[Snort-sigs] [Emerging-Sigs] TCP/UDP "trivial" ports?

Castle, Shane scastle at ...3555...
Tue Apr 23 15:38:45 EDT 2013

To follow up, after some investigating (never assume) I see that I am not doing the job of blocking these that I thought I was doing. I even had to add some to the firewall's list of known ports.

In general, it appears that ports 7, 9, 11, 13, 15, 17, 18, and 19 fall into this area (18 is actually message send protocol and is used in older Unix "message" commands). I suppose that it might be possible to create rules that are for each protocol or for the entire range (make it 1-19 maybe, both for TCP and for UDP).

Why would this be expensive? No digging beyond the protocol headers needs to occur, I'd think. Could a preprocessor be built instead, if it's expensive?

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf at ...2420...] 
Sent: Tuesday, April 23, 2013 13:29
To: Castle, Shane
Cc: emerging-sigs at ...3694...; snort-sigs at lists.sourceforge.net
Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?

UDP sig with threshold might be interesting... Will be expensive though. What do you guys think?



On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <scastle at ...3555...> wrote:

	I see that using the chargen port for DDoS is happening: https://isc.sans.edu/diary/A+Chargen-based+DDoS+Chargen+is+still+a+thing+/15647
	Now, I block all these both ways at my firewall (actually, on the outside, I think they are in a router ACL), but looking through the complete set of rules I don't see anything but one ("DOS UDP echo+chargen bomb",sid 271) that seems to address this port range of the TCP and UDP "trivial" (AKA "simple") ports. Has there ever been one? Should we have one?
	Shane Castle
	Data Security Mgr, Boulder County IT
	Emerging-sigs mailing list
	Emerging-sigs at ...3694...
	Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
	The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
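The following is an added example, not code from either poster or from the Emerging Threats or Snort rulesets: it models what the "UDP sig with threshold" discussed above would actually have to do for the trivial ports, and why it need not be expensive. It inspects only the IP/UDP header fields (source, destination, ports) and keeps one deque of recent timestamps per tracked address, which is all a rule of the shape `alert udp $EXTERNAL_NET any -> $HOME_NET 19 (msg:"..."; detection_filter: track by_src, count 100, seconds 60; ...)` needs. It covers both sides of a chargen/echo reflection: inbound requests to one of your trivial services tracked by source (your host abused as reflector; the "source" is usually the spoofed victim), and inbound replies from port 19/7 of many hosts tracked by destination (your host as victim). The `$HOME_NET` prefix, the record format and every packet record are constructed sample data.

```python
"""Sliding-window threshold detection for traffic to/from the TCP/UDP
"trivial" (simple) services, ports 1-19.  Added example; constructed data."""
from collections import defaultdict, deque

# Well-known simple services (echo, discard, systat, daytime, netstat, qotd,
# msp, chargen).  Ports 1-6, 8, 10, 12, 14, 16 are unassigned or obsolete.
TRIVIAL_PORTS = {7: "echo", 9: "discard", 11: "systat", 13: "daytime",
                 15: "netstat", 17: "qotd", 18: "msp", 19: "chargen"}
HOME_NET_PREFIX = "10.0.0."          # hypothetical stand-in for $HOME_NET


def in_home_net(ip):
    return ip.startswith(HOME_NET_PREFIX)


class RateTracker:
    """Equivalent of 'detection_filter: track by_src|by_dst, count N, seconds S'.

    observe() returns True on the packet that brings `key` to exactly N matching
    packets within the last S seconds; older timestamps are expired as the
    window slides.  State per key is one deque of floats, nothing else."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)        # key -> timestamps in window

    def observe(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # drop packets outside the window
            q.popleft()
        return len(q) == self.count


def parse_record(line):
    """Parse a constructed 'ts proto src sport dst dport' header-only record."""
    ts, proto, src, sport, dst, dport = line.split()
    return {"ts": float(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def detect(lines, count=100, seconds=60):
    """Return alerts for both roles in a chargen/echo reflection attack."""
    abuse = RateTracker(count, seconds)     # our host used as the reflector
    flood = RateTracker(count, seconds)     # our host is the victim
    alerts = []
    for rec in map(parse_record, lines):
        if (rec["proto"] != "udp" or not in_home_net(rec["dst"])
                or in_home_net(rec["src"])):
            continue
        # Many inbound requests to one of our trivial services from one
        # "source": track by_src (that source is likely the spoofed victim).
        if rec["dport"] in TRIVIAL_PORTS and abuse.observe(rec["src"], rec["ts"]):
            alerts.append(("reflector-abuse", TRIVIAL_PORTS[rec["dport"]],
                           rec["src"], rec["dst"]))
        # Many inbound replies sourced from trivial ports of many hosts toward
        # one of ours: track by_dst, since the reflectors are all different.
        if rec["sport"] in TRIVIAL_PORTS and flood.observe(rec["dst"], rec["ts"]):
            alerts.append(("reflected-flood", TRIVIAL_PORTS[rec["sport"]],
                           rec["src"], rec["dst"]))
    return alerts


def sample_records():
    """Constructed traffic: 3 legitimate daytime queries to 10.0.0.5, 120
    spoofed chargen requests hitting 10.0.0.5 within 6 s, and 150 chargen
    replies from 150 distinct hosts hitting 10.0.0.9 within 15 s."""
    lines = [f"{1.0 + i} udp 192.0.2.10 {40000 + i} 10.0.0.5 13" for i in range(3)]
    lines += [f"{10 + i * 0.05:.2f} udp 198.51.100.7 {20000 + i} 10.0.0.5 19"
              for i in range(120)]
    lines += [f"{30 + i * 0.1:.1f} udp 203.0.113.{i} 19 10.0.0.9 {40000 + i}"
              for i in range(150)]
    return lines


if __name__ == "__main__":
    for kind, service, src, dst in detect(sample_records()):
        print(f"{kind}: {service} traffic {src} -> {dst}")
```

With the defaults (100 packets in 60 s) the constructed data produces exactly one alert per role and none for the three daytime queries; raising `count` to 1000 silences both. The cost Will worried about is the per-key state, which is why the constants matter: a by_src tracker on a rule for the whole 1-19 range during a real flood holds one entry per spoofed source, so either pair the rule with a short window or restrict it to the ports actually reachable through the firewall.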

More information about the Snort-sigs mailing list