IPS/IDS device questions


Sheepykins

Hello,

I've recently been experimenting with IPS/IDS devices, and currently I have a Snort sensor set up mirroring a VLAN from a switch.

Just a quick question about port numbers really. As I come to understand it, connections outgoing from a client to, say, a webserver would generally have a high port connecting to a low port (such as DNS or HTTP).

Is this the right way of thinking?

Also, I noticed that when I attempted to look at a video on the tube of you! it would generate an FLV etc. signature with my IP as the target + random high port and YouTube as the source on 80, which confuses me.

Anyone have more expertise with this?

Much obliged :)
 
> Just a quick question about port numbers really. As I come to understand it, connections outgoing from a client to, say, a webserver would generally have a high port connecting to a low port (such as DNS or HTTP).
>
> Is this the right way of thinking?

Yes, internet browsers usually pick high-numbered ports outside of the well-known port range. Webservers usually accept connections on either 80, 8080, 443, or any combination of these.

Running netstat -a on a computer can confirm this.


> Also, I noticed that when I attempted to look at a video on the tube of you! it would generate an FLV etc. signature with my IP as the target + random high port and YouTube as the source on 80, which confuses me.
>
> Anyone have more expertise with this?
>
> Much obliged :)

I think this is the webserver sending you an FLV etc. outbound on port 80 on their side. They send it to the same port the internet browser opened up because it's still waiting for a reply back using that port.
 
Yeah, it's just that people I know say the direction traffic is flowing (half duplex) would still be high port to low port, so if YouTube were sending it back, wouldn't I see their IP address sending something back to mine on a lower port? Maybe I'm missing the point lol ;) or it's just that once a connection is established it's full duplex.
 
Duplex speed isn't going to have an effect on which ports are being chosen.

Duplex speed determines how much data you can send in a single moment in time.

Full duplex - both ways, half duplex - one way only.


The process for sending/receiving data from YouTube is something like:

Browser opens a port in the high range.

Browser sends data to YouTube's HTTP port (80).

YouTube sends data back to the sender on the same port the browser used to transmit.

** It uses this port because the browser still has the port open and is waiting for the server's reply.

Client and server transmit on the same ports for a while.

Browser closes the port after the idle timeout is reached (this should be confirmed; it's a guess).
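The direction question discussed in this thread, as an added example that is not code from any of the posters: a small Python script that parses constructed Snort-style fast-alert lines and decides from the port numbers which side opened the session, so an alert with the video server on port 80 as the source and a high port on the client as the destination is reported as a response to a session the client started, not as an inbound connection. The 10.0.0.0/24 local range, the 203.0.113.10 server address and the alert lines themselves are assumptions made up for the example.

```python
import ipaddress
import re

# Constructed Snort-style "fast" alert lines (not real sensor output): 203.0.113.10
# stands in for the video server, 10.0.0.5 is the client on the mirrored VLAN.
SAMPLE_ALERTS = [
    "[**] [1:9000001:1] FLV download [**] 203.0.113.10:80 -> 10.0.0.5:51234",
    "[**] [1:9000002:1] HTTP request [**] 10.0.0.5:51234 -> 203.0.113.10:80",
    "[**] [1:9000003:1] DNS query [**] 10.0.0.5:40000 -> 10.0.0.1:53",
]
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumption: the monitored VLAN
WELL_KNOWN_MAX = 1023  # ports at or below this are treated as service ports

def parse_alert(line):
    """Return message, endpoints and ports from one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def classify(line):
    """Decide from the ports which side opened the session the alert belongs to.

    Snort reports the direction of the packet, so a reply from a web server shows
    up as server:80 -> client:<high port>. The server did not initiate anything;
    the high port is the one the browser opened and is still waiting on.
    """
    a = parse_alert(line)
    if a is None:
        return None
    src_service, dst_service = a["sport"] <= WELL_KNOWN_MAX, a["dport"] <= WELL_KNOWN_MAX
    if dst_service and not src_service:
        flow, initiator = "request", a["src"]      # client -> server
    elif src_service and not dst_service:
        flow, initiator = "response", a["dst"]     # server -> client
    else:
        flow, initiator = "ambiguous", None        # both or neither are service ports
    return {"msg": a["msg"], "flow": flow, "initiator": initiator,
            "initiator_local": is_local(initiator) if initiator else None}
```

Running classify over SAMPLE_ALERTS reports the FLV alert as a response whose initiator is the local client, which is the same session the HTTP request alert belongs to.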
 