The Internet Storm Center is focusing on IP ports for the month of October. I am going to continue the theme, but with a bit of a twist: a few of the ports that you usually do not want to see turn up in a traffic analysis. There are many more than I could list, the majority of them associated with malware. But not all of them. Here we go:
1214 - Limewire/Kazaa (A Peer-to-Peer application. Not by definition malware, but not something desirable in an enterprise)
2773 - SubSeven (Trojan)
5631 - pcAnywhere (A commercial remote control application)
1863 - Numerous Microsoft applications
I want to emphasize that the ports listed here are not necessarily bad. The point is awareness. Knowing and managing which ports are required and permitted, in the enterprise and at home, will lead to an overall improvement in the security posture of a network. This is where syslogs, traffic analysis, and documentation tie everything together.
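As an added example (not part of this diary), here is a small Python audit that ties syslog, traffic analysis and documentation together the way the paragraph above describes: it reads constructed iptables-style syslog lines, ignores traffic to a documented set of permitted ports, and labels everything else using the port list from this diary. The `PERMITTED` set, the source addresses and the log format are all assumptions constructed for the example, standing in for a site's own documentation and firewall logs.

```python
import re
from collections import Counter

# Ports the diary calls out, with the diary's own descriptions.
WATCH_LIST = {
    1214: "Limewire/Kazaa (peer-to-peer)",
    2773: "SubSeven (trojan)",
    5631: "pcAnywhere (remote control)",
    1863: "Microsoft applications",
}
# Assumed: the documented set of destination ports this network permits.
PERMITTED = {53, 80, 443}
# Pulls SRC, DST and DPT out of an iptables-style LOG line (constructed format).
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, dst, dport) from a log line, or None if it has no DPT field."""
    m = LINE_RE.search(line)
    return (m.group("src"), m.group("dst"), int(m.group("dpt"))) if m else None

def audit(lines, permitted=PERMITTED, watch=WATCH_LIST):
    """Map (src, dport) -> (hit count, label) for every flow to a non-permitted port.

    Ports on the watch list get their label; any other unknown port is 'undocumented port'.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] not in permitted:
            counts[(parsed[0], parsed[2])] += 1
    return {key: (n, watch.get(key[1], "undocumented port")) for key, n in counts.items()}

# Constructed sample syslog lines (RFC 5737 documentation addresses as destinations).
SAMPLE_LOG = [
    "Oct  3 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40211 DPT=443",
    "Oct  3 10:01:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=40212 DPT=1214",
    "Oct  3 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=198.51.100.22 PROTO=TCP SPT=51000 DPT=2773",
    "Oct  3 10:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=40213 DPT=1214",
    "Oct  3 10:01:15 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.40 PROTO=TCP SPT=33000 DPT=6667",
]

if __name__ == "__main__":
    for (src, port), (n, label) in sorted(audit(SAMPLE_LOG).items()):
        print(f"{src} -> port {port}: {n} hit(s), {label}")
```

Anything reported as "undocumented port" is the part worth chasing: either the documentation is incomplete or the traffic should not be there.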
I welcome any and all thoughts, comments, questions, queries, concerns, etc. I will post updates to this story as comments come in to the ISC.
tony d0t carothers @ isc d0t sans d0t org