Re: how can I track networked games

From: Randy Taylor (gnu@charm.net)
Date: 01/04/02

• Previous message: Derek Walker: "RE: how can I track networked games"
• In reply to: Richard.CTR.Mickey@tc.faa.gov: "how can I track networked games"
• Next in thread: Tiller, Edward: "RE: how can I track networked games"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 03 Jan 2002 18:17:28 -0500
To: focus-ids@securityfocus.com
From: Randy Taylor <gnu@charm.net>

At 10:39 AM 1/3/2002 -0500, Richard.CTR.Mickey@tc.faa.gov wrote:
>I would like to watch for networked games (such as Doom), but it seems
>they use a multitude of options for connecting. I found clients that
>connect via IPX, TCP, UDP and Server side Java applets just poking around
>the Internet.
>
>Any help with Snort rules or general strategies for monitoring these will
>be appreciated.
>
>Thanks in Advance.
>
>Rich

Just a quick list.

Games that run off of MSN's GamingZone can be picked up
from TCP port 80 activity - this includes Age of Empires and Asheron's
Call, among others.

Baldur's Gate 2 can be detected at TCP port 8000.

Civ II intranet servers run from TCP port 4993.

Diablo 2 - TCP port 6112

Everquest - UDP port 53 on patch server lookups

Dark Age of Camelot - TCP port 1280

Gamespy - UDP port 25365

Giants - Citizen Kabuto - via Gamespy on TCP 28900
                                    - via Mplayer on TCP 8000

Half-Life - UDP 27015

Star Trek Voyager Elite Force - UDP 27960

Ultima Online - TCP 8888

Unreal Tournament - detectable off TCP port 80

I can't speak to Snort sigs - I use Dragon. At any rate,
I hope this helps - and Snort sigs should be easy to
write given a sniffer and copies of your target games.

Best regards,

Randy
-----
"You wield your heinous power like a heinous thing being wielded
by a guy wielding a heinous power." - scrappins

---

• Previous message: Derek Walker: "RE: how can I track networked games"
• In reply to: Richard.CTR.Mickey@tc.faa.gov: "how can I track networked games"
• Next in thread: Tiller, Edward: "RE: how can I track networked games"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Warcraft 3 Frozen Throne Cannot Make Games ... the PORTS not being opend, but I opend all the Zone Alarm ... the same thing no one can join my games. ... I tried mutliple ports the default 6112 tcp and Udp 4000 ... (microsoft.public.games) RE: how can I track networked games ... Just remember that a lot of these games can utilize socks proxies. ... > ports after all and are subject to change. ... The ports are UDP unless ... > I would like to watch for networked games, ... (Focus-IDS) Re: pcAnywhere..thru firewall?? ... At a bare minimum, TCP port 5631 will be sufficient enough to ... allow the connection between the two systems. ... >>To allow this application through a firewall, you only need to open TCP port>>5631 and UDP 5632. ... (comp.security.firewalls) Unable to connect to port 445 ... Nestat shows the system listening on TCP port 445 but I ... do not see any service listening on UDP 445. ... (microsoft.public.windows.server.networking) Port 443 Access ... Nestat shows the system listening on TCP port 445 but I ... do not see any service listening on UDP 445. ... (microsoft.public.windows.server.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2002-01