OpenPortCollector does not work under all circumstances on Ubuntu
Describe the bug
There are certain cases when the OpenPortCollector will fail parsing the output of ss. The issue arises when there’s only a single space separating the data of two columns. For me it’s the data of the State and the Recv-Q columns. I don’t know whether it can happen with other columns too, the formatting logic of ss is quite unclear. It actually seems to be affected by the terminal width too, at least when there’s a tty attached, so it’s even more uncertain what the ASA app “sees”.
Partial example from an effectively empty Ubuntu 22.04 VM:
# ss -lnp | head
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
nl UNCONN 0 0 0:530 *
nl UNCONN 0 0 0:1559 *
nl UNCONN 0 0 0:0 *
nl UNCONN 0 0 0:1 *
nl UNCONN 0 0 0:1559 *
nl UNCONN 0 0 0:530 *
nl UNCONN 0 0 0:1 *
nl UNCONN 4352 0 4:5054 *
nl UNCONN 768 0 4:0 *
This will break the parsing of the lines, I believe here, where it’s expected that the column data is separated by at least 2 spaces.
To Reproduce
Reproduction is not trivial, as the output formatting of ss depends on a lot of not-so-well-known factors (see above).
Expected behavior
Detection of open ports should work even if ss columns are only separated by a single space.
System Configuration
root@ubuntu:~/ASA# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Jammy Jellyfish (development branch)
Release: 22.04
Codename: jammy
root@ubuntu:~/ASA# uname -a
Linux ubuntu 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~/ASA# ./Asa --version
[13:17:49 INF] AttackSurfaceAnalyzer v.2.3.277+40072595ef
Asa 2.3.277+40072595ef
Top GitHub Comments
Thank you for rechecking. I can merge another fix with the proposed Regex today.
Thank you! I checked the fix, and it does seem to fix the original issue, but I think it accidentally broke process/PID extraction for some cases. Simple example:
Now this doesn’t fully match the current regex (does not produce 10 groups), basically due to the second :. Going with the current approach the smallest diff fix is probably using the following slightly modified regex (not string-escaped):
^([\S]+)\s+([\S]+)\s+([\S]+)\s+([\S]+)\s+([\S]+)[\s:]([\S]+)\s+([\S]+)(?:([\s:]([\S]+))?\s+([\S]+))?\s*$
I tested it (only the regex, not the whole app) on a larger real example, which I attached here (should have done this earlier, sorry): ss.txt
Also seems to be working with my earlier examples.
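The following is an added example, not code from the issue or from the ASA project: it runs the regex quoted in the comment above with Python's re module over constructed ss lines, next to a split on two or more spaces as the issue describes the original parsing. The sample lines, field names and helper functions are assumptions made for illustration; the last case shows that when the local port and the peer address are separated by only one space, the greedy fifth group keeps the address and port together.

```python
import re

# Regex quoted in the comment above, copied verbatim (10 capture groups).
SS_LINE = re.compile(
    r'^([\S]+)\s+([\S]+)\s+([\S]+)\s+([\S]+)\s+([\S]+)[\s:]([\S]+)\s+([\S]+)'
    r'(?:([\s:]([\S]+))?\s+([\S]+))?\s*$'
)
# Hypothetical field names chosen for this example.
FIELDS = ("netid", "state", "recv_q", "send_q", "local_addr", "local_port",
          "peer_addr", "peer_port", "process")


def split_on_two_spaces(line):
    """Column split that assumes at least two spaces between columns."""
    return [c for c in re.split(r"\s{2,}", line.strip()) if c]


def parse_with_regex(line):
    """Return a dict of named fields, or None when the line does not match."""
    m = SS_LINE.match(line)
    if m is None:
        return None
    g = m.groups()
    # Regex group 8 (separator plus peer port) is skipped; groups 9 and 10
    # are the peer port and the process column.
    return dict(zip(FIELDS, g[:7] + (g[8], g[9])))


# Constructed sample lines (not taken from the attached ss.txt). State and
# Recv-Q are separated by a single space, as in the report.
NETLINK = "nl    UNCONN 4352   0         4:5054          *"
TCP = ('tcp   LISTEN 0      128       0.0.0.0:22      0.0.0.0:*    '
       'users:(("sshd",pid=812,fd=3))')
UNIX = ('u_str LISTEN 0      4096      /run/demo.sock 18000      * 0    '
        'users:(("demo",pid=600,fd=5))')
# Same TCP line with every column gap collapsed to one space: group 5 then
# matches "0.0.0.0:22" whole and the later fields shift by one.
TCP_TIGHT = " ".join(TCP.split())

if __name__ == "__main__":
    for sample in (NETLINK, TCP, UNIX, TCP_TIGHT):
        print(split_on_two_spaces(sample))
        print(parse_with_regex(sample))
```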