Пример #1
            /// <summary>
            /// Checks that the owning PID is read from the last column of Windows-style netstat rows
            /// and exposed under the "Pid" key of ExtraDetails.
            /// </summary>
            public void ShouldParseWindowsPid()
            {
                // Neither row is in a listening state, yet both are expected back:
                // this test does not expect the parser to filter on the State column.
                const string NetstatOutput = @"  TCP    192.168.1.6:49729      40.103.33.102:443      ESTABLISHED     13324
  TCP    192.168.1.6:49732      23.97.157.56:443       TIME_WAIT       0";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber,
                    WindowsPidColumnNumber);

                Assert.AreEqual(2, parsed.Count);

                ListeningPortsPayload established = parsed[0];
                Assert.AreEqual("tcp", established.Protocol);
                Assert.AreEqual("192.168.1.6", established.LocalAddress);
                Assert.AreEqual("40.103.33.102", established.RemoteAddress);
                Assert.AreEqual("49729", established.LocalPort);
                Assert.AreEqual("443", established.RemotePort);
                Assert.AreEqual("13324", established.ExtraDetails["Pid"]);

                // The TIME_WAIT row reports PID 0; it is kept as the string "0" rather than dropped.
                ListeningPortsPayload timeWait = parsed[1];
                Assert.AreEqual("tcp", timeWait.Protocol);
                Assert.AreEqual("192.168.1.6", timeWait.LocalAddress);
                Assert.AreEqual("23.97.157.56", timeWait.RemoteAddress);
                Assert.AreEqual("49732", timeWait.LocalPort);
                Assert.AreEqual("443", timeWait.RemotePort);
                Assert.AreEqual("0", timeWait.ExtraDetails["Pid"]);
            }
Пример #2
            /// <summary>
            /// Checks that a Windows-style listing mixing IPv4 TCP, bracketed IPv6 TCP and UDP rows
            /// is parsed row by row, in input order.
            /// </summary>
            public void ShouldParseWindowsTcpUdpIpv6Ipv4Combination()
            {
                const string NetstatOutput = @"  TCP    10.166.83.25:64758     23.64.31.74:443        ESTABLISHED
  TCP    [2001:0:2851:7871:28a9:6860:5823:3ae6]:7680  [2001:0:2851:7871:1054:f038:5823:3be2]:52540  TIME_WAIT
  UDP    0.0.0.0:123            *:*";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(3, parsed.Count);

                ListeningPortsPayload ipv4Tcp = parsed[0];
                Assert.AreEqual("tcp", ipv4Tcp.Protocol);
                Assert.AreEqual("10.166.83.25", ipv4Tcp.LocalAddress);
                Assert.AreEqual("23.64.31.74", ipv4Tcp.RemoteAddress);
                Assert.AreEqual("64758", ipv4Tcp.LocalPort);
                Assert.AreEqual("443", ipv4Tcp.RemotePort);

                // The square brackets around IPv6 addresses must be stripped from the parsed address.
                ListeningPortsPayload ipv6Tcp = parsed[1];
                Assert.AreEqual("tcp", ipv6Tcp.Protocol);
                Assert.AreEqual("2001:0:2851:7871:28a9:6860:5823:3ae6", ipv6Tcp.LocalAddress);
                Assert.AreEqual("2001:0:2851:7871:1054:f038:5823:3be2", ipv6Tcp.RemoteAddress);
                Assert.AreEqual("7680", ipv6Tcp.LocalPort);
                Assert.AreEqual("52540", ipv6Tcp.RemotePort);

                // UDP rows have no State column and a wildcard remote endpoint.
                ListeningPortsPayload udp = parsed[2];
                Assert.AreEqual("udp", udp.Protocol);
                Assert.AreEqual("0.0.0.0", udp.LocalAddress);
                Assert.AreEqual("*", udp.RemoteAddress);
                Assert.AreEqual("123", udp.LocalPort);
                Assert.AreEqual("*", udp.RemotePort);
            }
Пример #3
            /// <summary>
            /// Checks PID extraction from the Linux "PID/Program name" column: "1234/node" yields
            /// Pid "1234", while a bare "-" leaves ExtraDetails null.
            /// </summary>
            public void ShouldParseLinuxPid()
            {
                const string NetstatOutput = @"tcp       0      0 1.2.3.4:1                4.3.2.1:1                    LISTEN      1234/node
tcp       0      0 4.3.2.1:2                   1.2.3.4:2                    LISTEN      -";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    LinuxLocalAddressColumnNumber,
                    LinuxRemoteAddressColumnNumber,
                    LinuxPidColumnNumber);

