Sniffers

Hi,

I have NOD32 and I like it a lot. Anybody knows of a good firewall + sniffer I can use to protect me even better against attacks?

Thanks

 

I dunno what U mean by "sniffer", but as for an efficient firewall, here's my take on the situation:

I'll only mention the downloadable firewalls, which are also cheaper. Norton, McAfee, BlackIce & others may be just as efficient, but are somewhat more expen$ive -besides, I know little about them, although I do know that Norton products are supposed to hog a lot of RAM and CPU resources, and leave loads of registry traces even after uninstalling...

All recent top-of-the-line firewalls (ZA, Outpost, LnS, Sygate, Kerio, TPF) have equivalent - and efficient - inbound protection (ie stealth shielding, ...).

So what makes a difference is
1) The extra features included in the firewall (cookie killers, popup & script blockers, etc..
2) Its outbound protection, or leak protection, which blocks trojan activity).

ZA (Zonealarm) Pro 4.xx and Agnitum Outpost are the 2 firewalls with the most features: anti-cookie, anti-popup, script-blocking. In fact, Outpost has a slight edge in this matter as it can also block flash popups. It also has, together with Sygate, a much more detailed & configurable firewall log.

Up to now, LnS (Look'n'Stop), Outpost and ZA were pretty much on a par concerning leak protection: all 3 can guard against application hijacking, application/component modification (using MD5 authentificationand component control) and DLL-injection. But the latest version of Zonealarm 4 Pro (version 4.5.530) seems to have "open protection protection" which prevents direct EXE injection (most sophisticated technique used by trojans), making it impervious to leak tests such as Thermite & Copycat, and to the recent Beast trojan, giving it a definite headstart over its competitors when it comes to outbound protection. ZA also blocks the 2nd Wallbreaker leak test, which Outpost can't (I don't know about LnS, but it probably passes the test). To this day, no firewall can block the 1st Wallbreaker test (calling Explorer and making it call Internet Explorer, ie. multiple level application hijacking)

On the other hand, ZA (and Outpost, btw) is known to have a bug that causes it to swell in RAM over time, and although in v4.5.530 the problem is supposed to have been lessened, it still persists. Kerio, TPF and LnS on the other hand use relatively few resources.

Oh, and Sygate has an extra 'OS and Browser masquerading' feature which allows you to hide your browser and OS version from MOST (but not all) sites, which can be usefull if U don't want anyone to know you're using Microsh*t Windows... . On the other hand, no firewall can hide your IP address, in fact no power in the universe can allow a machine to hide its IP all by itself , and yet the IP is also the most vital info. Knowing a system's IP is like knowing 99% of that system, so the OS and browser used are but mere details in comparison...

Ergonomy (user-friendliness) might also be an important factor. Outpost, Kerio and ZA are better in this regard. Be careful about Outpost & ZA though - they need to be reconfigured, as their default "out-of-the-box" settings are insufficient, esp. when it comes to leak protection.

So there U go, that's my take on the situation. Each product has its own strong & weak points. I personally favour outbound protection, since trojans are a threat not to be taken lightly. Even so, no firewall can detect a trojan itself, be it by its signature or using heuristics. Some AVs (Antiviruses) can also detect known trojans through their signatures, but none of them comprise "trojan-heuristics". So whatever antivirus & firewall U have, a good AT (Anti-Trojan) capable of detecting unknown/modified trojans is also recommended. There are 2 such ATs I know of: TDS and TH (Trojan Hunter). There may be others...

 

I'll try to explain a "sniffer".
It's a software which tracks down intrusion on our computer and log informations about the intruder.

But sometimes I wonder if I really need such a software. Behind my routeur I am stealth. I have tried with grc, and it detects no port, as if my computer does not exist. Not even a closed port, but no port at all. Kinda strange, as I have a port opened for a p2p application...

About trojans, so perhaps I don't really need a firewall with my routeur, but perhaps just a trojan hunter

 

@Morgott

What you said about outbound protection is partially true only.

Read my other post titled "ZA 4.5 against copycat leaktest", all is said on it

 

O, but I already read it, hehe

The point is, open process protection is a necessary layer in the defense against trojans that hijack other apps by directly inject themselves in these (open) apps instead of just calling them. Now upon running Copycat, which (unlike Thermite) allows U to choose the target process, there are 2 possibilities:

1) The target app is NOT allowed access to internet. Take notepad, for example. In that case, firewall will intervene both on open-process protection AND app-filtering levels: first, it will ask U if you wish Copycat to access Notepad.
If you answer 'No', then the test stops there.
But if you answer 'Yes', then notepad will be "patched in memory" and thus turned into an app which can now access the Net. But then firewall will step in again, ASKING YOU IF YOU WISH TO LET NOTEPAD ACCESS INTERNET, to which you can still answer 'No'. This is an example of "double-shielding" at work (sorry for the expression, couldn't help it I'm a Trekkie ): first open-process protection, then application filtering. So in this case, the test is passed.

