The ports and protocols every SOC analyst needs to know -- 22, 25, 53, 80, 443, 445, 3389, 1433, 3306, 5985/5986 and more -- plus what traffic on each port means during an investigation.
The Ports Every Analyst Must Know and What They Mean in Context
Port numbers identify specific services on a host. The first 1024 ports are well-known ports assigned by IANA. When an analyst sees a network connection in a SIEM alert, the destination port tells them which service was being accessed — which immediately narrows what the attacker was doing. The source port is usually ephemeral (1024-65535) and rarely meaningful.
The tables below cover the ports you'll encounter day to day in SOC investigations. For each port they give: what the service normally does, what it looks like in logs, and the suspicious patterns that warrant escalation.
Web and Email Services

| Port | Protocol | Service | Normal Use | Suspicious Indicators |
|------|----------|---------|------------|-----------------------|
| 80 | TCP | HTTP | Standard web traffic. Web servers, API endpoints, redirect targets. | Unencrypted traffic in an HTTPS-first environment suggests a downgrade attack or a misconfigured internal app. HTTP traffic carrying binary payloads or large POST bodies may indicate data exfiltration or C2. |
| 443 | TCP | HTTPS | Encrypted web traffic (HTTP over TLS). | Nearly everything runs on 443. Suspicious patterns: connections to known-bad IPs, unusual JA3/JA3S fingerprints, connections to domains registered < 30 days ago, unusually long-lived sessions. |
| 8080 | TCP | HTTP-Alt | Alternative HTTP port. Common for development servers, proxies, application servers. | Outbound connections on 8080 from production servers. Often abused by malware as a fallback C2 port when 443 is blocked. |
| 8443 | TCP | HTTPS-Alt | Alternative HTTPS port. Common for admin interfaces, API gateways. | Admin interfaces exposed on non-standard ports. Check whether the destination belongs in your asset inventory. |
| 25 | TCP | SMTP | Mail transfer between mail servers (MTA-to-MTA). | Open relay detection: any inbound SMTP connection on 25 from the internet that isn't from a known mail exchange. Outbound 25 from non-mail servers indicates spam bot activity. |
| 465 | TCP | SMTPS | SMTP over SSL/TLS (deprecated but still in use). | Same as port 25. Increasingly rare — flag connections for review. |
| 587 | TCP | SMTPS | SMTP with STARTTLS (modern mail submission). | Legitimate mail clients use this to send mail through an authenticated relay. Abuse: compromised credentials used to relay spam. |
| 110 | TCP | POP3 | Post Office Protocol — downloading email from server to client. | Very rare in modern environments (most orgs use IMAP or Outlook/Exchange). Any POP3 traffic after ~2020 is suspect — likely a legacy app or an attacker exfiltrating email archives. |
| 143 | TCP | IMAP | Internet Message Access Protocol — managing email on the server. | Normal for configured email clients. Suspicious: a client downloading large volumes of email in bulk (mailbox enumeration or data theft). |
| 993 | TCP | IMAPS | IMAP over SSL/TLS. | Same as port 143. Monitor for bulk download patterns. |
| 995 | TCP | POP3S | POP3 over SSL/TLS. | As rare as port 110. Heavy traffic on 995 warrants investigation. |
Remote Administration

| Port | Protocol | Service | Normal Use | Suspicious Indicators |
|------|----------|---------|------------|-----------------------|
| 22 | TCP | SSH | Secure shell — remote administration, file transfer (SCP/SFTP), tunneling. | Outbound SSH from a server to the internet: almost always suspicious (data exfiltration, C2 tunnel, or pivot). Inbound SSH from unexpected source IPs (especially from countries where your org has no presence). Failed auth volume > 10/min suggests brute forcing. |
| 23 | TCP | Telnet | Unencrypted remote terminal access. | Should not exist in any modern network. Any Telnet traffic is a finding. Credentials are sent in plaintext — a packet capture reveals them immediately. |
| 3389 | TCP | RDP | Remote Desktop Protocol — Windows remote GUI access. | The most attacked remote access port. External RDP brute force attempts are constant. Monitor for: RDP from unexpected source IPs, off-hours RDP sessions, RDP from admin workstations to multiple servers (lateral movement, T1021.001). |
| 5900 | TCP | VNC | Virtual Network Computing (remote GUI access). | Similar to RDP but less monitored. Any external VNC connection is extremely suspicious. |
| 5985 | TCP | WinRM-HTTP | Windows Remote Management (HTTP). | Used for PowerShell remoting and system management. Suspicious: WinRM from a non-admin workstation to a domain controller — lateral movement indicator (T1021.006). |
| 5986 | TCP | WinRMS | Windows Remote Management (HTTPS). | Same as 5985 but encrypted. Monitor for atypical source-destination pairs. |
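The SSH row's "failed auth volume > 10/min" rule is easy to state and easy to get wrong in practice (a fixed calendar minute misses a burst that straddles the boundary). The following is an added example, not code from the original page: a sliding 60-second window over sshd-style syslog lines, flagging any source whose peak exceeds the threshold and listing the usernames it tried. The log lines, hostname, IP addresses and the year used for parsing are all constructed.

```python
"""Sliding-window failed-login counter for the 'failed auth volume > 10/min'
SSH brute-force heuristic. Added example; the sshd log lines, hostname and
IP addresses below are constructed, not taken from any real system."""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumption for parsing

# Constructed sshd lines in the default syslog layout: one source hammering
# the bastion with a dozen failures in 32 seconds, one user mistyping twice.
SAMPLE_LOG = """\
Mar 12 09:14:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 12 09:14:03 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar 12 09:14:06 bastion sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51024 ssh2
Mar 12 09:14:09 bastion sshd[2207]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar 12 09:14:12 bastion sshd[2209]: Failed password for invalid user ubuntu from 198.51.100.7 port 51026 ssh2
Mar 12 09:14:15 bastion sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 51027 ssh2
Mar 12 09:14:18 bastion sshd[2213]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar 12 09:14:21 bastion sshd[2215]: Failed password for invalid user pi from 198.51.100.7 port 51029 ssh2
Mar 12 09:14:24 bastion sshd[2217]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar 12 09:14:27 bastion sshd[2219]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar 12 09:14:30 bastion sshd[2221]: Failed password for invalid user guest from 198.51.100.7 port 51032 ssh2
Mar 12 09:14:33 bastion sshd[2223]: Failed password for invalid user admin from 198.51.100.7 port 51033 ssh2
Mar 12 09:20:10 bastion sshd[2301]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Mar 12 09:20:14 bastion sshd[2301]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Mar 12 09:20:25 bastion sshd[2301]: Accepted password for alice from 203.0.113.9 port 50110 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def failed_logins(log_text):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(log_text, threshold=10, window_seconds=60):
    """Return {source_ip: peak failures inside any window} for sources whose
    peak exceeds the threshold (the page's rule: more than 10 per minute)."""
    recent = defaultdict(deque)  # source_ip -> timestamps inside the window
    peak = defaultdict(int)
    for ts, _user, ip in sorted(failed_logins(log_text)):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n > threshold}


def usernames_tried(log_text, source_ip):
    """Distinct usernames a source failed against: many different names points
    to credential guessing, one name repeated to a single-account brute force."""
    return sorted({user for _ts, user, ip in failed_logins(log_text) if ip == source_ip})


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures in 60s, users tried: {usernames_tried(SAMPLE_LOG, ip)}")
```

Run against the constructed log, only 198.51.100.7 crosses the threshold (12 failures in one window); alice's two typos from 203.0.113.9 do not. The username list is what distinguishes a default-credential sweep from a targeted guess at one account, which changes who gets paged.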
File and Print Services

| Port | Protocol | Service | Normal Use | Suspicious Indicators |
|------|----------|---------|------------|-----------------------|
| 445 | TCP | SMB | Server Message Block — file sharing, printers, named pipes. | External SMB (port 445 from the internet) = immediate incident. Internally: EternalBlue/MS17-010 exploits targeted 445. Abnormal SMB connections between segmented zones suggest lateral movement. Large file transfers to an unusual destination suggest data exfiltration. |
| 139 | TCP | NetBIOS-SSN | NetBIOS Session Service (legacy file/print sharing). | Increasingly rare. Predecessor to SMB over 445. Traffic on 139 in a modern Windows domain is unusual — check whether legacy apps require it. |
| 137-138 | UDP | NetBIOS-NS/DGM | NetBIOS Name Service / Datagram Service. | Name resolution broadcasts. Excessive NetBIOS traffic plus SMB on 445 often accompanies worm-like spreading (e.g., WannaCry malware patterns). |
| 2049 | TCP/UDP | NFS | Network File System (UNIX/Linux file sharing). | Unusual in Windows-centric environments. Monitor for: NFS mounts from unexpected sources, large file transfers outside business hours. |
Authentication and Directory Services

| Port | Protocol | Service | Normal Use | Suspicious Indicators |
|------|----------|---------|------------|-----------------------|
| 88 | TCP/UDP | Kerberos | Active Directory authentication. Ticket requests and renewals. | Kerberos from a non-domain-joined machine = suspicious. AS-REP roasting detection: high volume of AS-REQ without pre-authentication (T1558.004). Kerberoasting: many TGS-REQ for service tickets (T1558.003). |
| 389 | TCP | LDAP | Lightweight Directory Access Protocol (plaintext directory queries). | LDAP queries from non-admin accounts enumerating users/groups = reconnaissance (T1482). High query volume suggests directory enumeration for password spray targets. |
| 636 | TCP | LDAPS | LDAP over SSL/TLS. | Same as 389 but encrypted. Any unauthenticated LDAP query from a new source is suspicious. |
| 3268-3269 | TCP | Global Catalog | Global Catalog for large Active Directory forests (plaintext/TLS). | GC queries from non-domain controllers are unusual — investigate. |
Database Ports

| Port | Protocol | Service | Normal Use | Suspicious Indicators |
|------|----------|---------|------------|-----------------------|
| 1433 | TCP | MSSQL | Microsoft SQL Server. | Outbound 1433 from an application server is normal. Inbound 1433 from the internet is almost never legitimate. Brute force attempts against SQL Server are common. Monitor for large query results (SELECT *) indicating bulk data theft. |
| 3306 | TCP | MySQL | MySQL/MariaDB database. | Same pattern as 1433. Inbound from the internet = bad. Outbound from unexpected app servers = potential pivot point. |
| 5432 | TCP | PostgreSQL | PostgreSQL database. | Same pattern as other databases. Check PgBouncer connections if pooling is in use. |
| 6379 | TCP | Redis | Redis key-value store. | Often exposed without authentication. Scan for unauthorized SET commands or data extraction. |
| 27017 | TCP | MongoDB | MongoDB database. | Historically subject to mass ransom attacks on exposed instances. Any external MongoDB connection should escalate. |
| 1521 | TCP | Oracle DB | Oracle database listener. | Legacy. External connections to 1521 are almost always attackers scanning for exposed Oracle databases. |
Infrastructure and Management

| Port | Protocol | Service | Normal Use | Suspicious Indicators |
|------|----------|---------|------------|-----------------------|
| 53 | TCP/UDP | DNS | Domain Name System — name resolution. | UDP 53 for queries, TCP 53 for zone transfers (>512 bytes). Suspicious: DNS TXT query volumes (DNS tunneling indicator, T1572), ANY queries (amplification vector), query volumes > 1000/min to a single domain (beaconing), unusually long subdomain names (data encoding). Zone transfer requests (AXFR) from unauthorized sources. |
| 67-68 | UDP | DHCP | Dynamic Host Configuration Protocol. | Rogue DHCP servers handing out malicious DNS/WINS settings. DHCP starvation attacks. Monitor for MAC-IP binding changes. |
| 69 | UDP | TFTP | Trivial FTP (no authentication). | Rare in production. Any TFTP traffic is unusual — may indicate firmware manipulation or malware staging. |
| 161 | UDP | SNMP | Simple Network Management Protocol (query). | SNMP community string brute forcing. SNMP walking (snmpwalk) leaks device configuration. SNMPv1/v2c sends community strings in plaintext. |
| 162 | UDP | SNMP-Trap | SNMP trap receiver. | Unexpected trap sources. Traps from decommissioned devices. |
| 514 | UDP | Syslog | System logging (plaintext). | Syslog injection — crafting fake log entries to confuse analysts or hide attacker activity. |
| 123 | UDP | NTP | Network Time Protocol. | NTP amplification attacks (monlist command). Check for unexpected monlist responses — your NTP server may be abused as a DDoS amplifier. |
| 135 | TCP | MSRPC | Microsoft RPC endpoint mapper. | EternalBlue (MS17-010) exploited RPC + SMB. RPC traffic between workstation zones and server zones suggests lateral movement. High RPC traffic volume = enumeration (T1046). |
| 445 | TCP | SMB | SMB named pipes over RPC. | Named pipe abuse for lateral movement via PsExec, WMI, scheduled tasks. |
| 636 | TCP | LDAPS | LDAP over SSL. | See directory services above. |
| 1434 | UDP | MSSQL-Monitor | SQL Server Browser/Monitor. | SQL Server instance discovery. Network scans often hit this port. |
| 1701 | UDP | L2TP | Layer 2 Tunneling Protocol. | VPN connections. Similar ISAKMP concerns. |
| 1723 | TCP | PPTP | Point-to-Point Tunneling Protocol. | Legacy VPN protocol. Deprecated in favor of IPsec/WireGuard. Any PPTP traffic should be reviewed. |
| 1812-1813 | UDP | RADIUS | Authentication/Accounting. | Widespread Wi-Fi and VPN authentication. RADIUS compromise means network access control is broken. |
| 5060-5061 | TCP/UDP | SIP | VoIP session initiation. | War dialing, toll fraud, SIP scanning. Call data record anomalies. |
| 5353 | UDP | mDNS | Multicast DNS (ZeroConf). | Rogue devices announcing services. Useful for identifying unauthorized network devices. |
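The DNS row above lists five indicators in one cell; in a SIEM they are five separate aggregations over the resolver log. The block below is an added example, not code from the original page, that computes all five over constructed resolver records: per-client TXT volume, ANY queries, a per-domain query rate above the page's 1000/min beaconing threshold, long subdomains, and AXFR from a source that is not the authorized secondary. The record layout, the authorized secondary address (10.0.0.53), the 50-character subdomain cut-off and the TXT cut-off are assumptions.

```python
"""DNS-on-port-53 indicator checks from the infrastructure table: TXT query
volume, ANY queries, per-domain beaconing rate, long subdomains and AXFR from
unauthorized sources. Added example; the resolver log records below are
constructed, and the authorized secondary address is an assumption."""
import hashlib
from collections import Counter
from datetime import datetime, timedelta

AUTHORIZED_AXFR_SOURCES = {"10.0.0.53"}  # assumed: the org's secondary DNS server
BEACON_QUERIES_PER_MINUTE = 1000          # page rule: > 1000/min to one domain
LONG_SUBDOMAIN_CHARS = 50                 # assumed cut-off for "unusually long"
TXT_VOLUME_THRESHOLD = 20                 # assumed per-client TXT query cut-off


def registered_domain(qname):
    """Last two labels of the name. Assumption: the sample has no multi-label
    public suffixes (a real deployment would use the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def dns_indicators(records):
    """records: iterable of dicts with ts (datetime), client, qname, qtype.
    Returns a dict of indicator name -> set of offending subjects."""
    per_minute = Counter()   # (domain, minute) -> query count
    long_sub = Counter()     # (client, domain) -> long-subdomain queries
    txt = Counter()          # client -> TXT queries
    any_q, axfr = set(), set()
    for r in records:
        domain = registered_domain(r["qname"])
        per_minute[(domain, r["ts"].replace(second=0, microsecond=0))] += 1
        if r["qtype"] == "TXT":
            txt[r["client"]] += 1
        elif r["qtype"] == "ANY":
            any_q.add((r["client"], r["qname"]))
        elif r["qtype"] == "AXFR" and r["client"] not in AUTHORIZED_AXFR_SOURCES:
            axfr.add((r["client"], domain))
        # subdomain length = full name minus the registered domain and its dot
        if len(r["qname"].rstrip(".")) - len(domain) - 1 > LONG_SUBDOMAIN_CHARS:
            long_sub[(r["client"], domain)] += 1
    return {
        "beaconing": {d for (d, _m), n in per_minute.items() if n > BEACON_QUERIES_PER_MINUTE},
        "long_subdomain": set(long_sub),
        "txt_volume": {c for c, n in txt.items() if n >= TXT_VOLUME_THRESHOLD},
        "any_query": any_q,
        "unauthorized_axfr": axfr,
    }


def build_sample_records():
    """Constructed resolver log: 1200 TXT queries for hex-encoded subdomains
    of one domain inside a single minute (tunnel/beacon shape), a little
    normal traffic, one ANY query and two zone transfer requests."""
    base = datetime(2024, 3, 12, 10, 0, 0)
    recs = []
    for i in range(1200):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()
        recs.append({"ts": base + timedelta(milliseconds=50 * i), "client": "10.0.5.21",
                     "qname": f"{chunk[:48]}.{chunk[48:64]}.tunnel-example.test", "qtype": "TXT"})
    recs += [
        {"ts": base + timedelta(seconds=5), "client": "10.0.5.22", "qname": "www.example.com", "qtype": "A"},
        {"ts": base + timedelta(seconds=6), "client": "10.0.5.22", "qname": "mail.example.com", "qtype": "AAAA"},
        {"ts": base + timedelta(seconds=7), "client": "198.51.100.4", "qname": "example.com", "qtype": "ANY"},
        {"ts": base + timedelta(seconds=8), "client": "10.0.0.53", "qname": "corp.example", "qtype": "AXFR"},
        {"ts": base + timedelta(seconds=9), "client": "10.0.5.99", "qname": "corp.example", "qtype": "AXFR"},
    ]
    return recs


SAMPLE_RECORDS = build_sample_records()

if __name__ == "__main__":
    for name, hits in dns_indicators(SAMPLE_RECORDS).items():
        print(f"{name}: {sorted(hits)}")
```

The same client and domain trip three indicators at once (TXT volume, beaconing rate, long subdomains), which is the usual shape of DNS tunneling and a much stronger signal than any one of them alone. The authorized AXFR from 10.0.0.53 is deliberately not reported: the check is about the source, not the query type.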
Well-Known Port Ranges for Scanning Context
0-1023: System/well-known ports. Most registered to long-established services. Traffic on an unassigned port in this range is anomalous.
1024-49151: Registered/user ports. Ephemeral on many systems, but also registered to specific apps.
49152-65535: Dynamic/private ports. True ephemeral range on modern Windows (Vista+). Any service listening on this range should be investigated.
Practical Triage Using Destination Port
When an alert fires and you see a destination port, here is how to use it:

1. Is it a standard port for the destination? If the asset is a web server, expect 80/443. If it's a database server, expect 1433/3306/5432. Mismatched port + asset type = red flag.
2. Is the direction unusual? Outbound SSH (22) from a server to the internet is never normal. Inbound 445 from outside the org is never normal.
3. Is the port a known abuse vector? 445, 3389, 22, 1433 are the most attacked ports. Alert on them hitting unexpected assets.
4. What is the traffic volume? One connection on port 22 to an IP that resolves to a known cloud provider may be a dev committing code. 100 connections suggest a scan or brute force.
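The four questions are a decision procedure, and the port-range list before them is the first lookup in it. The block below is an added example, not code from the original page, that encodes the procedure as a function over a batch of connection records and returns the reasons each flagged connection raised. The asset inventory, the internal address ranges, the expected-port sets (drawn from the tables above), the IP addresses and the connection records are all constructed.

```python
"""Destination-port triage for the four questions above, plus the port-range
classification from the previous section. Added example; the asset inventory,
internal ranges, IP addresses and connection records are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed corporate address space; anything outside it is "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: internal IP -> asset type.
ASSETS = {
    "10.0.1.10": "web",
    "10.0.2.20": "database",
    "10.0.3.30": "domain_controller",
    "10.0.9.99": "workstation",
}
# Ports the tables above call normal for each asset type.
EXPECTED_PORTS = {
    "web": {80, 443, 8080, 8443},
    "database": {1433, 3306, 5432},
    "domain_controller": {53, 88, 389, 445, 636, 3268, 3269},
    "workstation": set(),
}
SERVER_TYPES = {"web", "database", "domain_controller"}
ABUSE_VECTORS = {445, 3389, 22, 1433}                     # question 3
NEVER_INBOUND_FROM_INTERNET = {23, 445, 3389, 1433, 3306, 5432, 6379, 27017, 1521}
SCAN_THRESHOLD = 100                                       # question 4


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(conn):
    src_in, dst_in = is_internal(conn.src), is_internal(conn.dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def port_range(port):
    """IANA range of a port number, as in the 'Well-Known Port Ranges' section."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def triage(conns):
    """Apply the four triage questions to a batch of connections.
    Returns {Conn: [reason, ...]} for every connection that raised a flag."""
    volume = Counter((c.src, c.dport) for c in conns)
    findings = {}
    for c in conns:
        if c in findings:
            continue  # identical connection already assessed
        reasons = []
        d, dst_type, src_type = direction(c), ASSETS.get(c.dst), ASSETS.get(c.src)
        # 1. Is it a standard port for the destination asset?
        if dst_type in SERVER_TYPES and c.dport not in EXPECTED_PORTS[dst_type]:
            reasons.append(f"port {c.dport} is not expected on a {dst_type}")
        # 2. Is the direction unusual?
        if d == "outbound" and c.dport == 22 and src_type in SERVER_TYPES:
            reasons.append("outbound SSH from a server to the internet")
        if d == "inbound" and c.dport in NEVER_INBOUND_FROM_INTERNET:
            reasons.append(f"inbound {c.dport} from the internet")
        # 3. Is the port a known abuse vector hitting an unexpected asset?
        if c.dport in ABUSE_VECTORS and dst_type and c.dport not in EXPECTED_PORTS[dst_type]:
            reasons.append(f"abuse vector {c.dport} hitting a {dst_type}")
        # 4. What is the volume from this source to this port?
        n = volume[(c.src, c.dport)]
        if n >= SCAN_THRESHOLD:
            reasons.append(f"{n} connections to port {c.dport}: scan or brute force")
        if reasons:
            findings[c] = reasons
    return findings


# Constructed batch: one normal web hit, an internal app-to-DB connection, an
# outbound SSH from the database server, external SMB at the DC, a hundred RDP
# attempts at the web server, and a developer's single SSH to a cloud host.
SAMPLE_CONNS = [
    Conn("203.0.113.8", "10.0.1.10", 443),
    Conn("10.0.9.99", "10.0.2.20", 1433),
    Conn("10.0.2.20", "198.51.100.20", 22),
    Conn("198.51.100.5", "10.0.3.30", 445),
    *[Conn("198.51.100.77", "10.0.1.10", 3389)] * 100,
    Conn("10.0.9.99", "203.0.113.50", 22),
]

if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_CONNS).items():
        print(f"{conn.src} -> {conn.dst}:{conn.dport} ({port_range(conn.dport)}): {'; '.join(reasons)}")
```

The hundred RDP attempts at the web server trip all four questions, which is the escalation shape; the single outbound SSH from the workstation trips none, matching the "dev committing code" case. The ordering of reasons is the ordering of the questions, so an analyst reading the output sees the same checklist they would walk through by hand.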