Networking-Forums.com

General Category => Forum Lobby => Topic started by: LynK on May 18, 2016, 11:06:24 AM

Title: Reputable knowledge base for TCP/UDP port lookup?
Post by: LynK on May 18, 2016, 11:06:24 AM
Hey guys,

Working with our netflow here and trying to identify the root programs using associated unknown ports. Any recommendations besides blindly googling?
Title: Re: Reputable knowledge base for TCP/UDP port lookup?
Post by: icecream-guy on May 18, 2016, 11:08:17 AM
I use the IANA port registry document found here
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
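An added example, not from this thread or from IANA: a small Python lookup that indexes the registry linked above and annotates netflow destination ports with it. It assumes the CSV export IANA publishes next to that .txt (service-names-port-numbers.csv) and its column layout; the registry excerpt and the flow records are constructed, and the handling of port ranges and unassigned blocks is the author's reading of that format.

```python
import csv
# Constructed excerpt in the column layout of IANA's CSV export of the registry
# (service-names-port-numbers.csv next to the .txt); the real file has thousands of rows.
IANA_CSV = """\
Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
ssh,22,tcp,The Secure Shell (SSH) Protocol,,,,,[RFC4253],,,
x11,6000-6063,tcp,X Window System,,,,,,,,
,1024-1031,tcp,Unassigned,,,,,,,,
example-svc,,,A name registered without any port assignment,,,,,,,,
"""

def load_registry(csv_text):
    """Index the registry: exact (port, proto) -> (name, desc), plus range rows."""
    singles, ranges = {}, []
    for row in csv.DictReader(csv_text.splitlines()):
        port = (row["Port Number"] or "").strip()
        proto = (row["Transport Protocol"] or "").strip().lower()
        if not port or not proto:
            continue  # name-only rows carry no port assignment to index
        entry = (row["Service Name"].strip(), row["Description"].strip())
        lo, _, hi = port.partition("-")  # IANA writes blocks as "6000-6063"
        if hi:
            ranges.append((int(lo), int(hi), proto, entry))
        else:
            singles[(int(lo), proto)] = entry
    return singles, ranges

def lookup(port, proto, singles, ranges):
    """Return (name, desc) for a port, or None when IANA lists nothing for it."""
    hit = singles.get((port, proto))
    if hit is None:
        hit = next((e for lo, hi, p, e in ranges
                    if p == proto and lo <= port <= hi), None)
    return hit

FLOWS = [  # constructed netflow-style records; the destination port is classified
    {"src": "10.1.2.3", "dst": "10.9.0.5", "proto": "tcp", "dport": 22},
    {"src": "10.1.2.3", "dst": "10.9.0.5", "proto": "tcp", "dport": 6010},
    {"src": "10.1.2.8", "dst": "10.9.0.7", "proto": "tcp", "dport": 1028},
    {"src": "10.1.2.8", "dst": "10.9.0.7", "proto": "tcp", "dport": 5555},
]

def annotate_flows(flows, singles, ranges):
    """Tag flows with the IANA name; a hit is a hint, not proof (anything can listen on 22)."""
    out = []
    for f in flows:
        hit = lookup(f["dport"], f["proto"], singles, ranges)
        label = "not in registry" if hit is None else (hit[0] or hit[1])
        out.append((f["src"], f["dst"], f["proto"], f["dport"], label))
    return out
```

The flows tagged "not in registry" are the ones worth chasing with the server owner; a registered name only says what IANA assigned, not what is actually listening.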
Title: Re: Reputable knowledge base for TCP/UDP port lookup?
Post by: deanwebb on May 18, 2016, 12:10:35 PM
I usually blindly Google, unless I know who owns the source or destination IP. Then I can hit that guy up for info.

"Say, do you know why (source hostname) would be talking with (destination hostname)?"
"Ohh, yeah, that's all (strange little program published by a vendor I've never heard of, yet we owe our entire existence as a company to this software) traffic."
"Great. Do you have any vendor documentation on what ports it uses? It may be in the section about firewall permissions."

Usually that works real wonders. That way, when I find the ports the vendor didn't document, I can see if blocking them also messes up that traffic. If so, I add it to the list of ports that app uses. If not, then I leave it blocked and figure I just canned some state-sponsored advanced persistent threat that was riding on that port.
Title: Re: Reputable knowledge base for TCP/UDP port lookup?
Post by: icecream-guy on May 18, 2016, 02:15:32 PM
Usually we just get server names, SERVERX4318296 can't get to SERVERY7474569, no IPs, no MACs, no ports, no protocols, then we pry some IPs and dive into syslog, and go from there.

Title: Re: Reputable knowledge base for TCP/UDP port lookup?
Post by: wintermute000 on May 20, 2016, 10:39:02 PM
Quote from: LynK on May 18, 2016, 11:06:24 AM
Hey guys,

Working with our netflow here and trying to identify the root programs using associated unknown ports. Any recommendations besides blindly googling?

evil thought: hit up Palo Alto for a 'demo', put it in-line (layer 2) transparent and watch the application classification reporting roll in.
record it all (i.e. record the ports seen by the FW against the apps)
Then return it saying "thanks but no thanks" LOL


but seriously, IPS/NGFW should be able to pick apart most apps, TBH, ports aren't enough or even accurate anymore (different versions changing to different ports etc.)

Title: Re: Reputable knowledge base for TCP/UDP port lookup?
Post by: Dieselboy on May 21, 2016, 09:04:48 AM
Quote from: deanwebb on May 18, 2016, 12:10:35 PM
That way, when I find the ports the vendor didn't document, I can see if blocking them also messes up that traffic. If so, I add it to the list of ports that app uses. If not, then I leave it blocked and figure I just canned some state-sponsored advanced persistent threat that was riding on that port.
Hahaha I've done this :)

Quote from: wintermute000 on May 20, 2016, 10:39:02 PM
evil thought: hit up Palo Alto for a 'demo', put it in-line (layer 2) transparent and watch the application classification reporting roll in.
record it all (i.e. record the ports seen by the FW against the apps)
Then return it saying "thanks but no thanks" LOL


but seriously, IPS/NGFW should be able to pick apart most apps, TBH, ports aren't enough or even accurate anymore (different versions changing to different ports etc.)

Yea, traffic fingerprinting. Can tell if someone's running a web server on tcp port 22. Uses netflow tho :)