[Snort-sigs] [Emerging-Sigs] TCP/UDP "trivial" ports?

Castle, Shane scastle at ...3555...
Tue Apr 23 15:56:33 EDT 2013


More checking has shown that several varieties of smart phones (Android for sure) are using 13/tcp for time sync. Sigh.

Maybe this should be left to classic firewall rules rather than IDS? But it'd be nice to have defense in depth.

I regularly see blocked 7/udp (echo) requests from outside, several per day, but less than 1/hour.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Will Metcalf [mailto:wmetcalf at ...3525...] 
Sent: Tuesday, April 23, 2013 13:45
To: Castle, Shane
Cc: Will Metcalf; emerging-sigs at ...3694...; snort-sigs at lists.sourceforge.net
Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?

Cheap check, but a large number of them, as there is nothing to go into fast_pattern. The reason I said UDP is that TCP requires a TWH. I would be more worried about spoofed src's and targeted responses. Anybody seeing these? What sort of rates, i.e. what is a sane threshold value? We could always add and disable by default.

Regards,

Will


On Tue, Apr 23, 2013 at 2:38 PM, Castle, Shane <scastle at ...3555...> wrote:


	To follow up, after some investigating (never assume) I see that I am not doing the job of blocking these that I thought I was doing. I even had to add some to the firewall's list of known ports.
	
	In general, it appears that ports 7, 9, 11, 13, 15, 17, 18, and 19 fall into this area (18 is actually message send protocol and is used in older Unix "message" commands). I suppose that it might be possible to create rules that are for each protocol or for the entire range (make it 1-19 maybe, both for TCP and for UDP).
	
	Why would this be expensive? No digging beyond the protocol headers need occur I'd think. Could a preprocessor be built instead, if it's expensive?
	

	--
	Shane Castle
	Data Security Mgr, Boulder County IT
	
	
	
	-----Original Message-----
	From: Will Metcalf [mailto:william.metcalf at ...2420...]
	Sent: Tuesday, April 23, 2013 13:29
	To: Castle, Shane
	Cc: emerging-sigs at ...3694...; snort-sigs at lists.sourceforge.net
	Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?
	
	UDP sig with threshold might be interesting... Will be expensive though. What do you guys think?
	
	
	Regards,
	
	Will
	
	
	
	On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <scastle at ...3555...> wrote:
	
	
	        I see that using the chargen port for DDoS is happening: https://isc.sans.edu/diary/A+Chargen-based+DDoS+Chargen+is+still+a+thing+/15647
	
	        Now, I block all these both ways at my firewall (actually, on the outside, I think they are in a router ACL), but looking through the complete set of rules I don't see anything but one ("DOS UDP echo+chargen bomb", sid 271) that seems to address this port range of the TCP and UDP "trivial" (AKA "simple") ports. Has there ever been one? Should we have one?
	
	        --
	        Shane Castle
	        Data Security Mgr, Boulder County IT
	
	
	        _______________________________________________
	        Emerging-sigs mailing list
	        Emerging-sigs at ...3694...
	        http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
	
	        Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
	        The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
	
	
	
	
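One way to answer the "what is a sane threshold value?" question raised in this thread is to baseline from the firewall deny logs Shane mentions before writing the rate-limited UDP signature. The Python below is an added example, not code from anyone in this thread: it parses a constructed deny-log sample (the log line format, the RFC 5737 addresses and the local sid numbers are all assumptions), computes the peak number of packets any one external source sent to ports 7/9/13/17/19 within a one-hour sliding window, and emits a Snort/Suricata rule with a detection_filter set to that count, so the rule stays quiet at the background level described (a few per day) and fires only on a burst such as a chargen amplification attempt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The UDP "small services" discussed in the thread. Port 18 (msp) is left out
# deliberately: the thread notes it is the message-send protocol, not a bomb target.
TRIVIAL_UDP_PORTS = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

# Constructed firewall deny-log sample. The line format is an assumption, not a
# real product's; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-04-23T13:00:01 DENY UDP 203.0.113.5:53211 -> 198.51.100.10:19
2013-04-23T13:00:03 DENY UDP 203.0.113.5:53212 -> 198.51.100.10:19
2013-04-23T13:02:10 DENY UDP 203.0.113.5:53213 -> 198.51.100.10:19
2013-04-23T13:04:44 DENY UDP 203.0.113.5:53214 -> 198.51.100.10:19
2013-04-23T13:05:00 DENY UDP 192.0.2.8:40001 -> 198.51.100.10:7
2013-04-23T13:06:59 DENY UDP 203.0.113.5:53215 -> 198.51.100.10:19
2013-04-23T13:07:30 DENY TCP 192.0.2.99:51000 -> 198.51.100.10:13
2013-04-23T13:09:12 DENY UDP 203.0.113.5:53216 -> 198.51.100.10:19
2013-04-23T13:10:00 DENY UDP 203.0.113.44:1024 -> 198.51.100.10:80
2013-04-23T17:30:00 DENY UDP 192.0.2.8:40002 -> 198.51.100.10:7
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one deny-log line; return None for malformed or non-UDP lines."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "DENY" or parts[2] != "UDP" or parts[4] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src_ip, _ = parts[3].rsplit(":", 1)
        dst_ip, dport = parts[5].rsplit(":", 1)
        return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dport)}
    except ValueError:
        return None


def small_service_events(log_text):
    """Keep only UDP packets aimed at the small-service ports."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e["dport"] in TRIVIAL_UDP_PORTS]


def peak_rate(events, window=timedelta(hours=1)):
    """Peak packet count from one source to one port within any sliding window.
    Returns {(src, dport): peak_count}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dport"])].append(e["ts"])
    peaks = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def offenders(log_text, threshold, window=timedelta(hours=1)):
    """Sources whose peak per-port rate reaches the threshold, sorted for stable output."""
    peaks = peak_rate(small_service_events(log_text), window)
    return sorted((src, port, n) for (src, port), n in peaks.items() if n >= threshold)


def snort_rule(dport, count, seconds, sid):
    """Emit a rate-limited UDP rule. detection_filter only lets the rule alert once
    the per-source count within `seconds` is reached, so background noise stays quiet.
    The sid is a placeholder in the local (1000000+) range."""
    name = TRIVIAL_UDP_PORTS[dport]
    return (f'alert udp $EXTERNAL_NET any -> $HOME_NET {dport} '
            f'(msg:"LOCAL UDP {name} port {dport} rate exceeded"; '
            f'detection_filter:track by_src, count {count}, seconds {seconds}; '
            f'classtype:attempted-dos; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    # Threshold of 5/hour is an assumption chosen to sit above the "less than
    # 1/hour" background rate reported in the thread.
    for src, port, n in offenders(SAMPLE_LOG, threshold=5):
        print(f"{src} -> udp/{port} ({TRIVIAL_UDP_PORTS[port]}): {n} packets in one hour")
        print(snort_rule(port, count=5, seconds=3600, sid=1000000 + port))
```

Run against real deny logs, the peak-rate table is what tells you whether a count of 5 per hour is sane for your site or whether it should be higher; the emitted rule uses detection_filter rather than threshold because detection_filter suppresses the alert entirely until the rate is hit, which is the "add and disable by default" behaviour asked for, only with a rate gate instead of a disable.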