Reputable knowledge base for TCP/UDP port lookup?

Started by LynK, May 18, 2016, 11:06:24 AM


LynK

Hey guys,

Working with our netflow here and trying to identify the root programs using associated unknown ports. Any recommendations besides blindly googling?
Sys Admin: "You have a stuck route"
Me: "You have an incorrect Default Gateway"
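Before asking whoever owns the box, it helps to know which side of each flow is actually the listener and how many hosts talk to it, so the question can be "what is listening on 10.0.2.9:8472?" rather than "what is port 52001?". The script below is an added example, not code from anyone in this thread: it reads a constructed NetFlow CSV export, infers the service side of each flow by distinct-peer count (ties go to the lower port), and lists only listeners whose port is absent from a small constructed table standing in for the IANA service-name registry.

```python
import csv, io
from collections import defaultdict

# Constructed stand-in for the IANA registry (a real run would load the full list).
KNOWN_PORTS = {22: "ssh", 53: "domain", 80: "http", 443: "https"}
# Constructed NetFlow export, CSV as a collector might dump it.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes
10.0.1.10,51234,10.0.2.5,443,tcp,8800
10.0.1.10,52001,10.0.2.9,8472,tcp,41000
10.0.1.12,52310,10.0.2.9,8472,tcp,9900
10.0.1.13,49152,10.0.2.9,8472,tcp,3000
10.0.2.9,8472,10.0.1.13,49152,tcp,120000
10.0.1.10,51999,10.0.2.7,22,tcp,500
10.0.3.4,60001,10.0.2.9,31337,udp,300
"""

def endpoints(f):
    return ((f["src_ip"], int(f["src_port"]), f["proto"]),
            (f["dst_ip"], int(f["dst_port"]), f["proto"]))

def peer_sets(flows):
    """Distinct peer IPs seen per (ip, port, proto) endpoint."""
    peers = defaultdict(set)
    for f in flows:
        src, dst = endpoints(f)
        peers[src].add(dst[0])
        peers[dst].add(src[0])
    return peers

def service_side(f, peers):
    """Listener = endpoint with more distinct peers; tie goes to the lower port (client ports are ephemeral and high)."""
    src, dst = endpoints(f)
    server = max(src, dst, key=lambda ep: (len(peers[ep]), -ep[1]))
    return server, (dst[0] if server == src else src[0])

def unknown_services(csv_text, known=KNOWN_PORTS):
    """Aggregate flows by inferred listener, keeping only unregistered ports."""
    flows = list(csv.DictReader(io.StringIO(csv_text)))
    peers, out = peer_sets(flows), {}
    for f in flows:
        server, client_ip = service_side(f, peers)
        if server[1] in known:
            continue
        e = out.setdefault(server, {"flows": 0, "bytes": 0, "clients": set()})
        e["flows"] += 1
        e["bytes"] += int(f["bytes"])
        e["clients"].add(client_ip)
    return out
```

Reverse-direction records (the server replying from 8472 to an ephemeral port) are folded into the same listener entry, so each unregistered port shows up once with its client list and byte total.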

icecream-guy

:professorcat:

My Moral Fibers have been cut.

deanwebb

I usually blindly Google, unless I know who owns the source or destination IP. Then I can hit that guy up for info.

"Say, do you know why (source hostname) would be talking with (destination hostname)?"
"Ohh, yeah, that's all (strange little program published by a vendor I've never heard of, yet we owe our entire existence as a company to this software) traffic."
"Great. Do you have any vendor documentation on what ports it uses? It may be in the section about firewall permissions."

Usually that works real wonders. That way, when I find the ports the vendor didn't document, I can see if blocking them also messes up that traffic. If so, I add it to the list of ports that app uses. If not, then I leave it blocked and figure I just canned some state-sponsored advanced persistent threat that was riding on that port.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Usually we just get server names: SERVERX4318296 can't get to SERVERY7474569, no IPs, no MACs, no ports, no protocols. Then we pry some IPs out of them, dive into syslog, and go from there.

:professorcat:

My Moral Fibers have been cut.

wintermute000

Quote from: LynK on May 18, 2016, 11:06:24 AM
Hey guys,

Working with our netflow here and trying to identify the root programs using associated unknown ports. Any recommendations besides blindly googling?

Evil thought: hit up Palo Alto for a 'demo', put it in-line (layer 2 transparent) and watch the application classification reporting roll in.
Record it all (i.e. record the ports seen by the FW against the apps).
Then return it saying "thanks but no thanks" LOL

But seriously, an IPS/NGFW should be able to pick apart most apps. TBH, ports aren't enough, or even aren't accurate anymore (different versions changing to different ports etc.).

Dieselboy

Quote from: deanwebb on May 18, 2016, 12:10:35 PM
That way, when I find the ports the vendor didn't document, I can see if blocking them also messes up that traffic. If so, I add it to the list of ports that app uses. If not, then I leave it blocked and figure I just canned some state-sponsored advanced persistent threat that was riding on that port.
Hahaha I've done this :)

Quote from: wintermute000 on May 20, 2016, 10:39:02 PM
Evil thought: hit up Palo Alto for a 'demo', put it in-line (layer 2 transparent) and watch the application classification reporting roll in.
Record it all (i.e. record the ports seen by the FW against the apps).
Then return it saying "thanks but no thanks" LOL

But seriously, an IPS/NGFW should be able to pick apart most apps. TBH, ports aren't enough, or even aren't accurate anymore (different versions changing to different ports etc.).

Yea, traffic fingerprinting. It can tell if someone's running a web server on TCP port 22. Uses netflow though :)