                Assert.AreEqual(2, parsed.Count);

                ListeningPortsPayload withPid = parsed[0];
                Assert.AreEqual("tcp", withPid.Protocol);
                Assert.AreEqual("1.2.3.4", withPid.LocalAddress);
                Assert.AreEqual("4.3.2.1", withPid.RemoteAddress);
                Assert.AreEqual("1", withPid.LocalPort);
                Assert.AreEqual("1", withPid.RemotePort);
                Assert.AreEqual("1234", withPid.ExtraDetails["Pid"]);

                // A "-" PID cell means no owner was reported; consumers must handle ExtraDetails being null.
                ListeningPortsPayload withoutPid = parsed[1];
                Assert.AreEqual("tcp", withoutPid.Protocol);
                Assert.AreEqual("4.3.2.1", withoutPid.LocalAddress);
                Assert.AreEqual("1.2.3.4", withoutPid.RemoteAddress);
                Assert.AreEqual("2", withoutPid.LocalPort);
                Assert.AreEqual("2", withoutPid.RemotePort);
                Assert.IsNull(withoutPid.ExtraDetails);
            }
Пример #4
            /// <summary>
            /// Checks that a row whose first column is not a known protocol name produces no payload.
            /// </summary>
            public void ShouldIgnoreUnrecognizedProtocols()
            {
                // The row is otherwise well-formed; only the protocol token is bogus.
                const string NetstatOutput = "  PrOtOcOl    10.166.83.25:57604     192.30.253.124:443     ESTABLISHED";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(0, parsed.Count);
            }
Пример #5
            /// <summary>
            /// Checks that the "Active Connections" banner and surrounding blank lines printed by
            /// Windows netstat yield no payloads.
            /// </summary>
            public void ShouldIgnoreWindowsHeader()
            {
                const string NetstatOutput = @"
Active Connections

