Netstat protocol and visibility into connection activity

In Symantec Endpoint Security, Netstat protocol connection activity events are generated only for the supported protocols listed below.
Supported Netstat Protocols

| Protocol | ID | Supported | Description |
|---|---|---|---|
| APPLICATION_MSPOWERPOINT | 311 | Yes | Content identification : Microsoft PowerPoint |
| APPLICATION_MSPUBLISHER | 312 | Yes | application/x-mspublisher : Microsoft Publisher |
| APPLICATION_MSVISIO | 313 | Yes | application/vnd.visio, application/x-visio : Microsoft Visio |
| APPLICATION_POSTSCRIPT | 276 | Yes | Content identification : PostScript |
| APPLICATION_RTF | 275 | Yes | Rich Text Format |
| BT_HTTP_TRACKER | 465 | Yes | BitTorrent HTTP tracker protocol |
| DNS | 258 | Yes | The Domain Name System (DNS) protocol, which translates domain names to numerical IP addresses |
| FILE_7Z | 429 | Yes | Content identification : 7Z archive |
| FILE_JS | 714 | Yes | HTTP payloads with content type JavaScript |
| FILE_PLS | 341 | Yes | Content identification : (Apple iTunes) playlist |
| FILE_RAR | 354 | Yes | Content identification : RAR file, an archive that contains one or more files compressed with RAR compression |
| FILE_SHELL_SCRIPT | 712 | Yes | Content identification : shell script |
| FILE_TAR | 342 | Yes | Content identification : tar archive created by tar, a Unix-based utility used to package files together |
| FILE_TORRENT | 356 | Yes | Content identification : a TORRENT file is used by BitTorrent, a peer-to-peer (P2P) file sharing program |
| FILE_VBS | 721 | Yes | Content identification : Visual Basic script written in the VBScript scripting language |
| FILE_XZ | 432 | Yes | Content identification : XZ file format, an archive compressed using XZ compression |
| FILE_ZIP | 353 | Yes | Content identification : ZIP file format |
| FILE_GZIP | 430 | Yes | Content identification : GZIP |
| FILE_BZIP2 | 431 | Yes | Content identification : BZIP2 |
| FILE_PY | 719 | Yes | Content identification : program file or script written in Python |
| FINGER | 260 | Yes | Finger protocol, used to gather user information |
| FTP | 261 | Yes | File Transfer Protocol |
| FTP_DATA | 262 | Yes | FTP data connection |
| GHOST_RAT_DATA | 385 | Yes | Remote access Trojan data |
| GHOST_RAT_HEADER | 384 | Yes | Remote access Trojan header |
| HSRP | 278 | Yes | Hot Standby Router Protocol, a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway |
| HTML | 266 | Yes | Content identification : Hypertext Markup Language |
| HTML_CSS_BLOCK | 335 | Yes | HTML CSS block detected |
| HTML_SCRIPT_BLOCK | 331 | Yes | HTML script block detected |
| HTTP | 256 | Yes | Hypertext Transfer Protocol (HTTP), the underlying protocol of the World Wide Web; it defines how messages are formatted and transmitted and what actions Web servers and Web browsers take in response |
| HTTP2 | 279 | Yes | HTTP/2, a major revision of HTTP based on the SPDY protocol developed by Google |
| ICMP | 1 | Yes | Internet Control Message Protocol : used to provide error and operational information |
| ICMP_DATA | 391 | Yes | Data part of ICMP |
| ICMPV6 | 58 | Yes | Internet Control Message Protocol for IPv6 : used to provide error and operational information |
| ICMPV6_DATA | 711 | Yes | Data part of ICMPv6 |
| IGMP | 2 | Yes | Internet Group Management Protocol (IGMP), a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships |
| IMAGE_ANI | 324 | Yes | Content identification : image - ANI |
| IMAGE_BMP | 274 | Yes | Content identification : image - BMP |
| IMAGE_GIF | 268 | Yes | Content identification : image - GIF |
| IMAGE_ICO | 272 | Yes | Content identification : image - ICO |
| IMAGE_JPEG | 257 | Yes | Content identification : image - JPEG |
| IMAGE_PNG | 270 | Yes | Content identification : image - PNG |
| IMAGE_TIFF | 269 | Yes | Content identification : image - TIFF |
| IMAGE_WMF | 316 | Yes | Content identification : image - WMF |
| IMAP | 281 | Yes | Internet Message Access Protocol (IMAP), an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection (TCP port 143) |
| IRC | 283 | Yes | Internet Relay Chat (IRC), an application layer protocol that facilitates communication in the form of text (RFC 1459) |
| ISAKMP | 307 | Yes | Internet Security Association and Key Management Protocol, defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment |
| KERBEROS | 284 | Yes | Kerberos, a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography |
| LDAP | 285 | Yes | Lightweight Directory Access Protocol, a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services; it runs over TCP/IP or other connection-oriented transfer services |
| MDNS | 350 | Yes | Multicast DNS (mDNS) protocol, which resolves host names to IP addresses within small networks that do not include a local name server |
| MSMQ | 386 | Yes | Microsoft Message Queuing (MSMQ), a message queue implementation, essentially a messaging protocol that allows applications running on separate servers/processes to communicate in a failsafe manner (based on TCP port 1801) |
| MSRPC | 378 | Yes | Microsoft Remote Procedure Call, a protocol that uses the client-server model to allow one program to request a service (a function or subroutine call) from a program on another computer without having to understand the details of that computer's network |
| MSSQL | 286 | Yes | MS SQL communication to TCP port 1433 (login or query packets) |
| MSSQL_RESOLVER | 287 | Yes | MS SQL resolver : UDP port 1434 |
| MYSQL | 404 | Yes | Connection to a MySQL server (TCP port 3306) |
| NATS | 713 | Yes | NATS, an open-source, cloud-native messaging system written in Go; detected in both client-bound and server-bound directions |
| NBTSS | 288 | Yes | NetBIOS (Network Basic Input/Output System) over TCP/IP session service, hosted on TCP port 139 (connection-oriented) |
| NETBIOS_DCE_PM | 289 | Yes | NetBIOS RPC endpoint mapper (TCP/UDP port 135) |
| NETBIOS_DGM | 291 | Yes | NetBIOS datagram service (TCP/UDP port 138) |
| NETBIOS_NS | 290 | Yes | NetBIOS name service (TCP/UDP port 137) |
| NTP | 294 | Yes | Network Time Protocol (NTP), a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks |
| OSCAR | 369 | Yes | Open System for Communication in Realtime (OSCAR), AOL's proprietary instant messaging and presence information protocol, used by AIM and ICQ |
| P2P_BITTORRENT | 452 | Yes | BitTorrent, a communication protocol for peer-to-peer file sharing used to distribute data and electronic files over the Internet |
| PAX_EXTENDED_HEADER_DATA | 716 | Yes | Extended header data of a pax archive (pax is the POSIX archiving utility) |
| PPTP | 401 | Yes | Point-to-Point Tunneling Protocol (PPTP), used for implementing virtual private networks |
| RLOGIN | 298 | Yes | Rlogin (remote login), a UNIX command that allows an authorized user to log in to other UNIX machines (hosts) on a network and interact as if physically at the host computer (TCP port 513) |
| RSH | 299 | Yes | Remote shell (rsh), a command line program that executes shell commands as another user on another computer across a network (TCP port 514) |
| SMB | 300 | Yes | Server Message Block |
| SMB_PIPEDATA_UNKNOWN | 390 | Yes | SMB pipe data |
| SMB_TREE | 415 | Yes | SMB tree |
| SMB2 | 381 | Yes | Server Message Block 2 |
| SMB3_ENCRYPTED | 440 | Yes | Server Message Block 3, encrypted |
| SMTP | 301 | Yes | Simple Mail Transfer Protocol : protocol for electronic mail transmission |
| SNMP | 302 | Yes | Simple Network Management Protocol (SNMP), an Internet standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior |
| SOCKS | 303 | Yes | SOCKS, an Internet protocol that exchanges network packets between a client and server through a proxy server, which accepts incoming client connections on TCP port 1080 |
| SOCKS5 | 722 | Yes | SOCKS5, which adds authentication to SOCKS so that only authorized users may access a server; detected in both server and client directions |
| SSH | 304 | Yes | Secure Shell Protocol |
| SSL2 | 424 | Yes | Secure Sockets Layer (SSL) version 2 |
| SSL3 | 425 | Yes | Secure Sockets Layer (SSL) version 3 |
| TELNET | 305 | Yes | Telnet protocol, a bidirectional interactive text-oriented communication facility |
| TFTP | 306 | Yes | Trivial File Transfer Protocol |
| TLS | 406 | Yes | Transport Layer Security, a cryptographic protocol that provides end-to-end communications security over networks |
| TLS_ALPN_H2 | 483 | Yes | Application-Layer Protocol Negotiation (ALPN), a Transport Layer Security (TLS) extension for application layer protocol negotiation, here negotiating h2 (HTTP/2) |
| VIDEO_FLV | 319 | Yes | Content identification : video - FLV file format |
| VIDEO_QUICKTIME | 322 | Yes | Content identification : video - QuickTime file format |
| WEBSOCKET | 453 | Yes | WebSocket, a computer communications protocol providing full-duplex communication channels over a single TCP connection |
| XML | 308 | Yes | Content identification : XML |
| XMPP | 372 | Yes | Extensible Messaging and Presence Protocol : communication protocol based on XML |
| ZEUS_P2P | 422 | Yes | Zeus : peer-to-peer (P2P) variant of Zeus, a family of credential-stealing Trojans |
Gaining visibility into network protocol connection activity
1. Symantec Endpoint Security provides visibility into network protocol connection activity as part of the network event (type_ID 8007; disposition 3). The statistics are as follows:
  • What protocols were involved in the event
  • How much data was inbound and outbound
  • What was the duration of the event
You can correlate pre-existing connect and disconnect events with statistic events. Compare the source_ip, source_port, target_ip and target_port attributes of the network events (connect, disconnect, statistics). If they are the same, the events belong to the same network session.
2. When this feature is enabled, protocol connection events are recorded by Symantec Endpoint Security and reside on the device.
3. View the network protocol connection events by performing a full or process dump or by performing an endpoint search.
4. You must have admin rights to enable the protocol event recording and apply the policy.
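One way to apply the correlation rule from point 1 to a batch of exported events, as an added example that is not Symantec's own code or tooling: it groups connect, statistics and disconnect events that share the source_ip/source_port/target_ip/target_port 4-tuple into one session, sums inbound and outbound bytes, computes the session duration, resolves protocol IDs against a subset of the table above, and flags sessions whose statistics carry a protocol ID the table associates with malware (GHOST_RAT_*, ZEUS_P2P). Only type_ID 8007, disposition 3 and the four address attributes come from the page; the event fields kind, time, protocol_ids, bytes_in and bytes_out, the placeholder non-network type_ID, and the sample events are constructed assumptions.

```python
"""Group Symantec Endpoint Security network events (type_ID 8007) into sessions.

Added example, not Symantec's code. Attribute names source_ip, source_port,
target_ip, target_port, type_id and disposition, and the values 8007 / 3,
follow the page. The `kind`, `time`, `protocol_ids`, `bytes_in` and
`bytes_out` fields and the sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

NETWORK_EVENT_TYPE_ID = 8007   # network event type_ID (from the page)
STATISTICS_DISPOSITION = 3     # disposition of the protocol statistics event (from the page)

# Subset of the Netstat protocol IDs from the table above
PROTOCOL_NAMES = {
    256: "HTTP", 258: "DNS", 304: "SSH", 384: "GHOST_RAT_HEADER",
    385: "GHOST_RAT_DATA", 406: "TLS", 422: "ZEUS_P2P", 483: "TLS_ALPN_H2",
}
# Protocol IDs the table associates with malware traffic
MALWARE_PROTOCOL_IDS = {384, 385, 422}


@dataclass
class Session:
    key: tuple                       # (source_ip, source_port, target_ip, target_port)
    connect_time: Optional[float] = None
    disconnect_time: Optional[float] = None
    protocol_ids: set = field(default_factory=set)
    bytes_in: int = 0
    bytes_out: int = 0

    def duration(self) -> Optional[float]:
        """Seconds between connect and disconnect, or None if either event is missing."""
        if self.connect_time is None or self.disconnect_time is None:
            return None
        return self.disconnect_time - self.connect_time

    def protocol_names(self) -> set:
        return {PROTOCOL_NAMES.get(p, f"UNKNOWN_{p}") for p in self.protocol_ids}


def session_key(event: dict) -> tuple:
    """The four attributes the page says identify one network session."""
    return (event["source_ip"], event["source_port"],
            event["target_ip"], event["target_port"])


def correlate(events) -> dict:
    """Merge connect, statistics and disconnect events that share a 4-tuple."""
    sessions = {}
    for ev in events:
        if ev.get("type_id") != NETWORK_EVENT_TYPE_ID:
            continue                 # not a network event
        key = session_key(ev)
        s = sessions.setdefault(key, Session(key))
        kind = ev.get("kind")        # hypothetical field: connect | disconnect | statistics
        if kind == "connect":
            s.connect_time = ev["time"]
        elif kind == "disconnect":
            s.disconnect_time = ev["time"]
        elif kind == "statistics" and ev.get("disposition") == STATISTICS_DISPOSITION:
            s.protocol_ids.update(ev.get("protocol_ids", []))
            s.bytes_in += ev.get("bytes_in", 0)
            s.bytes_out += ev.get("bytes_out", 0)
    return sessions


def suspicious_sessions(sessions: dict) -> list:
    """Keys of sessions whose protocol statistics include a malware protocol ID."""
    return [k for k, s in sessions.items() if s.protocol_ids & MALWARE_PROTOCOL_IDS]


# Constructed sample telemetry (not real device data); addresses are documentation ranges.
_A = {"source_ip": "10.0.0.5", "source_port": 51000, "target_ip": "203.0.113.10", "target_port": 443}
_B = {"source_ip": "10.0.0.7", "source_port": 40000, "target_ip": "198.51.100.9", "target_port": 8080}
SAMPLE_EVENTS = [
    {"type_id": 8007, "kind": "connect", "time": 100.0, **_A},
    {"type_id": 8007, "kind": "statistics", "disposition": 3, "time": 105.0, **_A,
     "protocol_ids": [406, 483], "bytes_in": 5000, "bytes_out": 800},
    {"type_id": 8007, "kind": "statistics", "disposition": 3, "time": 120.0, **_A,
     "protocol_ids": [406], "bytes_in": 2000, "bytes_out": 300},
    {"type_id": 8007, "kind": "disconnect", "time": 130.0, **_A},
    # second session: still open; its statistics report a Zeus P2P protocol ID
    {"type_id": 8007, "kind": "connect", "time": 200.0, **_B},
    {"type_id": 8007, "kind": "statistics", "disposition": 3, "time": 210.0, **_B,
     "protocol_ids": [422], "bytes_in": 120, "bytes_out": 4096},
    # placeholder non-network type_ID: must be ignored by correlate()
    {"type_id": 9999, "kind": "other", "time": 201.0, **_B},
]

if __name__ == "__main__":
    sessions = correlate(SAMPLE_EVENTS)
    for key, s in sessions.items():
        print(key, sorted(s.protocol_names()), s.bytes_in, s.bytes_out, s.duration())
    print("suspicious:", suspicious_sessions(sessions))
```

A session with no disconnect event reports a duration of None rather than a guess, so a long-lived connection and a still-open one are distinguishable when the output is reviewed.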