How to identify and monitor network ports after intrusion detection

When analyzing firewall logs or IDS alerts, you have probably come across an unfamiliar source or destination port. The next step in the analysis process is to figure out what service is using that network port so you can determine if it puts your network at risk.

More Information Get strategies for managing network ports. Find out how to scan for a port to see if it's being used in a network

The easiest way to identify and begin monitoring a network port is to look in the services file included with every modern TCP/IP stack. That's C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES under Windows (Hint: You can use Notepad to view or edit the file -- just double-click on it and choose notepad from the list), or /etc/services under most Unix variants. The Windows 'find' or Unix 'grep' commands can quickly search these files. Very often you won't find the port in the default services file because they usually list only a tiny subset of the available network ports and services. Then it's time to use the Web:

• The Internet Ports Database is a large database of network ports with Web and DNS interfaces, and a downloadable uber-services file you can use to replace or supplement your stock services file. This site rarely lets me down.
• The SANS Institute has an enormous amount of security information available, including a (slightly old) list of ports used by common Trojan programs.
• DoSHelp.com has a similar list.
• Nmap has a list of about 2,200 ports.
• The definitive source of assigned port numbers is the Internet Assigned Numbers Authority (IANA) listing. The key word here is "assigned." Crackers typically fail to register port numbers for their malicious programs, and users may move services to a different port for security through obscurity or to get through a firewall.

Once you've found a service that uses the port in question don't assume anything! First, is it really what is seems to be, or did someone switch port numbers? Some ports are commonly used by more than one service, so which is it? Is the service allowed in your environment? Should it be? The following tools will help you find out more about what is really happening.

• Foundstone has a command line utility called fport and SysInternals has a GUI program called TCPView. Both of these tools show you open TCP and UDP ports on your Windows computer, as well as what program and process is using them. These programs come in simple ZIP files. You can extract, use and then delete them -- no installation required.
• On Unix, just use 'netstat -anp | less' or better yet, 'lsof -Pni'. lsof (LiSt Open Files) comes with many Linux distributions, though it is not usually installed by default. As the name suggests, it can list open files, but since everything in Unix is a file, this tool can do much more than the simple name suggests. I highly recommend exploring it.
• Nmap has recently added a service and network port scanner. There are other tools that do similar things, but Nmap is probably the best and simplest. It also runs on Windows. As always, DO NOT PORT SCAN ANYTHING until you have written permission to do so.

If all else fails, try searching on Google, but don't make too many assumptions about what you find. The goal is to identify what is actually happening in your environment -- why did you get an alert, why was this log generated, is it malicious or benign. You know your network better than anyone on the Web.

SNORT INTRUSION DETECTION AND PREVENTION TECHNICAL GUIDE

  Introduction
  Why Snort makes IDS worth the time and effort
  How to identify ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors.
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort

ABOUT THE AUTHOR:

JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Enterprise role management: Trends and best practices Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Network Firewalls Is it possible to allow select access to IP addresses using Windows Server 2003? Sophos finds patching issues through endpoint NAC tool Fortinet acquires database vulnerability scanner from IPLocks Is an IPsec VPN necessary when connecting remote servers that process financial transactions? Embedding security has drawbacks says TippingPoint chief architect Is security improved when the number of Internet gateways is reduced? Nipper audits routers, reveals insecure settings Product review: Netgear's Netgear FVS336G ProSafe Dual WAN Gigabit Firewall Product review: Tufin's Tufin SecureTrack 4.1 Product review: SonicWALL's SonicWALL NSA E5500 Network Intrusion Detection (IDS) What are best practices for creating an IDS and maintaining a signature database? Network intrusion prevention systems: Should enterprises deploy now? RSA 2008: Sourcefire founder Roesch previews Snort 3 Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? Screencast: Snort -- Tactics for basic network analysis Can Snort stop application-layer attacks? Network Intrusion Detection (IDS) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bastion host  (SearchSecurity.com) firewall  (SearchSecurity.com) Firewall Builder  (SearchSecurity.com) personal firewall  (SearchSecurity.com) screened subnet  (SearchSecurity.com) virus  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.