On Thu, Jan 29, 2009 at 8:48 AM, Damon Getsman <[email protected]> wrote:
> [...] Is there any part of the SunRay
> services that would be utilizing these ports and/or 'hiding' them?
SRSS would be using ports in the 40,000-42,000 range by default. It
wouldn't be deliberately "hiding" that usage in any way, but (depending
on what release of SRSS you're running) it might be aggressively
reusing ports in the lower part of the range. That might create the
"false positive" situation mentioned below.

The SRSS port range is defined in /etc/services by a couple of entries
whose names begin with 'utservices'. You could try temporarily
changing that range and seeing whether your scanner still reports the
same "hidden" ports or whether they move to match the SRSS range.
You'll need to do a cold restart ('utrestart -c') after changing the
/etc/services file to make sure that all SRSS processes start using the
modified values.
OttoM.
__
ottomeister
Disclaimer: These are my opinions. I do not speak for my employer.
> For a little more added information, here is how OSSEC is determining
> that these ports are hidden:
>
> The way we detect hidden ports is the following:
>
> 1- Try to bind to every port in the system (tcp and udp).
> 2- If bind fails (port is being used), we run netstat to see if it
> is showing in there.
> 3- If it is not showing on netstat, we attempt to bind the port again.
> 4- If we are able to bind again, we try netstat the last time.
> 5- If netstat does not show the port, we consider it hidden.
>
> So, false positives can happen if you have a very busy system, opening and
> closing ports very fast (or using some form of system virtualization).
>
> TIA for help in tracking this down.
> --
> ----------
> Damon Getsman
> -=-=-=-
> ITRx http://www.itrx-nd.com/
> Programmer/IT Customer Relations/Sys Admin
> -=-=-=-
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
>
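
The five-step bind/netstat check quoted above, and the race that makes a fast port-reusing service look "hidden", as an added Python sketch; it is not OSSEC's code and not from either poster. Assumptions: step 4 is read as "the second bind attempt still fails", the function names are hypothetical, and port 40001 and the timelines in `simulate` are constructed.

```python
import re
import socket
import subprocess

def bind_fails(port, kind=socket.SOCK_STREAM):
    """True when bind() is refused, i.e. something already holds the port."""
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError:
            return True

def netstat_lists(port):
    """True when `netstat -an` output contains an address ending in this port.
    Coarse match: it accepts ':port' (Linux) and '.port' (Solaris) and also
    matches the remote-address column."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return re.search(r"[.:]%d\s" % port, out) is not None

def classify(port, probe=bind_fails, listed=netstat_lists):
    if not probe(port):
        return "free"        # step 1: we could bind, nothing holds the port
    if listed(port):
        return "visible"     # step 2: in use and netstat agrees
    if not probe(port):
        return "transient"   # step 3: the holder went away between probes
    if listed(port):
        return "visible"     # step 4: netstat shows it on the last look
    return "hidden"          # step 5: held twice, never listed

def simulate(held_at, port=40001):
    """Constructed honest system: held_at[i] is whether a socket holds the
    port at the i-th probe. Bind and netstat both see that same truth."""
    clock = iter(held_at)
    def truth(_port):
        return next(clock)
    return classify(port, probe=truth, listed=truth)

if __name__ == "__main__":
    # Port opened, closed, reopened, closed between the four probes:
    # nothing is concealed, yet the verdict is "hidden".
    print(simulate([True, False, True, False]))
    # Same port held steadily: netstat sees it on the first look.
    print(simulate([True, True]))
```

With the default probes, `classify(port)` runs the real check against the local machine; repeating it a few seconds later on any port reported as "hidden" is a cheap way to separate a reuse race from a persistent mismatch.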