[Dshield] Ports & Protocols Wiki reminder

Cefiar cef at optus.net
Tue May 17 01:25:03 GMT 2005


On Tuesday 17 May 2005 01:25, Ted Cooper wrote:
> David Cannings wrote:
> > Pete Cap wrote:
> >>I recall a few months ago a disagreement on the very basic behavior
> >>of HTTP.  This highlights that the community NEEDS an authoritative
> >>source for this information
> >
> > Why aren't the RFCs sufficient?  One would assume that these are the
> > standard "authoritative" source of information on protocols such as HTTP.
>
> HTTP isn't the greatest example for why you'd need a resource like this,
> nor is any of the other protocols that have RFCs. Where do you go for
> details on those that don't?

And you also have quite a number of programs that BREAK the RFCs regularly, 
or have commercially customised the protocol to add new features. This can be 
particularly problematic if you've never seen the customised version before, 
as you could mistake the custom parts as, say, a buffer overflow attempt. A 
perfect example of this (in my mind at least) is MS's bastardised version of 
Kerberos.

> I often want to know why someone is trying to probe port X on these servers
> and what they could be looking for. This usually means going off to Google
> to try find which programs sit on the port or if there's some new bug out
> today.

And this in itself can be a huge time-waster - sorting through all the 
non-relevant entries that a search engine puts out takes up time that you may not 
have. Numbers below 65536 appear everywhere in common life, so you can easily 
get results that are not relevant, even if you add lots of qualifiers to the 
search.

-- 
 Stuart Young - aka Cefiar - cef at optus.net


