Critical Systems Protection (SCSP) Logs Report a 0.0.0.0 Local IP Address When a Policy is Triggered
Last Updated November 04, 2011
When viewing the logs in SCSP, you notice that the local IP address of the event is 0.0.0.0.
Symptoms: Local IP Address 0.0.0.0 in event logs
The SCSP firewall blocks inbound and outbound connections by hooking socket-style interfaces. For inbound traffic it blocks the accept() call on the listening socket at the application layer; it does not have access to layer 3 information such as the inbound (local) IP address.
The SCSP firewall is intended only as a simple way to block inbound and outbound connections, implemented by hooking socket-style interfaces: the connect() call is blocked for outbound traffic and the accept() call for inbound traffic. Because of this, no destination (local) address information is available at the time of accept(). The local address is fixed when the listening socket is created and bound, before any connection arrives; if the listener was bound to all interfaces (the wildcard address 0.0.0.0) rather than to a specific interface, the socket carries no specific local address, so the log reports 0.0.0.0. For more information on this type of network programming, see the Winsock page in the "References" section below.
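The following program is an added example, not code from the Symantec article or from the SCSP product. It reproduces the behaviour described above with plain POSIX sockets (the Winsock calls socket, bind, listen, accept and getsockname have the same names and semantics): a listener bound to the wildcard address reports 0.0.0.0 as its local address, accept() fills in only the peer address, and the real local address exists only on the per-connection socket that accept() returns. The loopback connection to 127.0.0.1 and the ephemeral port are constructed for the demonstration.

```c
/* Added example (not from the Symantec article): why a listener bound to the
 * wildcard address reports 0.0.0.0, and where the real local address lives. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Addresses observed on one loopback connection, rendered as dotted text. */
struct addr_report {
    char listener_local[INET_ADDRSTRLEN]; /* getsockname() on the listening socket */
    char accepted_local[INET_ADDRSTRLEN]; /* getsockname() on the accepted socket  */
    char accepted_peer[INET_ADDRSTRLEN];  /* the only address accept() fills in    */
};

/* Renders the IPv4 address of a sockaddr_in as dotted text. */
static void addr_to_text(const struct sockaddr_in *sa, char *out, size_t len) {
    inet_ntop(AF_INET, &sa->sin_addr, out, (socklen_t)len);
}

/* Creates a wildcard listener on an ephemeral port, connects to it over
 * loopback, accepts the connection and records what each socket reports as
 * its local address. Returns 0 on success, -1 on any socket error. */
int run_loopback_demo(struct addr_report *rep) {
    int lst = -1, cli = -1, acc = -1, rc = -1;
    struct sockaddr_in bind_addr, bound, target, peer, local;
    socklen_t len;

    memset(rep, 0, sizeof(*rep));

    lst = socket(AF_INET, SOCK_STREAM, 0);
    if (lst < 0) goto done;

    /* Bind to INADDR_ANY (0.0.0.0) on port 0: any interface, kernel-chosen port.
     * This is the "not bound to a specific interface" case from the article. */
    memset(&bind_addr, 0, sizeof(bind_addr));
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    bind_addr.sin_port = htons(0);
    if (bind(lst, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) goto done;
    if (listen(lst, 1) < 0) goto done;

    /* The listening socket knows only the wildcard address it was bound to. */
    len = sizeof(bound);
    if (getsockname(lst, (struct sockaddr *)&bound, &len) < 0) goto done;
    addr_to_text(&bound, rep->listener_local, sizeof(rep->listener_local));

    /* Constructed client: connect to the listener through 127.0.0.1. */
    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0) goto done;
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = bound.sin_port;
    if (inet_pton(AF_INET, "127.0.0.1", &target.sin_addr) != 1) goto done;
    if (connect(cli, (struct sockaddr *)&target, sizeof(target)) < 0) goto done;

    /* accept() reports the PEER address only; nothing about our own side. */
    len = sizeof(peer);
    acc = accept(lst, (struct sockaddr *)&peer, &len);
    if (acc < 0) goto done;
    addr_to_text(&peer, rep->accepted_peer, sizeof(rep->accepted_peer));

    /* The local address becomes known only on the accepted, connected socket. */
    len = sizeof(local);
    if (getsockname(acc, (struct sockaddr *)&local, &len) < 0) goto done;
    addr_to_text(&local, rep->accepted_local, sizeof(rep->accepted_local));

    rc = 0;
done:
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    if (lst >= 0) close(lst);
    return rc;
}

int main(void) {
    struct addr_report rep;
    if (run_loopback_demo(&rep) != 0) {
        perror("socket demo");
        return 1;
    }
    printf("listening socket local address: %s\n", rep.listener_local);
    printf("accepted socket local address:  %s\n", rep.accepted_local);
    printf("accepted socket peer address:   %s\n", rep.accepted_peer);
    return 0;
}
```

A hook placed on accept() sees the listening socket and the peer address, which is exactly the first and third line of the output; the 127.0.0.1 on the second line is only available after accept() has returned a connected socket, so an event logged at the accept() hook point can only record 0.0.0.0 for the local side.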