[Snort-devel] a doozie of a metaphysical question

Martin Roesch roesch at ...402...
Wed Jun 13 00:00:08 EDT 2001

You're hosed.  You have to guess or do progressive decomposition of the
protocols and see which one makes more sense.  Goodbye fast decoding.
Luckily, for the most part the destination port can be considered to be
the application for the sake of fast decoding (how many times has anyone
seen a web server running on port 23 after all) and if that turns out to
be incorrect, then you can attempt to decode it another way (or just do
a straight content check on the application layer).

This is the sort of thing where it's really handy to have a portscanner
capable of doing application identification and communicating it into a
common storage format, but then you have to build a target-based engine
due to locality issues with which hosts on the network are running which
services on non-standard ports.

For the sake of sanity and timeliness (unless you want to write an
application identifier/vulnerability scanner/target-based IDS) it's best
to assume that the destination port is the protocol.


tlewis at ...255... wrote:
> If you see a UDP packet with a source port of 123 (NTP) and a destination
> port of 53 (DNS), then what protocol should you assume is used in that
> packet?  If one were elbow-deep in building a next-generation intrusion
> detection system with automatic protocol decomposition, then this sort
> of question could be very important to one's quest...
> --
> Todd Lewis
> tlewis at ...255...
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
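The decision procedure Marty describes above, as an added example that is not part of the thread and not Snort code: consult a target-based table if one exists, otherwise assume the destination port is the protocol, and only when that decoder rejects the payload fall back to progressive decomposition (try every decoder, keep the one whose parse makes the most sense) or, failing that, a plain content check. The two plausibility scorers (DNS per RFC 1035, NTP per RFC 5905), the 0.6 threshold, the port table and the sample payloads are all my own assumptions and constructions, not captured traffic.

```python
"""
Added example (not Snort code): pick an application-layer decoder for a UDP
datagram.  Policy, following the thread: target table first, then the
destination-port rule, then progressive decomposition, then content check.
"""
import struct

PLAUSIBLE = 0.6                      # assumption: score >= this counts as a sane parse
PORT_TO_PROTO = {53: "dns", 123: "ntp"}   # assumption: the only decoders we have


def dns_plausibility(payload: bytes) -> float:
    """Score 0..1 for 'this parses as a DNS message' (RFC 1035 header + QNAME)."""
    if len(payload) < 12:
        return 0.0
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    score = 0.0
    if (flags >> 11) & 0xF in (0, 1, 2):      # OPCODE: QUERY, IQUERY, STATUS
        score += 0.2
    if flags & 0x0070 == 0:                   # Z bits are reserved and must be zero
        score += 0.2
    if 1 <= qd <= 8 and an + ns + ar <= 64:   # sane section counts
        score += 0.2
    if qd == 0:
        return score
    # Walk the first QNAME: labels of <= 63 printable bytes ending in a 0 byte
    # (or a compression pointer), followed by QTYPE/QCLASS.
    off = 12
    while off < len(payload):
        length = payload[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:                     # compression pointer ends the name
            off += 2
            break
        if length > 63 or off + 1 + length > len(payload):
            return score
        if not all(32 <= b < 127 for b in payload[off + 1:off + 1 + length]):
            return score
        off += 1 + length
    else:
        return score                          # ran off the end, no terminator
    if off + 4 <= len(payload):
        _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        if qclass in (1, 3, 4, 254, 255):     # IN, CH, HS, NONE, ANY
            score += 0.4
    return score


def ntp_plausibility(payload: bytes) -> float:
    """Score 0..1 for 'this parses as an NTP packet' (RFC 5905 48-byte header)."""
    if len(payload) < 48:
        return 0.0
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    stratum = payload[1]
    (xmt_seconds,) = struct.unpack("!I", payload[40:44])   # transmit timestamp
    score = 0.0
    if 1 <= version <= 4:
        score += 0.3
    if 1 <= mode <= 7:                        # mode 0 is reserved
        score += 0.3
    if stratum <= 16:
        score += 0.2
    if xmt_seconds != 0:                      # a real packet carries a transmit time
        score += 0.2
    return score


SCORERS = {"dns": dns_plausibility, "ntp": ntp_plausibility}


def pick_decoder(src_port, dst_port, payload, dst_host=None, target_table=None):
    """Return (protocol, how); how is 'target', 'port', 'decomposition' or 'content'.

    src_port is deliberately ignored: the thread's point is that it tells you
    nothing reliable about the application layer.
    """
    target_table = target_table or {}         # {(host, port): proto}, from a scanner
    if (dst_host, dst_port) in target_table:
        guess, how = target_table[(dst_host, dst_port)], "target"
    else:
        guess, how = PORT_TO_PROTO.get(dst_port), "port"
    if guess in SCORERS and SCORERS[guess](payload) >= PLAUSIBLE:
        return guess, how                     # fast path: the port told the truth
    # Fast path failed: progressive decomposition, try every decoder we have.
    best_score, best = max((SCORERS[p](payload), p) for p in SCORERS)
    if best_score >= PLAUSIBLE:
        return best, "decomposition"
    return "unknown", "content"               # leave it to a plain content match


# Constructed sample payloads (not captured traffic).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id, RD set, QD=1
             b"\x07example\x03com\x00\x00\x01\x00\x01")             # example.com A IN
NTP_CLIENT = bytes([0x23]) + bytes(39) + struct.pack("!II", 0xE5000000, 0)  # LI=0 VN=4 mode=3

if __name__ == "__main__":
    print(pick_decoder(123, 53, DNS_QUERY))      # Todd's case: port rule says DNS, decoder agrees
    print(pick_decoder(123, 53, NTP_CLIENT))     # same ports, really NTP: decomposition wins
    print(pick_decoder(40000, 5353, DNS_QUERY, "10.0.0.5", {("10.0.0.5", 5353): "dns"}))
    print(pick_decoder(40000, 9999, b"GET / HTTP/1.0\r\n\r\n"))   # nothing we decode
```

The scorers are deliberately cheap header sanity checks, which is the cost trade-off the thread is about: the destination-port guess is verified with one parse, and the full try-everything pass only runs when that parse fails.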
