LnS understanding rules
Bovisa
September 7th, 2008, 11:02 AM
Hi Frederic/others,
I used LnS before, but I could never fully understand how writing rules works or what they do.
Now, before I buy LnS, I want to fully understand the rules.
Is there some guide that explains them in depth?
regards
Climenole
September 7th, 2008, 12:31 PM
Hi Bovisa
I have 6 pages about Internet protocols and LnS.
The site is in French but you can use Google Translate (with Google Toolbar, for example...) to have these pages in English.
http://climenole.wordpress.com/
Hope this helps. Let us know.
Further questions welcome!
:)
Frederic
September 7th, 2008, 12:54 PM
Hi Bovisa,
If you want to "fully understand" the rules, then you would first need to understand Internet protocols (ports, addresses, ...).
Of course this is not required to use Look 'n' Stop, and even to create simple rules you don't need to understand that "fully".
For instance, you can create a rule directly with a right click on a log entry, and there are also generic rules (to open a particular port/address, for instance) here:
http://www.looknstop.com/En/rules/rules.htm#serverFTP
Looking at this kind of generic rule may also help you.
Regards,
Frederic
Bovisa
September 7th, 2008, 04:27 PM
Hi Climenole,
I read your articles, but how do I make a rule for this: ''TCP without any flag, with all the flags or absurd combinations such as SYN-FIN, PSH-URG-FIN, etc''?
I want to make an incoming TCP rule for browser/port 80, to prohibit TCP packets sent by servers that are sent directly, so without the flags, because those are mostly the trojans. I also want a rule to prohibit the incorrect order of the flags on port 80.
regards,
Climenole
September 8th, 2008, 09:11 AM
Hi Bovisa
There is an "experimental" rule set posted by me last year...
(They are not perfect, and do not pretend to be "ultimate" [that does not exist, except for Fools'n'Suckers],
and they are published under a Creative Commons licence (http://creativecommons.org/licenses/by-nc-sa/2.5/ca/) [which is not respected by crooks...], etc.)
http://www.wilderssecurity.com/showthread.php?p=1032531#post1032531
Check the thread, check the rules and be inspired by this strange "poem"...
Then create your own Bovisa RulZ!
Have fun.
;D
Bovisa
September 11th, 2008, 12:31 PM
What are the 'Frag. Offset' and 'Frag. Flags'?
ktango
September 11th, 2008, 01:15 PM
-{ Quote: "What are the 'Frag. Offset' and 'Frag. Flags'?" }-
Hi Bovisa
Please see here for details of Internet Protocol version 4 (IPv4):
http://en.wikipedia.org/wiki/IPv4
http://www.networksorcery.com/enp/protocol/ip.htm
Bovisa
September 12th, 2008, 10:21 PM
What does the 'masking' of flags: URG, ACK, PSH etc. mean?
Thanks in advance.
Climenole
September 12th, 2008, 10:24 PM
Hi Bovisa
Check this thread (discussions, explanations and screen captures).
Hope this helps. Let us know.
Blocking Incoming Connections with Nuser and Climenole (http://www.wilderssecurity.com/showthread.php?p=1017388&highlight=mask#post1017388)
:)
Bovisa
September 12th, 2008, 11:02 PM
Ok tell me if I'm correct.
A flag with 'mask' unchecked means that the flag doesn't get used by your PC?
So if you want to make a rule to block TCP packets without flags, it's safest to do: all flags MASK unchecked and SET/CLEAR unchecked, instead of all flags MASK checked and SET/CLEAR unchecked, which is done as standard by Frederic in the EnhancedRulesSet, to block all TCP packets without flags.
Thanks for your help Climenole.
ktango
September 12th, 2008, 11:37 PM
Hi Bovisa
-{ Quote: "So if you want to make a rule to block TCP packets without flags, it's safest to do: all flags MASK unchecked and SET/CLEAR unchecked, instead of all flags MASK checked and SET/CLEAR unchecked, which is done as standard by Frederic in the EnhancedRulesSet, to block all TCP packets without flags." }-
The mentioned rule blocks all TCP packets with or without flags.
Frederic
September 13th, 2008, 04:40 AM
Hi Bovisa,
-{ Quote: "A flag with 'mask' unchecked means that the flag doesn't get used by your PC?" }-
Not by the PC, but by Look 'n' Stop when the considered flag is verified in the packet under analysis.
The "Mask" column simply indicates which flags to consider when analyzing the packet. If it is checked the flag is compared to the Set/Cleared information, if it is not, the flag is not examined (and thus any value is accepted for that flag).
-{ Quote: "So if you want to make a rule to block TCP packets without flags, it's safest to do: all flags MASK unchecked and SET/CLEAR unchecked, instead of all flags MASK checked and SET/CLEAR unchecked, which is done as standard by Frederic in the EnhancedRulesSet, to block all TCP packets without flags." }-
No, if you want to verify all flags are cleared, you need to indicate all flags have to be examined and therefore you have to check all the masks.
Regards,
Frederic
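As an added illustration of the Mask / Set-Cleared semantics Frederic describes above (example code written for this page, not part of the thread or of Look 'n' Stop), the functions below model a TCP flag rule as a mask byte plus an expected-value byte and show why ticking every Mask with nothing Set catches only flag-less packets, while ticking no Mask at all matches every packet, as ktango noted. The combination labels in `describe_flags` are this example's own names for the cases Bovisa asked about.

```python
# TCP flag bits in the header's flags byte (low 6 bits, RFC 793 order).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F

def flags_from_names(names):
    """Build the flags byte from flag names, e.g. ("SYN", "ACK") -> 0x12."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value

def rule_from_columns(mask_checked, set_checked):
    """Turn the editor's two columns into (mask, expected) bytes:
    mask_checked = flags whose 'Mask' box is ticked (flag is examined);
    set_checked  = masked flags ticked 'Set' (expected 1); the others are
    expected 'Cleared' (0)."""
    return flags_from_names(mask_checked), flags_from_names(set_checked)

def rule_matches(packet_flags, mask, expected):
    """Each masked bit must equal its expected value; unmasked bits accept anything."""
    return (packet_flags & mask) == (expected & mask)

def describe_flags(packet_flags):
    """Label the combinations Bovisa asked about (labels are this example's own)."""
    names = [n for n, bit in TCP_FLAGS.items() if packet_flags & bit]
    syn, fin, ack = (packet_flags & TCP_FLAGS[f] for f in ("SYN", "FIN", "ACK"))
    if packet_flags & ALL_FLAGS == 0:
        return "null (no flags)"
    if packet_flags & ALL_FLAGS == ALL_FLAGS:
        return "all flags set"
    if syn and fin:
        return "SYN-FIN"
    if fin and not ack:
        return "FIN without ACK"   # e.g. PSH-URG-FIN
    return "normal: " + "+".join(names)

# As in the EnhancedRulesSet rule: every Mask ticked, nothing ticked as Set.
NO_FLAGS_RULE = rule_from_columns(TCP_FLAGS.keys(), ())
# Bovisa's proposed variant: no Mask ticked and nothing ticked as Set.
UNMASKED_RULE = rule_from_columns((), ())

def demo():
    """Show how each rule treats a flag-less packet and a plain SYN."""
    null_pkt, syn_pkt = 0, flags_from_names(("SYN",))
    return {
        "all_masked_blocks_null": rule_matches(null_pkt, *NO_FLAGS_RULE),
        "all_masked_blocks_syn": rule_matches(syn_pkt, *NO_FLAGS_RULE),
        "unmasked_blocks_null": rule_matches(null_pkt, *UNMASKED_RULE),
        "unmasked_blocks_syn": rule_matches(syn_pkt, *UNMASKED_RULE),
    }
```

`demo()` returns True/False/True/True: only the all-masked rule distinguishes a flag-less packet from a legitimate SYN.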
Bovisa
September 13th, 2008, 01:41 PM
OK, I understand; thanks for the explanation Frederic. However, I find the description 'mask' a bit obscure; why not name it 'examine' or 'analyse'?
Climenole
September 13th, 2008, 08:08 PM
Hi Bovisa :)
Masking is a computer science concept widely used in programming.
Check this:
Wikipedia: Mask (http://en.wikipedia.org/wiki/Mask_(computing))
(But I'm not sure it's less obscure... :-\ )
:)
Bovisa
September 19th, 2008, 01:49 PM
Hey Climenole :D ,
In your extended ruleset, do you also incorporate the default rules?
Like 'Block Land Attack', 'Block WinNuke' and the like?
Ah, I see, in your 'experimental' ruleset: ''[G/Recommended] Looping on @ IP: "Land attack"!''
But where is 'Block WinNuke'?
Climenole
September 19th, 2008, 07:51 PM
Hi Bovisa
WinNuke is blocked by this rule:
{Q. 999}; [TCP] << SYN ! >
All default rules were added or included in this experimental rule set...
:)
Bovisa
October 2nd, 2008, 11:30 AM
So the WinNuke rule blocks access to files that are shared on your PC?
But how to prevent/block this one: reverse DNS/machine name? This mostly includes your ISP name, and also allows someone to get someone's geographic location.
Climenole
October 2nd, 2008, 09:29 PM
Hi Bovisa :)
-{ Quote: "But how to prevent/block this one: reverse DNS/machine name? This mostly includes your ISP name, and also allows someone to get someone's geographic location." }-
I think it's impossible, IMHO. The Internet can't exist without IP addresses, which, I presume, include the possibility of reverse DNS requests...
wikipedia: Reverse DNS lookup (http://en.wikipedia.org/wiki/Reverse_DNS_lookup)
If you absolutely want to hide your IP address, the only way I know is to use an "anonymity" network such as Tor (The Onion Router).
Tor: anonymity online (http://www.torproject.org/index.html.en)
This is quite simple (except if you want to relay traffic or use Tor as a server, which is not really recommended with Windows; that works best on Unix/Linux and similar OSes):
1- Download the latest release of the stable Tor bundle.
This bundle comes with Tor, Privoxy, the Firefox extension "Tor button" and the Vidalia GUI.
2- Create a new profile with Firefox (you may name it "Tor" if you wish)
kb mozillazine: Command line arguments (http://kb.mozillazine.org/Command_line_arguments)
3- Install the Tor bundle.
4- Start Tor and use Firefox with your special profile for Tor
(don't forget to enable the web access of Ff via Tor with the Tor button in the status bar...)
Do not install any other Ff extensions for this Ff profile because some of them generate DNS leaks...
5- Check which IP address is now seen by the sites you're visiting, there for example:
Tor check 1 (http://check.torproject.org/)
Tor check 2 (http://torcheck.xenobite.eu/)
Tor status (http://torstatus.blutmagie.de/)
Last but not least: what do you have to do with LnS in order to run Tor as a client? Few things indeed: authorise Tor, Privoxy and Vidalia in the Applications tab of LnS (or when LnS asks for your authorisation...).
That's all.
One important thing to know is that your communications over the Internet are encrypted (except at the exit node, where you appear to be...).
Read the Tor documentation on their web site for more details.
Hope this helps. Let us know.
:)
Bovisa
October 8th, 2008, 08:32 PM
Thanks for the above message Climenole. Really appreciate your help. :)
I made a rule for uTorrent.
But I was thinking, is there something to be added for more security, like certain addresses that cannot be used by the Net (using ''Outside A:B'').
Maybe certain addresses (e.g. private network or other reserved) shouldn't be tolerated. Although I don't know if it is possible for hackers to use such addresses as an external address?
As far as the rule, is it ok?
Where should I place it? I placed it just above (Block)''All other packets''.
Climenole
October 8th, 2008, 10:17 PM
Hi Bovisa :)
-{ Quote: "
As far as the rule, is it ok?
Where should I place it? I placed it just above (Block)''All other packets''." }-
No: this rule should be split into two rules.
1- One rule for TCP only. Place it above "TCP: Block incoming connexions".
This is a server rule. It allows other members of the network to connect as clients to your PC.
2- One rule for UDP only. Place it after or under "TCP: Block incoming connexions".
The best is to place it at the beginning of the UDP client rules, such as NTP
...
3- And you must create a third rule for the infoHASH of µTorrent:
The infoHASH is used for local peer discovery.
Place it with the other µTorrent UDP rule...
See the screen capture:
Hope this helps. Let us know.
Toutes = All
Tous = All
Égale mon @ = Equals my @
Égale = Equals
Bovisa
October 11th, 2008, 05:12 PM
Hi Climenole, I created the rules, but may I ask why inbound & outbound need to be split? Why is the other rule not possible with ''TCP or UDP'' selected? Is splitting better because of the placement of the rules?
Climenole
October 11th, 2008, 11:57 PM
Hi Bovisa :)
-{ Quote: "Hi Climenole, I created the rules, but may I ask why inbound & outbound need to be split? Why is the other rule not possible with ''TCP or UDP'' selected? Is splitting better because of the placement of the rules?" }-
Both rules are inbound and outbound. The rule in TCP is for the server side of the application. The rule in UDP is for the client side of the application.
For sure you may use a combined rule with TCP and UDP, but for better control of what happens in your system I suggest you split that rule in two.
Try both ways and choose what's better for you.
Remember: a server rule must be placed before the rule blocking the incoming connections.
Have a nice Week-End :)
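To show why Climenole's placement advice matters, here is an added first-match simulation of a short rule list (example code written for this page, not the thread's rule set and not Look 'n' Stop's engine). The rule names follow the thread; the listening port 6881, the packet fields and the rule fields are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "TCP" or "UDP"
    direction: str             # "in" or "out"
    port: int                  # local port on this PC
    new_conn: bool = False     # TCP SYN without ACK: a peer opening a connection

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "block"
    proto: Optional[str] = None         # None matches any protocol
    direction: Optional[str] = None     # None matches both directions
    port: Optional[int] = None          # None matches any local port
    new_conn_only: bool = False         # matches only connection-opening TCP packets

    def matches(self, pkt):
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.direction is None or pkt.direction == self.direction)
                and (self.port is None or pkt.port == self.port)
                and (not self.new_conn_only or pkt.new_conn))

def evaluate(rules, pkt):
    """First-match evaluation: return (rule name, action) of the first rule that fits."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "implicit default", "block"

UTORRENT_PORT = 6881   # assumed listening port for this example
TORRENT_TCP = Rule("uTorrent TCP (server rule)", "allow", "TCP", None, UTORRENT_PORT)
BLOCK_INCOMING = Rule("TCP: Block incoming connexions", "block", "TCP", "in", None, True)
TORRENT_UDP = Rule("uTorrent UDP (client rule)", "allow", "UDP", None, UTORRENT_PORT)
BLOCK_REST = Rule("All other packets", "block")

# Climenole's placement: the TCP server rule sits above the incoming-connection block.
GOOD_ORDER = [TORRENT_TCP, BLOCK_INCOMING, TORRENT_UDP, BLOCK_REST]
# Same rules, but the server rule placed after the block, as Bovisa first did.
BAD_ORDER = [BLOCK_INCOMING, TORRENT_TCP, TORRENT_UDP, BLOCK_REST]

def compare_orders():
    """Evaluate a peer opening a connection and a UDP peer packet under both orders."""
    peer_syn = Packet("TCP", "in", UTORRENT_PORT, new_conn=True)
    peer_udp = Packet("UDP", "in", UTORRENT_PORT)
    return {
        "good_order_tcp": evaluate(GOOD_ORDER, peer_syn),
        "bad_order_tcp": evaluate(BAD_ORDER, peer_syn),
        "good_order_udp": evaluate(GOOD_ORDER, peer_udp),
        "bad_order_udp": evaluate(BAD_ORDER, peer_udp),
    }
```

With the server rule below the block, a peer's SYN to the torrent port never reaches it; the UDP client rule is unaffected by the ordering, which is why only the TCP half has to sit above the block.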
Bovisa
October 13th, 2008, 02:47 PM
Hi Climenole, (thanks for the above).
I got some probs with LnS. I saved my (enhanced) ruleset, then I made some changes which I didn't want to save, so I shut down LnS and chose not to save. Then I restarted and the standard ruleset got loaded; the application filtering tab was empty, so all the apps needed to be added/authorized again.
As you know (see image) I run Vista. Maybe this is a bug.
I was busy modifying my rules and made a little mistake, so I didn't want to save the changes.
(I also made a rule for ''µTorrent Port Checker''; I also had a question about that.)
The window name is now ''Look 'n' Stop #1'', where it normally shows ''Look 'n' Stop''.
Frederic
October 13th, 2008, 03:10 PM
Hi Bovisa,
It seems you have started a second instance of Look 'n' Stop.
This is the only reason for having "Look 'n' Stop #1" in the title.
The settings are saved per instance, that's why everything is reset the first time a second instance is launched.
In the tray icon, you should have one Look 'n' Stop icon per instance.
Now the question is to know how you started the second instance.
Regards,
Frederic
Frederic
October 14th, 2008, 03:27 AM
If you have a #1 in the window title, this process was detected as the second instance.
Maybe the second instance was closed in the meantime and you no longer see it.
Anyway the fact there is a #1 in the title explains why the options are reset.
What happens if you quit this instance and you restart it manually?
Some other questions:
Did you try to change the start option? (sometimes when selecting the service mode, it happens that two instances are started)
Are you running 2.06p3?
Also it could be related to the Fast User Switching feature. Are you using it?
Thanks,
Frederic
Frederic
October 14th, 2008, 12:07 PM
I'm not sure I understand your post properly.
Which version of Look 'n' Stop are you using?
Do you mean the #1 in the title appears only when you manually quit/restart Look 'n' Stop, but it doesn't appear just after the boot, the very first time Look 'n' Stop is started for the Windows session?
When you quit Look 'n' Stop after having modified the ruleset and not having saved it, do you have a dialog box asking you if you want to save it now? And if you have this dialog box, what is your answer (Yes, No, or Cancel)?
Thanks,
Frederic
Bovisa
October 14th, 2008, 01:45 PM
-{ Quote: "I'm not sure I understand your post properly.
Which version of Look 'n' Stop are you using?
Do you mean the #1 in the title appears only when you manually quit/restart Look 'n' Stop, but it doesn't appear just after the boot, the very first time Look 'n' Stop is started for the Windows session?
When you quit Look 'n' Stop after having modified the ruleset and not having saved it, do you have a dialog box asking you if you want to save it now? And if you have this dialog box, what is your answer (Yes, No, or Cancel)?
Thanks,
Frederic" }-
I have version 2.06p3. Yes, not on Windows boot, but when I manually quit and restart. When the save dialog comes up I choose NO.
I'm trying to reproduce it now, but it doesn't happen anymore. But this morning it did happen again (2nd time).
Well, let's leave it at that, but if it happens again I will comment.
Phant0m
October 14th, 2008, 02:44 PM
Hi Bovisa,
Best way to undo unsaved changes is to re-load the ruleset file instead of exiting and re-launching the Look 'n' Stop application.
Are you using Vista 64-bit?
Once in a while I noticed that when I manually exit out of Look 'n' Stop and re-start, it'll show #1 in the titlebar .. I'm assuming something isn't being freed fully.
Frederic
October 15th, 2008, 05:01 AM
Hi,
When quitting Look 'n' Stop, it can take several seconds to close the process properly (especially if there was some traffic and log processing at that time).
If you start Look 'n' Stop again during that time, maybe it is considered as a second instance and the #1 appears (however, normally a second instance opens only when there is "-mult1" on the command line, so this is strange).
Next time you have to do that (stopping/restarting Look 'n' Stop manually), I suggest you look at the list of active processes (with the task manager), and check if looknstop.exe is still active. Then you can make two kinds of tests:
1- start Look 'n' Stop and confirm it starts with the #1
2- wait for looknstop to disappear from the list of active processes before restarting it, and confirm it starts properly
Regards,
Frederic
Bovisa
October 17th, 2008, 11:09 PM
Hi Frederic :),
I bought 2 licenses of Look 'n' Stop for my 2 computers in my home network.
Thank you very much for this fine piece of software. :thumb:
Also thanks for the great support so far.
Of course I'll not hesitate to ask questions if needed.
Regards,
Bovisa :)
Frederic
October 18th, 2008, 05:08 AM
Thanks for your support :)
Frederic
Bovisa
October 19th, 2008, 11:55 PM
Hi Frederic,
I rebooted my computer, and upon startup of Windows, I directly double-clicked the LnS icon (in the system tray). As soon as the Windows user environment was displayed and I was able to click, I clicked (in the meantime Windows was loading all apps). Then I got a BSOD immediately. Did this happen because of LnS?
Maybe I need to send the crash dump file?
Frederic
October 20th, 2008, 04:56 AM
Hi Bovisa,
Normally no, double-clicking the icon is Ok as soon as it is displayed, and it should not cause a system crash.
Yes, you can send the Minidump to lnssupport@soft4ever.com.
Thanks,
Frederic
Frederic
October 21st, 2008, 04:44 AM
Hi,
I've received the Minidump file, and Look 'n' Stop drivers are not involved in the crash. Windbg only refers to "ntkrnlpa.exe".
Regards,
Frederic
Phant0m
October 21st, 2008, 06:27 AM
Likely some errant third-party device driver is at fault, and since it happened when trying to bring up the GUI .. I'll assume the good place to start is with the graphics drivers. Try downloading the newest graphics drivers for your computer, uninstall the previous drivers first and re-boot, .. then install the newest graphics drivers you downloaded.
You should switch temporarily from Mini dumps to Kernel dump in 'Startup and Recovery' - System \ Advanced System Settings, 'Advanced' TAB. Then reproduce the crash and e-mail out the Memory dump file (%SystemRoot%\MEMORY.DMP); it should be possible to track down the problematic driver.
Regards,
Phant0m
Bovisa
October 28th, 2008, 03:35 PM
I installed LnS on my other computer, but at install it mentioned that the LnS driver didn't pass the Windows logo test, which ensures compatibility. Then I could choose to proceed or stop. It runs Windows XP Professional SP2. What I also don't understand is that when installing the Visual C++ Runtime Libraries they're from SP1; why doesn't LnS use SP2 runtime DLLs?
Phant0m
October 28th, 2008, 03:46 PM
Simply because Windows has SP2 doesn't mean SP2 exists for Microsoft Visual C++ 2008, .. do you have a link for Microsoft Visual C++ 2008 SP2?