
NETWORK SECURITY TACTICS
How to identify and monitor network ports after intrusion detection
JP Vossen, CISSP 01.06.2004
Rating: -4.52- (out of 5)




|
When analyzing firewall logs or IDS alerts, you have probably come across an unfamiliar source or destination port. The next step in the analysis process is to figure out what service is using that network port so you can determine if it puts your network at risk.
The easiest way to identify and begin monitoring a network port is to look in the services file included with every modern TCP/IP stack. That's C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES under Windows (Hint: You can use Notepad to view or edit the file -- just double-click on it and choose notepad from the list), or /etc/services under most Unix variants. The Windows 'find' or Unix 'grep' commands can quickly search these files. Very often you won't find the port in the default services file because they usually list only a tiny subset of the available network ports and services. Then it's time to use the Web:
Once you've found a service that uses the port in question don't assume anything! First, is it really what is seems to be, or did someone switch port numbers? Some ports are commonly used by more than one service, so which is it? Is the service allowed in your environment? Should it be? The following tools will help you find out more about what is really happening.
- Foundstone has a command line utility called fport and SysInternals has a GUI program called TCPView. Both of these tools show you open TCP and UDP ports on your Windows computer, as well as what program and process is using them. These programs come in simple ZIP files. You can extract, use and then delete them -- no installation required.
- On Unix, just use 'netstat -anp | less' or better yet, 'lsof -Pni'. lsof (LiSt Open Files) comes with many Linux distributions, though it is not usually installed by default. As the name suggests, it can list open files, but since everything in Unix is a file, this tool can do much more than the simple name suggests. I highly recommend exploring it.
- Nmap has recently added a service and network port scanner. There are other tools that do similar things, but Nmap is probably the best and simplest. It also runs on Windows. As always, DO NOT PORT SCAN ANYTHING until you have written permission to do so.
If all else fails, try searching on Google, but don't make too many assumptions about what you find. The goal is to identify what is actually happening in your environment -- why did you get an alert, why was this log generated, is it malicious or benign. You know your network better than anyone on the Web.

SNORT INTRUSION DETECTION AND PREVENTION TECHNICAL GUIDE

Introduction
Why Snort makes IDS worth the time and effort
How to identify ports
How to handle network design with switches and segments
Where to place IDS network sensors
Finding an OS for Snort IDS sensors.
How to determine network interface cards for IDS sensors
Modifying and writing custom Snort IDS rules
How to configure Snort variables
Where to find Snort IDS rules
How to automatically update Snort rules
How to decipher the Oinkcode for Snort's VRT rules
Using IDS rules to test Snort
ABOUT THE AUTHOR:
|
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source
projects including Snort, and has previously worked as an information security consultant and systems engineer.
|
|
 |

|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com. Register now
to start rating these tips. Log in if you are already a member.
|


');
// -->
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
 |
|
|
 |
|
 |