Understanding IDP Custom Attack Objects Service Contexts
The service or application binding field specifies the service that the attack uses to enter your network. Specify either the service or the protocol binding in a custom attack. If you specify both, the service binding takes precedence.

any—Specify any if you are unsure of the correct service and want to match the signature in all services. Because some attacks use multiple services to attack your network, you might want to select the any service binding to detect the attack regardless of which service the attack chooses for a connection.

service—Most attacks use a specific service to attack your network. You can select the specific service used to perpetrate the attack as the service binding. Table 1 lists the supported services and the default ports associated with them.
Table 1: Supported Services for Service Bindings

| Service | Description | Default Port |
|---|---|---|
| aim | AOL Instant Messenger. America Online Internet service provider (ISP) provides Internet, chat, and instant messaging applications. | TCP/5190 |
| bgp | Border Gateway Protocol | TCP/179 |
| chargen | Character Generator Protocol is a UDP- or TCP-based debugging and measurement tool. | TCP/19, UDP/19 |
| dhcp | Dynamic Host Configuration Protocol allocates network addresses and delivers configuration parameters from server to hosts. | UDP/67, UDP/68 |
| discard | Discard protocol is an Application Layer protocol that describes a process for discarding TCP or UDP data sent to port 9. | TCP/9, UDP/9 |
| dns | Domain Name System translates domain names into IP addresses. | TCP/53, UDP/53 |
| echo | Echo | TCP/7, UDP/7 |
| finger | Finger is a UNIX program that provides information about users. | TCP/79, UDP/79 |
| ftp | File Transfer Protocol (FTP) allows the sending and receiving of files between machines. | TCP/21, UDP/21 |
| gnutella | Gnutella is a public domain file sharing protocol that operates over a distributed network. | TCP/6346 |
| gopher | Gopher organizes and displays Internet servers' contents as a hierarchically structured list of files. | TCP/70 |
| h225ras | H.225.0/RAS (Registration, Admission, and Status) | UDP/1718, UDP/1719 |
| http | HyperText Transfer Protocol is the underlying protocol used by the World Wide Web (WWW). | TCP/80, TCP/81, TCP/88, TCP/3128, TCP/7001 (Weblogic), TCP/8000, TCP/8001, TCP/8100 (JRun), TCP/8200 (JRun), TCP/8080, TCP/8888 (Oracle-9i), TCP/9080 (Websphere), UDP/80 |
| icmp | Internet Control Message Protocol | |
| ident | Identification protocol is a TCP/IP Application Layer protocol used for TCP client authentication. | TCP/113 |
| ike | Internet Key Exchange protocol (IKE) is a protocol to obtain authenticated keying material for use with ISAKMP. | UDP/500 |
| imap | Internet Message Access Protocol is used for retrieving messages. | TCP/143, UDP/143 |
| irc | Internet Relay Chat (IRC) allows people connected to the Internet to join live discussions. | TCP/6667 |
| ldap | Lightweight Directory Access Protocol is a set of protocols used to access information directories. | TCP/389 |
| lpr | Line Printer Daemon protocol is a TCP-based protocol used for printing applications. | TCP/515 |
| msn | Microsoft Network Messenger is a utility that allows you to send instant messages and talk online. | TCP/1863 |
| msrpc | Microsoft Remote Procedure Call | TCP/135, UDP/135 |
| mssql | Microsoft SQL is a proprietary database server tool that allows for the creation, access, modification, and protection of data. | TCP/1433, TCP/3306 |
| mysql | MySQL is a database management system available for both Linux and Windows. | TCP/3306 |
| nbds | NetBIOS Datagram Service application, published by IBM, provides connectionless (datagram) applications to PCs connected with a broadcast medium to locate resources, initiate sessions, and terminate sessions. It is unreliable and the packets are not sequenced. | UDP/137 (NBName), UDP/138 (NBDS) |
| nfs | Network File System uses UDP to allow network users to access shared files stored on computers of different types. SUN RPC is a building block of NFS. | TCP/2049, UDP/2049 |
| nntp | Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages. | TCP/119 |
| ntp | Network Time Protocol provides a way for computers to synchronize to a time reference. | UDP/123 |
| pop3 | Post Office Protocol is used for retrieving e-mail. | UDP/110, TCP/110 |
| portmapper | Service that runs on nodes on the Internet to map an ONC RPC program number to the network address of the server that listens for the program number. | TCP/111, UDP/111 |
| radius | Remote Authentication Dial-In User Service application is a server program used for authentication and accounting purposes. | UDP/1812, UDP/1813 |
| rexec | Rexec | TCP/512 |
| rlogin | RLOGIN starts a terminal session on a remote host. | TCP/513 |
| rsh | RSH executes a shell command on a remote host. | TCP/514 |
| rtsp | Real-Time Streaming Protocol (RTSP) is for streaming media applications. | TCP/554 |
| sip | Session Initiation Protocol (SIP) is an Application Layer control protocol for creating, modifying, and terminating sessions. | TCP/5060, UDP/5060 |
| smb | Server Message Block (SMB) over IP is a protocol that allows you to read and write files to a server on a network. | TCP/139, TCP/445 |
| smtp | Simple Mail Transfer Protocol is used to send messages between servers. | TCP/25, UDP/25 |
| snmp | Simple Network Management Protocol is a set of protocols for managing complex networks. | TCP/161, UDP/161 |
| snmptrap | SNMP trap | TCP/162, UDP/162 |
| sqlmon | SQL monitor (Microsoft) | UDP/1434 |
| ssh | SSH is a program to log into another computer over a network through strong authentication and secure communications on a channel that is not secure. | TCP/22, UDP/22 |
| ssl | Secure Sockets Layer | TCP/443, TCP/80 |
| syslog | Syslog is a UNIX program that sends messages to the system logger. | UDP/514 |
| telnet | Telnet is a UNIX program that provides a standard method of interfacing terminal routers and terminal-oriented processes to each other. | TCP/23, UDP/23 |
| tns | Transparent Network Substrate | TCP/1521, TCP/1522, TCP/1523, TCP/1524, TCP/1525, TCP/1526, TCP/1527, TCP/1528, TCP/1529, TCP/1530, TCP/2481, TCP/1810, TCP/7778 |
| tftp | Trivial File Transfer Protocol | UDP/69 |
| vnc | Virtual Network Computing facilitates viewing and interacting with another computer or mobile router connected to the Internet. | TCP/5800, TCP/5900 |
| whois | Network Directory Application Protocol is a way to look up domain names. | TCP/43 |
| ymsg | Yahoo! Messenger is a utility that allows you to check when others are online, send instant messages, and talk online. | TCP/5050 |