Trojan Port Lists - Any Value?
-
Is there any value to these lists? I see them every now and then on the web but never an updated list.
Is this useless or worth blocking or logging the ports?
https://www.sans.org/security-resources/idfaq/which-backdoors-live-on-which-ports/8/4
-
I'd say almost useless, because you'll never identify the trojan traffic based on just the port numbers: anyone can write a port scanner probing the listed ports, but it would be just a port scan. You'll need more tools, such as IP blocklists of known botnets, etc.
-
Those sorts of lists are only good in a sense if you are seeing traffic from, say, one of your hosts on oddball ports and trying to figure out what it "could" be.
As kpa mentions, seeing traffic on known used backdoor ports to IPs on bad lists should for sure raise some eyebrows to the nature of the traffic for sure.
-
OK, that makes sense, thank you both. I set up rules with aliases to pass but log them just out of curiosity.
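
An added example, not posted by anyone in the thread: a small triage script that treats a listed port as a weak hint and only escalates when the destination is also on an IP blocklist, as the replies suggest. The `src dst dport` log format, the local network, the blocklist range and the three port entries are constructed sample data.

```python
import ipaddress

# Constructed sample data: three historically documented backdoor ports,
# a hypothetical blocklist range, and log lines in a made-up "src dst dport" format.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

SAMPLE_LOG = """\
198.51.100.7 192.168.1.10 31337
198.51.100.7 192.168.1.10 12345
192.168.1.20 192.0.2.50 27374
192.168.1.30 203.0.113.9 443
192.168.1.40 203.0.113.9 31337
192.168.1.50 192.0.2.80 443
"""

def classify(src, dst, dport):
    """Return a triage label for one connection record."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    listed_port = dport in TROJAN_PORTS
    if src_ip not in LOCAL_NET:
        # Inbound hit on a listed port: indistinguishable from a port scan.
        return "inbound-probe" if listed_port else "ignore"
    bad_dst = any(dst_ip in net for net in BLOCKLIST)
    if listed_port and bad_dst:
        return "high"    # local host, listed port, blocklisted peer
    if bad_dst:
        return "medium"  # blocklisted peer on an ordinary port
    if listed_port:
        return "low"     # odd port only: a hint at what it "could" be
    return "ignore"

def triage(log_text):
    """Parse 'src dst dport' lines; return (label, src, dst, dport) tuples."""
    results = []
    for line in log_text.splitlines():
        try:
            src, dst, dport = line.split()
            label = classify(src, dst, int(dport))
        except ValueError:
            continue  # wrong field count, bad address or bad port
        if label != "ignore":
            results.append((label, src, dst, int(dport)))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

On the sample input, the two inbound hits on listed ports are labelled as probes, and only the outbound connection that matches both the port list and the blocklist is rated high.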