Xymon Mailing List Archive

Monitoring if a remote IP is connected to particular local port

3 messages in this thread

Paul Root · Wed, 8 Jan 2020 21:03:46 +0000

Hi,
I've got an application that has a specific port open, 11001, that has multiple connections, most looped back on itself.

However, we have another server (that is another group's machine, and isn't monitored by Xymon), that connects to this port.

Reading the analysis.cfg man page, it looks like criteria is either local or remote, not both.

Is there a way to monitor this situation?

# netstat -ant |grep 11001
tcp        0      0 0.0.0.0:11001               0.0.0.0:*                   LISTEN
tcp        0      0 192.168.30.15:11001       192.168.30.15:37852       ESTABLISHED
tcp        0      0 192.168.30.15:37852       192.168.30.15:11001       ESTABLISHED
tcp        0      0 192.168.30.15:37864       192.168.30.15:11001       ESTABLISHED
tcp        0      0 192.168.30.15:37856       192.168.30.15:11001       ESTABLISHED
tcp        0      0 192.168.30.15:11001       172.28.104.66:39904           ESTABLISHED
tcp        0      0 192.168.30.15:11001       192.168.30.15:37862       ESTABLISHED
tcp       81      0 192.168.30.15:11001       204.155.140.230:53680       ESTABLISHED
tcp      486      0 192.168.30.15:11001       172.28.104.66:39910           ESTABLISHED
tcp        0      0 192.168.30.15:11001       204.155.140.230:53682       ESTABLISHED
tcp        0      0 192.168.30.15:11001       204.155.140.230:53679       ESTABLISHED
tcp        0      0 192.168.30.15:37862       192.168.30.15:11001       ESTABLISHED
tcp       34      0 192.168.30.15:11001       192.168.30.15:37864       ESTABLISHED
tcp        0      0 192.168.30.15:11001       192.168.30.15:37856       ESTABLISHED


Paul Root
Lead Operations Engineer    - IT Managed Services
XXX Commerce Dr
Woodbury, Mn 55125
XXX-XXX-XXXX  user-76fdb6883669@xymon.invalid

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
Jeremy Laidman · Thu, 9 Jan 2020 22:01:16 +1100

Paul

On Thu, 9 Jan 2020 at 08:04, Root, Paul T via Xymon <xymon at xymon.com> wrote:

> Hi,
> I've got an application that has a specific port open, 11001, that has multiple connections, most looped back on itself.
>
> However, we have another server (that is another group's machine, and isn't monitored by Xymon), that connects to this port.

An interesting use case.
> Reading the analysis.cfg man page, it looks like criteria is either local or remote, not both.

I'm not sure I read it the same way. The format is "PORT criteria
[MIN=mincount] ...etc" and what you're wanting to do is specify "criteria".
The example in the man page for usage of "TEXT=" shows:

        PORT LOCAL=%[.:]22$ STATE=LISTEN "TEXT=SSH listener"

So this is giving two criteria: LOCAL and STATE. This implies that the
format is really "PORT criteria [...criteria] [MIN=mincount] ...etc" and
thus you can chain multiple criteria. In your use case I would expect you
to be able to use something like:

  PORT LOCAL=%[.:]10001 REMOTE=172.28.104.66:* STATE=ESTABLISHED

Not sure if the wildcard is valid for REMOTE port number; perhaps use a
regex here as well:

  PORT LOCAL=%[.:]10001 REMOTE=%172\.28\.104\.66:.* STATE=ESTABLISHED

The analysis.cfg file distributed with the source code specifies this
format:

    PORT [LOCAL=addr] [EXLOCAL=addr] [REMOTE=addr] [EXREMOTE=addr]
         [STATE=state] [EXSTATE=state] [MIN=mincount] [MAX=maxcount]
         [COLOR=color] [TRACK=id] [TEXT=displaytext]

So I can see no problem specifying a local port *and* a remote IP address
as you seem to require.
> Is there a way to monitor this situation?
>
> # netstat -ant |grep 11001
> tcp        0      0 0.0.0.0:11001               0.0.0.0:*                   LISTEN
> tcp        0      0 192.168.30.15:11001       192.168.30.15:37852       ESTABLISHED
> tcp        0      0 192.168.30.15:37852       192.168.30.15:11001       ESTABLISHED
> tcp        0      0 192.168.30.15:37864       192.168.30.15:11001       ESTABLISHED
> tcp        0      0 192.168.30.15:37856       192.168.30.15:11001       ESTABLISHED
> *tcp        0      0 192.168.30.15:11001       172.28.104.66:39904           ESTABLISHED*
> tcp        0      0 192.168.30.15:11001       192.168.30.15:37862       ESTABLISHED
> tcp       81      0 192.168.30.15:11001       204.155.140.230:53680       ESTABLISHED
> *tcp      486      0 192.168.30.15:11001       172.28.104.66:39910           ESTABLISHED*
> tcp        0      0 192.168.30.15:11001       204.155.140.230:53682       ESTABLISHED
> tcp        0      0 192.168.30.15:11001       204.155.140.230:53679       ESTABLISHED
> tcp        0      0 192.168.30.15:37862       192.168.30.15:11001       ESTABLISHED
> tcp       34      0 192.168.30.15:11001       192.168.30.15:37864       ESTABLISHED
> tcp        0      0 192.168.30.15:11001       192.168.30.15:37856       ESTABLISHED

Paul Root · Thu, 9 Jan 2020 14:38:22 +0000

Thanks Jeremy,
Yes, that works. I interpreted PORT as looking at either LOCAL or REMOTE.

        PORT   LOCAL=%[.:]11001 REMOTE=%172\.28\.104\.66:.

[green] local=%[.:]11001 remote=%172\.28\.104\.66:. : (found 2, req. 1 or more)

Paul.
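To make the chaining of criteria concrete, here is an added example that is not code from this thread or from Xymon itself: a small Python evaluator that applies a PORT rule to the netstat rows quoted above and reports the connection count against MIN/MAX, the way the status line "found 2, req. 1 or more" does. The matching semantics in field_matches (a "%" prefix means regex, "*" means anything, otherwise exact match) and the netstat column positions are assumptions about Xymon's behaviour, not taken from its source.

```python
import re

# Constructed sample input: the netstat rows quoted in the thread (proto, recv-q, send-q, local, remote, state).
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:11001               0.0.0.0:*                   LISTEN
tcp        0      0 192.168.30.15:11001       192.168.30.15:37852       ESTABLISHED
tcp        0      0 192.168.30.15:37852       192.168.30.15:11001       ESTABLISHED
tcp        0      0 192.168.30.15:11001       172.28.104.66:39904           ESTABLISHED
tcp       81      0 192.168.30.15:11001       204.155.140.230:53680       ESTABLISHED
tcp      486      0 192.168.30.15:11001       172.28.104.66:39910           ESTABLISHED
tcp        0      0 192.168.30.15:11001       192.168.30.15:37856       ESTABLISHED
"""

# Criterion keyword -> (netstat column index, True when it is an EX* exclusion).
CRITERIA = {"LOCAL": (3, False), "EXLOCAL": (3, True), "REMOTE": (4, False),
            "EXREMOTE": (4, True), "STATE": (5, False), "EXSTATE": (5, True)}

def parse_port_rule(rule):
    """Split 'PORT KEY=value ...' into a dict; a quoted token like "TEXT=SSH listener" stays one value."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', rule)]
    crit = {}
    for tok in tokens[1:]:  # tokens[0] is the PORT keyword
        key, _, value = tok.partition("=")
        crit[key.upper()] = value
    return crit

def field_matches(pattern, value):
    """Assumed semantics: a '%' prefix means a regex searched in the field; '*' matches anything; else exact."""
    if pattern.startswith("%"):
        return re.search(pattern[1:], value) is not None
    return pattern == "*" or pattern == value

def count_connections(crit, netstat_text):
    """Count rows that satisfy every LOCAL/REMOTE/STATE criterion and none of the EX* exclusions."""
    count = 0
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        f += [""] * (6 - len(f))  # UDP rows have no state column
        if all(field_matches(crit[k], f[col]) != excl for k, (col, excl) in CRITERIA.items() if k in crit):
            count += 1
    return count

def evaluate_port_rule(rule, netstat_text):
    """Return (colour, count): green when MIN <= count <= MAX, otherwise the rule's COLOR (default red)."""
    crit = parse_port_rule(rule)
    count = count_connections(crit, netstat_text)
    healthy = int(crit.get("MIN", 1)) <= count <= int(crit.get("MAX", count))
    return ("green" if healthy else crit.get("COLOR", "red").lower(), count)
```

Running Paul's final rule against the sample gives ("green", 2), the two connections from 172.28.104.66; adding EXREMOTE or MIN/MAX shows how the other criteria narrow or threshold the same count.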