";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(0, parsed.Count);
            }
Пример #6
            /// <summary>
            /// Checks that a mixed-case protocol token ("tCp") is recognised and reported as "tcp".
            /// </summary>
            public void ShouldNormalizeProtocolNameToLowercase()
            {
                const string NetstatOutput = "  tCp    10.166.83.25:57604     192.30.253.124:443     ESTABLISHED";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // Downstream consumers can compare Protocol against lowercase names only.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp", entry.Protocol);
            }
Пример #7
            /// <summary>
            /// Checks parsing of a Windows-style row whose endpoints are bracketed IPv6 addresses,
            /// including a compressed ("::") remote address.
            /// </summary>
            public void ShouldParseWindowsIpv6()
            {
                const string NetstatOutput = "  TCP    [2a01:110:68:2c:745a:5970:a2f2:e0f3]:64400  [2a02:26f0:e8:2b3::201a]:80  CLOSE_WAIT";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // Address and port are split at the colon after the closing bracket, not at the first colon.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp", entry.Protocol);
                Assert.AreEqual("2a01:110:68:2c:745a:5970:a2f2:e0f3", entry.LocalAddress);
                Assert.AreEqual("2a02:26f0:e8:2b3::201a", entry.RemoteAddress);
                Assert.AreEqual("64400", entry.LocalPort);
                Assert.AreEqual("80", entry.RemotePort);
            }
Пример #8
            /// <summary>
            /// Checks parsing of a single Linux-style IPv4 TCP row (Recv-Q/Send-Q columns precede the addresses).
            /// </summary>
            public void ShouldParseLinuxIpv4()
            {
                const string NetstatOutput = "tcp        0      0 10.166.83.31:33872      10.166.83.16:631        TIME_WAIT";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    LinuxLocalAddressColumnNumber,
                    LinuxRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp", entry.Protocol);
                Assert.AreEqual("10.166.83.31", entry.LocalAddress);
                Assert.AreEqual("10.166.83.16", entry.RemoteAddress);
                Assert.AreEqual("33872", entry.LocalPort);
                Assert.AreEqual("631", entry.RemotePort);
            }
Пример #9
            /// <summary>
            /// Checks parsing of a Linux-style udp6 row bound to the IPv6 wildcard address (":::5353").
            /// </summary>
            public void ShouldParseLinuxUdpIpv6Any()
            {
                // The row has no State column and ends in trailing whitespace.
                const string NetstatOutput = "udp6       0      0 :::5353                 :::*                               ";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    LinuxLocalAddressColumnNumber,
                    LinuxRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // ":::5353" must split into address "::" and port "5353"; a wildcard bind is reachable on every interface.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("udp6", entry.Protocol);
                Assert.AreEqual("::", entry.LocalAddress);
                Assert.AreEqual("::", entry.RemoteAddress);
                Assert.AreEqual("5353", entry.LocalPort);
                Assert.AreEqual("*", entry.RemotePort);
            }
Пример #10
            /// <summary>
            /// Checks parsing of a Windows-style TCP listener bound to the IPv6 wildcard address ("[::]:445").
            /// </summary>
            public void ShouldParseWindowsIpv6Any()
            {
                const string NetstatOutput = "  TCP    [::]:445               [::]:0                 LISTENING";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // Windows prints remote port 0 for listeners, where Linux prints "*"; the value is passed through as-is.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp", entry.Protocol);
                Assert.AreEqual("::", entry.LocalAddress);
                Assert.AreEqual("::", entry.RemoteAddress);
                Assert.AreEqual("445", entry.LocalPort);
                Assert.AreEqual("0", entry.RemotePort);
            }
Пример #11
            /// <summary>
            /// Checks parsing of a single Windows-style IPv4 TCP row.
            /// </summary>
            public void ShouldParseWindowsIpv4()
            {
                const string NetstatOutput = "  TCP    10.166.83.25:57604     192.30.253.124:443     ESTABLISHED";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // The uppercase "TCP" printed by Windows is expected back in lowercase.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp", entry.Protocol);
                Assert.AreEqual("10.166.83.25", entry.LocalAddress);
                Assert.AreEqual("192.30.253.124", entry.RemoteAddress);
                Assert.AreEqual("57604", entry.LocalPort);
                Assert.AreEqual("443", entry.RemotePort);
            }
Пример #12
            /// <summary>
            /// Checks parsing of a Linux-style tcp6 row, where IPv6 addresses are printed without
            /// brackets and the port follows the final colon.
            /// </summary>
            public void ShouldParseLinuxTcpIpv6()
            {
                const string NetstatOutput = "tcp6       0      0 2a01:110:68:2c:745a:5970:a2f2:e0f3:22                   2a02:26f0:e8:2b3::201a:*                    LISTEN";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    LinuxLocalAddressColumnNumber,
                    LinuxRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // Only the last colon-separated token is the port; everything before it is the address.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp6", entry.Protocol);
                Assert.AreEqual("2a01:110:68:2c:745a:5970:a2f2:e0f3", entry.LocalAddress);
                Assert.AreEqual("2a02:26f0:e8:2b3::201a", entry.RemoteAddress);
                Assert.AreEqual("22", entry.LocalPort);
                Assert.AreEqual("*", entry.RemotePort);
            }
Пример #13
            /// <summary>
            /// Checks parsing of a Windows-style UDP row, which has a "*:*" remote endpoint and no State column.
            /// </summary>
            public void ShouldParseWindowsUdp()
            {
                const string NetstatOutput = "  UDP    10.166.83.25:50049     *:*";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                // The wildcard remote endpoint is reported literally as "*" for both address and port.
                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("udp", entry.Protocol);
                Assert.AreEqual("10.166.83.25", entry.LocalAddress);
                Assert.AreEqual("*", entry.RemoteAddress);
                Assert.AreEqual("50049", entry.LocalPort);
                Assert.AreEqual("*", entry.RemotePort);
            }
        /// <summary>
        /// Runs <c>netstat -ln</c> through the bash helper, parses the output and wraps every
        /// parsed socket in a single listening-ports event.
        /// </summary>
        /// <returns>A list holding exactly one listening-ports event.</returns>
        protected override List<IEvent> GetEventsImpl()
        {
            // The command line is a fixed literal: nothing external is concatenated into the shell string.
            // -l limits netstat to listening sockets, -n keeps addresses and ports numeric (no DNS lookups).
            string netstatOutput = _processUtil.ExecuteBashShellCommand("netstat -ln");

