SmallR2002 asked:
Bad and good port lists

I'm building an IDS/Firewall. I have found many lists on this subject, but either they are too long, or they are mixed. What I want is two separate lists that are not too long and contain the most common 'good' ports - 21, 8, etc; and the most common bad ports - trojan ports etc.

I do not want massive lists which are mixed

Also I would like a few ports which should be monitored and what to look for in the connection traffic.


Regards, SmallR2002
ASKER CERTIFIED SOLUTION from winkingtiger: only available to members.

Luc Franken:
Hi SmallR2002,

> Also I would like a few ports which should be monitored and what to
> look for in the connection traffic.
As there are a lot of lists of ports available, I'll just give you simple input on this. Not even having one port open is safe in any way; all can be exploited once a hole is detected in the program that's listening on that port.

All connections should be monitored for all known exploits for the programs running behind them. For example, on port 80 you'll need to scan for exploits like the ones Nimda uses (easily recognisable in about every IIS logfile :o) ). What I can suggest you do is to install another IDS like BlackICE on a testing system (as in, completely unpatched), then see what BlackICE will find. After you've been able to program your way to capture those (note that I'm not a programmer, so I can't help you with that, but there are a lot of excellent programmers around EE that might be able to help you with it), you'll have to keep following the latest exploits and find your way to include them.

Greetings,

LucF

p.s. I'm interested in the final product :)
How should such a list tell you which ports to monitor?
It's up to you to monitor *all* ports you consider insecure; that is, at least *all* those where there is a service listening.
Trojan Ports:

http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html

General Good list:

http://keir.net/portlist.html

The trouble is that many trojans use known ports that are usually considered 'good'. There is no reason why a trojan can't use the HTTP port (80) or the port normally used for Telnet (23). Like ahoffman said, all ports should be considered.

If you need assistance in programming the actual firewall, post a question in the relevant language (Delphi, C++ etc.)

Regards,

Hypoviax
SmallR2002 (asker):

OK, so let's presume the list part is sorted; what do I need to look for in the traffic?
There is no such thing as bad or good ports. First you have to know your network, what services are being offered to the outside (or the other side of the firewall, whatever that is), and then you can choose which are the "good" ports: the ones you actually need to allow on your firewall, and the "bad" ports: the ones you have no need to allow because they are not being used. Every network is different; a list of good and bad ports is not a good approach to securing a network. Remember that you should deny everything by default and allow only what's explicitly defined and configured.

You should monitor as many ports as you can. For instance, if you're using an FTP server you might want to monitor where a connection request came from, how long the connection was open, the login name and so on. On the other hand, traffic such as DNS requests is very difficult to monitor and to log because of the huge number of requests that a name server receives in a short period of time.

For a list of ports commonly used by trojans visit http://www.doshelp.com/trojanports.htm
Yeah, the doshelp one is the one I'm currently on the fourth page of typing out...
SOLUTION: only available to members.
Be a little more specific; where can I find lists of things to look for, etc.?
It all depends on what software you're running. Your firewall/IDS might have some integrated log analysis tool that will give you pointers on suspicious activity and even let you set alarms; if not, or if you want to use other tools to monitor your network using log analysis, you can try these: http://www.phoneboy.com/bin/view.pl/FAQs/ThirdPartyProgramsLogAnalysis if you're using Checkpoint. These will let you know, for instance, which are the top dropped/rejected packets, which are the ones you should start keeping an eye on.
http://tud.at/programm/fwanalog/ is another popular tool that you can try.

The reports these tools generate will guide you to know what you should look for in your environment.
Here's a good article that gives you a list of things to look for:  http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2782699,00.html
Can I remind you that I'm writing the program...
Oh yeah, I forgot... sorry about that (however, the article should have given you good ideas to implement in your program).

You probably already know these (i'm just brainstorming here):

You should take every packet, look at the source, destination, protocol and port fields, compare them to a table that holds your firewall configuration, and decide whether to allow the packet through, drop it, or reject it.

For intrusion detection that runs on the firewall instead of the hosts, you could see how many dropped/rejected packets are coming from a particular source (net or host) and trigger an alert. Also, to determine if a host behind the firewall is being scanned, you should check for requests from the same source targeting the host on different ports.

Depending on how complex you want your software to be, you can add virtual servers such as SMTP, FTP and so on and then forward the packets to the appropriate servers inside.

Hope this helps
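Both the default-deny rule table recommended earlier in the thread and the two firewall-side heuristics in the post above (count drops per source; flag one source hitting many ports on one host) fit in a few dozen lines. The following is an added example, not code from any poster or product; the rule table, thresholds and packet records are all constructed, and a real filter would of course read packets from the wire rather than from a list.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed rule table: first match wins; anything that matches nothing falls through to DEFAULT_ACTION.
# (action, source network, destination network, protocol, destination port or None for any)
RULES = [
    ("allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 80),   # the one public web server
    ("allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 443),
    ("allow", "192.0.2.0/24", "0.0.0.0/0",     "udp", 53),   # inside hosts may resolve names
]
DEFAULT_ACTION = "drop"   # deny by default; only what is listed above gets through


def decide(pkt, rules=RULES):
    """Return 'allow', 'drop' or 'reject' for one packet (dict with src, dst, proto, dport)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    for action, src_net, dst_net, proto, dport in rules:
        if (src in ip_network(src_net) and dst in ip_network(dst_net)
                and pkt["proto"] == proto
                and (dport is None or pkt["dport"] == dport)):
            return action
    return DEFAULT_ACTION


class DropMonitor:
    """Firewall-side heuristics: noisy sources and one source probing many ports on one host."""

    def __init__(self, drop_threshold=5, scan_threshold=4):
        self.drop_threshold = drop_threshold
        self.scan_threshold = scan_threshold
        self.drops_by_src = defaultdict(int)     # src -> number of dropped/rejected packets
        self.ports_by_pair = defaultdict(set)    # (src, dst) -> distinct (proto, port) probed
        self.alerted = set()                     # so each condition alerts once, not on every packet

    def observe(self, pkt, action):
        """Record one filtering decision; return the alerts it triggers (usually none)."""
        alerts = []
        if action == "allow":
            return alerts
        src, dst = pkt["src"], pkt["dst"]
        self.drops_by_src[src] += 1
        self.ports_by_pair[(src, dst)].add((pkt["proto"], pkt["dport"]))
        if self.drops_by_src[src] >= self.drop_threshold and ("drops", src) not in self.alerted:
            self.alerted.add(("drops", src))
            alerts.append(f"{src}: {self.drops_by_src[src]} packets dropped")
        probed = len(self.ports_by_pair[(src, dst)])
        if probed >= self.scan_threshold and ("scan", src, dst) not in self.alerted:
            self.alerted.add(("scan", src, dst))
            alerts.append(f"{src} probed {probed} ports on {dst}: possible port scan")
        return alerts


def run(packets, rules=RULES, monitor=None):
    """Filter a packet sequence; return (decision per packet, alerts in the order raised)."""
    monitor = monitor if monitor is not None else DropMonitor()
    decisions, alerts = [], []
    for pkt in packets:
        action = decide(pkt, rules)
        decisions.append(action)
        alerts.extend(monitor.observe(pkt, action))
    return decisions, alerts


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    {"src": "198.51.100.7", "dst": "192.0.2.10",    "proto": "tcp", "dport": 80},   # allowed
    {"src": "192.0.2.20",   "dst": "198.51.100.53", "proto": "udp", "dport": 53},   # allowed
    {"src": "198.51.100.7", "dst": "192.0.2.10",    "proto": "tcp", "dport": 23},   # telnet not offered: dropped
] + [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": p}          # a scanner walking ports
    for p in (21, 22, 23, 25, 110, 139)
]

if __name__ == "__main__":
    decisions, alerts = run(SAMPLE)
    for pkt, action in zip(SAMPLE, decisions):
        print(f"{action:5} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}/{pkt['proto']}")
    for alert in alerts:
        print("ALERT:", alert)
```

Two points worth carrying into a real implementation: the port-scan count is keyed on distinct ports per source/destination pair, not on raw packet count, so a legitimate client retrying one blocked port does not look like a scan; and the thresholds are per-source state, which means the table must be aged out over time or a long-running firewall will eventually alert on everything.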
Hmm, is this an exercise, or an attempt to re-invent the wheel?
If it isn't an exercise, it's better to use toolkits such as these: http://www.cotse.com/tools/firewall.htm
It is a bid to make money...
What language are you programming in?

If Delphi, I can help; otherwise not. Have a look on SourceForge - you may be able to examine other firewalls and thus determine what data they examine etc.

Regards,

Hypoviax
I use VB, but I don't need help with coding, I need help in what to code against. I can block and examine traffic easily.
Why don't you have these well-known ports open by default and close all other ports, but with an option to enable them?

http://www.webopedia.com/quick_ref/portnumbers.asp