Socket Sentinel Pro: Bi-directional TCP traffic filtering

Discussion in 'other anti-malware software' started by novirusthanks, Nov 22, 2011.

Thread Status:
Not open for further replies.
  1. novirusthanks

    novirusthanks Developer

    NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering software application which allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include: HTTP header information, POST and GET data, Domain Names or even filter for *ANY* data passed over any connection.

    NoVirusThanks Socket Sentinel Pro is compatible with the following 32-bit Microsoft Windows operating systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

    The setup file (beta version, fully functional) can be downloaded from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/

    Key features:

    * Bi-directional TCP traffic filtering
    * Block domains and URLs
    * Block traffic of specific processes
    * Close open ports
    * Lightweight in memory
    * Stealth Mode (hide form and trayicon)
    * Very user-friendly GUI
    * Web content filter using regular expressions

    Screenshots:

    http://img205.imageshack.us/img205/570/23112011011557.jpg

    http://img687.imageshack.us/img687/6559/23112011011547.jpg

    This is a beta version; we have made it available for download to any user. Please report bugs and feature suggestions to us so we can discuss them and add new features to the next versions. When the final version of the program is released, it will become a 15-day trial.
  2. sg09

    sg09 Registered Member

    So, it filters malicious IPs? Where does the database come from? URLvoid?
  3. CloneRanger

    CloneRanger Registered Member

    @ novirusthanks

    Hi, sounds like it could be useful :) First off, I approve of ALL these options :thumb:

    [attached image: perm.gif]

    How about adding a Permanent Block?

    Screenie taken from yours due to below ;)

    I installed it on my XP/SP2 comp & see this on launch:

    [attached image: ssp.gif]

    After that, nothing: not running in Task Manager etc. :( I allowed it through ProcessGuard etc., so any ideas why it won't run?

    Also, could this be used to block svchost.exe on an individual basis? If so = :thumb:

    TIA
  4. Tarnak

    Tarnak Registered Member

    I went to the link given by the OP, but I got the setup for ExeRadar Pro v1.3.4.0_Trial. o_O
  5. Tarnak

    Tarnak Registered Member

    Forget about it... I got the right file now! ;)
  6. novirusthanks

    novirusthanks Developer

    Released a new version with a few changes:

    [23-11-2011] v1.1.0.0

    + Added “IPs” TAB (Blacklist IPs)
    + Added option “Load From File…” to load IPs to blacklist from a file
    + Added option “Load From File…” to load Domains to blacklist from a file
    + Added counter of items on columns of list views
    + Added “Clear All” option in all RMB of list views

    Download from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/

    @sg09:

    Not exactly. Socket Sentinel Pro (aka SSP) can block traffic by filtering it with RegEx and filters. In the image "http://img205.imageshack.us/img205/570/23112011011557.jpg" SSP blocked a domain with ".info" as TLD, and that TLD was blacklisted by the RegEx rules (see the "\.info$" pattern). We plan to include our own database (updated frequently) with our rules to block drive-by-downloads, exploits, hidden iframes, malicious scripts and other web threats. We will also include more filters (such as a filter for IRC traffic only, etc.).

    @CloneRanger:

    Yes, we plan to include an option to permanently block the IP address.

    The splash screen should auto-close after 8 seconds, and then the program's window is shown. Can you retry with the new version v1.1?

    Yes, you can blacklist a process, and then all its traffic will be blocked.
  7. CloneRanger

    CloneRanger Registered Member

    @ novirusthanks

    Just tried again with the latest V = same result? :(

    Just to be clear about using this to block svchost.exe on an individual basis?

    Often we have several instances of svchost.exe running at the same time. What I'm aiming to clarify, & hope we can achieve :thumb:, is blocking ANY instance we desire, without affecting anything else, unless we choose to also block other instances as well?

    TIA
  8. novirusthanks

    novirusthanks Developer

    @CloneRanger:

    Will see what can cause that; it's working fine here (the splash screen is closed after 8 seconds).

    Actually, if you block C:\WINDOWS\system32\svchost.exe it will block connections of all running processes, since we use the MD5 hash to check for the running process, see image: http://img687.imageshack.us/img687/8764/23112011223745.jpg

    If you want specific processes of the same file blocked on an individual basis, we can implement a process ID filter in the next versions.
  9. m00nbl00d

    m00nbl00d Registered Member

    Are you going to allow localization? It's something developers always tend to forget... :D

    A few suggestions:

    When loading domains or IPs to their respective blacklists, you could "support" any format by extracting simple domain names and FQDNs; and, obviously, extract IPs from a given file, ignoring the other crap.

    I added a hosts file to the domains blacklist and it loaded the full hosts file... :D

    By the way, will the IP blacklist allow IP ranges?

    Anyway, for now those are the features I'm thinking of.
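As an added example (not code from the thread or from the SSP product), the two ideas discussed above in one place: the "load from any file" extraction m00nbl00d suggests, which pulls domains and real IPs out of a hosts-style file while ignoring comments and loopback lines, and the RegEx blacklist rule the developer describes (the "\.info$" TLD pattern). The sample file and the "^tracker\." rule are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample block list in hosts-file style: comments, loopback lines,
# a bare IP, a bogus IP and junk text. Not a real blocklist.
SAMPLE_FILE = """\
# hosts-style block list (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.info
0.0.0.0 tracker.example.net  # trailing comment
198.51.100.23
256.300.1.1 bogus-entry
bad-host.example.org
not a host entry
"""

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Every hosts file maps names to loopback/unspecified addresses;
# those must never end up on the IP blacklist.
SKIP_IPS = {"127.0.0.1", "0.0.0.0"}


def extract_entries(text):
    """Return (domains, ips) found anywhere in text, in file order and
    de-duplicated, dropping comments, hosts boilerplate and invalid IPs."""
    domains, ips = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(ip)     # rejects octets above 255
            except ValueError:
                continue
            if ip not in SKIP_IPS and ip not in ips:
                ips.append(ip)
        for dom in DOMAIN_RE.findall(line):
            dom = dom.lower()
            if dom not in domains:
                domains.append(dom)
    return domains, ips


# Two SSP-style RegEx rules: the "\.info$" TLD rule from the thread plus a
# constructed prefix rule.
BLACKLIST_PATTERNS = [re.compile(p, re.I) for p in (r"\.info$", r"^tracker\.")]


def is_blocked(domain, patterns=BLACKLIST_PATTERNS):
    """True if any blacklist RegEx matches the domain."""
    return any(p.search(domain) for p in patterns)
```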
  10. CloneRanger

    CloneRanger Registered Member

    Thanks :thumb:

    The SS also closes after 8 seconds here, but after that nothing!

    Yes, that's exactly what I was hoping for :) I know others on here had & have concerns about apps etc. gaining unauthorised access out via svchost.exe on a number of occasions, even very recently :eek: So I'm sure they would appreciate that option as well ;)
  11. novirusthanks

    novirusthanks Developer

    @m00nbl00d:

    Added this now :)

    Yes, will be added in the next version.

    Really strange, I will see if I can reproduce the problem.

    Sure, that option will be added in the next version ;)

    Other options that have already been added:

    [XX-11-2011] v1.2.0.0

    + Added proxy support (select custom IP and Port)
    + Added "Settings" -> "Threats" TAB
    + Added "Threats Detection Engine" -> Use our own rules to detect exploits, drive-by-downloads, and other threats
    + Added "Automatically Update Database" for "Threats Detection Engine"
    + Added "Manually Update Database" for "Threats Detection Engine"
    + Show database version for "Threats Detection Engine" database

    In development:

    * When a website is blocked, redirect to a custom HTML page (locally stored) that says why the website has been blocked
    * Include in the alert dialog also "domain:" and "path:", if present
    * Export/import settings
    * Self defense (protect process from being terminated)
    * Remote PHP Notifier (blocked events)
    * Password protect viewing of specific websites
    * Idle prompt options in alert dialog
  12. CloneRanger

    CloneRanger Registered Member

    @ novirusthanks

    :thumb: :)

    :thumb: :thumb: :thumb:

    Some nice new extra options :)

    Do you ever sleep ? :D
  13. CloneRanger

    CloneRanger Registered Member

    Just tried again with the new V = same.

    However, this time I noticed ScriptDefender running in Task Manager, but it didn't visibly launch & alert me as usual?

    Does SSP rely on ANY of these to run/work?

    .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

    And/or

    wscript.exe - cscript.exe
  14. novirusthanks

    novirusthanks Developer

    @CloneRanger:

    The process name of SSP is "SCKTSentinel.exe".

    No, it doesn't rely on that to run. Make sure it is not blacklisted/detected by other programs. I tried it again in two VMs and it works correctly; very strange, trying to reproduce the problem.
  15. CloneRanger

    CloneRanger Registered Member

    @ novirusthanks

    Hi, yes I realise that, it just saved my fingers ;)

    :thumb:

    It isn't, that's the 1st thing I checked.

    Thanks :)
  16. sg09

    sg09 Registered Member

    @NVT: Thanks for replying...:)

    I doubt the same...;)
  17. CloneRanger

    CloneRanger Registered Member

    @ novirusthanks

    I think you've had enough sleep now ;) What's the latest?

    TIA
  18. Tarnak

    Tarnak Registered Member

    I have this installed in one of my snapshots.

    So far, I have left it at its default settings. I am not sure what else to do with it. When I check the tray icon, it says protection enabled. ;)
  19. novirusthanks

    novirusthanks Developer

    A new version will be released in a few hours:

    [24-11-2011] v1.2.0.0

    + Added proxy support (select custom IP and Port)
    + Added "Settings" -> "Threats" TAB
    + Added "Threats Detection Engine" -> Use our own rules to detect exploits, drive-by-downloads, and other threats
    + Added "Automatically Update Database" for "Threats Detection Engine"
    + Added "Manually Update Database" for "Threats Detection Engine"
    + Show database version for "Threats Detection Engine" database
    + Extract real IP addresses in "IPs" -> "Load From File..."
    + Block Blackhole Exploit Kit payloads
    + Optimized filtering options
  20. atomomega

    atomomega Registered Member

    Please correct me if I'm wrong. Will this work as a broad-spectrum web filter? Like... multibrowser support?
  21. Tarnak

    Tarnak Registered Member

    I have tried to install over the top, and uninstall, then reinstall.

    However, I just get this error...

    [attached image: ScreenShot_NVT_SSPv1.1_install_error_01.jpg]
  22. novirusthanks

    novirusthanks Developer

    @Tarnak:

    Click on "Ignore".

    @atomomega:

    Socket Sentinel does not only support specific applications; it operates at the Winsock level, so any application that uses Winsock and negotiates TCP data inbound/outbound can be filtered. So basically Socket Sentinel is not browser dependent; it's a generic framework allowing all Winsock TCP data to be filtered.

    Released a video:
    NoVirusThanks Socket Sentinel Pro: Testing Threats Detection Engine v1.0
    http://www.youtube.com/watch?v=Pru7TA9Ia5I
    Last edited: Nov 29, 2011
  23. CloneRanger

    CloneRanger Registered Member

    @ novirusthanks

    Hi, I'm sorry to report that I'm still experiencing the exact same issues with v1.2 as before. Have you been able to establish any reasons why this should be?

    TIA
  24. SweX

    SweX Registered Member

    @novirusthanks.

    I'm just wondering about the IP Blocker (shown in your video) if we can call it that. ;)

    Do the updates come from URLVoid.com or IPVoid.com? Or both?
    If yes, then do you use data from ALL the services that you check against on the sites above?

    Thanks :)
  25. novirusthanks

    novirusthanks Developer

    @CloneRanger:

    It looks very strange; it works fine in all my VMs. I should send you a PM in a few hours to ask you a few details about your installed applications.

    @SweX:

    That in the video is not an IP Blocker but the "Threats Detection Engine": we use our own signatures to detect 0-day exploits, Blackhole exploit kit payloads and other threats. So we do not rely on any IP blacklist but only on our custom signatures.

    As said before, we do not rely on any IP blacklist service for now :)

    The popup window receives as a parameter only the IP address of the blocked remote connection; in the next version it will also show the domain (if present), URL path (if present) and remote port.

    Here is an example of the "Events" TAB, which shows logs of blocked events (all exploit kits):

    http://img850.imageshack.us/img850/7458/30112011124657.jpg

    As you can see, all threats are detected by "Threats Engine".