app-mismatch(3)			SiLK Tool Suite		       app-mismatch(3)

NAME
       app-mismatch - SiLK plug-in to find services on unusual ports

SYNOPSIS
	 rwfilter --plugin=app-mismatch.so ...

DESCRIPTION
       The app-mismatch	plug-in	adds a partitioning rule to rwfilter(1)	that
       helps to	find services running on unusual port numbers.

       Specifically, when the app-mismatch plug-in is loaded into rwfilter(1),
       rwfilter	adds a partitioning rule that passes a record when the
       record's	application field (the applabel(1) value determined by yaf(1))
       is set and the value does not match the value of	either the source port
       or destination port.

       The plug-in causes rwfilter to write each record	that meets any of
       these criteria to the location specified	by the --fail-destination
       switch:

       o   the "protocol" field	has a value other than 6 or 17 (TCP or UDP)

       o   the "application" field has the value 0, indicating that the
	   application labeling	feature	was disabled or	that it	was unable to
	   determine the type of application

       o   the "application" field value is equal to either the	"sPort"	or the
	   "dPort" field, indicating the type of traffic appears to be
	   consistent with what	would be expected

       The remaining records are TCP or UDP records where the application
       field is set and its value differs from both the source port and the
       destination port.  These records are written to the location
       specified by the --pass-destination switch.

OPTIONS
       The app-mismatch	plug-in	does not add any additional switches to
       rwfilter	nor modify any field.

EXAMPLES
       In the following	examples, the dollar sign ("$")	represents the shell
       prompt.	The text after the dollar sign represents the command line.
       Lines have been wrapped for improved readability, and the back slash
       ("\") is	used to	indicate a wrapped line.

       The app-mismatch.so plug-in must	be explicitly loaded into rwfilter(1)
       using the --plugin switch.  The plug-in becomes active once it is
       loaded and no additional	switches are required.

       The following searches the SiLK Flow file data.rw for services that
       appear to be running on unusual or non-typical ports.  To get a quick
       summary of the data, the	output from rwfilter is	piped into rwuniq(1):

	$ rwfilter --plugin=app-mismatch.so --print-stat --pass=- data.rw \
	  | rwuniq --fields=application,sPort,dPort | head
	Files	  1.  Read	24494.	Pass	    890. Fail	    23604.
	appli|sPort|dPort|   Records|
	   53|62579| 5355|	   1|
	   53|55188| 5355|	   1|
	   53|57807| 5355|	   1|
	   53|54898| 5355|	   1|
	   80| 1171|  591|	   1|
	   53| 5355|50478|	   1|
	   53|64981| 5355|	   1|
	  139|52845|  445|	   1|
	   53|52536| 5355|	   1|

       As seen in the output of the --print-stat switch from rwfilter, the
       plug-in failed 23,604 records.  Some of those records have protocols
       other than TCP and UDP, and some records have an application value of
       zero.  Adding additional rwfilter invocations provides a way to get a
       count for each:

	$ rwfilter --protocol=6,17 --print-stat	--pass=- data.rw       \
	  | rwfilter --application=1- --print-stat --pass=- -	       \
	  | rwfilter --plugin=app-mismatch.so --print-stat --pass=- -  \
	  | rwuniq --fields=application,sPort,dPort --pager= | head
	Files	  1.  Read	24494.	Pass	  24420. Fail	       74.
	Files	  1.  Read	24420.	Pass	  14228. Fail	    10192.
	Files	  1.  Read	14228.	Pass	    890. Fail	    13338.
	appli|sPort|dPort|   Records|
	   53|62579| 5355|	   1|
	   53|55188| 5355|	   1|
	   53|57807| 5355|	   1|
	   53|54898| 5355|	   1|
	   80| 1171|  591|	   1|
	   53| 5355|50478|	   1|
	   53|64981| 5355|	   1|
	  139|52845|  445|	   1|
	   53|52536| 5355|	   1|

       All but 74 records were either TCP or UDP.  For the TCP and UDP
       records,	10,192 had an application label	of 0.  There were 13,338
       records where the application label matched the port number.  Change
       the final rwfilter invocation to	use --fail-destination to see those
       records:

	$ rwfilter --protocol=6,17 --print-stat	--pass=- data.rw       \
	  | rwfilter --application=1- --print-stat --pass=- -	       \
	  | rwfilter --plugin=app-mismatch.so --print-stat --fail=- -  \
	  | rwuniq --fields=application,sPort,dPort --pager= | head
	Files	  1.  Read	24494.	Pass	  24420. Fail	       74.
	Files	  1.  Read	24420.	Pass	  14228. Fail	    10192.
	Files	  1.  Read	14228.	Pass	    890. Fail	    13338.
	appli|sPort|dPort|   Records|
	  443|	443|53257|	   1|
	   80|54123|   80|	   2|
	   80|52322|   80|	   1|
	   80|54749|   80|	   1|
	   80|	 80|52885|	   3|
	   80|	 80|54204|	   1|
	   53|	 53|55964|	   1|
	   80|53497|   80|	   1|
	   80|54122|   80|	   2|
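       As an added illustration (not part of SiLK or of this manual page), the
       following Python models the partitioning rule described in DESCRIPTION
       and tallies the same three fail reasons that the chained rwfilter
       invocations above count stage by stage.  The Flow records are
       constructed samples modelled on the rwuniq output; the names Flow,
       app_mismatch_reason and partition are this example's own.

```python
# Added example: a pure-Python model of the app-mismatch partitioning rule.
# It is not SiLK code; Flow/app_mismatch_reason/partition are names chosen here.
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

TCP, UDP = 6, 17


class Flow(NamedTuple):
    protocol: int
    sport: int
    dport: int
    application: int  # applabel value assigned by yaf; 0 = unlabeled/disabled


def app_mismatch_reason(rec: Flow) -> Optional[str]:
    """Return None when the record would pass, else why rwfilter fails it.

    The checks are ordered like the three-stage pipeline in EXAMPLES:
    protocol first, then unlabeled records, then label-matches-port.
    """
    if rec.protocol not in (TCP, UDP):
        return "protocol"            # not TCP/UDP
    if rec.application == 0:
        return "app-zero"            # labeling disabled or undetermined
    if rec.application in (rec.sport, rec.dport):
        return "app-matches-port"    # traffic looks like what the port implies
    return None                      # service on an unusual port: pass


def partition(records: List[Flow]) -> Tuple[List[Flow], List[Flow], Counter]:
    """Split records into pass/fail lists and count fail reasons."""
    passed, failed, reasons = [], [], Counter()
    for rec in records:
        reason = app_mismatch_reason(rec)
        if reason is None:
            passed.append(rec)
        else:
            failed.append(rec)
            reasons[reason] += 1
    return passed, failed, reasons


# Constructed sample records (not real data), modelled on the rwuniq rows.
SAMPLE = [
    Flow(UDP, 62579, 5355, 53),   # DNS label on the LLMNR port: passes
    Flow(TCP, 1171, 591, 80),     # HTTP label on port 591: passes
    Flow(TCP, 52845, 445, 139),   # NetBIOS label on port 445: passes
    Flow(TCP, 443, 53257, 443),   # label equals sPort: fails
    Flow(TCP, 54123, 80, 80),     # label equals dPort: fails
    Flow(UDP, 40000, 9, 0),       # unlabeled: fails
    Flow(1, 0, 0, 0),             # ICMP: fails on protocol before anything else
]
```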

ENVIRONMENT
       SILK_PATH
	   This	environment variable gives the root of the install tree.  When
	   searching for plug-ins, a SiLK application may use this environment
	   variable.  See the "FILES" section for details.

       SILK_PLUGIN_DEBUG
	   When	set to 1, the SiLK applications	print status messages to the
	   standard error as they attempt to find and open the app-mismatch.so
	   plug-in.  A typical invocation using	this variable is:

	    env	SILK_PLUGIN_DEBUG=1 rwfilter --plugin=app-mismatch.so --version

FILES
       ${SILK_PATH}/lib64/silk/app-mismatch.so
       ${SILK_PATH}/lib64/app-mismatch.so
       ${SILK_PATH}/lib/silk/app-mismatch.so
       ${SILK_PATH}/lib/app-mismatch.so
       /usr/local/lib64/silk/app-mismatch.so
       /usr/local/lib64/app-mismatch.so
       /usr/local/lib/silk/app-mismatch.so
       /usr/local/lib/app-mismatch.so
	   Possible locations for the plug-in.

SEE ALSO
       rwfilter(1), rwuniq(1), silk(7),	yaf(1),	applabel(1)

SiLK 3.19.1			  2021-09-21		       app-mismatch(3)
