TCP Port 33621 denied by ACL

JOHN FROST
Level 1

I have just started using ACLs in my environment. After creating all the ACLs I want in place I started monitoring to see what was denied. The one thing that I keep seeing is access to TCP port 33621 denied. It looks like just about every host in my environment is trying to hit a single server on this port number. What is driving me nuts is trying to figure out what this port is for, because at this rate it is going to fill up my syslog server before long. I can't find any reference to it on the internet. There are two services this server is used for, a local host update server for Symantec's endpoint protection and a print server. I scoured the documentation for both products to see if that port was used by them but there is nothing about it. Does anyone have any idea what this port is or how to isolate a service using it?

4 Replies

Ben Gartland
Level 1

Hi John,

If you're more interested in determining the source application of the traffic, so you can decide how to handle it in the ACLs, go to a Windows PC that you have seen as a source of the traffic in the Syslog events, then run this Windows command in a command session (DOS box).

netstat -bvn

This will show you the usual netstat info like source & destination IP address, ports, protocol.  But it will also show the application that is in use for that given socket.

If the traffic is not constant, you may have to script this command to run every few seconds and log the output to a text file, then when you see the Syslog event, check the log file.

Hope this helps

Ben
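Ben's suggestion of scripting netstat to run every few seconds and log the result, written out in PowerShell as an added example (not code from the original thread). It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated session, the thread's port 33621, and a log path of my choosing.

```powershell
# Added example: poll the local TCP table for sockets to one destination port
# and log which process (and, where applicable, which Windows service) owns
# each new socket. Assumes Get-NetTCPConnection (Windows 8 / Server 2012 or
# later) and an elevated session so owning processes resolve.
function Watch-RemotePort {
    param(
        [int]$Port = 33621,                              # port from the thread
        [string]$LogPath = "$env:TEMP\port-$Port.log",   # assumed log location
        [int]$IntervalSeconds = 5,
        [int]$DurationMinutes = 60
    )
    $stopAt = (Get-Date).AddMinutes($DurationMinutes)
    $seen = @{}   # sockets already logged; each new socket is written once

    while ((Get-Date) -lt $stopAt) {
        # SilentlyContinue: the cmdlet raises an error, rather than returning
        # nothing, when no connection matches the filter.
        $conns = Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            $key = "$($c.LocalPort)->$($c.RemoteAddress):$($c.RemotePort)"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true

            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
            # Map the PID to a service name (e.g. Spooler) when a service owns it.
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)"
            $svcName = if ($svc) { ($svc.Name -join ',') } else { '-' }

            $line = '{0} {1} {2}:{3} -> {4}:{5} state={6} pid={7} process={8} service={9}' -f @(
                (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME,
                $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort,
                $c.State, $c.OwningProcess, $procName, $svcName
            )
            Add-Content -Path $LogPath -Value $line
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Run on one of the PCs that appears as a source in the syslog events; the
# same function can be pushed to several PCs at once with Invoke-Command.
Watch-RemotePort -Port 33621 -DurationMinutes 120
```

Each logged line carries the timestamp and local source port, so an ACL deny in syslog can be matched back to the owning process on the PC.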

That is a good idea!

Running netstat shows a syn_sent for the spooler service. I just find it a little odd because it seems to only be coming from a handful of machines and the source port isn't always the same, but the destination IP and port are. It also seems to be going on all day and night, not just a certain period of time.

Hi John,

Spooler service is for printing.  So maybe all the PCs use a common print server or network printer, the regular traffic will likely be printer (or print server) status checks.  Possibly all the PCs have a printer management/status application installed as well as a print driver.  Time for a dig around on those PCs.

It is normal for the source port to change; this is the expected behaviour. The destination port will remain constant.

Cheers,

Ben

That is the most strange part about it all. All PCs in our domain are configured to use the same print server and all the same printers via group policy. So there shouldn't be anything unique between them, as far as the spooler server is concerned, yet there's only about a dozen out of 200 devices generating these requests.

They're spread out over a good distance, so it's going to take some time to get around to each for investigation. That's why I was hoping to find a more automated way to track down what this was.