            // No PID column index is passed, so the payloads built here carry no owning-process details.
            List<ListeningPortsPayload> sockets = NetstatUtils.ParseNetstatListeners(
                netstatOutput,
                LocalAddressColumnNumber,
                RemoteAddressColumnNumber);

            SimpleLogger.Debug($"NetstatEventGenerator returns {sockets.Count} payloads");

            ListeningPorts listeningPortsEvent = new ListeningPorts(Priority, sockets.ToArray());

            return new List<IEvent> { listeningPortsEvent };
        }
Пример #15
        /// <summary>
        /// Runs <c>netstat -an</c> through the Windows command helper, parses the output and wraps
        /// every parsed socket in a single listening-ports event.
        /// </summary>
        /// <returns>A list holding exactly one listening-ports event.</returns>
        protected override List<IEvent> GetEventsImpl()
        {
            // The command line is a fixed literal: nothing external is concatenated into it.
            // No stderr redirection happens here; the command runs exactly as written.
            // NOTE(review): -a lists established connections as well as listeners, so unless
            // ParseNetstatListeners filters on the State column the event holds every socket - confirm.
            string netstatOutput = _processUtil.ExecuteWindowsCommand("netstat -an");

            // No PID column index is passed, so the payloads built here carry no owning-process details.
            List<ListeningPortsPayload> sockets = NetstatUtils.ParseNetstatListeners(
                netstatOutput,
                LocalAddressColumnNumber,
                RemoteAddressColumnNumber);

            SimpleLogger.Debug($"NetstatEventGenerator returns {sockets.Count} payloads");

            ListeningPorts listeningPortsEvent = new ListeningPorts(Priority, sockets.ToArray());

            return new List<IEvent> { listeningPortsEvent };
        }
Пример #16
            /// <summary>
            /// Checks parsing of a Linux-style tcp6 listener on the IPv6 wildcard address together
            /// with its "PID/Program name" column.
            /// </summary>
            public void ShouldParseLinuxTcpIpv6Any()
            {
                const string NetstatOutput = "tcp6       0      0 :::22                   :::*                    LISTEN       8023/node";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    LinuxLocalAddressColumnNumber,
                    LinuxRemoteAddressColumnNumber,
                    LinuxPidColumnNumber);

                Assert.AreEqual(1, parsed.Count);

                ListeningPortsPayload entry = parsed[0];
                Assert.AreEqual("tcp6", entry.Protocol);
                Assert.AreEqual("::", entry.LocalAddress);
                Assert.AreEqual("::", entry.RemoteAddress);
                Assert.AreEqual("22", entry.LocalPort);
                Assert.AreEqual("*", entry.RemotePort);

                // Only the numeric part before the slash is kept; the program name is not asserted anywhere.
                Assert.AreEqual("8023", entry.ExtraDetails["Pid"]);
            }
Пример #17
            /// <summary>
            /// End-to-end check over a realistic Linux netstat listing: the column header is skipped
            /// and the six data rows (tcp, tcp6, udp, udp6, raw6) are parsed in order.
            /// </summary>
            public void ShouldParseLinuxPayload()
            {
                const string NetstatOutput = @"Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::39565                :::*                    LISTEN      8023/node
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -
udp6       0      0 :::5353                 :::*                                -
raw6       0      0 :::58                   :::*                    7           -                   ";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    LinuxLocalAddressColumnNumber,
                    LinuxRemoteAddressColumnNumber,
                    LinuxPidColumnNumber);

                // Six payloads for six data rows: the "Proto ..." header row contributes nothing.
                Assert.AreEqual(6, parsed.Count);

                // Rows with "-" in the PID column are expected to leave ExtraDetails null.
                ListeningPortsPayload loopbackDns = parsed[0];
                Assert.AreEqual("tcp", loopbackDns.Protocol);
                Assert.AreEqual("127.0.0.53", loopbackDns.LocalAddress);
                Assert.AreEqual("0.0.0.0", loopbackDns.RemoteAddress);
                Assert.AreEqual("53", loopbackDns.LocalPort);
                Assert.AreEqual("*", loopbackDns.RemotePort);
                Assert.IsNull(loopbackDns.ExtraDetails);

