Firewall Wizards mailing list archives

Re: Port Cheat Sheet


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 24 May 1999 19:10:31 -0400 (EDT)

On Mon, 24 May 1999, Joseph S D Yao wrote:
Seriously, the first place I always look is /etc/services on some J Q
Random Unix [or derivative] system.  The DEC one used to be very good.
The Linux one seems to be good; probably *BSDs' are, as well.  Some
companies seem to trim it a bit to mostly include the Well Known ports
and their proprietary ports, though ...

/etc/services is not usually that helpful if you're sitting on a network
and watching traffic run by in an attempt to track down a problem or
intrusion. It would be helpful, for example, to be able to figure out
what could be potentially passing traffic on given ports. Let's say I
witness a ton of traffic being passed on port 35767. Well it would be
helpful to know that XXXX application or trojan horse uses that port in a
default configuration. I don't think that you want to have that kind of
information sitting around in /etc/services, but it would be helpful if
security thugs and administrators around the world had a place to tagline
ports and say things like "Hey. I've noticed XXXX trend recently."

Oh, agreed.  Fortunately, 99% of the queries I have are of the form, "I
just installed a network security program and noticed a TCP connection
on port {80,25,210,143,110,136-139,etc}, and I was wondering whether
you knew of any programs that used those ports."  ;-}

I keep the other information elsewhere.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.
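
The lookup discussed in this thread, as an added example that is not part of the original message: it parses text in /etc/services format and splits observed ports into those the file names and those it does not list, such as the 35767 case raised above. The sample table, function names and observed list are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed excerpt in /etc/services format: name port/proto [aliases] [# comment]
SAMPLE_SERVICES = """\
# constructed sample, not copied from any particular system
smtp            25/tcp          mail
http            80/tcp          www www-http    # WorldWideWeb HTTP
pop3            110/tcp         pop-3
netbios-ns      137/udp
netbios-ssn     139/tcp
imap            143/tcp         imap2
z39.50          210/tcp         wais
malformed line without port
"""

Entry = namedtuple("Entry", "name aliases")

def parse_services(text):
    """Return {(port, proto): Entry} parsed from services-format text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2:
            continue                             # blank or comment-only line
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1])
        if not m or not 0 < int(m.group(1)) <= 65535:
            continue                             # malformed port/proto field
        key = (int(m.group(1)), m.group(2).lower())
        table.setdefault(key, Entry(fields[0], tuple(fields[2:])))  # first wins
    return table

def label_ports(observed, table):
    """Split observed (port, proto) pairs into named and unlisted ones."""
    named, unlisted = {}, set()
    for key in observed:
        if key in table:
            named[key] = table[key].name
        else:
            unlisted.add(key)   # needs a separate reference, as the thread notes
    return named, sorted(unlisted)

if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    # Constructed observations; 35767 is the port used as an example above.
    seen = [(80, "tcp"), (25, "tcp"), (210, "tcp"), (35767, "tcp")]
    named, unlisted = label_ports(seen, table)
    for key, name in sorted(named.items()):
        print("%d/%s\t%s" % (key[0], key[1], name))
    print("not in services table:", unlisted)
```

On a real host, pass the contents of /etc/services to `parse_services` instead of the constructed sample.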


