[Snort-sigs] Port agnostic application layer protocol identification and parsing

Bennett Todd bet at ...654...
Fri Nov 18 12:07:45 EST 2011


Treat the port number as the first, simplest gating criterion. If you don't
want people talking http to ephemeral port numbers, don't allow outbound
tcp to those numbers. Allow connections only to ports reserved for
protocols you approve, and either proxy the traffic, or do very
protocol-aware analysis of the traffic you're allowing.

My favourite example of this is DNS. People can tunnel anything over DNS.
That just means you don't allow arbitrary DNS traffic across your firewall;
instead you operate a recursive resolver as an integral part of your
security perimeter.

Similarly, rather than worrying about detecting http to unexpected ports,
only allow access to it through a protocol-aware http proxy.

It is undoubtedly informative to, e.g., recognize that a port you've
approved for some other protocol is actually carrying http. It's a popular
building block. But if the sniffer has performance problems its role needs
to be partitioned from protocol-specific and -aware forwarding or analysis.

It's the work of a moment to devise a masquerade encapsulation for any
traffic to deceive monitoring; so for peace of mind, if you want to block
any such attempt, you start with a default-closed security stance, then
watch for anomalies in the volume or dispersion of the traffic you do
permit.
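The closing advice, running a recursive resolver at the perimeter and then watching the permitted traffic for anomalies in volume or dispersion, as an added example in Python that is not part of Bennett Todd's message. The log format (one query per line: epoch, client address, query name, query type), the sample lines, the "last two labels" approximation of a parent domain and all thresholds are assumptions made for the example; a real deployment would take the format from its own resolver and tune thresholds from a baseline.

```python
"""
Added example (not from the original post): a small volume-and-dispersion
check over recursive-resolver query logs.

Assumed log format, one query per line:
    <epoch> <client_ip> <qname> <qtype>
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)

# Constructed sample: one ordinary client (10.0.0.5) and one client (10.0.0.9)
# that sends many distinct, high-entropy labels under a single parent domain,
# which is the shape an encapsulation over DNS tends to leave in the logs.
SAMPLE_LOG = """\
1321635000 10.0.0.5 www.example.com A
1321635001 10.0.0.5 mail.example.com MX
1321635002 10.0.0.5 www.example.com A
1321635003 10.0.0.5 cdn.example.net A
1321635010 10.0.0.9 4f7a9c1e2b3d.x.tunnel.example A
1321635011 10.0.0.9 9e8d7c6b5a4f.x.tunnel.example A
1321635012 10.0.0.9 0a1b2c3d4e5f.x.tunnel.example A
1321635013 10.0.0.9 6a7b8c9d0e1f.x.tunnel.example TXT
1321635014 10.0.0.9 c0ffee1234ab.x.tunnel.example TXT
1321635015 10.0.0.9 deadbeef0001.x.tunnel.example TXT
"""


def parse_line(line):
    """Parse one resolver log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def label_entropy(label):
    """Shannon entropy of a label in bits per character (0.0 for empty input)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Approximate the zone a name hangs under as its last two labels.
    This is an assumption for the example; production code would consult a
    public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarize(lines):
    """Aggregate per client and per parent domain: query count, distinct
    names seen, and the summed entropy of the leftmost label."""
    def new_parent():
        return {"queries": 0, "names": set(), "entropy_sum": 0.0}

    def new_client():
        return {"total": 0, "parents": defaultdict(new_parent)}

    stats = defaultdict(new_client)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate blank or malformed lines
        cs = stats[rec["client"]]
        cs["total"] += 1
        ps = cs["parents"][parent_domain(rec["qname"])]
        ps["queries"] += 1
        ps["names"].add(rec["qname"])
        ps["entropy_sum"] += label_entropy(rec["qname"].split(".")[0])
    return stats


def flag_anomalies(stats, max_queries=500, min_queries=5,
                   min_unique_ratio=0.8, min_entropy=3.0):
    """Two checks: raw volume per client, and dispersion per parent domain
    (mostly-unique names with high-entropy leftmost labels). Thresholds are
    example values, not a recommendation."""
    findings = []
    for client, cs in sorted(stats.items()):
        if cs["total"] > max_queries:
            findings.append({"client": client, "parent": None,
                             "reason": "volume", "queries": cs["total"]})
        for parent, ps in sorted(cs["parents"].items()):
            if ps["queries"] < min_queries:
                continue  # too few queries to judge dispersion
            unique_ratio = len(ps["names"]) / ps["queries"]
            mean_entropy = ps["entropy_sum"] / ps["queries"]
            if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
                findings.append({"client": client, "parent": parent,
                                 "reason": "dispersion",
                                 "queries": ps["queries"],
                                 "unique_ratio": round(unique_ratio, 2),
                                 "mean_entropy": round(mean_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(summarize(SAMPLE_LOG.splitlines())):
        print(finding)
```

Run as-is it reports only the dispersion finding for 10.0.0.9 under tunnel.example; lowering `max_queries` to 5 adds a volume finding for the same client. The point of keeping the two checks separate is the one the post makes: volume alone misses a low-rate encapsulation, while the dispersion check needs enough queries to a single parent before it says anything, so both run over the same per-client aggregate.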