Snort mailing list archives
Re: [Emerging-Sigs] TCP/UDP "trivial" ports?
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 23 Apr 2013 19:56:33 +0000
More checking has shown that several varieties of smart phones (Android for sure) are using 13/tcp for time sync. Sigh. Maybe this should be left to classic firewall rules rather than IDS? But it'd be nice to have defense in depth. I regularly see blocked 7/udp (echo) requests from outside, several per day, but less than 1/hour.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Will Metcalf [mailto:wmetcalf () emergingthreatspro com]
Sent: Tuesday, April 23, 2013 13:45
To: Castle, Shane
Cc: Will Metcalf; emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?

Cheap check, but a large number of them as there is nothing to go into fast_pattern. The reason I said UDP is that TCP requires a TWH. I would be more worried about spoofed src's and targeted responses. Anybody seeing these? What sort of rates, i.e. what is a sane threshold value? We could always add and disable by default.

Regards,
Will

On Tue, Apr 23, 2013 at 2:38 PM, Castle, Shane <scastle () bouldercounty org> wrote:

To follow up, after some investigating (never assume) I see that I am not doing the job of blocking these that I thought I was doing. I even had to add some to the firewall's list of known ports. In general, it appears that ports 7, 9, 11, 13, 15, 17, 18, and 19 fall into this area (18 is actually message send protocol and is used in older Unix "message" commands). I suppose that it might be possible to create rules that are for each protocol or for the entire range (make it 1-19 maybe, both for TCP and for UDP). Why would this be expensive? No digging beyond the protocol headers need occur I'd think. Could a preprocessor be built instead, if it's expensive?

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf () gmail com]
Sent: Tuesday, April 23, 2013 13:29
To: Castle, Shane
Cc: emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?

UDP sig with threshold might be interesting... Will be expensive though. What do you guys think?

Regards,
Will

On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <scastle () bouldercounty org> wrote:

I see that using the chargen port for DDoS is happening: https://isc.sans.edu/diary/A+Chargen-based+DDoS+Chargen+is+still+a+thing+/15647

Now, I block all these both ways at my firewall (actually, on the outside, I think they are in a router ACL), but looking through the complete set of rules I don't see anything but one ("DOS UDP echo+chargen bomb", sid 271) that seems to address this port range of the TCP and UDP "trivial" (AKA "simple") ports. Has there ever been one? Should we have one?

--
Shane Castle
Data Security Mgr, Boulder County IT

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
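The by-source threshold that Will proposes for the "trivial" ports, emulated over constructed firewall-log lines so the rate question can be tried on real logs. This is an added example, not code from the thread or from either ruleset; the log format, the parse_line/threshold_alerts names and the 5-hit/60-second defaults are assumptions.

```python
import re
from collections import defaultdict, deque

# Small-service ("trivial") ports from the thread: echo, discard, systat, daytime, netstat, qotd, msp, chargen.
TRIVIAL_PORTS = {7, 9, 11, 13, 15, 17, 18, 19}
# Assumed (constructed) log format: "<epoch> <PROTO> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\d+) (TCP|UDP) ([\d.]+):\d+ -> [\d.]+:(\d+)$")

def parse_line(line):
    """Return (ts, proto, src, dport) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return None if m is None else (int(m[1]), m[2], m[3], int(m[4]))

def threshold_alerts(lines, count=5, seconds=60, proto="UDP"):
    """Approximate Snort's 'threshold type both, track by_src, count N, seconds S':
    alert when a source reaches N hits in a sliding S-second window, then stay
    quiet for that source for S seconds. Only `proto` traffic to TRIVIAL_PORTS
    counts (phones' 13/tcp daytime lookups never do with proto="UDP"); by_src
    trusts the source address, so spoofed packets are charged to the victim."""
    hits = defaultdict(deque)   # src -> timestamps still inside the window
    last_alert = {}             # src -> timestamp of that source's last alert
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, p, src, dport = rec
        if p != proto or dport not in TRIVIAL_PORTS:
            continue
        window = hits[src]
        window.append(ts)
        while ts - window[0] >= seconds:   # expire hits older than the window
            window.popleft()
        if len(window) >= count and ts - last_alert.get(src, -seconds) >= seconds:
            last_alert[src] = ts
            alerts.append((ts, src, dport, len(window)))
    return alerts

# Constructed sample: a chargen burst, one phone daytime lookup, two sparse echo probes.
SAMPLE_LOG = [
    "1000 UDP 203.0.113.5:53120 -> 192.0.2.10:19",
    "1002 UDP 203.0.113.5:53121 -> 192.0.2.10:19",
    "1004 UDP 203.0.113.5:53122 -> 192.0.2.11:19",
    "1005 TCP 198.51.100.7:40001 -> 192.0.2.10:13",  # phone time sync: not counted
    "1006 UDP 203.0.113.5:53123 -> 192.0.2.10:19",
    "1007 UDP 192.0.2.9:1234 -> 192.0.2.10:7",
    "1008 UDP 203.0.113.5:53124 -> 192.0.2.10:19",   # 5th hit within 60 s: alert
    "1009 UDP 203.0.113.5:53125 -> 192.0.2.10:19",   # suppressed after the alert
    "4000 UDP 192.0.2.9:1234 -> 192.0.2.10:7",       # echo probes too sparse
]
```

Running `threshold_alerts(SAMPLE_LOG)` yields one alert for 203.0.113.5 at 1008 and none for the sparse echo probes or the phone's 13/tcp lookup; lowering `count` and `seconds` shows how quickly the rule re-fires on a sustained burst.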
Current thread:
- TCP/UDP "trivial" ports? Castle, Shane (Apr 23)
- Re: [Emerging-Sigs] TCP/UDP "trivial" ports? Will Metcalf (Apr 23)
- Re: [Emerging-Sigs] TCP/UDP "trivial" ports? Castle, Shane (Apr 23)
- Re: [Emerging-Sigs] TCP/UDP "trivial" ports? Castle, Shane (Apr 23)
- Re: [Emerging-Sigs] TCP/UDP "trivial" ports? Joel Esler (Apr 23)
- Re: [Emerging-Sigs] TCP/UDP "trivial" ports? Castle, Shane (Apr 23)
- Re: [Emerging-Sigs] TCP/UDP "trivial" ports? Will Metcalf (Apr 23)