2) Now there's the controversial & most interesting part - the target app IS allowed internet access, take Iexplore for example. Again, ZA will step in to complain about copycat trying to access the browser. Once again, answering 'No' closes the case.
But if the user answers 'Yes', then indeed Copycat will access the Net (or rather, the modified "Iexplore/Copycat hybrid" will). BUT ISN'T THAT NORMAL? After all, as I said the browser IS allowed internet access! The fact that it was modified in memory is a process protection issue only, and has nothing to do with 'application filtering' since the user chose to give the browser application Net access, and also explicitly allowed Copycat to modify the open browser process!!
So seen in this light, the firewall again passes the test..

Sure, as U said in the other thread, some trusted applications can be required to (and must be allowed to) use other internet-accessing apps to connect to the Net. But then again, there is a difference between a program calling another app such as Iexplore and making it access the Net, and a program that injects itself directly into another app, ie. Iexplore, and thus modifies it, rather than simply call iexplore. Take explorer.exe, 4 example: it must be granted the right to use (call) other programs to access the Net (otherwise apps such as P2P, ... won't be able to connect to the Net). BUT WHAT KIND OF TRUSTED PROGRAM WOULD HAVE THE NEED TO INJECT ITSELF INTO ANOTHER?
A program that tries to patch another trusted program instead of just calling it can only be a trojan, and thus denotes malicious intent (someone correct me if I'm wrong ).

BUT even then: suppose a program does require such "open process" privileges, in addition to having the right to use other apps to access the net. Suppose this prog is called 'Good.exe'. Now good.exe can call, for example, Iexplore, AS WELL AS patch it by injecting itself into it. OK. So? No problem! Recent firewalls (not only ZA) all have application & component control using MD5 signature authentification. Thus if the 'Good.exe' file is modified, then the firewall will pop in to advise the user that a MODIFED version of Good.exe is either trying to use Iexplore to access the Net, or trying to inject itself into Iexplore, depending on the context. In both cases, the system remains protected, and the shields hold (oops I did it again ).

So there U go comrade, that's my take on the situation. Application filtering (by its very definition) and application/component authentification are NOT enough to avert threats such as self-injecting hijacking. Open process protection is the necessary "third layer" to complete the protection, and ZA seems to have taken the first step. Other firewalls such as LnS and Outpost will have no choice but to implement it if they are to protect against these techniques.

Nevertheless, I must admit that your thread got me thinking 4 some time...

BTW, I checked about a leak test being possibly blacklisted by ZA (a dirty trick that the makers of BlackIce have already carried out in the past, cf. the grc.com 'Shields Up' site - shame on 'em!). So I renamed Copycat.exe, changed it modification date and even altered its content by changing some text within using a hex editor, thus changing its MD5 signature. ZA still passed the test...

Besides, I've so far tried about 5 different firewalls. Though ZA may be my favorite for the moment because of its new features, CPU load still is an important criterion that Zonelabs (and others) doesn't seem to have really dealt with up 2 now.
Zonealarm wallops a load of RAM over time, who knows why (from 7 Mb at startup, 'vsmon' bloats up to over 30Mb).
LnS seems to have the edge in that matter - it uses few resources, from what I've read. On the other hand, Both LnS and Outpost fail some AWFT tests, unless Explorer is given certain restrictions... LnS is also difficult to configure and sometimes leaves port 135 open by default!!!

Man, why does every software have to have its flaws? Can't someone just design a firewall that comprises the benefits of all the other firewalls WITHOUT their drawbacks

 

@Morgott

EDIT : i allowed me to copy past your post into the other topic (i hope you agree, unless let me know)

http://www.wilderssecurity.com/showthread.php?t=16981&start=15

and i answer there to.
Indeed i have the purpose to link this thread on my next results page on my website.

 

@LowWaterMark

it's exactly my point of view too, an IDS is principaly usefull when you are running server/services open to the internet.
Besides that, for a home user without running opened services, an IDS can still be interesting just by _curiosity_ to see what hint our router/firewall

 

thx

it's indeed a very interesting and big subject, all great stuff will be together in the other thread

 

But then... as one port is opened for my p2p app, why grc does not find any port, even this one is displayed as "stealth".

Is it because my routeur does not answer to grc probe system?