Detection Library
medium · experimental · Linux · OCI · Network · T1071.001

Linux Agent Connecting To Peer Workstation Style Ports

Detects AI agent processes connecting to ports commonly used for inter-agent or peer-to-peer communication (including Docker daemon ports), which may indicate unauthorized agent orchestration or container escape attempts.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · inter-agent · peer-to-peer · docker · linux · oci · owasp-asi07

Problem Statement

Connections to Docker daemon ports from an AI agent indicate a potential container escape attempt — the agent may be trying to spawn new containers, modify container configurations, or pivot to the host system through the Docker API.

Sample Logs

{"timestamp":"2025-01-10T13:10:00Z","computer_name":"oci-worker-31","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"oci-worker-32.internal","destination_ip":"10.0.1.32","destination_port":2375,"initiated":true}

Required Fields

image
destination_hostname
destination_ip
destination_port
user
computer_name

False Positives

  • Legitimate multi-agent orchestration systems where agents communicate with peer agents via HTTP APIs
  • Microservice architectures where the agent connects to backend services on these ports

Tuning Guidance

Alert specifically on connections to Docker daemon ports (2375/2376) as these have no legitimate agent use case. For other ports, apply destination allowlisting.
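The detection and tuning logic described above, run over the sample log format, as an added example (this is illustrative code written for this page, not the detection library's own implementation). The Docker daemon ports 2375/2376 come from the tuning guidance; the set of other peer-style ports, the list of process images treated as AI agents, and the destination allowlist are constructed assumptions, since the page does not enumerate them. All sample log lines after the first are constructed.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Docker daemon ports named in the tuning guidance: always alert, no allowlisting.
DOCKER_DAEMON_PORTS = {2375, 2376}

# Other inter-agent / peer-style ports. The page does not enumerate these, so this
# set is a constructed placeholder for the example, not the rule's own list.
PEER_STYLE_PORTS = {5000, 8000, 8080, 8765}

# Process images treated as AI agent processes. Constructed assumption.
AGENT_IMAGES = {"/usr/bin/python3", "/usr/bin/node"}

# Fields the rule lists as required; events missing any of them are not evaluated.
REQUIRED_FIELDS = ("image", "destination_hostname", "destination_ip",
                   "destination_port", "user", "computer_name")


@dataclass
class Finding:
    reason: str
    computer_name: str
    user: str
    destination: str  # "hostname:port"


def evaluate(event: dict, peer_allowlist: Set[str]) -> Optional[Finding]:
    """Apply the rule to one parsed connection event; return a Finding or None."""
    if any(field not in event for field in REQUIRED_FIELDS):
        return None  # cannot evaluate without the required fields
    if not event.get("initiated", False):
        return None  # only outbound connections initiated by the agent are in scope
    if event["image"] not in AGENT_IMAGES:
        return None  # not an AI agent process
    try:
        port = int(event["destination_port"])
    except (TypeError, ValueError):
        return None  # unparseable port: skip rather than guess

    destination = f'{event["destination_hostname"]}:{port}'
    if port in DOCKER_DAEMON_PORTS:
        # Tuning guidance: no legitimate agent use case, so alert regardless of destination.
        return Finding("agent connected to Docker daemon port",
                       event["computer_name"], event["user"], destination)
    if port in PEER_STYLE_PORTS:
        # Tuning guidance: destination allowlisting applies to the other peer ports.
        if (event["destination_hostname"] in peer_allowlist
                or event["destination_ip"] in peer_allowlist):
            return None
        return Finding("agent connected to non-allowlisted peer port",
                       event["computer_name"], event["user"], destination)
    return None


def run_detection(log_lines: Iterable[str], peer_allowlist: Set[str]) -> List[Finding]:
    """Parse newline-delimited JSON events and collect the findings."""
    findings: List[Finding] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it instead of stopping the pipeline
        finding = evaluate(event, peer_allowlist)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample input. The first line is the page's sample log; the others are
# made up to exercise the allowlist, the non-agent image, inbound and malformed cases.
SAMPLE_LOGS = """
{"timestamp":"2025-01-10T13:10:00Z","computer_name":"oci-worker-31","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"oci-worker-32.internal","destination_ip":"10.0.1.32","destination_port":2375,"initiated":true}
{"timestamp":"2025-01-10T13:11:00Z","computer_name":"oci-worker-31","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"orchestrator.internal","destination_ip":"10.0.1.5","destination_port":8080,"initiated":true}
{"timestamp":"2025-01-10T13:12:00Z","computer_name":"oci-worker-31","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"oci-worker-40.internal","destination_ip":"10.0.1.40","destination_port":8080,"initiated":true}
{"timestamp":"2025-01-10T13:13:00Z","computer_name":"oci-worker-31","user":"ops","image":"/usr/bin/curl","destination_hostname":"oci-worker-32.internal","destination_ip":"10.0.1.32","destination_port":2376,"initiated":true}
{"timestamp":"2025-01-10T13:14:00Z","computer_name":"oci-worker-31","user":"agent_svc","image":"/usr/bin/python3","destination_hostname":"oci-worker-32.internal","destination_ip":"10.0.1.32","destination_port":2375,"initiated":false}
not json at all
"""

# Constructed allowlist: the orchestrator the agents are expected to talk to.
PEER_ALLOWLIST = {"orchestrator.internal", "10.0.1.5"}


def sample_findings() -> List[Finding]:
    return run_detection(SAMPLE_LOGS.splitlines(), PEER_ALLOWLIST)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.computer_name} {f.user} -> {f.destination}: {f.reason}")
```

Against the constructed input this yields two findings: the page's sample event (Docker daemon port, alerted unconditionally) and the connection to a peer on 8080 that is not on the allowlist. The allowlisted orchestrator connection, the non-agent `curl` process, the inbound connection and the malformed line produce nothing, which is the behaviour the false-positive and tuning sections call for.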