mshaw at wwisp
Aug 22, 2002, 2:13 PM
Post #3 of 6
At 10:41 PM 8/22/2002 +0200, Michel Arboi wrote:
>Mike Shaw <mshaw [at] wwisp> writes:
> > It's pretty hard to detect trojan horses purely by port numbers.
>Better than nothing?
Not really a great justification. Sure, something is always better than
nothing, but not necessarily *much* better than nothing. And the
incremental benefit of simply looking for odd ports will probably be more
than offset by the additional cost.
It's simply something better reserved for another area of security. If you
are doing nothing other than vulnerability scanning, then you're asking for
>Well, if we look only at *unknown* services, that's better.
You're going to spend an awful lot of time hunting down odd ports on a
typical Windows network (or explaining away the false positive in a
resulting report), and what if somebody gets wise and runs one off a port
that doesn't look suspicious?
Now if you looked for a signature trojan response from a certain port then
sure, why not have it? That's much more definitive than a simple open
port. But then they could make one that looked like a telnet server, or an
ftp server, or whatever. Again, scanning for vulnerabilities is one thing,
but trying to detect someone or something who has explicitly compromised
you is a different animal.
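The two approaches argued over above, as an added example that is not part of the original post and not code from the poster or from any scanner: a port-number-only check beside a response-signature check, run over a few constructed observations. All hosts, ports, banners and the "hypothetical-backdoor" signature are made up for the example; the point is that the port-only rule flags a legitimate remote-admin service on an odd port, the signature rule catches a service that sat on a well-known port, and neither catches something that answers with a genuine-looking protocol handshake.

```python
"""Port-only versus response-signature flagging of suspicious services.

Every host, port, banner and signature below is constructed sample data
for illustration; the signature is hypothetical, not a real malware one.
"""
import re

# Ports a scanner would explain away as ordinary services on a Windows/Unix
# network (constructed subset of the usual well-known-port table).
KNOWN_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
    135: "msrpc", 139: "netbios-ssn", 443: "https", 445: "microsoft-ds",
}

# Hypothetical response signatures keyed by label (constructed for the
# example; a real check would carry a vetted signature set).
SIGNATURES = {
    "hypothetical-backdoor": re.compile(rb"^BD-SHELL v\d"),
}

# Constructed observations: (host, port, first bytes of the service response).
SAMPLE_OBSERVATIONS = [
    ("ws1", 5900, b"RFB 003.003\n"),            # legitimate VNC-style admin tool on an odd port
    ("ws2", 23, b"BD-SHELL v1 ready\r\n"),      # odd service hiding on the telnet port
    ("ws3", 23, b"\xff\xfd\x18\xff\xfd\x20"),   # real telnet option negotiation
    ("ws4", 31337, b"BD-SHELL v1 ready\r\n"),   # odd service on an odd port
]


def flag_by_port(port):
    """Port-only heuristic: anything outside the known table is 'suspicious'."""
    return port not in KNOWN_PORTS


def flag_by_signature(banner):
    """Return the matching signature label, or None if the response is unremarkable."""
    for label, pattern in SIGNATURES.items():
        if pattern.search(banner):
            return label
    return None


def assess(observations):
    """Run both checks over (host, port, banner) tuples; one verdict per host."""
    verdicts = {}
    for host, port, banner in observations:
        verdicts[host] = {
            "port": port,
            "port_flag": flag_by_port(port),
            "signature": flag_by_signature(banner),
        }
    return verdicts


def summarize(verdicts):
    """Count hosts each rule flags, and hosts only one of the two rules flags."""
    port_only = sorted(h for h, v in verdicts.items() if v["port_flag"] and v["signature"] is None)
    sig_only = sorted(h for h, v in verdicts.items() if v["signature"] and not v["port_flag"])
    both = sorted(h for h, v in verdicts.items() if v["port_flag"] and v["signature"])
    return {"port_only": port_only, "signature_only": sig_only, "both": both}


if __name__ == "__main__":
    results = assess(SAMPLE_OBSERVATIONS)
    for host, verdict in results.items():
        print(host, verdict)
    print(summarize(results))
```

In the sample set the port rule alone produces the false positive the post complains about (ws1) and misses the service on port 23 (ws2), while the signature rule gets ws2 but, like the port rule, says nothing about ws3, which answers exactly as a telnet server would. That last case is the post's closing point: once something is built to look like a normal service, neither check tells you it is there.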