Note: The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.
Represents a set of listening ports.
Tag Attributes
These are XML attributes of the tag itself, as opposed to the attributes of the Entity
monitored by Integrity Monitoring Rules.
Attribute | Description | Required | Default Value | Allowed Values
--- | --- | --- | --- | ---
onChange | Will be monitored in real time | No | false | true, false
Entity Set Attributes
These are the attributes of the Entity that can be monitored by Integrity Monitoring
Rules.
- Created: (Windows only - XP SP2+ and Server 2003 SP1+ required.) Returned by the GetExtendedTcpTable() or GetExtendedUdpTable() functions of the Windows API. Indicates when the bind operation that created this TCP or UDP endpoint occurred.
- Listeners: The number of active listeners on this protocol, IP address, and port number combination. This reflects the number of sockets bound-to and listening-on the given port, and may be greater than the number of processes listening on the port if processes bind multiple sockets to the port. This attribute has no value if only one socket is bound to the given port.
- Path: (Windows only - XP SP2+ and Server 2003 SP1+ required.) Gives the full path, if available, of the module that owns the port. On Windows this comes from the GetOwnerModuleFromXxxEntry() functions of the Windows API. According to Microsoft documentation, the resolution of connection table entries to owner modules is a best practice.
- Process: (Windows only - XP SP2+ and Server 2003 SP1+ required.) Gives the short name, if available, of the module that owns the port. On Windows this comes from the GetOwnerModuleFromXxxEntry() functions of the Windows API. According to Microsoft documentation, the resolution of connection table entries to owner modules is a best practice. In a few cases, the owner module name returned can be a process name (such as "svchost.exe"), a service name (such as "RPC"), or a component name (such as "timer.dll").
- ProcessId: (Windows only - XP SP2+ and Server 2003 SP1+ required.) Gives the PID of the process that issued the bind for this port.
- User: (Linux only.) Gives the user that owns the port.
Meaning of "Key"
The key is in the following format:
<PROTOCOL>/<IP ADDRESS>/<PORT>
For example:
tcp/172.14.207.94/80
udp/172.14.207.94/68
IPv6
If the IP address is IPv6, the key is in the same format, but the protocol is tcp6
or udp6 and the IP address is the IPv6 text form as returned by getnameinfo():
tcp6/3ffe:1900:4545:3:200:f8ff:fe21:67cf/80
udp6/3ffe:1900:4545:3:200:f8ff:fe21:67cf/68
Matching of the Key
This is not a hierarchical key, so ** is not applicable. Unix-style glob matching
is possible using * and ?. Because the key is not hierarchical, * also matches across
the / separators, so a pattern does not have to spell out every field. The following
pattern matches port 80 on the IP addresses 72.14.207.90 through 72.14.207.99:
*/72.14.207.9?/80
The following pattern matches port 80 on the IP addresses 72.14.207.2, 72.14.207.20
through 72.14.207.29, and 72.14.207.200 through 72.14.207.255:
*/72.14.207.2*/80
The following pattern matches port 80 on any protocol and any IP address (the single
* covers both the protocol and the address field):
*/80
The following example would monitor for any change in the listening ports but ignore
port 80 for TCP over both IPv4 and IPv6 (tcp* matches both tcp and tcp6):
<PortSet>
  <include key="*"/>
  <exclude key="tcp*/*/80"/>
</PortSet>
Sub Elements
- Include
- Exclude
See Integrity monitoring rules language for a general description of Include and Exclude and their allowed attributes and
sub elements. Only information specific to includes and excludes relating to this
EntitySet class is included here.
Special attributes of Include and Exclude for PortSets
Other attributes of the port can also be used in include and exclude feature tests.
These tests compare a pattern against the value of an attribute of the port. Take note
of the platform support listed above: not all attributes are available on every
platform, or even on every revision of a platform, so rules built on these tests are
of limited use across a mixed estate. The feature tests support Unix glob-style wildcarding
with * and ?, and there is no normalization of path separators or other characters;
it is a simple match against the value of the attribute.
Path: Checks for a wildcard match against the path attribute of the port. The following
example would monitor ports owned by processes running the main IIS binary:
<PortSet>
  <include path="*\system32\inetsrv\inetinfo.exe"/>
</PortSet>
Process: Checks for a wildcard match against the process attribute of the port. The following
example would monitor ports owned by a svchost.exe process or by any binary whose name
starts with outlook.:
<PortSet>
  <include process="svchost.exe"/>
  <include process="outlook.*"/>
</PortSet>
User: Checks for a wildcard match against the user attribute of the port. The following
example would monitor ports on a Unix system that are owned by the super-user (root):
<PortSet>
  <include user="root"/>
</PortSet>
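The key-matching rules above and the path, process and user feature tests are easy to misread when a pattern is written from memory, so the following added example (not Deep Security code, and not the agent's matching engine) models a PortSet on a constructed inventory of listening ports: it builds keys in the PROTOCOL/IP/PORT format, translates the * and ? globs exactly as described (no ** handling, * free to cross the / separator, no normalization), parses the <PortSet> fragments from this page with the standard library XML parser, and reports which sample ports each rule would select. The inventory, the process paths and the rule that a port is monitored when some include matches and no exclude matches are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not Deep Security code. It models how a <PortSet> selects
# listening ports using the key format and the glob rules described on this
# page; the Include/Exclude evaluation order is an assumption, noted below.


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a PortSet glob into a regex.

    Only '*' and '?' are wildcards. The key is not hierarchical, so '*' also
    matches the '/' separator and '**' is just two '*'. Everything else is
    matched literally: no normalization of path separators or case.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def glob_match(pattern: str, value: str) -> bool:
    return glob_to_regex(pattern).fullmatch(value) is not None


@dataclass
class ListeningPort:
    protocol: str                  # tcp, udp, tcp6 or udp6
    address: str                   # IPv4 dotted quad or IPv6 text form
    port: int
    path: Optional[str] = None     # Windows only
    process: Optional[str] = None  # Windows only
    user: Optional[str] = None     # Linux only

    @property
    def key(self) -> str:
        return f"{self.protocol}/{self.address}/{self.port}"


@dataclass
class PortRule:
    kind: str               # "include" or "exclude"
    tests: Dict[str, str]   # attribute name -> glob, e.g. {"key": "tcp*/*/80"}

    def matches(self, port: ListeningPort) -> bool:
        # Assumption: every test on one element must match. An attribute the
        # platform does not report (None) never matches, which is why path,
        # process and user tests do not carry across operating systems.
        for attr, pattern in self.tests.items():
            value = port.key if attr == "key" else getattr(port, attr)
            if value is None or not glob_match(pattern, value):
                return False
        return bool(self.tests)


def parse_portset(xml_text: str) -> List[PortRule]:
    """Parse a <PortSet> fragment into rules, rejecting unknown elements."""
    root = ET.fromstring(xml_text)
    if root.tag != "PortSet":
        raise ValueError(f"expected <PortSet>, got <{root.tag}>")
    rules = []
    for child in root:
        if child.tag not in ("include", "exclude"):
            raise ValueError(f"unexpected element <{child.tag}>")
        tests = {k: v for k, v in child.attrib.items()
                 if k in ("key", "path", "process", "user")}
        rules.append(PortRule(child.tag, tests))
    return rules


def monitored_keys(rules: List[PortRule], ports: List[ListeningPort]) -> List[str]:
    # Assumption: a port is monitored when some <include> matches it and no
    # <exclude> matches it.
    out = []
    for p in ports:
        included = any(r.kind == "include" and r.matches(p) for r in rules)
        excluded = any(r.kind == "exclude" and r.matches(p) for r in rules)
        if included and not excluded:
            out.append(p.key)
    return out


def matching_keys(pattern: str, ports: List[ListeningPort]) -> List[str]:
    """Keys from `ports` that a bare key glob would select."""
    return [p.key for p in ports if glob_match(pattern, p.key)]


# Constructed inventory (not captured from a real host). Windows entries carry
# path/process, Linux entries carry user, mirroring the platform support above.
INETINFO = r"C:\Windows\system32\inetsrv\inetinfo.exe"
SAMPLE_PORTS = [
    ListeningPort("tcp", "172.14.207.94", 80, path=INETINFO, process="inetinfo.exe"),
    ListeningPort("tcp6", "3ffe:1900:4545:3:200:f8ff:fe21:67cf", 80,
                  path=INETINFO, process="inetinfo.exe"),
    ListeningPort("udp", "172.14.207.94", 68,
                  path=r"C:\Windows\system32\svchost.exe", process="svchost.exe"),
    ListeningPort("tcp", "72.14.207.95", 80, user="root"),
    ListeningPort("tcp", "72.14.207.200", 80, user="www-data"),
    ListeningPort("tcp", "72.14.207.3", 22, user="root"),
]

IGNORE_TCP_80 = """<PortSet>
    <include key="*"/>
    <exclude key="tcp*/*/80"/>
</PortSet>"""

if __name__ == "__main__":
    for pat in ("*/72.14.207.9?/80", "*/72.14.207.2*/80", "*/80"):
        print(pat, "->", matching_keys(pat, SAMPLE_PORTS))
    print(monitored_keys(parse_portset(IGNORE_TCP_80), SAMPLE_PORTS))
```

Two points the run makes visible: tcp*/*/80 drops the IPv6 listener as well as the IPv4 one, because the * after tcp absorbs the 6; and */72.14.207.9?/80 does not touch 172.14.207.94, because the literal / in front of 72 has to line up with a real separator in the key. Swap SAMPLE_PORTS for keys taken from a real host to check a rule before deploying it.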