Snort mailing list archives

Re: [Emerging-Sigs] TCP/UDP "trivial" ports?
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 23 Apr 2013 19:38:45 +0000

To follow up, after some investigating (never assume) I see that I am not doing the job of blocking these that I 
thought I was doing. I even had to add some to the firewall's list of known ports.

In general, it appears that ports 7, 9, 11, 13, 15, 17, 18, and 19 fall into this area (18 is actually message send 
protocol and is used in older Unix "message" commands). I suppose that it might be possible to create rules that are 
for each protocol or for the entire range (make it 1-19 maybe, both for TCP and for UDP).

Why would this be expensive? No digging beyond the protocol headers need occur I'd think. Could a preprocessor be built 
instead, if it's expensive?

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf () gmail com] 
Sent: Tuesday, April 23, 2013 13:29
To: Castle, Shane
Cc: emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: Re: [Emerging-Sigs] TCP/UDP "trivial" ports?

UDP sig with threshold might be interesting... Will be expensive though. What do you guys think?



On Tue, Apr 23, 2013 at 1:35 PM, Castle, Shane <scastle () bouldercounty org> wrote:

        I see that using the chargen port for DDoS is happening: 
        Now, I block all these both ways at my firewall (actually, on the outside, I think they are in a router ACL), 
        but looking through the complete set of rules I don't see anything but one ("DOS UDP echo+chargen bomb", sid 271) that 
        seems to address this port range of the TCP and UDP "trivial" (AKA "simple") ports. Has there ever been one? Should we 
        have one?

        Shane Castle
        Data Security Mgr, Boulder County IT

        Emerging-sigs mailing list
        Emerging-sigs () lists emergingthreats net
        Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
        The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!

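Added illustration of the kind of rule the thread is asking about. These are not rules from the Emerging Threats or Snort rulesets and were not posted by anyone in the thread; they use the standard $HOME_NET / $EXTERNAL_NET variables, placeholder SIDs in the 1000001+ local range, and counts and windows (20 or 50 packets in 60 seconds) chosen only for illustration. The port list is the one Shane enumerates (7, 9, 11, 13, 15, 17, 18, 19). Each rule matches on the IP/UDP/TCP header only; detection_filter adds a per-source (or per-destination) counter so a single probe does not alert, which is the cost the "expensive" remark refers to: one counter per tracked address rather than deep payload inspection.

```snort
# Added example; not part of the original thread or any published ruleset.
# Assumes Snort 2.9 syntax, $HOME_NET/$EXTERNAL_NET as configured, and that
# SIDs 1000001-1000003 are free in the local rule range (placeholders).

# Inbound UDP to the "trivial" services: echo 7, discard 9, systat 11,
# daytime 13, netstat 15, qotd 17, msp 18, chargen 19.
# detection_filter suppresses the alert until one source has sent
# 20 such packets inside 60 seconds.
alert udp $EXTERNAL_NET any -> $HOME_NET [7,9,11,13,15,17,18,19] ( \
    msg:"LOCAL UDP trivial-service request flood inbound"; \
    detection_filter:track by_src, count 20, seconds 60; \
    classtype:attempted-dos; sid:1000001; rev:1; )

# Same services over TCP. flags:S counts only connection attempts, so an
# established session is not re-counted on every segment.
alert tcp $EXTERNAL_NET any -> $HOME_NET [7,9,11,13,15,17,18,19] ( \
    msg:"LOCAL TCP trivial-service connection attempts"; \
    flags:S; \
    detection_filter:track by_src, count 20, seconds 60; \
    classtype:attempted-recon; sid:1000002; rev:1; )

# Replies leaving $HOME_NET from UDP/19 mean one of our hosts is still
# answering chargen; tracked by destination, a burst toward one external
# address is the signature of our host being used as a reflector.
alert udp $HOME_NET 19 -> $EXTERNAL_NET any ( \
    msg:"LOCAL UDP chargen response outbound (possible amplification)"; \
    detection_filter:track by_dst, count 50, seconds 60; \
    classtype:attempted-dos; sid:1000003; rev:1; )
```

If a site-wide cap on alert volume is wanted instead of a per-rule filter, the same counts can be expressed as event_filter entries in threshold.conf against these SIDs, leaving the rules themselves as plain header matches. Whichever form is used, the firewall or router ACL remains the blocking control; these rules only confirm that the block is actually in place, which is the check Shane describes having had to do by hand.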
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
