process metadata via process_tracker_get(), so ProcInfo is only populated when the client's process tracker is running.


name: Linux.Network.Netstat.Watcher
type: CLIENT
author: Antonio Blescia (TheThMando)
description: >
    Collects a one-time snapshot of current non-LISTEN remote connections and a continuous diff stream of added/removed connections. Because the socket Status is part of the diff key, a connection whose state changes is reported as a removed row followed by an added row. Loopback destinations are excluded by default (127.0.0.1 and ::1) via a configurable regex matched against Raddr.IP.
    The sampling interval (SampleIntervalSec) and the overall monitoring window (MonitorDurationSec) are fully parameterized. Each record includes process metadata via process_tracker_get(), so ProcInfo is only populated when the client's process tracker is running.
implied_permissions:
  - IMPERSONATION
parameters:
  - name: SampleIntervalSec
    description: Sampling interval in seconds used by diff() while monitoring connections.
    type: int
    default: 60
  - name: MonitorDurationSec
    type: int
    description: Total monitoring window in seconds; the outer query stops after this duration.
    default: 600
  - name: ExcludeRemoteIPsRegex
    type: regex
    description: >
        Regex of remote IPs to exclude (matched against Raddr.IP). Keep it anchored and escape
        dots; an unanchored '127.0.0.1|::1' would also drop 127.0.0.10 or any IPv6 address
        containing '::1' such as 2001:db8::1.
    default: '^(127\.0\.0\.1|::1)$'

sources:
  - name: RemoteConnectionsSnapshot
    query: |
       SELECT timestamp(epoch=now()) AS now_utc,
              Pid,
              Status,
              FamilyString,
              Laddr,
              Raddr,
              process_tracker_get(id=Pid) AS ProcInfo
       FROM netstat()
       WHERE Status != "LISTEN"
        and NOT Raddr.IP =~ ExcludeRemoteIPsRegex


  - name: RemoteConnectionsDiffMonitor
    query: |
       SELECT *
       FROM query(query={
              SELECT timestamp(epoch=now()) AS now_utc,
                     Diff,
                     Timestamp,
                     Pid,
                     Status,
                     FamilyString,
                     Laddr,
                     Raddr,
                     process_tracker_get(id=Pid) AS ProcInfo
              FROM diff(query={
                       SELECT Timestamp,
                              Pid,
                              Status,
                              FamilyString,
                              Laddr,
                              Raddr,
                              -- Key on every field that identifies the socket, so a
                              -- status change surfaces as a removed row plus an added row.
                              format(format="%d|%s|%s|%s:%d|%s:%d",
                                     args=[Pid, Status, FamilyString,
                                           Laddr.IP, Laddr.Port,
                                           Raddr.IP, Raddr.Port]) AS DiffKey
                       FROM netstat()
                       WHERE Status != "LISTEN"
                        AND NOT Raddr.IP =~ ExcludeRemoteIPsRegex
                   },
                   key="DiffKey",
                   period=SampleIntervalSec)
              WHERE Diff =~ "added|removed|changed"
            },
            env=dict(SampleIntervalSec=SampleIntervalSec,
                     ExcludeRemoteIPsRegex=ExcludeRemoteIPsRegex),
            timeout=MonitorDurationSec)
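Before changing the ExcludeRemoteIPsRegex default on a fleet, it is worth checking what the pattern actually drops. The notebook query below is an added example and not part of the artifact above: it runs an unanchored loopback pattern and an anchored one over a constructed list of remote addresses (sample values, not taken from a live host) using only the built-in foreach() plugin and the =~ operator. The Samples, Unanchored and Anchored names are assumptions introduced for this illustration.

```vql
-- Constructed sample remote addresses: the two loopback values the artifact
-- should drop, two that only an unanchored pattern drops by accident, and one
-- ordinary remote peer that must always be kept.
LET Samples = ('127.0.0.1', '::1', '127.0.0.10', '2001:db8::1', '10.0.0.5')

-- [.] is used instead of \. so the pattern reads the same in VQL and YAML.
LET Unanchored = '127[.]0[.]0[.]1|::1'
LET Anchored = '^(127[.]0[.]0[.]1|::1)$'

-- Apply the same NOT ... =~ ... test the artifact's WHERE clause uses.
SELECT RemoteIP,
       NOT RemoteIP =~ Unanchored AS KeptByUnanchored,
       NOT RemoteIP =~ Anchored AS KeptByAnchored
FROM foreach(row=Samples,
             query={ SELECT _value AS RemoteIP FROM scope() })
```

Expected result: 127.0.0.1 and ::1 are dropped by both patterns and 10.0.0.5 is kept by both, but 127.0.0.10 and 2001:db8::1 are kept only by the anchored pattern; the unanchored one silently hides those peers from the snapshot and the diff stream.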