
SANS ISC: Cyber Security Awareness Month - Day 10 - The Questionable Ports SANS ISC InfoSec Forums


The Internet Storm Center is focusing on IP ports for the month of October. I am going to continue the theme, but with a bit of a twist: I am going to talk about a few of the ports that are usually not desirable to see in a traffic analysis. There are many more than I could list, and the majority are associated with malware, but not all of them. Here we go:

1214 - Limewire/Kazaa (A Peer-to-Peer application.  Not by definition malware, but not something desirable in an enterprise)

2773 - SubSeven (Trojan)

5631 - pcAnywhere (A commercial remote control application)

1863 - Numerous Microsoft applications

I want to emphasize that the ports listed are not necessarily bad. The point here is awareness. Knowledge and management of the ports required and permitted in the enterprise, and at home, will lead to an overall improvement of the security posture of a network. This is where syslogs, traffic analysis, and documentation tie everything together.
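One way to tie logs and documentation together, as an added example that is not part of the original diary: it checks firewall log lines against a documented list of permitted ports and the four ports named above. The iptables-style log format, the permitted-port list, the helpdesk host and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Ports named in the diary, with the diary's own labels.
WATCHLIST = {
    1214: "Limewire/Kazaa (peer-to-peer)",
    2773: "SubSeven (trojan)",
    5631: "pcAnywhere (commercial remote control)",
    1863: "Numerous Microsoft applications",
}

# Assumption: the site's documented ports. None = any host may use the port;
# a set = only those sources may (here a hypothetical helpdesk host).
PERMITTED = {53: None, 80: None, 443: None, 5631: {"10.0.0.5"}}

# Assumption: iptables-style syslog lines carrying SRC=, DST= and DPT= fields.
FLOW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Oct 10 09:01:12 fw kernel: SRC=10.0.0.21 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=443
Oct 10 09:02:40 fw kernel: SRC=10.0.0.5 DST=10.0.1.40 PROTO=TCP SPT=49200 DPT=5631
Oct 10 09:03:05 fw kernel: SRC=10.0.0.21 DST=10.0.1.40 PROTO=TCP SPT=49311 DPT=5631
Oct 10 09:04:17 fw kernel: SRC=10.0.0.33 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=1214
Oct 10 09:04:59 fw kernel: SRC=10.0.0.33 DST=198.51.100.9 PROTO=TCP SPT=50002 DPT=2773
Oct 10 09:06:30 fw kernel: SRC=10.0.0.40 DST=203.0.113.5 PROTO=TCP SPT=50440 DPT=6667
Oct 10 09:07:00 fw sshd[311]: session opened for user admin
"""

def is_permitted(src, port, permitted=PERMITTED):
    """True when the documentation allows this source to use this port."""
    if port not in permitted:
        return False
    hosts = permitted[port]
    return hosts is None or src in hosts

def review_flows(log_text, permitted=PERMITTED, watchlist=WATCHLIST):
    """Return (watch, undocumented): source host -> set of destination ports."""
    watch, undocumented = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record (e.g. the sshd line)
        src, port = m.group("src"), int(m.group("dpt"))
        if is_permitted(src, port, permitted):
            continue  # documented and allowed, nothing to review
        bucket = watch if port in watchlist else undocumented
        bucket[src].add(port)
    return dict(watch), dict(undocumented)
```

A documented exception (pcAnywhere from the helpdesk host) passes quietly, while the same port from any other source is reported, which is the diary's point that a listed port is not necessarily bad.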

I welcome any and all thoughts, comments, questions, queries, concerns, etc.  I will post updates to this story as comments come in to the ISC.

tony d0t carothers @ isc d0t sans d0t org


ISC Handler
Oct 10th 2009
