Snort mailing list archives

Re: [Emerging-Sigs] TCP/UDP "trivial" ports?


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 23 Apr 2013 19:56:33 +0000

More checking has shown that several varieties of smart phones (Android for sure) are using 13/tcp for time sync. Sigh.

Maybe this should be left to classic firewall rules rather than IDS? But it'd be nice to have defense in depth.

I regularly see blocked 7/udp (echo) requests from outside, several per day, but less than 1/hour.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Will Metcalf [mailto:wmetcalf () emergingthreatspro com] 
Sent: Tuesday, April 23, 2013 13:45
To: Castle, Shane
Cc: Will Metcalf; emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?

Cheap check, but a large number of them, as there is nothing to go into fast_pattern. The reason I said UDP is that TCP requires a TWH. I would be more worried about spoofed src's and targeted responses. Anybody seeing these? What sort of rates, i.e. what is a sane threshold value? We could always add and disable by default.

Regards,

Will


On Tue, Apr 23, 2013 at 2:38 PM, Castle, Shane <scastle () bouldercounty org> wrote:


        To follow up, after some investigating (never assume) I see that I am not doing the job of blocking these that I thought I was doing. I even had to add some to the firewall's list of known ports.
        
        In general, it appears that ports 7, 9, 11, 13, 15, 17, 18, and 19 fall into this area (18 is actually message send protocol and is used in older Unix "message" commands). I suppose that it might be possible to create rules that are for each protocol or for the entire range (make it 1-19 maybe, both for TCP and for UDP).
        
        Why would this be expensive? No digging beyond the protocol headers need occur I'd think. Could a preprocessor be built instead, if it's expensive?
        

        --
        Shane Castle
        Data Security Mgr, Boulder County IT
        
        
        
        -----Original Message-----
        From: Will Metcalf [mailto:william.metcalf () gmail com]
        Sent: Tuesday, April 23, 2013 13:29
        To: Castle, Shane
        Cc: emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
        Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?
        
        UDP sig with threshold might be interesting... Will be expensive though. What do you guys think?
        
        
        Regards,
        
        Will
        
        
        
        On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <scastle () bouldercounty org> wrote:
        
        
                I see that using the chargen port for DDoS is happening: https://isc.sans.edu/diary/A+Chargen-based+DDoS+Chargen+is+still+a+thing+/15647
        
                Now, I block all these both ways at my firewall (actually, on the outside, I think they are in a router ACL), but looking through the complete set of rules I don't see anything but one ("DOS UDP echo+chargen bomb", sid 271) that seems to address this port range of the TCP and UDP "trivial" (AKA "simple") ports. Has there ever been one? Should we have one?
        
                --
                Shane Castle
                Data Security Mgr, Boulder County IT
        
        
                _______________________________________________
                Emerging-sigs mailing list
                Emerging-sigs () lists emergingthreats net
                http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
        
                Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
                The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through 
Current!
        
        
        
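The thread asks two things a rule author has to settle before shipping a port-only UDP signature: what a sane `count`/`seconds` threshold is, and whether the "several per day" background probes Shane sees would trip it. The script below is an added example, not code from the thread, from Emerging Threats or from the Snort project. It emulates the `threshold: type both, track by_src, count N, seconds S` rule option over a constructed firewall deny log (the log format, addresses, sid and msg text are invented for the example), and reports per-source hourly rates so the threshold can be checked against a real baseline before the rule is enabled.

```python
"""Emulate an IDS per-source threshold for the TCP/UDP "trivial" ports
(7 echo, 9 discard, 11, 13 daytime, 15, 17 qotd, 18 msp, 19 chargen) over
firewall deny logs, to pick a sane count/seconds before writing the rule.
Added example; log format and all addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Ports the thread names as the "trivial"/"simple" services.
TRIVIAL_PORTS = {7, 9, 11, 13, 15, 17, 18, 19}

# The rule this emulates, as one would draft it for Suricata / Snort 2.
# Assumption: msg and sid are local placeholders, not an ET rule.
CANDIDATE_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET [7,9,11,13,15,17,18,19] '
    '(msg:"LOCAL POLICY UDP trivial-port request burst"; '
    'threshold:type both, track by_src, count 20, seconds 60; '
    'classtype:misc-activity; sid:1000001; rev:1;)'
)

# Invented syslog-like deny format; real firewall/router ACL logs differ,
# so adapt this regex rather than the logic.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed deny log: a 25-packet chargen burst from one source in
    under 30 s, three echo probes from another spread over the day, an
    Android-style 13/tcp daytime sync that must not count as UDP abuse,
    and one non-trivial-port line that must be ignored."""
    lines = [
        f"2013-04-23T13:00:{i + 5:02d}Z DENY udp 198.51.100.7:{40000 + i} -> 203.0.113.10:19"
        for i in range(25)
    ]
    lines += [
        "2013-04-23T09:12:44Z DENY udp 192.0.2.44:51000 -> 203.0.113.10:7",
        "2013-04-23T14:03:10Z DENY udp 192.0.2.44:51001 -> 203.0.113.10:7",
        "2013-04-23T18:47:02Z DENY udp 192.0.2.44:51002 -> 203.0.113.10:7",
        "2013-04-23T13:00:07Z DENY tcp 10.20.30.40:44123 -> 198.51.100.200:13",
        "2013-04-23T13:00:09Z DENY udp 198.51.100.7:40100 -> 203.0.113.10:53",
    ]
    return lines


def parse_line(line):
    """Parse one deny line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def trivial_port_events(lines, proto="udp"):
    """Keep parsed events of the given protocol aimed at a trivial port, time-ordered."""
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == proto and e["dport"] in TRIVIAL_PORTS]
    return sorted(events, key=lambda e: e["ts"])


def threshold_both(events, count, seconds, track="src"):
    """Emulate `threshold: type both, track by_<key>, count N, seconds S`:
    the window opens at the first event for a key, one alert fires once
    `count` events are seen in it, and further events in that window are
    suppressed. Returns a list of (key, alert_time)."""
    state = {}  # key -> [window_start, hits_in_window, already_alerted]
    alerts = []
    for e in events:
        key = e[track]
        st = state.get(key)
        if st is None or (e["ts"] - st[0]).total_seconds() >= seconds:
            st = state[key] = [e["ts"], 0, False]
        st[1] += 1
        if st[1] >= count and not st[2]:
            st[2] = True
            alerts.append((key, e["ts"]))
    return alerts


def hourly_rates(events, track="src"):
    """Hits per hour per key over the span that key was seen (minimum span
    one hour), to compare a candidate threshold against background noise."""
    first, last, hits = {}, {}, defaultdict(int)
    for e in events:
        k = e[track]
        hits[k] += 1
        first.setdefault(k, e["ts"])
        last[k] = e["ts"]
    return {k: hits[k] / max((last[k] - first[k]).total_seconds() / 3600, 1.0)
            for k in hits}


if __name__ == "__main__":
    udp = trivial_port_events(build_sample_log())
    for src, rate in sorted(hourly_rates(udp).items()):
        print(f"{src}: {rate:.2f} trivial-port UDP hits/hour")
    for key, when in threshold_both(udp, count=20, seconds=60):
        print(f"ALERT track by_src {key} at {when.isoformat()}")
```

With `count 20, seconds 60` only the chargen burst alerts; the source probing 7/udp three times a day stays well under one hit per hour and never reaches the count, which matches the "several per day, less than 1/hour" observation above. Since the rule carries no content match there is nothing for `fast_pattern`, so the port list does all the filtering; keeping it to UDP sidesteps the phones doing 13/tcp daytime sync. Snort 2.8.5 and later deprecate the in-rule `threshold` keyword in favour of `detection_filter` (with `event_filter` for suppression); Suricata still accepts `threshold` as written in the candidate rule.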



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

