Skip to content



security_socket_bind - An event capturing details when a socket is bound to an address and port.


This event gets triggered whenever a socket is bound to a local address and port, a crucial step for setting up servers or defining source addresses for outgoing connections.i

The eBPF program hooks into the kernel's security_socket_bind function, capturing details about the socket involved and the address to which it binds.

Monitoring socket bindings can provide insights into the activities of servers, services, and applications, revealing which services are being started or if specific services are being bound to unexpected addresses.


  1. sockfd (int): The file descriptor referring to the socket that is being bound.
  2. local_addr (struct sockaddr*): A pointer to the structure holding the local address and port details to which the socket is binding.




Kprobe (using kprobe/security_socket_bind).


To observe and gather data whenever a socket is bound to a local address and port. The captured data, including the socket's descriptor and its binding address, gets saved into a buffer and is subsequently submitted to user-space for further processing, analysis, or logging.

Example Use Case

Monitoring the security_socket_bind event can be of high value for server or network administrators. By observing this event, they can get insights about the services being initiated, ensuring that only authorized services are started and unexpected bindings are detected, which can be a sign of misconfiguration or a potential threat.

  • security_socket_accept
  • security_socket_create
  • security_socket_listen
  • security_socket_connect
  • security_socket_setsockopt

Note: This document was generated by OpenAI with a human review process.