lowexperimentalLinuxOCINetworkT1071.001

Linux Agent Connecting To Localhost Tooling Services

Detects AI agent processes establishing connections to localhost on common tooling and inter-agent communication ports, which may indicate unmonitored agent-to-tool or agent-to-agent communication channels.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-aiinter-agentlocalhosttoolinglinuxociowasp-asi07

Problem Statement

Localhost connections between an AI agent and local tooling services may lack authentication or encryption, creating attack opportunities. Unmonitored inter-process communication channels can be exploited to inject malicious tool responses or intercept sensitive data exchanged between agent components.

Sample Logs

{"timestamp":"2025-01-10T10:30:00Z","computer_name":"oci-worker-29","user":"agent_svc","image":"/usr/bin/python3","destination_ip":"127.0.0.1","destination_port":11434,"initiated":true}

Required Fields

image

destination_ip

destination_port

user

computer_name

False Positives

·Legitimate local Ollama LLM inference on port 11434
·Development web servers and API services on ports 5000/8000/8080
·Local monitoring agents or health check endpoints

Tuning Guidance

Build an allowlist of approved localhost services and their ports per host. Alert only on connections to ports not in the allowlist for that host.