
EDR: Are TCP Netconn Events Only for Established Connections?

Environment

  • EDR: All Supported Versions

Question

Are TCP netconn events only for established connections?

Answer

  • The sensor does see half-open (SYN-only) port scans, but only on listening ports where a connection is possible. If a port is closed, the OS will either drop the scanner's SYN packet (firewall on) or answer with a RST (firewall off). In either case no connection is created. This distinction matters because of how the sensor works: it learns about connections via callouts (callbacks for network functions) from the OS. If the OS does not progress far enough along the connection-establishment code path, the registered callout functions are never reached, so the driver is never notified.
  • To see exactly what that traffic was doing, review the firewall or perimeter device logs.
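The practical consequence of the answer above is a visibility gap: probes that the firewall drops, or that reach a closed port and get a RST, never produce a netconn event. The following script is an added example (not Carbon Black code) that correlates constructed firewall log lines with the netconn events the sensor did report and lists the probed ports EDR could not have seen; the log format, field names and event tuples are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an assumed simplified syslog-like format
# (not any vendor's real format). Each line is one inbound SYN seen at the perimeter.
FIREWALL_LOG = """\
2018-12-07T10:00:01Z fw SYN src=10.0.0.5 dst=192.168.1.10 dport=22 action=allow
2018-12-07T10:00:01Z fw SYN src=10.0.0.5 dst=192.168.1.10 dport=23 action=drop
2018-12-07T10:00:02Z fw SYN src=10.0.0.5 dst=192.168.1.10 dport=445 action=allow
2018-12-07T10:00:02Z fw SYN src=10.0.0.5 dst=192.168.1.10 dport=3389 action=drop
2018-12-07T10:00:03Z fw SYN src=10.0.0.5 dst=192.168.1.10 dport=8080 action=allow
"""

# Constructed netconn events the sensor reported, as (remote_ip, local_port).
# Port 8080 was allowed through the firewall but nothing listens there, so the OS
# replied with a RST; no connection was created and no callout fired.
NETCONN_EVENTS = [("10.0.0.5", 22), ("10.0.0.5", 445)]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def parse_firewall(log):
    """Return (src, dst, dport, action) tuples for every parseable log line."""
    probes = []
    for line in log.splitlines():
        match = LINE_RE.search(line)
        if match:
            src, dst, dport, action = match.groups()
            probes.append((src, dst, int(dport), action))
    return probes


def edr_blind_spots(log, netconn_events):
    """Map (src, dst) to the probed ports that could not appear as netconn events,
    with the reason: dropped at the firewall, or allowed but no listener (RST)."""
    seen = set(netconn_events)
    report = defaultdict(list)
    for src, dst, dport, action in parse_firewall(log):
        if action != "allow":
            reason = "dropped by firewall"
        elif (src, dport) not in seen:
            reason = "allowed but no listener (RST)"
        else:
            continue  # connection completed: the sensor's callout saw it
        report[(src, dst)].append((dport, reason))
    return dict(report)


if __name__ == "__main__":
    for (src, dst), ports in edr_blind_spots(FIREWALL_LOG, NETCONN_EVENTS).items():
        print(f"{src} -> {dst}: {len(ports)} probes invisible to EDR: {ports}")
```

Running it shows that three of the five probes from 10.0.0.5 exist only in the firewall log, which is why scan activity has to be reconstructed from perimeter logs rather than from netconn events alone.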

Additional Notes

There is also no way to search an IP by outbound or inbound direction of communication.

Article Information
Creation Date: 12-07-2018