How to identify and monitor network ports after intrusion detection

When analyzing firewall logs or IDS alerts, you have probably come across an unfamiliar source or destination port. The next step in the analysis process is to figure out what service is using that network port so you can determine if it puts your network at risk.

The easiest way to identify and begin monitoring a network port is to look in the services file included with every modern TCP/IP stack. That's C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES under Windows (Hint: You can use Notepad to view or edit the file -- just double-click on it and choose notepad from the list), or /etc/services under most Unix variants. The Windows 'find' or Unix 'grep' commands can quickly search...

BROWSE BY TAG Network Security Tactics,   Network Security: Tools, Products, Software,   Enterprise Network Security,   Network Firewalls, Routers and Switches,   Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   VIEW ALL TAGS

RELATED CONTENT Network Security Tactics How to properly implement firewall egress filtering What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler Network Firewalls, Routers and Switches How to properly implement firewall egress filtering How to prepare for a secure network hardware upgrade Best Network Firewall Products What is the difference between static and dynamic network validation? Screencast: Smoothwall offers firewall defense in lean times New Cisco IOS bugs pose tempting targets, says Black Hat researcher How to implement virtual firewalls in a complex network infrastructure How to manage network bandwidth with distributed ISP bandwidth Firewall rule management best practices Should enterprises be running multiple firewalls? Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bastion host  (SearchSecurity.com) firewall  (SearchSecurity.com) Firewall Builder  (SearchSecurity.com) screened subnet  (SearchSecurity.com) virus  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

these files. Very often you won't find the port in the default services file because they usually list only a tiny subset of the available network ports and services. Then it's time to use the Web:

• The Internet Ports Database is a large database of network ports with Web and DNS interfaces, and a downloadable uber-services file you can use to replace or supplement your stock services file. This site rarely lets me down.
• The SANS Institute has an enormous amount of security information available, including a (slightly old) list of ports used by common Trojan programs.
• DoSHelp.com has a similar list.
• Nmap has a list of about 2,200 ports.
• The definitive source of assigned port numbers is the Internet Assigned Numbers Authority (IANA) listing. The key word here is "assigned." Crackers typically fail to register port numbers for their malicious programs, and users may move services to a different port for security through obscurity or to get through a firewall.

Once you've found a service that uses the port in question don't assume anything! First, is it really what is seems to be, or did someone switch port numbers? Some ports are commonly used by more than one service, so which is it? Is the service allowed in your environment? Should it be? The following tools will help you find out more about what is really happening.

• Foundstone has a command line utility called fport and SysInternals has a GUI program called TCPView. Both of these tools show you open TCP and UDP ports on your Windows computer, as well as what program and process is using them. These programs come in simple ZIP files. You can extract, use and then delete them -- no installation required.
• On Unix, just use 'netstat -anp | less' or better yet, 'lsof -Pni'. lsof (LiSt Open Files) comes with many Linux distributions, though it is not usually installed by default. As the name suggests, it can list open files, but since everything in Unix is a file, this tool can do much more than the simple name suggests. I highly recommend exploring it.
• Nmap has recently added a service and network port scanner. There are other tools that do similar things, but Nmap is probably the best and simplest. It also runs on Windows. As always, DO NOT PORT SCAN ANYTHING until you have written permission to do so.

If all else fails, try searching on Google, but don't make too many assumptions about what you find. The goal is to identify what is actually happening in your environment -- why did you get an alert, why was this log generated, is it malicious or benign. You know your network better than anyone on the Web.

ABOUT THE AUTHOR:

[IMAGE]JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.