Introduction
Not everything on the attack surface is an outright vulnerability. Each organization has its own security workflows and its own criteria for what counts as an acceptable risk in its business context. The challenge for many security teams is: how do you ensure that your attack surface adheres to these internal policies? This is doubly challenging because the attack surface is messy and constantly evolving.
Security teams in today's organizations are enablers, not gatekeepers. New assets and technologies are added to an organization's attack surface without the security team ever being made aware of them, yet the team is still accountable for ensuring those assets are secured. This lack of insight lets policy breaches go unnoticed for months, sometimes even years. This is why our customers use Custom Policies to bring visibility back to the security team and alert them as soon as an asset does not comply with one of their policies.
To read about how to get started with your first policy, see this article.
What dimensions can I build my policies on?
The current version of Custom Policies allows policies to be defined with the port number as the main variable. This can be used to alert if any port other than the typical HTTP and HTTPS ports (80 and 443) is open, see the image below. Another alternative is to provide a list of ports that should trigger an alert by selecting "is one of". Some ports that are known to be more risky are: 21, 22, 23, 25, 137, 139, 445, 1433, 3306, 3389, 3390, 5432, 33060. For a more complete list of risky ports, see the bottom of this article.
It is also possible to trigger an alert as soon as any port is found to be open by using the "is any" alternative.
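As an added illustration of the three matching modes described above (this is example code written for this article, not the product's own policy engine), the snippet below evaluates port policies against a constructed scan result. The hostnames, open ports and policy names are assumptions chosen for the example; the "is not one of" rule models the "anything other than 80 and 443" case, "is one of" models a watch list, and "is any" is applied to a single scoped asset, since applied to every host it would flag everything.

```python
from dataclasses import dataclass

# Constructed sample: open ports per hostname, as an attack surface scan would report them.
SAMPLE_SCAN = {
    "www.example.com": {80, 443},
    "api.example.com": {443, 8443},
    "db-legacy.example.com": {22, 3306, 33060},
    "cam-01.example.com": {23, 554},
}

VALID_OPERATORS = {"is_not_one_of", "is_one_of", "is_any"}


@dataclass(frozen=True)
class PortPolicy:
    """One policy rule on the port dimension (hypothetical model of the article's three modes).

    is_not_one_of: alert on every open port outside the allowed set
    is_one_of:     alert on every open port inside the watch set
    is_any:        alert on every open port, whatever it is
    """
    name: str
    operator: str
    ports: frozenset = frozenset()

    def __post_init__(self):
        if self.operator not in VALID_OPERATORS:
            raise ValueError(f"{self.name}: unknown operator {self.operator!r}")
        if self.operator != "is_any" and not self.ports:
            raise ValueError(f"{self.name}: operator {self.operator!r} needs a port list")
        bad = [p for p in self.ports if not 1 <= p <= 65535]
        if bad:
            raise ValueError(f"{self.name}: invalid port(s) {bad}")

    def violations(self, open_ports):
        """Return the subset of open_ports that triggers this policy."""
        open_ports = frozenset(open_ports)
        if self.operator == "is_any":
            return open_ports
        if self.operator == "is_one_of":
            return open_ports & self.ports
        return open_ports - self.ports


def parse_port_list(text):
    """Parse a comma- or whitespace-separated port list (like the one at the end of this
    article) into a frozenset, dropping duplicates and rejecting out-of-range values."""
    ports = set()
    for token in text.replace(",", " ").split():
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return frozenset(ports)


def evaluate(scan, policies):
    """Return {(hostname, policy_name): sorted list of violating ports} for every hit."""
    findings = {}
    for host, open_ports in scan.items():
        for policy in policies:
            hit = policy.violations(open_ports)
            if hit:
                findings[(host, policy.name)] = sorted(hit)
    return findings


# The short risky-port list quoted in the article, as an "is one of" watch list.
RISKY = parse_port_list("21, 22, 23, 25, 137, 139, 445, 1433, 3306, 3389, 3390, 5432, 33060")

POLICIES = [
    PortPolicy("web-only", "is_not_one_of", frozenset({80, 443})),
    PortPolicy("risky-port-open", "is_one_of", RISKY),
]

FINDINGS = evaluate(SAMPLE_SCAN, POLICIES)

# "is any" only makes sense for a scoped set of assets; here a camera that should expose nothing.
CAMERA_FINDINGS = evaluate(
    {"cam-01.example.com": SAMPLE_SCAN["cam-01.example.com"]},
    [PortPolicy("no-open-ports", "is_any")],
)

if __name__ == "__main__":
    for (host, policy), ports in sorted({**FINDINGS, **CAMERA_FINDINGS}.items()):
        print(f"{host}: policy '{policy}' violated by ports {ports}")
```

Note that one host can violate several policies at once (the legacy database host above trips both the allow-list and the watch-list rule), so a real policy feed should key alerts on the (asset, policy) pair rather than on the asset alone.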
Notifications
We don't currently support notifications for Custom Policies; this is something we are currently working on.
Some ports to consider for Custom Policies
Here's a list of ports from different categories that are worth considering for monitoring as part of Custom Policies:
Routing, DNS & mail:
* DNS: 53, 5353
* SMTP: 25, 465, 587, 2525
* BGP: 179
NetBIOS & CIFS:
* NBNS: 137, 138
* NetBIOS Session Service: 139
* SMB: 445
* NFS: 2049
VOIP:
* SIP: 5060, 5061
* Ventrilo: 3784
* Viber: 4244, 5242, 5243, 7985
Remote management:
* FTP: 20, 21, 2121
* SSH: 22, 2022, 2122, 2222
* Telnet: 23, 107, 992
* RSH: 514
* RDP: 3388, 3389, 3390
* VNC: 5800, 5900, 5901, 10348
* SNMP: 161, 162
* Portmapper: 111
* Ident: 113
* MSRPC: 135, 445, 593
Databases:
* LDAP: 389, 636
* Aurora/MySQL/MariaDB: 3306, 33060
* PostgreSQL: 5432
* MSSQL: 1433, 1434
* MaxDB: 7210
* Oracle DB: 1830, 1521, 2483, 2484
* Pervasive SQL: 1583, 3351
* OrientDB: 2480
* SAP SQL Anywhere: 2638
* Firebird/InterBase: 3050
* Sybase: 4100, 5000
* CouchDB: 5984
* Redis: 6379
* Cassandra: 7000, 7001, 9042
* Neo4J: 7473, 7474
* Apache Solr: 8983
* Riak: 8087, 8098
* ArangoDB: 8529
* ElasticSearch: 9200, 9300
* memcache: 11211
* MongoDB: 27017, 27018, 27019, 28017
* RethinkDB: 28015, 29015
Industrial Control Systems:
* Siemens S7: 102
* modbus: 502
* Red Lion: 789
* Niagara/Tridium: 1911, 4911
* PCWorx: 1962
* IEC 60870-5-104: 2404
* CODESYS: 2455
* MELSEC-Q: 5006, 5007
* HART: 5094
* BACnet/IP: 47808
* FINS: 9600
* GE-SRTP: 18245, 18246
* DNP3: 20000
* ProConOS: 20547
* EtherNet/IP: 44818
Sensitive (Risky) Ports:
* Java RMI: 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002
* Docker: 2375, 2376
* JBoss: 4445
* Cisco Smart Install: 4786
* Oracle GlassFish: 4848
* Atlassian Crowd: 4990
* Apache Spark: 5000, 6066
* HP Data Protector: 5555, 5556
* Redis: 6379
* WebLogic: 7000, 7001, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503
* Apache Hadoop: 8088
* Zoho ManageEngine Desktop Central: 8383
* LDAP: 389, 636
* Consul: 8500, 8600
* JMX: 8686, 9012
* JDWP: 45000, 45001, 50500
Alternative Web:
* HTTP: 81, 82, 591, 3000, 5000, 7547, 8000, 8008, 8080, 8089, 8090, 8081, 8082, 8088
* HTTPS: 1443, 4433, 4443, 5443, 6443, 7443, 8443, 9443, 10443
Ephemeral ports:
* RFC6056: 1024, 1025, 1026
* RFC6335: 49152, 49153, 49154
* Linux: 32768, 32769, 32770
If you want to monitor all of these, copy the following list (duplicates between categories removed) and paste it into your policy creation flow:
53, 5353, 25, 465, 587, 2525, 179, 137, 138, 139, 445, 2049, 5060, 5061, 3784, 4244, 5242, 5243, 7985, 20, 21, 2121, 22, 2022, 2122, 2222, 23, 107, 992, 514, 3388, 3389, 3390, 5800, 5900, 5901, 10348, 161, 162, 111, 113, 135, 593, 389, 636, 3306, 33060, 5432, 1433, 1434, 7210, 1830, 1521, 2483, 2484, 1583, 3351, 2480, 2638, 3050, 4100, 5000, 5984, 6379, 7000, 7001, 9042, 7473, 7474, 8983, 8087, 8098, 8529, 9200, 9300, 11211, 27017, 27018, 27019, 28015, 28017, 29015, 102, 502, 789, 1911, 4911, 1962, 2404, 2455, 5006, 5007, 5094, 47808, 9600, 18245, 18246, 20000, 20547, 44818, 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002, 2375, 2376, 4445, 4786, 4848, 4990, 6066, 5555, 5556, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503, 8088, 8383, 8500, 8600, 8686, 9012, 45000, 45001, 50500, 81, 82, 591, 3000, 7547, 8008, 8080, 8089, 8090, 8081, 8082, 1443, 4433, 4443, 5443, 6443, 7443, 8443, 9443, 10443, 1024, 1025, 1026, 49152, 49153, 49154, 32768, 32769, 32770