November 13, 2005
Use the SANS Internet Storm Center to research "weird" ports!
Network General's Sniffer User Summit was this week in Miami Beach, and it was great to discuss tips and tricks with Sniffer users from all over the world. Although I was a bit under the weather, I was able to compile a few helpful hints that I'll share over the next few weeks.
I was pleased with the people who are using their Sniffer InfiniStream as a security tool. Sniffer InfiniStream adds a number of useful features, especially given the "back in time" functionality available when you have 4 terabytes of hard drive space at your command. With this broad perspective of time, the number of questions about network traffic flows has also increased.
With Sniffer InfiniStream, port activity can be viewed graphically over time. With this unique view of network activity, it's simple to view traffic spikes and trends that occur across minutes, hours, or days.

What does a network or security manager do when an odd port number increases dramatically?
With over a hundred-thousand port numbers, the list of ports and their uses is practically impossible to memorize. Since worms, viruses, and other malware are also "stealing" popular port numbers, there's often no perfect answer when port activity increases.
Fortunately, the SANS (SysAdmin, Audit, Network, Security) Institute has created the Internet Storm Center (ISC). The Internet Storm Center acts as an "early warning system" for dramatic changes in traffic and activity over the Internet, and their free online resources are also useful for managing local network traffic patterns.
The main page of the Internet Storm Center includes a number of resources, including lookup tools for IP addresses, port numbers, and a tool for observing the trends of traffic flows over time.
For example, querying for our unusual port of 27015 found some real-world explanations of the port usage. The port lookup displays a graph of the usage of this port over time, the services associated with this port number, and a group of user comments relating to this port.

In this example, we found 27015 to be associated with the Half-Life Game Server. Some of the user comments associated an increase in Half-Life traffic with the release of the latest game version. These user comments can be an extremely valuable part of this service!
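As an added example (not code from this post or from Network General's Sniffer), the script below does the first half of that workflow offline: it buckets flow records by destination port and hour, flags ports whose newest hour jumps far above their earlier baseline, and builds the ISC port-lookup URL for researching each one. The flow-record layout, the sample records, and the URL form are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, "YYYY-MM-DDTHH:MM,proto,dst_port".
# Port 80 is steady; port 27015 (Half-Life, per the post) spikes at 12:00.
SAMPLE_FLOWS = (
    ["2005-11-13T%02d:%02d,tcp,80" % (h, m) for h in (10, 11, 12) for m in range(0, 60, 5)]
    + ["2005-11-13T10:15,udp,27015", "2005-11-13T11:20,udp,27015"]
    + ["2005-11-13T12:%02d,udp,27015" % m for m in range(0, 60, 2)]
)

def count_by_port_and_hour(records):
    """Return {port: {hour: count}} from 'timestamp,proto,port' records."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        ts, _proto, port = rec.split(",")
        counts[int(port)][ts[:13]] += 1  # key on "YYYY-MM-DDTHH"
    return counts

def find_spiking_ports(records, ratio=5.0, min_count=10):
    """Ports whose latest hour is >= ratio x the mean of all earlier hours.

    A port with no earlier history is compared against a baseline of 1, so a
    brand-new port that suddenly exceeds min_count is reported as well.
    """
    counts = count_by_port_and_hour(records)
    latest = max(h for per_hour in counts.values() for h in per_hour)
    spikes = {}
    for port, per_hour in counts.items():
        now = per_hour.get(latest, 0)
        earlier = [c for h, c in per_hour.items() if h < latest]
        baseline = max(sum(earlier) / len(earlier), 1.0) if earlier else 1.0
        if now >= min_count and now >= ratio * baseline:
            spikes[port] = (now, baseline)
    return spikes

def isc_port_url(port):
    """ISC port-lookup URL (assumed form of the lookup described in the post)."""
    return "https://isc.sans.edu/port.html?port=%d" % port

if __name__ == "__main__":
    for port, (now, base) in sorted(find_spiking_ports(SAMPLE_FLOWS).items()):
        print("port %d: %d this hour vs baseline %.1f -> %s"
              % (port, now, base, isc_port_url(port)))
```

Tune `ratio` and `min_count` to your own traffic volume; on the sample data only port 27015 is reported.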
This is just one of the many ways to use the free SANS resources to learn more about networks and network security. There's a reason we keep a link to the Internet Storm Center on the sidebar of Network Uptime!
Posted by james_messer at November 13, 2005 01:10 PM
