0

Among the many "threats" I see on my SIEM, a non-standard port is a top one. It's always been a false positive, but I don't understand why this happens so frequently.

6
  • Do you mean a web server (or similar) on a non-standard port because some operating systems prevent opening ports under 102X as a regular user?
    – user
    Commented Nov 15, 2021 at 20:29
  • 1
    There are tons of reasons to run a service on a non-standard port. Can you provide the services you are seeing?
    – schroeder
    Commented Nov 15, 2021 at 20:48
  • @schroeder Is there a link you could direct me to so I could read up more on this? Searching my question leads me nowhere I want to be.
    – user270109
    Commented Nov 15, 2021 at 20:52
  • I didn't answer because, as I said, there are tons of reasons. There's no "link" that will explain all the reasons. Can you provide more detail in your question?
    – schroeder
    Commented Nov 15, 2021 at 20:54
  • I think it's more likely to be an IOC if it finds a non-standard protocol on a standard port. Commented Nov 15, 2021 at 20:55

3 Answers

4

It is not a threat per se, but can be an indication of something unexpected.

For example, HTTPS runs on port 443. If someone starts a rogue HTTPS server on port 10443, it could be used for data exfiltration. Or it could be a development environment running there, with insecure settings.

It is not expected to run HTTPS on port 10443, so finding one HTTPS server there should be investigated.

3

Some (non-exhaustive) reasons a legit server might operate on a non-standard port:

  • A development instance that nobody should connect to by accident.
  • A low-privileged app that can't listen on ports below 1024.
  • A second server of a type that already is running on the same host (e.g. you could have a "normal" web server on 80/443, and another one that is used for diagnostics or debugging or a control plane or so on, running on a high port).
  • Obscurity to limit the number of bot attacks (e.g. it's relatively common to move SSH or Terminal Services/RDP off their default ports, because there are lots of bots that basically probe every machine on the Internet trying to brute-force passwords on those services, and most such bots give up if the service isn't on the expected port).

Some reasons a legit client might make an outbound request on a non-standard port:

  • The client is connecting to a server that has changed its listening port for any of the above reasons (or any other).
  • The client is connecting to a proxy that listens on another port (e.g. a web proxy on 8080 that relays traffic to 80/443).
  • The client is a port scanner being run for legitimate verification of attack surface (possibly by your security team).

Really, though, you're just going to have to ask the people running those clients and/or servers why they're doing that. They might have great reasons, or they might have safe reasons but not great ones (e.g. "it's just easier to launch the server without sudo"), or they might be legitimately putting your network at risk (through malice or ignorance).
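The two answers above boil down to one detection rule plus one tuning step: flag a known service that shows up on a port it does not normally use (the HTTPS-on-10443 case), and stop re-investigating the cases the owning team has already explained. The script below is an added example, not code from either answer or from any SIEM product. It runs over a handful of constructed Zeek-style conn records (ts, src, dst, dst_port, service), and the expected-port table and exception list are hypothetical stand-ins for your own asset inventory. It also goes one step beyond the answers by flagging the inverse case raised in the comments, a known service on a port that belongs to a different service (e.g. SSH on 443), which is the harder-to-explain variant.

```python
"""Flag services seen on non-standard ports in Zeek-style conn records.

Added example, not part of the original answers. The log lines are
constructed, and the expected-port table and exception list are
hypothetical: in practice they come from your own asset inventory.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the shape of Zeek conn.log fields
# (ts, src, dst, dst_port, service). Not real traffic. Zeek uses "-"
# when it could not identify the service.
SAMPLE_LOG = """\
1637000001.0 10.0.0.5 10.0.0.20 443 ssl
1637000002.0 10.0.0.5 10.0.0.21 10443 ssl
1637000003.0 10.0.0.6 10.0.0.22 2222 ssh
1637000004.0 10.0.0.7 10.0.0.23 8080 http
1637000005.0 10.0.0.8 203.0.113.9 443 ssh
1637000006.0 10.0.0.9 10.0.0.24 3389 rdp
1637000007.0 10.0.0.10 10.0.0.25 53 -
"""

# Hypothetical table of the ports each service is expected on.
# 8080 is listed for http because a web proxy there is a normal setup.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "ssl": {443},
    "ssh": {22},
    "rdp": {3389},
}

# Hypothetical allowlist of documented exceptions (dst, port, service),
# built by asking the owning team why the port was moved.
DOCUMENTED_EXCEPTIONS = {
    ("10.0.0.22", 2222, "ssh"),  # bastion moved off 22 to shed bot noise
}


@dataclass(frozen=True)
class Finding:
    kind: str      # "service_on_nonstandard_port" or
                   # "unexpected_service_on_standard_port"
    src: str
    dst: str
    port: int
    service: str


def parse_line(line: str) -> tuple:
    """Split one whitespace-separated conn record into (src, dst, port, service)."""
    _ts, src, dst, port, service = line.split()
    return src, dst, int(port), service


def classify(record: tuple, expected=EXPECTED_PORTS,
             exceptions=DOCUMENTED_EXCEPTIONS) -> Optional[Finding]:
    """Return a Finding for a port/service mismatch, or None if nothing is off."""
    src, dst, port, service = record
    if service not in expected:
        return None  # unknown or unidentified service: nothing to compare against
    if port in expected[service]:
        return None  # service on one of its own ports
    if (dst, port, service) in exceptions:
        return None  # documented exception: tuned out, not re-investigated
    # Does this port belong to some *other* known service? If so the
    # traffic is a wrong protocol on a standard port, which is harder to
    # explain away than a service that merely moved to a high port.
    standard_for = {s for s, ports in expected.items() if port in ports}
    kind = ("unexpected_service_on_standard_port" if standard_for
            else "service_on_nonstandard_port")
    return Finding(kind, src, dst, port, service)


def scan(log_text: str, expected=EXPECTED_PORTS,
         exceptions=DOCUMENTED_EXCEPTIONS) -> list:
    """Run classify() over every non-empty line and keep the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_line(line), expected, exceptions)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.port} ({f.service})")
```

On the constructed input this yields two findings: the HTTPS server on 10443 and the SSH session to 203.0.113.9:443. The SSH bastion on 2222 is silent only because it is in the exception list; run `scan(SAMPLE_LOG, exceptions=set())` and it comes back, which is the point of the tuning step the answer describes. Keep the exception list in version control with the reason recorded next to each entry, so the "ask the owners" conversation happens once per service rather than once per alert.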

0

The SIEM can't tell whether it turns out to be a false positive, so it will just report this every time. And the SIEM should report on this, because this is an important deviation for a SIEM.

Why do teams keep using non-standard ports? If it happens to you a lot, you could either try to have people use standard ports or get teams to inform you better about when/why they need to use non-standard ports.

Why is this reported as a threat? The goal of a SIEM is to detect adversaries on your network. This means that when it notes a 'threat', whatever it's seeing is not so much something that's coming after you. The SIEM is trying to tell you it's seeing something that's (also) typical behaviour of an adversary.

It is a given that an adversary needs some channel out of your network. Sometimes for data exfiltration, but it could also be to allow the adversary to command and control whatever system it is in your network that they compromised. The SIEM is the prime measure in your collection of security measures that makes use of this fact. Therefore, it is of great importance that the SIEM draws enough attention to events that are potentially indicative of a channel out of your network controlled by an adversary.

The adversary wants to stay undetected, so will try to conceal their channel out of your network some way. Therefore, services running on non-standard ports should be investigated because they might be such a concealed channel.

4
  • Your last 3 paragraphs can be reduced to a single line: "SIEMs alert you to anomalies that are worth investigating". Yes, that's fine, and also true, but doesn't answer the question.
    – schroeder
    Commented Nov 16, 2021 at 20:18
  • You don't know if "the teams" are using non-standard ports. We know very little about why it's a false positive. You're making broad assumptions.
    – schroeder
    Commented Nov 16, 2021 at 20:38
  • "the SIEM should mark this as a high priority, because this is an important deviation for a SIEM" -- I challenge this claim. It's important to understand the anomaly, yes. But I would not place this as a high priority since, as the OP states, it is often a false positive.
    – schroeder
    Commented Nov 16, 2021 at 20:39
  • Fair enough, you shouldn't drop everything you're doing because of this.
    – ikiddo
    Commented Nov 16, 2021 at 20:45
