Protocol, Ports and their status info

I want to capture the protocols found to be utilized on a device. With the following statement I can get the TCP

(remote ports of it, tcp states of it) of sockets whose (tcp of it) of network

but I want to get all protocols and ports, such as SMB v2, TCP, UDP, SMTP, HTTP, HTTPS, along with their status such as established, wait time, etc.

Greetings @annoymous

Thank you for showing your relevance "so far".
For the future, please put your relevance and code into a code block, for better readability.

It looks like this </> in the toolbar.

I can get you the associated processes with this:

(name of process of it | "NoProcess", remote ports of it, tcp states of it) of sockets whose (tcp of it) of network

but that still does not get you the protocol information.

I poked around on https://developer.bigfix.com/relevance/reference/socket.html
but I did not find a property of that object type that gives what you are seeking - the named protocol.

I did find this bit on Windows Firewall that deals with Protocol… but again I don’t think it’s what you are asking for.

protocols of globally open ports of profiles of local policies of firewall

What thing would you type at the terminal or command line to get Windows or Linux to output this information (outside of BigFix)? I played around with netstat but did not find a way.

This is very helpful, but it is for TCP ports only; I want to see the UDP ones as well.

I used the following to get almost what I needed:

(((if (tcp of it) then ("TCP") else ("UDP")), ((if (ip version of it = ipv4) then (it as string) else ("[" & it as string & "]")) of local address of it) & ":" & (local port of it as string), ((remote address of it as string | "") & ":" & (remote port of it as string | ":*")), (tcp state of it as string | "-"), (name of process of it | "-"))) of sockets whose (established of tcp state of it) of network

I’m not sure why you’re trying to retrieve the tcp state of it and also filtering to only the “established” tcp state.

The whose() filter with established of tcp state of it will exclude all the UDP sockets and also exclude all the LISTENING, TIME_WAIT, SYN_SENT and other TCP states as well.

q: ((if tcp of it then "tcp" else "udp"), local address of it as string | "-", remote address of it as string | "-", local port of it as string | "-", remote port of it as string | "-") of sockets of network

This much will get you the protocol, IP addresses, and port numbers. Matching that to a protocol would be an expensive lookup into \windows\system32\drivers\etc\services or /etc/services, matching each protocol and port for the “well-known” ports.

This can be a hugely expensive query, though. I’m not really sure I understand why you’re trying to capture this, but capturing a huge number of results like this from a huge number of computers could impact your system performance and grow your database considerably.

You are correct. I think it is better if I create three separate relevance statements. With your query I can get the ports and protocol. Now I am going to get the services part.

Sure, that’s just a matter of string concatenation:

"string" & "string"

@JasonWalker could you please share the full statement?

((if tcp of it then "tcp" else "udp"), local address of it as string | "-", remote address of it as string | "-", local port of it as string | "-", remote port of it as string | "-") of sockets of network

This gives me ports and protocol, and I want to tie those with services.

Strictly using BigFix, great, I would love to do it that way. But…

Can you sit down in front of a computer and use a command prompt to get the data you want? If so, then write a script to do the work and dump the answers into a reg key to store the data, THEN use an analysis to pull the data.

I have several processes that use that method.

For Example, we had to find out which systems were listening on web ports, 80, 443, 8080 and 8443. I wrote the script below.

Then I used the analysis to get the data I dumped in the registry.


In case you don’t know what my script does: it uses the netstat command to get the PID of listening ports (I limited it to the 4 ports I was looking for, but you don’t have to). Then it uses the tasklist command to find the process that uses that PID.
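An added example, not the script from the post above or any of the relevance in this thread, that puts the two approaches discussed here into one runnable piece: it parses `netstat -ano` output for listening TCP and all UDP sockets, resolves each PID to an image name from `tasklist /FO CSV` (the netstat/tasklist method just described), and names the port from the services file format mentioned earlier (`\windows\system32\drivers\etc\services` or `/etc/services`). The netstat, tasklist and services text embedded below is constructed sample data so it runs offline; on Windows the `__main__` block collects live output instead. Writing the result into a registry key for an analysis to read is left out; the function returns plain dictionaries you can store however you like.

```python
import csv
import io
import re
import subprocess
import sys
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     1234
  TCP    [::]:8080              [::]:0                 LISTENING       5678
  UDP    0.0.0.0:123            *:*                                    2222
  UDP    [::1]:1900             *:*                                    3333
"""

# Constructed sample of `tasklist /FO CSV` output.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"firefox.exe","1234","Console","1","250,000 K"
"java.exe","5678","Services","0","300,000 K"
"svchost.exe","2222","Services","0","10,000 K"
"svchost.exe","3333","Services","0","9,000 K"
'''

# Constructed excerpt in the layout of the services file (name, port/proto, aliases, comment).
SAMPLE_SERVICES = """# Constructed excerpt
http               80/tcp    www www-http   # World Wide Web
ntp               123/udp                   # Network Time Protocol
microsoft-ds      445/tcp
http-alt         8080/tcp
ssdp             1900/udp
"""

Socket = Tuple[str, str, int, str, int]  # (proto, local_ip, local_port, state, pid)


def parse_services(text: str) -> Dict[Tuple[str, int], str]:
    """Return {(proto, port): service_name} from services-file text; comments are dropped."""
    table: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", parts[1].lower())
        if m:
            table[(m.group(2), int(m.group(1)))] = parts[0]
    return table


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split '10.0.0.5:80' or '[::1]:1900' into (ip, port); '*' ports become 0."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_netstat_ano(text: str) -> List[Socket]:
    """Parse `netstat -ano` rows; UDP rows have no State column, so the PID is last."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        proto = parts[0].lower()
        ip, port = split_endpoint(parts[1])
        state = parts[3] if proto == "tcp" else "-"
        sockets.append((proto, ip, port, state, int(parts[-1])))
    return sockets


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Return {pid: image name} from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def listening_report(netstat_text: str, tasklist_text: str, services_text: str,
                     ports: Optional[Set[int]] = None) -> List[dict]:
    """Join the three sources: TCP LISTENING rows plus all UDP rows,
    optionally restricted to a port set such as {80, 443, 8080, 8443}."""
    services = parse_services(services_text)
    names = parse_tasklist_csv(tasklist_text)
    rows = []
    for proto, ip, port, state, pid in parse_netstat_ano(netstat_text):
        if proto == "tcp" and state != "LISTENING":
            continue
        if ports is not None and port not in ports:
            continue
        rows.append({"proto": proto, "local": f"{ip}:{port}", "port": port, "pid": pid,
                     "process": names.get(pid, "-"), "service": services.get((proto, port), "-")})
    return rows


if __name__ == "__main__":
    if sys.platform == "win32":  # live data on Windows, constructed samples elsewhere
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout
        with open(r"C:\Windows\System32\drivers\etc\services", encoding="ascii", errors="replace") as fh:
            sv = fh.read()
    else:
        ns, tl, sv = SAMPLE_NETSTAT, SAMPLE_TASKLIST, SAMPLE_SERVICES
    for r in listening_report(ns, tl, sv):
        print(f"{r['proto']:<5}{r['local']:<24}{r['process']:<16}{r['service']}")
```

Passing `ports={80, 443, 8080, 8443}` reproduces the web-port check from the post; leaving it out gives the full listening inventory, which is the size concern raised elsewhere in this thread, so filter at the endpoint before storing anything.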


I just think you could be in for some serious database growth and performance issues if you try to retrieve all open ports info from every client. That could be tens of thousands of results, from each client. I’d strongly advise you to look at your use-case and whether this is really required, and if so, you might look at IPS / IDS or GigaMON-type network logging systems.

I was able to pull all the information using the following two relevance statements.

Ports and Protocol.

((if (tcp of it) then ("tcp") else ("udp")), local ports of it as string) of (sockets whose ((local address of it as string != "0.0.0.0") and (local address of it as string != "0:0:0:0:0:0:0:0") and (local address of it as string != "127.0.0.1")) of network)

Services.

(preceding text of first " " of it) of (services whose (state of it as lowercase = "running") as string)