Retrieve a Listing of All Active Connections Running on a Local Machine

[brichard1638]

I have recently been pursuing the possibility of developing R functions in support of facilitating cybersecurity-based tasks. As it turns out, there is a dearth of functions in R that address this need. To that end, I thought I would present a few ideas for your review and consideration to be included in the next version of quickcode.

There is an interesting R package called netstat which is a cybersecurity utility designed to extract a set of active network statistics on a local machine including available TCP ports.

ABSTRACT Upon examination of this R package, it was concluded that the principal functions provided in this package, namely the netstat and the parse_netstat functions, could be both extended and combined to produce a much more compelling and optimal cybersecurity function for use in R.

FUNCTION IDEA & BACKGROUND EXPLANATION Extend and combine the functional capabilities of the netstat and parse_netstat functions provided in the netstat package to create a much more compelling output in support of conducting much more effective cybersecurity-based tasks.

• Extend - The proposed function would extend the netstat function by adding the PID field which is missing from the function. This is a critical field to have when conducting a cybersecurity analysis. When combining this field with other data information, an immediate determination can be made as to whether a machine has been breached by malicious services or processes.
• Combine - The proposed function would effectively combine the functionality provided by the netstat and parse_netstat functions. The netstat function extracts netstat statistics from the command line utility and the parse_netstat function repurposes the output provided by the netstat function, converting the results into a proper data frame object.

RECOMMENDED FUNCTION NAME Get_active_conn

TOTAL NUMBER OF FUNCTIONAL ARGUMENTS 0

FUNCTION STRUCTURE Get_active_conn <- function() { # Retrieve netstat output netstat_output <- system("netstat -a -n -o", intern = TRUE)

# Formalize vector structure netstat_output <- netstat_output[4:length(netstat_output)]

# Rename line columns netstat_output[1] <- " Proto Local_Address Foreign_Address State PID"

# Split the lines into columns data <- strsplit(netstat_output, "\\s+")

# Create a matrix m <- stringi::stri_list2matrix(x = data, byrow = TRUE, fill = 0)

# Convert to data frame df <- data.frame(m)

# Remove empty column df$X1 <- NULL

# Set column names colnames(df) <- c("Proto", "Local_Address", "Foreign_Address", "State", "PID")

# Reset dataframe df <- df[-c(1),]

return(df) }

TEST STATUS The function, as defined under the FUNCTION STRUCTURE section of this issue has been tested, yielding accurate results. However, more testing should be conducted to verify both its accuracy and functional utility.

FUNCTION EXAMPLE x = Get_active_conn()

EXTENDED FUNCTIONAL EXAMPLES

• Example 1: Combining the extract_IP function presented in an earlier issue will generate a nice character vector, with each element containing a specifically extracted IP address from the Foreign_Address variable in data frame x. extract_IP(x$Foreign_Address)
• Example 2: To retrieve a unique listing of the IP addresses captured in the Foreign_Address variable: unique(extract_IP(x$Foreign_Address))

[oobianom]

This is great! So, I think it will be reasonable to structure the documentation so that it will have a dedicated section for the cyber security related functions.

I have added the current one to the section i am building, but not the name is get_active_conn()

the documentation will look something like this, with all the functions