Track socket listen events for an endpoint security product

Hello!

I'm trying to capture socket state changes for an endpoint security product and have tried the Endpoint Security APIs as well as a Network Extension but there doesn't seem to be a way to detect listening sockets in real time. I've so far been able to capture all process, file and network flow/packet information in real-time but I'm also interested in getting an event when a server socket is opened for listening for incoming connections. Is there a way to do this? If yes, can someone please point me to the documentation or any other information on how to go about it? Thanks!

Replies

I'm also interested in getting an event when a server socket is opened for listening for incoming connections. Is there a way to do this?

I don’t see any good way to do that.

As you’ve noted, all the NE mechanisms tell you about flows; you’re not notified of a listener being started. You could probably implement some sort of hackish workaround, but I can’t think of anything that I’d actively endorse.

I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

WARNING Keep in mind that not all networking is done with sockets. See here. I did some tests today and it looks like a listener always uses a file descriptor under the covers, but that’s definitely not part of the API contract.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
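For reference, the kind of polling workaround the reply mentions (and explicitly does not endorse) looks like this. This is an added example, not code from the thread, from the original poster or from Apple. It assumes `lsof` is on the PATH and that its field-output mode (`-F pcLn`: `p` pid, `c` command, `L` login name, `f` file descriptor, `n` name) prints one field per line; the sample output below is constructed, not captured from a real machine. It diffs consecutive snapshots of listening TCP sockets, which is exactly why it is only a workaround: a listener that opens and closes between two polls is never seen, `lsof` only shows processes the caller may inspect (run as root to see every user), and, per the warning above, a listener that is not backed by a file descriptor would be invisible to it.

```python
"""Polling fallback for spotting newly opened TCP listeners on macOS.

Added example, not from the original thread. Snapshots
`lsof -nP -iTCP -sTCP:LISTEN -F pcLn` periodically and reports which
listeners appeared or disappeared between snapshots. Assumes lsof is
installed and on PATH (true on stock macOS).
"""
import subprocess
import time
from dataclasses import dataclass

# -n/-P: no DNS or service-name lookups; -F pcLn: machine-readable fields.
LSOF_CMD = ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN", "-F", "pcLn"]


@dataclass(frozen=True)
class Listener:
    pid: int
    command: str
    user: str
    name: str  # bind address as lsof prints it, e.g. "*:8080" or "127.0.0.1:5432"


def parse_lsof_fields(text: str) -> set[Listener]:
    """Parse lsof -F output into a set of Listener records.

    A process block starts with a 'p' line; its 'c' and 'L' lines describe
    the process; every open file starts with an 'f' line and carries its own
    'n' line. The fd number is deliberately not part of the key, so a
    process holding the same bind address on several descriptors (for
    example IPv4 and IPv6 dual listeners) collapses to one record.
    """
    listeners: set[Listener] = set()
    pid, command, user = None, "", ""
    for line in text.splitlines():
        if not line:
            continue
        key, value = line[0], line[1:]
        if key == "p":
            pid, command, user = int(value), "", ""
        elif key == "c":
            command = value
        elif key == "L":
            user = value
        elif key == "n" and pid is not None:
            listeners.add(Listener(pid, command, user, value))
    return listeners


def diff_listeners(previous: set[Listener], current: set[Listener]):
    """Return (opened, closed): listeners new in current, and gone since previous."""
    return current - previous, previous - current


def snapshot() -> set[Listener]:
    """Run lsof and parse its output. lsof exits non-zero when nothing matches,
    so the exit status is ignored and an empty set is returned in that case."""
    out = subprocess.run(LSOF_CMD, capture_output=True, text=True, check=False).stdout
    return parse_lsof_fields(out)


def watch(interval: float = 1.0) -> None:
    """Poll forever and print each change. Anything shorter than `interval`
    is missed; that is the inherent limitation of this approach."""
    previous = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        opened, closed = diff_listeners(previous, current)
        for ln in sorted(opened, key=lambda x: (x.pid, x.name)):
            print(f"LISTEN opened: pid={ln.pid} cmd={ln.command} user={ln.user} {ln.name}")
        for ln in sorted(closed, key=lambda x: (x.pid, x.name)):
            print(f"LISTEN closed: pid={ln.pid} cmd={ln.command} user={ln.user} {ln.name}")
        previous = current


# Constructed sample in lsof -F format (not real output): rapportd holds the
# same bind address on two descriptors, python3 has one listener.
SAMPLE_BEFORE = "p521\ncrapportd\nLalice\nf8\nn*:49152\nf9\nn*:49152\np9001\ncpython3\nLalice\nf3\nn127.0.0.1:8000\n"
# Second constructed snapshot: python3 has gone away, nc started listening.
SAMPLE_AFTER = "p521\ncrapportd\nLalice\nf8\nn*:49152\np7777\ncnc\nLbob\nf3\nn*:4444\n"


if __name__ == "__main__":
    watch()
```

Running the file as a script polls every second; `parse_lsof_fields` and `diff_listeners` can be exercised offline against the constructed samples without `lsof` present.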