Les,
I see a lot of not-so-subtle 445 SYN traffic, but that is more of a symptom
of a compromised host than legitimate traffic. I'm not sure if it merits a
definition or is better placed in the snort area.
With your permission, I'd like to use your list in our implementation as
I'm still using the default. Thanks for the info!
Kevin.
At 02:47 PM 10/12/2004 -0500, you wrote:
>We're using TrafficServer on our campus to see traffic from both the
>ResNet (residential) and CampusNet (admin & faculty) on our network. We
>are using the Snort-like feature as well.
>
>One of the problems is trying to get the "Other" category when looking at
>top protocols as small as possible. I've plugged in a lot of known ports,
>and have researched even more through the many web-sites who list out
>known ports. (see lists below)
>
>Does anyone have more ports defined?
>
>Are we missing any blatantly obvious ones?
>
>Thank you in advance for your help.
>I hope our list may help you.
>
>Les Yaw
>Luther College
>Decorah, IA
>
>ConsolidatePorts.UDP = 53,161,162,139
>ConsolidatePorts.TCP = 80,8080,8088,139
>
>; Protocol Groups
>; TCP Group Definitions
>protocol.priority.TCP = 1-512,2049,513-1023,6000-6010,8080,8088
>protocol.group.TCP.privileged = 1-1023
>protocol.group.TCP.login = 22,23,513
>
>protocol.group.TCP.file-transfer = 20,21,139
>protocol.group.TCP.telnet = 23
>protocol.group.TCP.SSH = 22
>protocol.group.TCP.SMTP = 25
>protocol.group.TCP.printing = 35
>protocol.group.TCP.web = 80,8080,8088
>protocol.group.TCP.kerberos = 88,749,750
>protocol.group.TCP.networkPrinting = 92
>protocol.group.TCP.POP = 110
>protocol.group.TCP.DCOM/Blaster = 135
>protocol.group.TCP.NetBios = 137-139
>protocol.group.TCP.IMAP = 143
>protocol.group.TCP.LDAP = 389
>protocol.group.TCP.Novell = 396,1366,2645
>protocol.group.TCP.HTTPS = 443
>protocol.group.TCP.QuickTime-RealAudio = 554,7070
>protocol.group.TCP.SNTPheartbeat = 580
>protocol.group.TCP.Keyserver = 584
>protocol.group.TCP.EudoraSet = 592
>protocol.group.TCP.LDAPS = 636
>protocol.group.TCP.MacOSadmin = 660
>protocol.group.TCP.Doom = 666
>protocol.group.TCP.IEEE-mms-ssl = 695
>protocol.group.TCP.AIM_video = 1024
>protocol.group.TCP.Kazaa = 1214
>protocol.group.TCP.MS-SQL-Srvr = 1433,1434
>protocol.group.TCP.WINS = 1512
>protocol.group.TCP.InterLibLoan = 1611
>protocol.group.TCP.Shockwave = 1626
>protocol.group.TCP.TFTP-mcast = 1758
>protocol.group.TCP.MSN_Messenger = 1863
>protocol.group.TCP.iCU-2,iSpQ = 2000-2003
>protocol.group.TCP.SoulSeek = 2234,5534
>protocol.group.TCP.DirectXgames = 2300-2400,47624
>protocol.group.TCP.mySQL = 3306
>protocol.group.TCP.WindowsRDP = 3389
>protocol.group.TCP.iTunes = 3689
>protocol.group.TCP.ICQ = 4000
>protocol.group.TCP.YahooMsgr = 5000-5010,5050,5100
>protocol.group.TCP.Loafy = 5190
>protocol.group.TCP.AOL = 5191-5193
>protocol.group.TCP.HotLine(FileShare) = 5500-5503
>protocol.group.TCP.pcAnywhere = 5631-5632
>protocol.group.TCP.WarCraft_3_GAME = 6112-6119
>protocol.group.TCP.GNUtella = 6346,6347,6348,6349
>protocol.group.TCP.IRC = 6665-7000
>protocol.group.TCP.YahooGames = 11999
>protocol.group.TCP.X11 = 6000-6010
>protocol.group.TCP.DDRgame = 6112
>protocol.group.TCP.RealAudio/Video = 7070
>protocol.group.TCP.MonkeyCom(Trojans) = 9898
>protocol.group.TCP.BattlezoneGame = 17770-17772
>protocol.group.TCP.Quake = 26000
>protocol.group.TCP.Counter-StrikeGAME = 27015
>protocol.group.TCP.DOOM-3_GAME = 27666
>protocol.group.TCP.MSNgames = 28800-29100
>protocol.group.TCP.AppleTalk = 201-208,387,548
>protocol.group.TCP.LPR = 515
>protocol.group.TCP.Citrix = 1494,2512,2513,2598
>protocol.group.TCP.DELLports = 2606,2607
>
>; UDP Group Definitions
>protocol.priority.UDP = 1-512,2049,513-1023,6343,9985-9995
>protocol.group.UDP.DNS = 53
>protocol.group.UDP.DHCP-request = 67
>protocol.group.UDP.kerberos = 88,749,750
>protocol.group.UDP.networkPrinting = 92
>protocol.group.UDP.netbios = 137-139
>protocol.group.UDP.snmp = 161,162
>protocol.group.UDP.AppleTalk = 201-208,387,548
>protocol.group.UDP.Novell = 396,1366,2645
>protocol.group.UDP.Https = 443
>protocol.group.UDP.QuickTime = 554
>protocol.group.UDP.SNTPheartbeat = 580
>protocol.group.UDP.Keyserver = 584
>protocol.group.UDP.EudoraSet = 592
>protocol.group.UDP.LDAPS = 636
>protocol.group.UDP.MacOSadmin = 660
>protocol.group.UDP.Doom = 666
>protocol.group.UDP.IEEE-mms-ssl = 695
>protocol.group.UDP.AIMvideo = 1024
>protocol.group.UDP.Kazaa = 1214
>protocol.group.UDP.InterLibLoan = 1611
>protocol.group.UDP.Shockwave = 1626
>protocol.group.UDP.TFTP-mcast = 1758
>protocol.group.UDP.MS-SQL-Srvr = 1433,1434
>protocol.group.UDP.WINS = 1512
>protocol.group.UDP.Citrix = 1604,2512,2513,2598
>protocol.group.UDP.nfs = 2049
>protocol.group.UDP.SoulSeek = 2234,5534
>protocol.group.UDP.DirectXgames = 2300,2301,2304-2400,6073
>protocol.group.UDP.HALOgame = 2302-2303
>protocol.group.UDP.DELLports = 2606,2607
>protocol.group.UDP.X-Box2 = 3074
>protocol.group.UDP.Dell = 3668
>protocol.group.UDP.iTunes = 3689
>protocol.group.UDP.ICQ = 4000
>protocol.group.UDP.YahooMessenger = 5000-5010,5050,5100
>protocol.group.UDP.Loafy = 5190
>protocol.group.UDP.AOL = 5191-5193
>protocol.group.UDP.WarCraft_3_GAME = 6112-6119
>protocol.group.UDP.GNUtella = 6346,6347,6348,6349
>protocol.group.UDP.RealAudio = 6970-7170
>protocol.group.UDP.MonkeyCom(Trojans) = 9898
>protocol.group.UDP.BattlezoneGame = 17770-17772
>protocol.group.UDP.KeyServer = 19283
>protocol.group.UDP.X-Rmon = 19981-19991
>protocol.group.UDP.Quake = 26000
>protocol.group.UDP.Counter-StrikeGAME = 27015
>protocol.group.UDP.DOOM-3_GAME = 27666
>protocol.group.UDP.MSNgames = 28800-29100
>
Received on Mon Oct 18 11:51:06 2004
This archive was generated by hypermail 2.1.8 : 10/18/04 PDT
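A small linter for the protocol-group format quoted above, added here as an example; it is not code from either message or from TrafficServer. It parses `protocol.group.<PROTO>.<name> = ports` lines and flags the kinds of defects the posted list showed (a typo'd protocol name, a line missing its `=`, the same group defined twice, and a port shared by two groups of one protocol, which affects what lands in "Other"). The sample config and the TCP/UDP-only assumption are constructed.

```python
import re
from itertools import combinations
# Constructed sample (not the college's real file) with the posting's defects: typo'd protocol, missing '=', duplicate key.
SAMPLE = """\
protocol.priority.TCP = 1-512,2049,513-1023
protocol.group.TCP.NetBios = 137-139
protocol.group.TCP.file-transfer = 20,21,139
protocol.group.TPC.Loafy = 5190
protocol.group.TCP.MonkeyCom(Trojans) 9898
protocol.group.TCP.IRC = 6665-6669
protocol.group.TCP.IRC = 6666-7000
"""
GROUP_RE = re.compile(r"^protocol\.group\.(\w+)\.(\S+)\s*=\s*(.+)$")
def parse_ports(spec):
    """Expand "20,21,137-139" into a set of ints; ValueError on an out-of-range token."""
    ports = set()
    for tok in spec.split(","):
        lo, _, hi = tok.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(tok.strip())
        ports.update(range(lo, hi + 1))
    return ports
def lint(text):
    """Return (groups, problems): (proto, name) -> port set, and (line, message) pairs."""
    groups, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("protocol.group."):
            continue  # comments, priority and ConsolidatePorts lines are not checked
        m = GROUP_RE.match(line)
        proto = m.group(1) if m else None
        if proto not in ("TCP", "UDP"):  # assumption: only these two protocols are valid
            problems.append((n, f"unknown protocol {proto!r}" if m else "malformed line (missing '=')"))
            continue
        _, name, spec = m.groups()
        try:
            ports = parse_ports(spec)
        except ValueError as e:
            problems.append((n, f"bad port {e}"))
            continue
        if (proto, name) in groups:
            problems.append((n, f"duplicate group {name}; one definition may shadow the other"))
        groups[proto, name] = groups.get((proto, name), set()) | ports
    # Line 0: two groups of one protocol share a port, but a flow lands in only one bucket.
    for a, b in combinations(groups, 2):
        shared = groups[a] & groups[b] if a[0] == b[0] else set()
        if shared:
            problems.append((0, f"{a[0]} ports {sorted(shared)} in both {a[1]} and {b[1]}"))
    return groups, problems
```

Run `lint(open("traffic.conf").read())` against the real file to get the findings as (line, message) pairs.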