Skip to content
Last update: 2022-05-10

External-bound network traffic - IPv4

Auditing servers that are not supposed to make connections to the public internet can be achieved by querying Sophos Linux Sensor's Investigations connection events. The results of the query will be a list of destination addresses. These destination addresses can be used to ensure that current external connections are known and identified as safe or malicious.

Required Tables

  • connections

Returned Fields

Field Description
ipint
dst_addr
ipint and dst_addr for the external connection

Query

WITH 
ipranges as (
  SELECT '10.0.0.0' as low, '10.255.255.255' as high
  UNION ALL
  SELECT '172.16.0.0' as low, '172.31.255.255' as high
  UNION ALL
  SELECT '192.168.0.0' as low, '192.168.255.255' as high
  UNION ALL
  SELECT '127.0.0.0' as low, '127.255.255.255' as high
),
ipint as (SELECT dst_addr, (
         cast(split_part(dst_addr, '.', 1) AS bigint) * (256 * 256 * 256) + 
         cast(split_part(dst_addr, '.', 2) AS bigint) * (256 * 256 ) + 
         cast(split_part(dst_addr, '.', 3) AS bigint) * (256 ) + 
         cast(split_part(dst_addr, '.', 4) AS bigint)) AS ipint
    FROM connections WHERE regexp_like(dst_addr, '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$')),
iprangesint as (
  SELECT CONCAT(ipranges.low, ' - ', ipranges.high) as str, 
         (cast(split_part(ipranges.low, '.', 1) AS bigint) * (256 * 256 * 256) + 
          cast(split_part(ipranges.low, '.', 2) AS bigint) * (256 * 256 ) + 
          cast(split_part(ipranges.low, '.', 3) AS bigint) * (256 ) + 
          cast(split_part(ipranges.low, '.', 4) AS bigint)) AS low,
         (cast(split_part(ipranges.high, '.', 1) AS bigint) * (256 * 256 * 256) + 
          cast(split_part(ipranges.high, '.', 2) AS bigint) * (256 * 256 ) + 
          cast(split_part(ipranges.high, '.', 3) AS bigint) * (256 ) + 
          cast(split_part(ipranges.high, '.', 4) AS bigint)) AS high
  FROM ipranges)
SELECT ipint.ipint, ipint.dst_addr
FROM ipint
WHERE NOT EXISTS (SELECT iprangesint.str FROM iprangesint WHERE iprangesint.low <= ipint.ipint AND iprangesint.high >= ipint.ipint)
Back to top