Snort mailing list archives

Re: Port agnostic application layer protocol identification and parsing


From: Bennett Todd <bet () rahul net>
Date: Fri, 18 Nov 2011 12:07:45 -0500

Treat the port number as the first, simplest gating criterion. If you don't
want people talking http to ephemeral port numbers, don't allow outbound
tcp to those numbers. Allow connections only to ports reserved for
protocols you approve, and either proxy the traffic, or do very
protocol-aware analysis of the traffic you're allowing.

My favourite example of this is DNS. People can tunnel anything over DNS.
That just means you don't allow arbitrary DNS traffic across your firewall,
instead you operate a recursive resolver as an integral part of your
security perimeter.

Similarly, rather than worrying about detecting http to unexpected ports,
only allow access to it through a protocol-aware http proxy.

It is undoubtedly informative to, e.g., recognize that a port you've
approved for some other protocol is actually carrying http. It's a popular
building block. But if the sniffer has performance problems, its role needs
to be partitioned from protocol-specific and -aware forwarding or analysis.

It's the work of a moment to devise a masquerade encapsulation for any
traffic to deceive monitoring; so for peace of mind, if you want to block
any such attempt, you start with a default-closed security stance, then
watch for anomalies in the volume or dispersion of the traffic you do
permit.
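The closing advice above, allow only the traffic you approve and then watch the volume and dispersion of what you do permit, applied to the DNS case the message uses, as an added example that is not part of the original post or of Snort: a small Python checker run over constructed resolver query log lines. It flags clients whose query count in a time bucket exceeds a limit (volume) and zones whose leftmost labels are both numerous and high-entropy (dispersion, the footprint of data carried in query names). The log format, the two-label zone split, and every threshold are assumptions made here, not settings of any real resolver.

```python
"""Volume and dispersion anomaly check over DNS resolver query logs.

Added example for illustration; log format, zone split and thresholds are
constructed assumptions, not from any specific resolver or product.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.7 issues many TXT queries with random-looking leftmost labels,
# the shape a name-based tunnel leaves in a recursive resolver's log.
SAMPLE_LOG = """\
1321630000 10.0.0.5 www.example.com A
1321630001 10.0.0.5 mail.example.com MX
1321630002 10.0.0.7 a3f9c2e1b7d4.tunnel-example.net TXT
1321630002 10.0.0.7 9e1d77ab0c53.tunnel-example.net TXT
1321630003 10.0.0.7 4b2c8f0e6a19.tunnel-example.net TXT
1321630003 10.0.0.7 d0e5a1c7f8b2.tunnel-example.net TXT
1321630004 10.0.0.7 71c3e9b4a6d8.tunnel-example.net TXT
1321630004 10.0.0.7 c8a2f5d1e3b9.tunnel-example.net TXT
1321630005 10.0.0.9 www.example.org A
1321630006 10.0.0.5 cdn.example.com A
"""


def parse_log(text):
    """Parse the constructed '<epoch> <client> <qname> <qtype>' format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname):
    """Return (leftmost_labels, zone), treating the last two labels as the zone.
    Assumption for the example: a deployment would use the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def volume_alerts(records, window_seconds=60, max_queries=5):
    """Clients exceeding max_queries in any window_seconds bucket.
    Returns {client: peak_count}; thresholds are assumed values."""
    per_bucket = Counter((r["client"], r["ts"] // window_seconds)
                         for r in records)
    alerts = {}
    for (client, _bucket), count in per_bucket.items():
        if count > max_queries:
            alerts[client] = max(alerts.get(client, 0), count)
    return alerts


def dispersion_alerts(records, min_distinct=5, min_entropy=3.0):
    """Zones with at least min_distinct distinct leftmost labels whose mean
    per-label entropy is at least min_entropy bits per character."""
    labels_by_zone = defaultdict(set)
    for r in records:
        left, zone = split_zone(r["qname"])
        if left:
            labels_by_zone[zone].add(left)
    alerts = {}
    for zone, labels in labels_by_zone.items():
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(labels) >= min_distinct and mean_entropy >= min_entropy:
            alerts[zone] = {"distinct_labels": len(labels),
                            "mean_entropy": round(mean_entropy, 2)}
    return alerts


def analyze(text):
    """Run both checks over a log text and return the combined findings."""
    records = parse_log(text)
    return {"volume": volume_alerts(records),
            "dispersion": dispersion_alerts(records)}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

Both checks only make sense behind a default-closed policy: once all outbound DNS is forced through your own resolver, its log is a complete record, and the baseline for "normal" volume and label dispersion can be measured from it rather than guessed.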
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
