ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

DCS/SCSP False positive event matches possible on Linux when specific local port or IP provided in outbound network rules. Linux Agent Denying All Outbound Connections

book

Article ID: 161626

calendar_today

Updated On:

Products

Critical System Protection Data Center Security Server Critical System Protection Client Edition Data Center Security Server Advanced

Issue/Introduction

   Linux Agent have been seen Denying All Outbound Connections, even if the local port is set to a specific value. In SCSP / DCS on a Linux system the local IP/Port are zero on outbound connections and the rule matching in common code appears to treat that as a wildcard to match against any value.  The rule matching behavior should be to use zeros as a wildcard only for rules, not for passed in values to prevent the deny-all behavior as seen on Linux since most of the time the local port/IP are unknown at the time we see the event. We will be changing the rule matching behavior in the future to not match on zero when passed in as input (IP/Port values) in SDCS:SA 6.5.


 

PNET,519,2015-01-08 20:21:03.765 Z-0500,W,,BR,cb70c9791ce8eba98d1c691d8bbcd451,e,:i.SO,,WIN-0MISKKIBA1V\Administrator,0,C:\WINDOWS\SYSTEM32 TELNET.EXE,2156,D,6,Connect,def_winsvcs_ps,,53857,10.160.118.64,,10.160.118.33,5678,,C:\WINDOWS\SYSTEM32\TELNET.EXE,2272,,,,,,,000b9037,000b9037,,,,,,,,,
 

Cause

Network rules will match against the local port/IP address when a specific local port or IP address is specified in an outbound network rule.  The issue is that on Linux, the local IP or port may not be known at the time a process initiates a network connection.  The value of zero acts as a wildcard in the rule matching algorithm in the driver and will match if a network rule has a specific Local port or IP is specified in the process' PSET outbound network rules.  This can result in false positive event matches when a specific local port or IP provided in outbound network rule.

 

Resolution


 Symantec support recommends upgrading to SDCS:SA 6.5 when it comes out and be aware that in pre 6.5 policy packs that on Linux, the local IP or port may not be known at the time a process initiates a network connection. The value of zero acts as a wildcard in the rule matching algorithm in the driver and will match if a network rule has a specific Local port or IP is specified in the process' PSET outbound network rules that can act as a false positve condition.