Let’s say we have Splunk Universal Forwarder agents installed on windows servers.
Is it known what ports are being used by windows servers to send data FROM (not sent TO) to splunk deployment server?
In the following example source port = 61616 is used. Can it be something like 8180?
TCP windows_server_source_ip:61616 splunk_deployment_server:8089 ESTABLISHED 3232
On Universal forwarders, TCP source ports are assigned randomly. On the receiver (for example an Indexer) the port is reserved (like 9997). If you capture a TCP dump between UF and Indexer you can determine that the UF communicates with the indexer on random ports but the indexer acknowledges back only with the reserved port defined.
@mbagali, thank you for your reply!
We verified for you in the Slack channel, and longtime heavy hitter Clint Sharp (coccyx) confirmed that, regardless of Windows or Unix, TCP source ports are ephemeral and assigned randomly, and always above 1024 and generally above 32k (32768).
https://en.wikipedia.org/wiki/Ephemeral_port
If you are trying to filter your incoming data by source port, you are probably building an unnecessary and unhelpful technical limitation into your system that will come back to haunt you, and it will come bearing hand grenades.
If your security area is trying to firewall your data by source port, then they need a refresher course. That won't inconvenience hackers anywhere near as much as it inconveniences your network guys.
@DalJeanis & @mbagali.
Our Application support team is troubleshooting the issue with a specific Application, that runs on the server, where we have Splunk Universal forwarder (SUF) installed.
Let's say that Application is configured to use tcp port 8180.
If tcp source ports are assigned randomly, then 8180 could have been randomly assigned as source port for Splunk Universal Forwarder and it would take down Application production service that was configured to use that port, per Application Support team.
Do you think it is possible?
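An added check for the situation described in this thread (example script, not from the thread or from Splunk): on the Windows host running the forwarder, read the dynamic (ephemeral) TCP port range the OS draws source ports from, test whether the application's port falls inside it, list the local ports splunkd is actually using for its outbound connections, and show whether anything is bound as a listener on that port. It assumes the forwarder process is named splunkd, an English-locale netsh output, an elevated session, and a hypothetical application port of 8180 taken from the question.

```powershell
# Added example, not part of the original thread.
# Assumptions: UF process is splunkd.exe, netsh output is in English,
# session is elevated. $appPort is the hypothetical port from the question.

$appPort = 8180

# 1. Which range does this host use for ephemeral (source) TCP ports?
#    On current Windows versions this is typically 49152 + 16384 ports.
$range = netsh int ipv4 show dynamicport tcp
$start = [int]($range | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
$count = [int]($range | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value
$end   = $start + $count - 1
"Ephemeral TCP range on this host: $start-$end"

$inRange = ($appPort -ge $start -and $appPort -le $end)
"Application port $appPort lies inside the ephemeral range: $inRange"

# 2. Which local (source) ports is the forwarder using right now?
$pids = (Get-Process -Name splunkd -ErrorAction SilentlyContinue).Id
if ($pids) {
    Get-NetTCPConnection -OwningProcess $pids -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort |
        Sort-Object LocalPort | Format-Table -AutoSize
} else {
    "No splunkd process found."
}

# 3. Is anything currently listening on the application port?
#    A bound listener here is the first thing the application team should verify.
Get-NetTCPConnection -LocalPort $appPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it on the affected server while the application is up; comparing the forwarder's live local ports with the reported range shows directly whether the two ever overlap on that host.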