DCS/SCSP False positive event matches possible on Linux when specific local port or IP provided in outbound network rules. Linux Agent Denying All Outbound Connections



Article ID: 161626


Updated On:

Products

Critical System Protection
Data Center Security Server
Critical System Protection Client Edition
Data Center Security Server Advanced

Issue/Introduction

   Linux Agents have been seen denying all outbound connections, even when the outbound rule's local port is set to a specific value. In SCSP / DCS on a Linux system, the local IP and port are reported as zero on outbound connections, and the rule matching in the common code treats a zero as a wildcard that matches any value. Zero should act as a wildcard only in rule definitions, not in the values passed in from the event, because on Linux the local port/IP are usually not yet known at the time the event is seen; treating the event's zeros as wildcards is what produces the deny-all behavior. The rule matching behavior will be changed in SDCS:SA 6.5 so that zero IP/Port values passed in as input no longer match a rule that specifies a particular value.


 

PNET,519,2015-01-08 20:21:03.765 Z-0500,W,,BR,cb70c9791ce8eba98d1c691d8bbcd451,e,:i.SO,,WIN-0MISKKIBA1V\Administrator,0,C:\WINDOWS\SYSTEM32 TELNET.EXE,2156,D,6,Connect,def_winsvcs_ps,,53857,10.160.118.64,,10.160.118.33,5678,,C:\WINDOWS\SYSTEM32\TELNET.EXE,2272,,,,,,,000b9037,000b9037,,,,,,,,,
 

Cause

Network rules compare a connection's local port and IP address against the rule whenever an outbound network rule specifies a particular local port or IP address. On Linux, however, the local IP or port is often not yet known at the time a process initiates a network connection, so the agent reports them as zero. Zero acts as a wildcard in the driver's rule matching algorithm, so an event carrying a zero local port or IP will match any rule in the process's PSET outbound network rules that names a specific local port or IP. The result is false positive event matches, and with a deny rule, denied connections, whenever a specific local port or IP is provided in an outbound network rule.
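The following Python model illustrates the matching problem described in the Issue and Cause sections above: the same policy and the same events are run through a matcher that treats zero as a wildcard on both the rule side and the event side (the pre-6.5 behavior described here) and through one that treats zero as a wildcard only in the rule. This is an added example, not SCSP/DCS driver or policy code; the rule and event shapes, function names, rule names, addresses and ports are all constructed for the illustration.

```python
"""Model of the outbound-rule matching bug described above.

Added illustration only: this is not SCSP/DCS driver code. The rule/event
shapes, function names, rule names and sample events are all constructed
for the example; the product's real structures are not shown on this page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_IP = "0.0.0.0"   # zero address: wildcard when it appears in a rule
ANY_PORT = 0         # zero port: wildcard when it appears in a rule


@dataclass(frozen=True)
class OutboundRule:
    """One PSET outbound network rule (hypothetical shape)."""
    name: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    action: str  # "deny" or "allow"


@dataclass(frozen=True)
class ConnectEvent:
    """What the agent sees when a process initiates a connection.

    On Linux the local IP/port are often not assigned yet at this point, so
    the agent passes 0.0.0.0 / 0 meaning 'unknown', which the pre-6.5
    matcher then misreads as 'any'."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def field_matches(rule_value, event_value, zero, input_zero_is_wildcard: bool) -> bool:
    """Compare one rule field with one event field.

    Pre-6.5 behaviour (input_zero_is_wildcard=True): a zero on EITHER side
    matches anything, so an unknown event value matches a specific rule value.
    Corrected behaviour (False): only a zero in the rule is a wildcard; an
    unknown event value matches nothing but a wildcard rule field."""
    if rule_value == zero:
        return True
    if input_zero_is_wildcard and event_value == zero:
        return True
    return rule_value == event_value


def rule_matches(rule: OutboundRule, event: ConnectEvent, legacy: bool) -> bool:
    return (field_matches(rule.local_ip, event.local_ip, ANY_IP, legacy)
            and field_matches(rule.local_port, event.local_port, ANY_PORT, legacy)
            and field_matches(rule.remote_ip, event.remote_ip, ANY_IP, legacy)
            and field_matches(rule.remote_port, event.remote_port, ANY_PORT, legacy))


def evaluate(rules: List[OutboundRule], event: ConnectEvent, legacy: bool) -> Tuple[str, Optional[str]]:
    """First matching rule wins. Returns (action, rule name), or ("no_match", None)
    when nothing matches (the policy's default disposition is not modelled here)."""
    for rule in rules:
        if rule_matches(rule, event, legacy):
            return rule.action, rule.name
    return "no_match", None


# Constructed policy: one rule names a specific LOCAL port, one only a REMOTE port.
RULES = [
    OutboundRule("deny-from-local-5000", ANY_IP, 5000, ANY_IP, ANY_PORT, "deny"),
    OutboundRule("deny-telnet-out", ANY_IP, ANY_PORT, ANY_IP, 23, "deny"),
]

# Constructed events; addresses and ports are made up for the example.
LINUX_HTTPS = ConnectEvent(ANY_IP, 0, "10.0.0.5", 443)               # local side unknown, as on Linux
LINUX_TELNET = ConnectEvent(ANY_IP, 0, "10.0.0.5", 23)               # local side unknown, remote port 23
KNOWN_LOCAL_HTTPS = ConnectEvent("10.0.0.9", 51234, "10.0.0.5", 443)  # local side known
KNOWN_LOCAL_5000 = ConnectEvent("10.0.0.9", 5000, "10.0.0.5", 443)    # genuinely uses local port 5000


def demo() -> dict:
    """Run every sample event through both matcher variants."""
    out = {}
    for label, ev in [("linux_https", LINUX_HTTPS), ("linux_telnet", LINUX_TELNET),
                      ("known_https", KNOWN_LOCAL_HTTPS), ("known_5000", KNOWN_LOCAL_5000)]:
        out[label] = {"legacy": evaluate(RULES, ev, legacy=True),
                      "fixed": evaluate(RULES, ev, legacy=False)}
    return out


if __name__ == "__main__":
    for label, results in demo().items():
        print(f"{label:12s} legacy={results['legacy']}  fixed={results['fixed']}")
```

With the legacy matcher, both Linux events (local side unknown) hit the local-port-5000 deny rule even though neither uses that port, which is the deny-all symptom; the telnet event is denied for the wrong reason and never reaches the rule meant for it. With the corrected matcher, the HTTPS event matches nothing, the telnet event is denied by the remote-port rule, and an event that genuinely uses local port 5000 is still denied, so wildcards in the rule itself keep working.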

 

Resolution


 Symantec support recommends upgrading to SDCS:SA 6.5 when it is released. Until then, be aware that with pre-6.5 policy packs on Linux, the local IP or port may not be known at the time a process initiates a network connection. Because zero acts as a wildcard in the driver's rule matching algorithm, such a connection will match any rule in the process's PSET outbound network rules that specifies a particular local port or IP, which produces a false positive. Rules that leave the local IP and port unspecified (zero) are not affected, since zero is intended as a wildcard in the rule itself.