                ListeningPortsPayload nodeListener = parsed[1];
                Assert.AreEqual("tcp6", nodeListener.Protocol);
                Assert.AreEqual("::", nodeListener.LocalAddress);
                Assert.AreEqual("::", nodeListener.RemoteAddress);
                Assert.AreEqual("39565", nodeListener.LocalPort);
                Assert.AreEqual("*", nodeListener.RemotePort);
                Assert.AreEqual("8023", nodeListener.ExtraDetails["Pid"]);

                ListeningPortsPayload sshListener = parsed[2];
                Assert.AreEqual("tcp6", sshListener.Protocol);
                Assert.AreEqual("::", sshListener.LocalAddress);
                Assert.AreEqual("::", sshListener.RemoteAddress);
                Assert.AreEqual("22", sshListener.LocalPort);
                Assert.AreEqual("*", sshListener.RemotePort);
                Assert.IsNull(sshListener.ExtraDetails);

                // UDP rows have an empty State cell, so the PID value sits one whitespace token earlier.
                ListeningPortsPayload udpV4 = parsed[3];
                Assert.AreEqual("udp", udpV4.Protocol);
                Assert.AreEqual("0.0.0.0", udpV4.LocalAddress);
                Assert.AreEqual("0.0.0.0", udpV4.RemoteAddress);
                Assert.AreEqual("631", udpV4.LocalPort);
                Assert.AreEqual("*", udpV4.RemotePort);
                Assert.IsNull(udpV4.ExtraDetails);

                ListeningPortsPayload udpV6 = parsed[4];
                Assert.AreEqual("udp6", udpV6.Protocol);
                Assert.AreEqual("::", udpV6.LocalAddress);
                Assert.AreEqual("::", udpV6.RemoteAddress);
                Assert.AreEqual("5353", udpV6.LocalPort);
                Assert.AreEqual("*", udpV6.RemotePort);
                Assert.IsNull(udpV6.ExtraDetails);

                // raw6 is accepted as a protocol; its numeric State value ("7") is not asserted.
                ListeningPortsPayload rawV6 = parsed[5];
                Assert.AreEqual("raw6", rawV6.Protocol);
                Assert.AreEqual("::", rawV6.LocalAddress);
                Assert.AreEqual("::", rawV6.RemoteAddress);
                Assert.AreEqual("58", rawV6.LocalPort);
                Assert.AreEqual("*", rawV6.RemotePort);
                Assert.IsNull(rawV6.ExtraDetails);
            }
Пример #18
            /// <summary>
            /// End-to-end check over a realistic Windows netstat listing with a PID column: the banner
            /// and column header are skipped and the nine data rows are parsed in order.
            /// </summary>
            public void ShouldParseWindowsPayload()
            {
                const string NetstatOutput = @"

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.168.1.6:49750      10.166.83.164:22       SYN_SENT        25956
  TCP    192.168.1.6:49752      52.114.132.21:443      TIME_WAIT       0
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:64868             [::]:0                 LISTENING       1056
  UDP    0.0.0.0:53             *:*                                    9364
  UDP    [::]:123               *:*                                    2088
  UDP    [::1]:53437            *:*                                    9060
  UDP    [fe80::f1f0:4b7:b5d:ff71%2]:53435  *:*                                    9060";

                List<ListeningPortsPayload> parsed = NetstatUtils.ParseNetstatListeners(
                    NetstatOutput,
                    WindowsLocalAddressColumnNumber,
                    WindowsRemoteAddressColumnNumber,
                    WindowsPidColumnNumber);

                // Nine payloads for nine data rows, including the SYN_SENT and TIME_WAIT connections:
                // nothing is dropped because of its State value.
                Assert.AreEqual(9, parsed.Count);

                ListeningPortsPayload httpV4 = parsed[0];
                Assert.AreEqual("tcp", httpV4.Protocol);
                Assert.AreEqual("0.0.0.0", httpV4.LocalAddress);
                Assert.AreEqual("0.0.0.0", httpV4.RemoteAddress);
                Assert.AreEqual("80", httpV4.LocalPort);
                Assert.AreEqual("0", httpV4.RemotePort);
                Assert.AreEqual("4", httpV4.ExtraDetails["Pid"]);

