EDR: Are TCP Netconn Events Only for Established Connections?
Article ID: 285939
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Are TCP netconn events only generated for established connections?
Environment
EDR: All Supported Versions
Resolution
The sensor does see half-open (SYN-only) port scans, but only against listening ports, where a connection is actually possible. If a port is closed, the OS either drops the scanner's SYN packet (firewall on) or answers with a RST (firewall off). In neither case is a connection created. The distinction matters because of how the sensor works: it learns about connections through callouts (callbacks for network functions) registered with the OS. If the OS never progresses far enough down the connection-establishment code path, the registered callout functions are never reached, so the driver is never notified.
To see exactly what that traffic was doing, review the firewall or perimeter device logs.
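The following is an added example, not code from the article or from Carbon Black: it applies the distinction above to firewall log lines and shows which inbound SYN probes could ever surface as a sensor netconn event and which are only visible at the firewall. The syslog-style log format, the `FW-ACCEPT:`/`FW-DROP:` verdict prefix and the set of listening ports on the host are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample firewall log lines (hypothetical syslog format, not taken
# from any real device). The prefix records the firewall verdict; the remaining
# fields mimic iptables-style key=value output. The last line is deliberately
# malformed to show that unparseable lines are skipped rather than crashing.
SAMPLE_FW_LOG = """\
Jan 10 12:00:01 fw kernel: FW-ACCEPT: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445 SYN
Jan 10 12:00:01 fw kernel: FW-ACCEPT: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=3389 SYN
Jan 10 12:00:02 fw kernel: FW-ACCEPT: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=8080 SYN
Jan 10 12:00:02 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=23 SYN
Jan 10 12:00:03 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=21 SYN
Jan 10 12:00:03 fw kernel: FW-ACCEPT: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 SYN
garbage line that should be skipped
"""

# Assumed set of ports the monitored host is actually listening on.
LISTENING_PORTS = {445, 3389}

# Outcome labels. Only the last one can ever produce a sensor netconn event,
# because only then does the OS progress far enough to reach the callouts.
DROPPED_BY_FIREWALL = "dropped_by_firewall"  # SYN never reaches the host TCP stack
CLOSED_PORT_RST = "closed_port_rst"          # host answers RST, no connection object
REACHES_LISTENER = "reaches_listener"        # connection possible, callout can fire

LINE_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>(?: [A-Z]+)*)$"
)


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    dpt: int
    action: str
    flags: frozenset


def parse_fw_log(text):
    """Yield one Probe per well-formed TCP log line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        yield Probe(
            src=m.group("src"),
            dst=m.group("dst"),
            dpt=int(m.group("dpt")),
            action=m.group("action"),
            flags=frozenset(m.group("flags").split()),
        )


def classify(probe, listening_ports):
    """Map a probe to the outcome the host OS would produce for it."""
    if probe.action == "DROP":
        return DROPPED_BY_FIREWALL
    if probe.dpt not in listening_ports:
        return CLOSED_PORT_RST
    return REACHES_LISTENER


def summarize(text, listening_ports):
    """Per source IP, count half-open (SYN-only) probes by outcome."""
    per_src = defaultdict(Counter)
    for probe in parse_fw_log(text):
        if probe.flags != frozenset({"SYN"}):
            continue  # only SYN-only probes are half-open scan traffic
        per_src[probe.src][classify(probe, listening_ports)] += 1
    return {src: dict(counts) for src, counts in per_src.items()}


def probes_invisible_to_edr(text, listening_ports):
    """Per source IP, how many probes the firewall saw that no netconn event could reflect."""
    return {
        src: counts.get(DROPPED_BY_FIREWALL, 0) + counts.get(CLOSED_PORT_RST, 0)
        for src, counts in summarize(text, listening_ports).items()
    }


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_FW_LOG, LISTENING_PORTS).items():
        print(src, counts)
    print("invisible to EDR:", probes_invisible_to_edr(SAMPLE_FW_LOG, LISTENING_PORTS))
```

On the constructed input, the scanner at 203.0.113.7 touches five ports but only the two probes against listening ports could appear in sensor data; the firewall log is the only record of the other three. That is the practical reason the article points to firewall or perimeter logs rather than netconn searches when reconstructing scan activity.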
Additional Information
There is also no way to search an IP address by the direction (outbound or inbound) of the communication.