Snort mailing list archives
Re: Port agnostic application layer protocol identification and parsing
From: Bennett Todd <bet () rahul net>
Date: Fri, 18 Nov 2011 12:07:45 -0500
Treat the port number as the first, simplest gating criterion. If you don't want people talking http to ephemeral port numbers, don't allow outbound tcp to those numbers. Allow connections only to ports reserved for protocols you approve, and either proxy the traffic, or do very protocol-aware analysis of the traffic you're allowing.

My favourite example of this is DNS. People can tunnel anything over DNS. That just means you don't allow arbitrary DNS traffic across your firewall; instead you operate a recursive resolver as an integral part of your security perimeter. Similarly, rather than worrying about detecting http to unexpected ports, only allow access to it through a protocol-aware http proxy.

It is undoubtedly informative to, e.g., recognize that a port you've approved for some other protocol is actually carrying http. It's a popular building block. But if the sniffer has performance problems its role needs to be partitioned from protocol-specific and -aware forwarding or analysis.

It's the work of a moment to devise a masquerade encapsulation for any traffic to deceive monitoring; so for peace of mind, if you want to block any such attempt, you start with a default-closed security stance, then watch for anomalies in the volume or dispersion of the traffic you do permit.
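The last paragraph above recommends watching the volume and dispersion of the traffic a default-closed perimeter still permits, using the perimeter's own recursive resolver as the place where DNS can be seen. The following is an added example of that check, written for this page and not code from Bennett Todd's message or from the Snort project. It assumes a hypothetical resolver query log with one line per query in the form `<epoch> <client-ip> <qname> <qtype>`, treats the last two labels of a name as the registered domain (a simplification; a real deployment would consult the public suffix list), and runs over a constructed sample in which one client sends many queries for one name (a volume outlier) and another never repeats a subdomain (the dispersion pattern a DNS tunnel produces).

```python
"""Volume and dispersion check over a recursive resolver's query log.

Added example for this thread, not from the original mail or from Snort.
The log format and thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample log (not from any real deployment). Assumed format:
# "<epoch> <client-ip> <qname> <qtype>", one query per line.
SAMPLE_LOG = "\n".join(
    [
        "1321632000 10.0.0.5 www.example.com A",
        "1321632001 10.0.0.5 mail.example.com MX",
        "1321632002 10.0.0.5 cdn.example.net A",
        "1321632005 10.0.0.5 www.example.com A",
    ]
    # Ten queries whose leftmost label never repeats: high dispersion.
    + [
        f"13216321{i:02d} 10.0.0.9 {i * 2654435761 % 2**32:08x}.t.example.org TXT"
        for i in range(10)
    ]
    # Forty queries for a single name: plain volume outlier.
    + [f"13216322{i:02d} 10.0.0.7 time.example.net A" for i in range(40)]
)


def parse_log(text):
    """Parse log text into (epoch, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return records


def registered_domain(qname, suffix_labels=2):
    """Assumption: the registered domain is the last two labels of the name."""
    labels = qname.split(".")
    return ".".join(labels[-suffix_labels:])


def summarize(records):
    """Per client: total queries, queries per registered domain, and the
    set of distinct names seen under each registered domain."""
    totals = Counter()
    per_domain = Counter()
    distinct = defaultdict(lambda: defaultdict(set))
    for _ts, client, qname, _qtype in records:
        domain = registered_domain(qname)
        totals[client] += 1
        per_domain[(client, domain)] += 1
        distinct[client][domain].add(qname)
    return totals, per_domain, distinct


def flag_anomalies(records, max_queries=25, min_distinct=8, distinct_ratio=0.9):
    """Return (client, kind, detail) findings.

    'volume': a client exceeded max_queries in the window covered by the log.
    'dispersion': under one registered domain a client asked for at least
    min_distinct different names and almost never repeated one, which is what
    encoding data into subdomains looks like to the resolver.
    Thresholds are illustrative assumptions; tune them to the observed baseline.
    """
    totals, per_domain, distinct = summarize(records)
    findings = []
    for client, total in sorted(totals.items()):
        if total > max_queries:
            findings.append((client, "volume", f"{total} queries > {max_queries}"))
        for domain, names in sorted(distinct[client].items()):
            n = per_domain[(client, domain)]
            if len(names) >= min_distinct and len(names) / n >= distinct_ratio:
                findings.append(
                    (client, "dispersion",
                     f"{len(names)} distinct names in {n} queries under {domain}")
                )
    return findings


if __name__ == "__main__":
    for client, kind, detail in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{client:12} {kind:11} {detail}")
```

The two metrics are deliberately separate: a busy but legitimate client trips only the volume check and is explained by its baseline, while a tunnel can keep its query rate low and still stand out on dispersion because every query must carry a fresh label. In practice the log window would be a sliding interval rather than a whole file, and the thresholds would come from the per-client baseline the resolver already lets you measure.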
Current thread:
- Port agnostic application layer protocol identification and parsing Miso Patel (Nov 18)
- Re: Port agnostic application layer protocol identification and parsing Bennett Todd (Nov 18)