diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml
index 54aa03e2..0ba683c0 100644
--- a/communication/socket/tcp/create-tcp-socket.yml
+++ b/communication/socket/tcp/create-tcp-socket.yml
@@ -12,12 +12,17 @@ rule:
 dynamic: call
 mbc:
 - Communication::Socket Communication::Create TCP Socket [C0001.011]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
+ - https://man7.org/linux/man-pages/man2/socket.2.html
 examples:
 - Practical Malware Analysis Lab 01-01.dll_:0x10001010
 features:
 - or:
 - and:
- - number: 6 = IPPROTO_TCP
+ - or:
+ - number: 0 = protocol (default)
+ - number: 6 = IPPROTO_TCP
 - number: 1 = SOCK_STREAM
 - number: 2 = AF_INET
 - or:
diff --git a/communication/socket/udp/send/create-udp-socket.yml b/communication/socket/udp/send/create-udp-socket.yml
index 64e00c4d..c783157d 100644
--- a/communication/socket/udp/send/create-udp-socket.yml
+++ b/communication/socket/udp/send/create-udp-socket.yml
@@ -17,6 +17,9 @@ rule:
 - or:
 - and:
 - count(number(2 = AF_INET/SOCK_DGRAM)): 2 or more
+ - or:
+ - number: 0 = protocol (default)
+ - number: 17 = IPPROTO_UDP
 - or:
 - api: socket
 - api: ws2_32.socket
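Review bot: The new `- number: 0 = protocol (default)` branch inside the TCP `and:` block carries almost no discriminating weight outside the `dynamic: call` scope visible here: a 0 immediate appears in nearly every function, so if the rule also has a static scope (the scope block starts above this hunk and is not visible) the protocol sub-clause is satisfied by almost anything, leaving `1 = SOCK_STREAM` and `2 = AF_INET` to do all the matching. That is likely an accepted trade-off since `socket(AF_INET, SOCK_STREAM, 0)` is the common idiom, but the description should say what 0 means rather than only "(default)"; the winsock and socket(2) pages added under `references:` define it as the default protocol for the given socket type, so `- number: 0 = protocol (default, IPPROTO_TCP for SOCK_STREAM)` would make the intent explicit to a reader and to anyone tuning the rule later. The same `0 = protocol (default)` branch is added in the second hunk (create-udp-socket.yml), where the equivalent wording would be `IPPROTO_UDP for SOCK_DGRAM`. The `rule:` block these lines belong to starts before the hunk.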
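Review bot: The UDP hunk adds the protocol `or:` but, unlike the TCP hunk, adds no `references:` entries for the winsock `socket` and socket(2) documentation; if the rule's meta block above this hunk (not visible here) does not already carry them, adding the same two URLs would keep the two sibling rules consistent and give a reader the source for the 0/17 values. Note also that this `or:` is a new mandatory element of the existing `and:`, so a `socket` call whose third argument is a literal other than 0 or 17 no longer matches where it did before the change; that tightening is worth a sentence in the commit description so the change in coverage is deliberate rather than incidental. The `rule:` block this hunk belongs to starts before the hunk.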