Filter Connection

Connection filter

Description

Detect new connection from received data

--data--> |connection filter| --check if exist--> |redis|

If doesn't exist : |connection filter| --add data--> |redis|

Filter Code

0x636E7370

Dependencies

no special dependencies

Darwin configuration

Example of darwin configuration for this filter :

{
    "connection_1": {
        "exec_path": "/path/to/darwin/build/darwin_connection",
        "config_file":"/path/to/connection.conf",
        "output": "LOG",
        "next_filter": "",
        "nb_thread": 1,
        "log_level": "DEBUG",
        "cache_size": 0
    }
}

Config file

redis_socket_path : the redis' socket path
redis_expire (optional) : if set, will expire a given data after n seconds
init_data_path (optional) : in case you want to add initial data, the file must be formatted like that:

"<net_src_ip>;<net_dst_ip>;<net_dst_port>;<ip_proto>"
"<net_src_ip>;<net_dst_ip>;<net_dst_port>;<ip_proto>"
...

See body section to see exactly which data is expected

alert_redis_list_name (optional) : the key under which the filter will stock the raised alerts in the redis
alert_redis_channel_name (optional) : the redis channel in which the raised alerts will be publish
log_file_path (optional) : the path in which the filter will write it's results

Example:

{
  "redis_socket_path": "/var/sockets/redis/redis.sock",
  "init_data_path": "/path/to/init_data_file.txt",
  "redis_expire": 300,
  "alert_redis_list_name": "darwin_alerts",
  "alert_redis_channel_name": "darwin.alerts",
  "log_file_path": "/var/log/darwin/alerts.log"
}

Body

[ 
      ["<net_src_ip>","<net_dst_ip>","<net_dst_port>","<ip_proto>"], 
      [...] 
]

Where ip_proto need to represent either udp (6), tcp (17), icmp(1). If it's icmp, no need for the field net_dst_port.

Example

Here is an example of a body:

[     
       ["10.20.255.22", "10.20.255.22", "2831", "6"],
       ["10.1.68.72", "10.1.68.72", "1375", "6"],
       ["10.0.12.101", "10.0.12.101", "2584", "6"],
       ["10.3.36.92", "10.3.36.92", "2802", "6"],
       ["10.12.69.123", "10.12.69.123", "1669", "17"],
       ["172.17.10.12", "172.17.10.12", "1"],
]

Results

Certitude can either be 100 if you have a new connection, or else 0.

If the LOG output is precised in the darwin configuration, the body send by the filter will be for example :

{ 
    "evt_id": "<header's_evt_id>",
    "time": "<ISO8601>",
    "filter": "connection",
    "connection" : "172.17.10.12;172.17.10.12;1",
    "certitude": 0
}

Configuration with Rsyslog

Modules necessary

To work alongside this filter, Rsyslog must be used with those compiled modules:

impcap
mmdarwin

Impcap

The Impcap module is a network sniffing module, it will recover information and data from packets on the network. Please go to its corresponding wiki to get full documentation on how to configure it.

Mmdarwin

The Mmdarwin module comes after Impcap, and handles the transmission of data to darwin, the configuration of Mmdarwin in the rsyslog configuration file should be:

action(type="mmdarwin" socketpath="/path/to/darwin/sockets/connection_1.sock" fields=["!impcap!net_src_ip", "!impcap!net_dst_ip", "!ipmcap!net_dst_port", "!impcap!IP_proto"] key="CONNECTION" filtercode="0x636E7370")

Home
Darwin Configuration
Connect to Darwin with Python
Management Socket
Alert Format
Statistics
Rsyslog Configuration
Workflow
Automated Testing
Unit Testing
Available Docker images
Filters
- Template
- Anomaly
- Buffer
- Connection
- Content Inspection
- DGA
- HostLookup
- Sofa
- TAnomaly
- Test
- Yara
- (Coming) Session
- (Obsolete) End
- (Obsolete) Logs
- (Obsolete) Reputation
Tools
- Reconciler
HAproxy
- General Configuration
- SPOE Data
Contributions

Provide feedback

Saved searches

Use saved searches to filter your results more quickly