EDR: Are TCP Netconn Events Only for Established Connections?
search cancel

EDR: Are TCP Netconn Events Only for Established Connections?


Article ID: 285939


Updated On:


Carbon Black EDR (formerly Cb Response)


Is TCP netconn events only for established connections?


  • EDR: All Supported Versions


  • The sensor does see half-open (SYN-flag only) port scans, but only on listening ports where a connection is possible. If a port is closed, then the OS will either drop the scanner's SYN packet (firewall on), or else send a RST (firewall off). In either of these cases, an actual connection is not created. This is an important distinction, due to how the sensor works: The sensor learns about connections via callouts (a callback, but for network functions) from the OS. If the OS does not progress far enough along the code path of establishing a connection, the registered callout functions are never reached, so the driver isn't notified..
  • One really needs to review firewall or perimeter device logs to see exactly what that traffic was doing. 

Additional Information

There is also no way to search IP by outbound or inbound communication