Port 3313: Unify Object Broker — A Ghost Registration

What Port 3313 Is

Port 3313 sits in the registered port range (1024–49151). These ports aren't free-for-all like the ephemeral ports above 49151, and they're not the closely-guarded well-known ports below 1024. They're the middle ground: officially registered with IANA, but used by applications and services that vary widely in how well-known they are.

Port 3313 is technically registered. IANA assigned it on July 31, 2012, to Unify Object Broker (service name: uorb), registered by Daegis, Inc.¹ Both TCP and UDP are listed.

In practice, almost nobody runs Unify Object Broker. Unify Corporation merged with Daegis, an eDiscovery solutions company, and the protocol never achieved meaningful adoption.² The registration exists. The software largely doesn't, at least not in any active form.

Who Actually Uses This Port

The most commonly observed real-world use is Verisys, a file integrity monitoring (FIM) tool developed by Ionx Solutions. Verisys uses TCP 3313 for its agent communication, watching files and directories for unauthorized changes on Windows and Linux systems.³

File integrity monitoring is a security discipline — PCI DSS and other compliance frameworks require knowing when critical system files change. Verisys sits in that space, and port 3313 is how its components talk to each other.

Security Notes

Some older security databases flag port 3313 as having been used by malware historically.⁴ The specific lineage is unclear — it appears on various "suspicious ports" lists without strong attribution to a named trojan. This is worth knowing but shouldn't cause alarm on its own. Many ports cycle through legitimate use, incidental misuse, and eventual obscurity.

If you see port 3313 open on a system that isn't running Verisys, investigate.

How to Check What's Listening

On Linux/macOS:

ss -tlnp | grep 3313
# or
lsof -i :3313

On Windows:

netstat -ano | findstr :3313

The process ID in the output maps to a running service — cross-reference it in Task Manager or Get-Process to identify what's actually there.

Why This Matters

The registered port range contains thousands of entries like port 3313 — services that were assigned, then went quiet. These ghost registrations aren't wasted space, exactly, but they create ambiguity. When a port appears in a scan, you can't simply look it up and trust the answer. The official registration may describe software nobody runs. The actual traffic may be something else entirely.

That gap between what a port is registered for and what it's actually used for is a reason network administrators scan their own systems rather than relying on port lists. Port numbers describe intent. Traffic analysis describes reality.