False-positive event matches are possible on Linux systems when a specific local port or IP address is specified in an outbound network rule.
When an outbound network rule specifies a local port or IP address, the rule is matched against the connection's local port and IP address. On Linux, however, the local IP or port may not be known at the time a process initiates a network connection, in which case its value is zero. The driver's rule-matching algorithm treats zero as a wildcard, so the connection will match any outbound network rule in the process's PSET that specifies a local port or IP address.
This is a known issue and will be resolved in a future release.
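A simplified model of the matching behaviour described above, added here as an illustration; it is not the product's driver code, and the class, field and function names are hypothetical. It shows how an unknown (zero) local port satisfies a rule that specifies a local port, and labels such matches so they can be reviewed as possible false positives.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the matching described above, NOT the product's driver code.
# All class, field and function names are hypothetical; the events are constructed.
ZERO_IP = "0.0.0.0"

@dataclass(frozen=True)
class OutboundRule:
    remote_port: Optional[int] = None  # None: rule does not constrain the field
    local_ip: Optional[str] = None
    local_port: Optional[int] = None

@dataclass(frozen=True)
class ConnectEvent:
    remote_port: int
    local_ip: str = ZERO_IP  # zero: not yet known when the connection is initiated
    local_port: int = 0

def rule_matches(rule, ev):
    """Zero in a local field of the event acts as a wildcard."""
    remote_ok = rule.remote_port in (None, ev.remote_port)
    ip_ok = rule.local_ip is None or ev.local_ip in (ZERO_IP, rule.local_ip)
    port_ok = rule.local_port is None or ev.local_port in (0, rule.local_port)
    return remote_ok and ip_ok and port_ok

def matched_on_unknown_local(rule, ev):
    """True when a match relied on a zero local value for a field the rule pins."""
    if not rule_matches(rule, ev):
        return False
    return ((rule.local_ip is not None and ev.local_ip == ZERO_IP)
            or (rule.local_port is not None and ev.local_port == 0))

def triage(rule, events):
    """Label each event: no-match, match, or possible-false-positive."""
    labels = []
    for ev in events:
        if matched_on_unknown_local(rule, ev):
            labels.append("possible-false-positive")
        elif rule_matches(rule, ev):
            labels.append("match")
        else:
            labels.append("no-match")
    return labels

RULE = OutboundRule(remote_port=443, local_port=5000)
EVENTS = [
    ConnectEvent(remote_port=443),  # local side still unknown (zero)
    ConnectEvent(remote_port=443, local_ip="10.0.0.5", local_port=5000),
    ConnectEvent(remote_port=443, local_ip="10.0.0.5", local_port=40000),
]
```

Calling `triage(RULE, EVENTS)` labels the first constructed event as a possible false positive, because it matched only through the zero local port.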
Applies To
All Linux operating systems supported by SCSP and DCS