How to identify and monitor network ports after intrusion detection

What should your next step be after finding an unfamiliar source or destination port on an IDS alert or firewall log? JP Vossen takes you through the process of port analysis.

JP Vossen, CISSP

When analyzing firewall logs or IDS alerts, you have probably come across an unfamiliar source or destination port. The next step in the analysis process is to figure out what service is using that network port so you can determine if it puts your network at risk.

More on this topic

Get strategies for managing network ports.
Find out how to scan for a port to see if it's being used in a network

The easiest way to identify and begin monitoring a network port is to look in the services file included with every modern TCP/IP stack. That's C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES under Windows (Hint: You can use Notepad to view or edit the file -- just double-click on it and choose notepad from the list), or /etc/services under most Unix variants. The Windows 'find' or Unix 'grep' commands can quickly search these files. Very often you won't find the port in the default services file because they usually list only a tiny subset of the available network ports and services. Then it's time to use the Web:

The Internet Ports Database is a large database of network ports with Web and DNS interfaces, and a downloadable uber-services file you can use to replace or supplement your stock services file. This site rarely lets me down.
The SANS Institute has an enormous amount of security information available, including a (slightly old) list of ports used by common Trojan programs.
DoSHelp.com has a similar list.
Nmap has a list of about 2,200 ports.
The definitive source of assigned port numbers is the Internet Assigned Numbers Authority (IANA) listing. The key word here is "assigned." Crackers typically fail to register port numbers for their malicious programs, and users may move services to a different port for security through obscurity or to get through a firewall.

Once you've found a service that uses the port in question don't assume anything! First, is it really what is seems to be, or did someone switch port numbers? Some ports are commonly used by more than one service, so which is it? Is the service allowed in your environment? Should it be? The following tools will help you find out more about what is really happening.

Foundstone has a command line utility called fport and SysInternals has a GUI program called TCPView. Both of these tools show you open TCP and UDP ports on your Windows computer, as well as what program and process is using them. These programs come in simple ZIP files. You can extract, use and then delete them -- no installation required.
On Unix, just use 'netstat -anp | less' or better yet, 'lsof -Pni'. lsof (LiSt Open Files) comes with many Linux distributions, though it is not usually installed by default. As the name suggests, it can list open files, but since everything in Unix is a file, this tool can do much more than the simple name suggests. I highly recommend exploring it.
Nmap has recently added a service and network port scanner. There are other tools that do similar things, but Nmap is probably the best and simplest. It also runs on Windows. As always, DO NOT PORT SCAN ANYTHING until you have written permission to do so.

If all else fails, try searching on Google, but don't make too many assumptions about what you find. The goal is to identify what is actually happening in your environment -- why did you get an alert, why was this log generated, is it malicious or benign. You know your network better than anyone on the Web.

SNORT INTRUSION DETECTION AND PREVENTION TECHNICAL GUIDE

Introduction
Why Snort makes IDS worth the time and effort
How to identify ports
How to handle network design with switches and segments
Where to place IDS network sensors
Finding an OS for Snort IDS sensors.
How to determine network interface cards for IDS sensors
Modifying and writing custom Snort IDS rules
How to configure Snort variables
Where to find Snort IDS rules
How to automatically update Snort rules
How to decipher the Oinkcode for Snort's VRT rules
Using IDS rules to test Snort

ABOUT THE AUTHOR: JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was last published in May 2005

Dig Deeper on Network device security: Appliances, firewalls and switches

10 Linux security tools for system administrators Linux-based tools for security are a boon to system admins for monitoring network security. Here are 10 popular and useful Linux-based security tools.

Traffic Talk: Testing Snort with Metasploit Are your customers' network security solutions working as expected? Learn about testing Snort with Metasploit in this detailed tip from Richard Bejtlich, complete with code examples and step-by-step instructions.

Windows security toolbox: Network security Ping and tracert are great, but sometimes you need a more powerful utility when troubleshooting your network -- especially where security is concerned. Check out these 12 free network security tools -- from scanners to network mappers -- that we've compiled into our Windows network security toolbox.

Top security tips for solutions providers Get the top five security tips of the first half of 2008, as chosen by SearchSecurityChannel.com readers.

Open source security tools Open source security tools are often as powerful and effective as their commercial cousins. This guide collects four of the best and shows you how to use them!

Snort 2.8.0 new features: IPv6 and port lists Snort 2.8.0 comes with new features long desired for the open source intrusion detection system, including IPv6, port lists and packet performance monitoring. Learn about the new IPv6 and port lists that VARs and systems integrators can use to optimize their use of the IDS in this latest edition of the Snort Report.

How to identify and monitor network ports after intrusion detection

What should your next step be after finding an unfamiliar source or destination port on an IDS alert or firewall log? JP Vossen takes you through the process of port analysis.

More on this topic

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

How to implement zero-trust cloud security

AWS Access Analyzer aims to limit S3 bucket exposures

How to evaluate CASB tools for multi-cloud deployments

SearchNetworking

4 SD-WAN vendors integrate with AWS Transit Gateway

Assess the Wi-Fi 6 features available in Wave 1 and Wave 2

3 networking startups rearchitect routing

SearchCIO

Shell, Halliburton, Unibap AB execs share real-world AI strategies

What's the difference between RPA and IPA?

The technological evolution of IT industry leaders: 2000 - 2020

SearchEnterpriseDesktop

Microsoft extends Office 365 benefit to nonprofit volunteers

Cut through confusion of the digital workspace market

Windows 10 issues top list of most read stories for IT pros

SearchCloudComputing

Review these Azure Service Bus best practices

Instill cloud change management best practices

How much cloud does an IT disaster recovery plan need?

ComputerWeekly.com

Top APAC telecoms predictions for 2020

FCO to boost cloud analysis setup

Tories plan electronic visa waiver for EU citizens

More on this topic

Dig Deeper on Network device security: Appliances, firewalls and switches

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.