Wilders Security Forums  

#1 - novirusthanks (Developer), November 22nd, 2011, 07:21 PM
Socket Sentinel Pro: Bi-directional TCP traffic filtering

NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering software application which allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include HTTP header information, POST and GET data and Domain Names, or you can even filter *ANY* data passed over any connection.

NoVirusThanks Socket Sentinel Pro is compatible with the following 32-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7

The setup file (beta version, fully functional) can be downloaded from:
http://www.novirusthanks.org/product...-sentinel-pro/

Key features:

* Bi-directional TCP traffic filtering
* Block domains and URLs
* Block traffic of specific processes
* Close open ports
* Lightweight in memory
* Stealth Mode (hide form and trayicon)
* Very user-friendly GUI
* Web content filter using regular expressions

Screenshots:

http://img205.imageshack.us/img205/5...2011011557.jpg

http://img687.imageshack.us/img687/6...2011011547.jpg

This is a beta version; we have made it available for download to any user. Please report bugs and feature suggestions to us so we can discuss them and add new features to the next versions. When the final version of the program is released, it will become a 15-day trial.
__________________
www.novirusthanks.org
#2 - sg09 (Very Frequent Poster), November 22nd, 2011, 09:17 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

So, it filters malicious IPs? Where does the database come from? URLvoid?
__________________
Windows 7 Professional 64bit: Webroot Secure Anywhere, Zemana AL, KPD, Kingsoft AV
Windows 7 Home Premium 32bit: AVG Internet Security, MCShield

My Blog
#3 - CloneRanger (Massive Poster), November 22nd, 2011, 11:51 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

Hi, sounds like it could be useful. First off, I approve of ALL these options

[Attachment: perm.gif]

How about adding Permanent Block ?

Screenie taken from yours due to below

I installed it on my XP/SP2 comp & see this on launch

[Attachment: ssp.gif]

After that, Nothing, not running in Task Manager etc. I allowed it through ProcessGuard etc., so Any ideas why it won't run?

Also, could this be used to block svchost.exe on an individual basis? If so =

TIA
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#4 - Tarnak (Very Frequent Poster), November 23rd, 2011, 12:17 AM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

I went to the link by OP, but I got the setup for ExeRadar Pro v1.3.4.0_Trial.
#5 - Tarnak (Very Frequent Poster), November 23rd, 2011, 12:20 AM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

Quote:
Originally Posted by Tarnak
I went to the link by OP, but I got the setup for ExeRadar Pro v1.3.4.0_Trial.

Forget about it ....I got the right file now!...
#6 - novirusthanks (Developer), November 23rd, 2011, 09:38 AM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

Released a new version with a few changes:

[23-11-2011] v1.1.0.0

+ Added “IPs” TAB (Blacklist IPs)
+ Added option “Load From File…” to load IPs to blacklist from a file
+ Added option “Load From File…” to load Domains to blacklist from a file
+ Added counter of items on columns of list views
+ Added “Clear All” option in all RMB of list views

Download from:
http://www.novirusthanks.org/product...-sentinel-pro/

@sg09:

Quote:
So, it filters malicious IP? Where from the database comes? URLvoid?

Not exactly. Socket Sentinel Pro (aka SSP) can block traffic by filtering it with RegEx and filters. In the image "http://img205.imageshack.us/img205/570/23112011011557.jpg" SSP blocked a domain with ".info" as TLD, and that TLD was blacklisted by the RegEx rules (see the "\.info$" pattern). We plan to include our own database (updated frequently) with our rules to block drive-by-downloads, exploits, hidden iframes, malicious scripts and other web threats. Moreover, we will include more filters (such as to filter only IRC traffic, etc.).

@CloneRanger:

Quote:
How about adding Permanent Block ?

Yes, we plan to include an option to permanently block the IP address.

Quote:
After that, Nothing, not running in Task Manager etc I allowed it through ProcessGuard etc, so Any ideas why it won't run ?

The splash screen should auto-close after 8 seconds and then the program's window is shown. Can you retry with the new version v1.1?

Quote:
Also, could this be used to block svchost.exe on an individual basis?

Yes, you can blacklist a process and so all its traffic will be blocked.
#7 - CloneRanger (Massive Poster), November 23rd, 2011, 01:49 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

Just tried again with the latest V = Same result ?


Just to be clear about using this to block svchost.exe on an Individual basis?

Quote:
Yes, you can blacklist a process and so all its traffic will be blocked.

Often we have several instances of svchost.exe running at the same time. What I'm aiming to clarify, & hope we can achieve, is blocking ANY instance we desire, Without affecting Anything else, unless we choose to also block other instances as well?

TIA
#8 - novirusthanks (Developer), November 23rd, 2011, 04:50 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@CloneRanger:

Quote:
Just tried again with the latest V = Same result ?

Will see what can cause that, working fine here (splash screen is closed after 8 seconds).

Quote:
Just to be clear about using this to block svchost.exe on an Individual basis?

Actually, if you block C:\WINDOWS\system32\svchost.exe it will block the connections of all running processes, since we use the MD5 hash to check the running process, see image: http://img687.imageshack.us/img687/8...2011223745.jpg

If you want specific processes of the same file blocked on an individual basis we can implement a process id filter in the next versions.
#9 - m00nbl00d (Incredibly Massive Poster), November 23rd, 2011, 08:42 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

Are you going to allow localization? It's something developers always tend to forget...

A few suggestions:

When loading domains or IPs into their respective blacklists, you could "support" any format by extracting simple domain names and FQDNs, and obviously extract IPs from a given file, ignoring the other crap.

I added a hosts file to the domains blacklist and it loaded the full hosts file...

By the way, will the IP blacklist allow IP ranges?

Anyway, for now those are the features I'm thinking of.
#10 - CloneRanger (Massive Poster), November 23rd, 2011, 10:03 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

Quote:
Will see what can cause that,

Thanks

Quote:
working fine here (splash screen is closed after 8 seconds).

The SS also closes after 8 seconds here, but after that Nothing !

Quote:
If you want specific processes of the same file blocked on an individual basis we can implement a process id filter in the next versions.

Yes, that's Exactly what I was hoping for. I know others on here had & have concerns about Apps etc. gaining unauthorised access out via svchost.exe on a number of occasions, even Very recently. So I'm sure they would appreciate that option as well.
#11 - novirusthanks (Developer), November 24th, 2011, 03:18 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@m00nbl00d:

Quote:
When loading domains or IPs into their respective blacklists, you could "support" any format by extracting simple domain names and FQDNs, and obviously extract IPs from a given file, ignoring the other crap.

Added this now

Quote:
By the way, will the IP blacklist allow IP ranges?

Yes, will be added in the next version.

Quote:
The SS also closes after 8 seconds here, but after that Nothing !

Really strange, I will see if I can reproduce the problem.

Quote:
Yes, that's Exactly what I was hoping for. I know others on here had & have concerns about Apps etc. gaining unauthorised access out via svchost.exe on a number of occasions, even Very recently. So I'm sure they would appreciate that option as well.

Sure, that option will be added in the next version

Other options that have already been added:

[XX-11-2011] v1.2.0.0

+ Added proxy support (select custom IP and Port)
+ Added "Settings" -> "Threats" TAB
+ Added "Threats Detection Engine" -> Use our own rules to detect exploits, drive-by-downloads, and other threats
+ Added "Automatically Update Database" for "Threats Detection Engine"
+ Added "Manually Update Database" for "Threats Detection Engine"
+ Show database version for "Threats Detection Engine" database

In development:

* When a website is blocked, redirect to a custom HTML page (locally stored) that says why the website has been blocked
* Include in the alert dialog also "domain:" and "path:", if present
* Export/import settings
* Self defense (protect process from being terminated)
* Remote PHP Notifier (blocked events)
* Password protect viewing of specific websites
* Idle prompt options in alert dialog
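As an added example (not SSP's own code, whose rule format and loader are not shown in this thread), the following Python sketch puts together the two mechanisms discussed above: a RegEx rule such as "\.info$" applied to the remote domain, as the developer describes in post #6, and a "Load From File" routine that pulls only the domains and IPs (including ranges) out of any text, such as a hosts file, ignoring the rest, as requested in post #9 and accepted in post #11. The sample file, the rule set and every name in it are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): hosts-style lines, comments, a bare domain, a range and junk.
SAMPLE_FILE = """# blacklist in hosts-file format (constructed sample)
127.0.0.1   localhost
0.0.0.0     ads.example.com        # comment after the entry
0.0.0.0     tracker.example.net
203.0.113.5
198.51.100.0/24                     # an IP range, as asked about in post #9
malware-drop.example.org            # bare domain with no IP in front of it
not a domain line at all
"""

# Hypothetical rule set standing in for the SSP RegEx rules; "\.info$" is the TLD rule from post #6.
DOMAIN_RULES = [re.compile(r"\.info$", re.I)]
# A domain is one or more labels ending in an alphabetic TLD, so dotted IPs never match.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I)
# IPv4 address with an optional /prefix so ranges survive extraction.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")
# hosts-file sinkhole targets are where entries point, not what is blacklisted.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

def extract_domains(text):
    """Pull every domain name out of arbitrary text, ignoring everything else."""
    found = set()
    for line in text.splitlines():
        for m in DOMAIN_RE.finditer(line.split("#", 1)[0]):
            found.add(m.group(1).lower())
    return sorted(found)

def extract_ips(text):
    """Pull every IPv4 address or CIDR range out of arbitrary text as ip_network objects."""
    nets = []
    for line in text.splitlines():
        for m in IP_RE.finditer(line.split("#", 1)[0]):
            token = m.group(1)
            if token in SINKHOLES:
                continue
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:  # looks like an IP (e.g. 999.1.1.1) but is not one
                continue
    return nets

class Blacklist:
    def __init__(self, text, rules=DOMAIN_RULES):
        self.domains = set(extract_domains(text))
        self.nets = extract_ips(text)
        self.rules = rules

    def check(self, remote_ip, host=None):
        """Return (blocked, reason) for a connection; host is the domain when known."""
        addr = ipaddress.ip_address(remote_ip)
        for net in self.nets:
            if addr in net:
                return True, "ip %s in blacklisted range %s" % (remote_ip, net)
        if host:
            h = host.lower().rstrip(".")
            if h in self.domains:
                return True, "domain %s is blacklisted" % h
            for rule in self.rules:
                if rule.search(h):
                    return True, "domain %s matches rule %s" % (h, rule.pattern)
        return False, "allowed"
```

Note that the sinkhole addresses 127.0.0.1 and 0.0.0.0 are deliberately dropped: loading a hosts file verbatim would otherwise blacklist the loopback address along with the domains it redirects.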
#12 - CloneRanger (Massive Poster), November 24th, 2011, 03:25 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

Quote:
Really strange, I will see if I can reproduce the problem.



Quote:
Sure, that option will be added in the next version



Some nice new extra options

Do you ever sleep ?
#13 - CloneRanger (Massive Poster), November 24th, 2011, 03:39 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

Just tried again with the new V = Same.

However, this time I noticed ScriptDefender running in Task Manager, but it didn't visibly launch & alert me as usual?

Does SSP rely on ANY of these to Run/Work ?

.VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

And/or

wscript.exe - cscript.exe
#14 - novirusthanks (Developer), November 24th, 2011, 03:55 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@CloneRanger:

Quote:
However, this time I noticed ScriptDefender running in Task Manager, but it didn't visibly launch & alert me as usual?

The process name of SSP is "SCKTSentinel.exe"

Quote:
Does SSP rely on ANY of these to Run/Work ?

.VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

And/or

wscript.exe - cscript.exe

No, it doesn't rely on that to run. Make sure it is not blacklisted/detected by other programs. I tried it again in two VMs and it works correctly; very strange, trying to reproduce the problem.
#15 - CloneRanger (Massive Poster), November 24th, 2011, 07:17 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

Quote:
The process name of SSP is "SCKTSentinel.exe"

Hi, yes I realise that, it just saved my fingers

Quote:
No, it doesn't rely on that to run,



Quote:
make sure it is not blacklisted/detected by other programs,

It isn't, that's the 1st thing i checked.

Quote:
I tried it again in two VMs and it works correctly, very strange, trying to reproduce the problem

Thanks
#16 - sg09 (Very Frequent Poster), November 25th, 2011, 03:31 AM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@NVT: Thanks for replying...

Quote:
Originally Posted by CloneRanger
Do you ever sleep ?
I doubt the same...
#17 - CloneRanger (Massive Poster), November 28th, 2011, 07:15 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

I think you've had enough sleep now. What's the latest?

TIA
#18 - Tarnak (Very Frequent Poster), November 28th, 2011, 07:29 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

I have this installed in one of my snapshots.

So far, I have left it at its default settings. I am not sure what else to do with it. When I check the tray icon, it says protection enabled.
#19 - novirusthanks (Developer), November 29th, 2011, 03:25 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

A new version will be released in a few hours:

[24-11-2011] v1.2.0.0

+ Added proxy support (select custom IP and Port)
+ Added "Settings" -> "Threats" TAB
+ Added "Threats Detection Engine" -> Use our own rules to detect exploits, drive-by-downloads, and other threats
+ Added "Automatically Update Database" for "Threats Detection Engine"
+ Added "Manually Update Database" for "Threats Detection Engine"
+ Show database version for "Threats Detection Engine" database
+ Extract real IP addresses in "IPs" -> "Load From File..."
+ Block Blackhole Exploit Kit payloads
+ Optimized filtering options
#20 - atomomega (Very Frequent Poster), November 29th, 2011, 04:24 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

Please correct me if I'm wrong. Will this work as a broad-spectrum web filter? Like... multibrowser support?
#21 - Tarnak (Very Frequent Poster), November 29th, 2011, 05:58 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

I have tried to install over-the-top, and uninstall, then reinstall.

However, I just get this error...

[Attachment: ScreenShot_NVT_SSPv1.1_install_error_01.jpg]
#22 - novirusthanks (Developer), November 29th, 2011, 06:28 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@Tarnak:

Click on "Ignore".

@atomomega:

Quote:
Please correct me if I'm wrong. Will this work as a broad-spectrum web filter? Like... multibrowser support?

Socket Sentinel does not only support specific applications, it operates at the winsock level so any application that uses Winsock and negotiates TCP data in/outbound can be filtered. So basically Socket Sentinel is not browser dependent, it's a generic framework allowing for all winsock TCP data to be filtered.

Released a video:
NoVirusThanks Socket Sentinel Pro: Testing Threats Detection Engine v1.0
-http://www.youtube.com/watch?v=Pru7TA9Ia5I-

Last edited by novirusthanks : November 29th, 2011 at 06:52 PM.
#23 - CloneRanger (Massive Poster), November 29th, 2011, 09:50 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@ novirusthanks

Hi, I'm sorry to report that I'm still experiencing the Exact same issues with v1.2 as before. Have you been able to establish Any reasons why this should be?

TIA
#24 - SweX (Massive Poster), November 29th, 2011, 11:29 PM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@novirusthanks.

I'm just wondering about the IP Blocker (shown in your video) if we can call it that.

Do the updates come from URLVoid.com or IPVoid.com? Or both?
If yes. Then do you use data from ALL the services that you check against on the sites above?

Thanks
__________________
OpenDNS ESET Smart Security
-A Heavy product is not the same as a Bloated product and vice versa-
#25 - novirusthanks (Developer), November 30th, 2011, 06:44 AM
Re: Socket Sentinel Pro: Bi-directional TCP traffic filtering

@CloneRanger:

Quote:
Hi, I'm sorry to report that I'm still experiencing the Exact same issues with v1.2 as before. Have you been able to establish Any reasons why this should be?

It looks very strange, it works fine in all my VMs. I will send you a PM in a few hours to ask you for a few details about your installed applications.

@SweX:

Quote:
I'm just wondering about the IP Blocker (shown in your video) if we can call it that.

That in the video is not an IP Blocker but the "Threats Detection Engine": we use our own signatures to detect 0-day exploits, blackhole exploit kit payloads and other threats. So we do not rely on any IP blacklist but only on our custom signatures.

Quote:
Do the updates come from URLVoid.com or IPVoid.com? Or both?
If yes. Then do you use data from ALL the services that you check against on the sites above?

As said before, we do not rely on any IP blacklist service for now.

The popup window receives as a parameter only the IP address of the blocked remote connection; in the next version it will also show the domain (if present), URL path (if present) and remote port.

Here is an example of "Events" TAB that shows logs of blocked events (all exploit kits):

http://img850.imageshack.us/img850/7...2011124657.jpg

As you can see, all threats are detected by "Threats Engine".
 

Copyright ©2002 - 2013, Wilders Security Forums