Problem solve Get help with specific problems with your technologies, process and projects.

How to identify and monitor network ports after intrusion detection

What should your next step be after finding an unfamiliar source or destination port on an IDS alert or firewall log? JP Vossen takes you through the process of port analysis.

When analyzing firewall logs or IDS alerts, you have probably come across an unfamiliar source or destination port. The next step in the analysis process is to figure out what service is using that network port so you can determine if it puts your network at risk.

More on this topic

The easiest way to identify and begin monitoring a network port is to look in the services file included with every modern TCP/IP stack. That's C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES under Windows (Hint: You can use Notepad to view or edit the file -- just double-click on it and choose notepad from the list), or /etc/services under most Unix variants. The Windows 'find' or Unix 'grep' commands can quickly search these files. Very often you won't find the port in the default services file because they usually list only a tiny subset of the available network ports and services. Then it's time to use the Web:

Once you've found a service that uses the port in question don't assume anything! First, is it really what is seems to be, or did someone switch port numbers? Some ports are commonly used by more than one service, so which is it? Is the service allowed in your environment? Should it be? The following tools will help you find out more about what is really happening.

  • Foundstone has a command line utility called fport and SysInternals has a GUI program called TCPView. Both of these tools show you open TCP and UDP ports on your Windows computer, as well as what program and process is using them. These programs come in simple ZIP files. You can extract, use and then delete them -- no installation required.
  • On Unix, just use 'netstat -anp | less' or better yet, 'lsof -Pni'. lsof (LiSt Open Files) comes with many Linux distributions, though it is not usually installed by default. As the name suggests, it can list open files, but since everything in Unix is a file, this tool can do much more than the simple name suggests. I highly recommend exploring it.
  • Nmap has recently added a service and network port scanner. There are other tools that do similar things, but Nmap is probably the best and simplest. It also runs on Windows. As always, DO NOT PORT SCAN ANYTHING until you have written permission to do so.

If all else fails, try searching on Google, but don't make too many assumptions about what you find. The goal is to identify what is actually happening in your environment -- why did you get an alert, why was this log generated, is it malicious or benign. You know your network better than anyone on the Web.


  Why Snort makes IDS worth the time and effort
  How to identify ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors.
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort


ABOUT THE AUTHOR: JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was last published in May 2005

Dig Deeper on Network device security: Appliances, firewalls and switches