                ListeningPortsPayload outboundSsh = parsed[1];
                Assert.AreEqual("tcp", outboundSsh.Protocol);
                Assert.AreEqual("192.168.1.6", outboundSsh.LocalAddress);
                Assert.AreEqual("10.166.83.164", outboundSsh.RemoteAddress);
                Assert.AreEqual("49750", outboundSsh.LocalPort);
                Assert.AreEqual("22", outboundSsh.RemotePort);
                Assert.AreEqual("25956", outboundSsh.ExtraDetails["Pid"]);

                ListeningPortsPayload timeWait = parsed[2];
                Assert.AreEqual("tcp", timeWait.Protocol);
                Assert.AreEqual("192.168.1.6", timeWait.LocalAddress);
                Assert.AreEqual("52.114.132.21", timeWait.RemoteAddress);
                Assert.AreEqual("49752", timeWait.LocalPort);
                Assert.AreEqual("443", timeWait.RemotePort);
                Assert.AreEqual("0", timeWait.ExtraDetails["Pid"]);

                ListeningPortsPayload httpV6 = parsed[3];
                Assert.AreEqual("tcp", httpV6.Protocol);
                Assert.AreEqual("::", httpV6.LocalAddress);
                Assert.AreEqual("::", httpV6.RemoteAddress);
                Assert.AreEqual("80", httpV6.LocalPort);
                Assert.AreEqual("0", httpV6.RemotePort);
                Assert.AreEqual("4", httpV6.ExtraDetails["Pid"]);

                ListeningPortsPayload highPortV6 = parsed[4];
                Assert.AreEqual("tcp", highPortV6.Protocol);
                Assert.AreEqual("::", highPortV6.LocalAddress);
                Assert.AreEqual("::", highPortV6.RemoteAddress);
                Assert.AreEqual("64868", highPortV6.LocalPort);
                Assert.AreEqual("0", highPortV6.RemotePort);
                Assert.AreEqual("1056", highPortV6.ExtraDetails["Pid"]);

                // UDP rows have an empty State cell, so the PID is found one whitespace token earlier.
                ListeningPortsPayload dnsUdp = parsed[5];
                Assert.AreEqual("udp", dnsUdp.Protocol);
                Assert.AreEqual("0.0.0.0", dnsUdp.LocalAddress);
                Assert.AreEqual("*", dnsUdp.RemoteAddress);
                Assert.AreEqual("53", dnsUdp.LocalPort);
                Assert.AreEqual("*", dnsUdp.RemotePort);
                Assert.AreEqual("9364", dnsUdp.ExtraDetails["Pid"]);

                ListeningPortsPayload ntpUdp = parsed[6];
                Assert.AreEqual("udp", ntpUdp.Protocol);
                Assert.AreEqual("::", ntpUdp.LocalAddress);
                Assert.AreEqual("*", ntpUdp.RemoteAddress);
                Assert.AreEqual("123", ntpUdp.LocalPort);
                Assert.AreEqual("*", ntpUdp.RemotePort);
                Assert.AreEqual("2088", ntpUdp.ExtraDetails["Pid"]);

                ListeningPortsPayload loopbackUdp = parsed[7];
                Assert.AreEqual("udp", loopbackUdp.Protocol);
                Assert.AreEqual("::1", loopbackUdp.LocalAddress);
                Assert.AreEqual("*", loopbackUdp.RemoteAddress);
                Assert.AreEqual("53437", loopbackUdp.LocalPort);
                Assert.AreEqual("*", loopbackUdp.RemotePort);
                Assert.AreEqual("9060", loopbackUdp.ExtraDetails["Pid"]);

                // The zone index ("%2") of a link-local address is kept as part of the address string.
                ListeningPortsPayload linkLocalUdp = parsed[8];
                Assert.AreEqual("udp", linkLocalUdp.Protocol);
                Assert.AreEqual("fe80::f1f0:4b7:b5d:ff71%2", linkLocalUdp.LocalAddress);
                Assert.AreEqual("*", linkLocalUdp.RemoteAddress);
                Assert.AreEqual("53435", linkLocalUdp.LocalPort);
                Assert.AreEqual("*", linkLocalUdp.RemotePort);
                Assert.AreEqual("9060", linkLocalUdp.ExtraDetails["Pid"]);
            }