Socket Sentinel Pro: Bi-directional TCP traffic filtering

Discussion in 'other anti-malware software' started by novirusthanks, Nov 22, 2011.

Thread Status:
Not open for further replies.
  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering software application which allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include: HTTP header information, POST and GET data, Domain Names or even filter for *ANY* data passed over any connection.

    NoVirusThanks Socket Sentinel Pro is compatible with the following 32-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7

    Setup file (beta version fully functional) can be downloaded from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/

    Key features:

    * Bi-directional TCP traffic filtering
    * Block domains and URLs
    * Block traffic of specific processes
    * Close open ports
    * Lightweight in memory
    * Stealth Mode (hide form and trayicon)
    * Very user-friendly GUI
    * Web content filter using regular expressions

    Screenshots:

    http://img205.imageshack.us/img205/570/23112011011557.jpg

    http://img687.imageshack.us/img687/6559/23112011011547.jpg

    This is a beta version; we have made it available for download to any user. Please report bugs and feature suggestions to us so we can discuss and add new features to the next versions. When the final version of the program is released, it will become a 15-day trial.
     
  2. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    So, it filters malicious IPs? Where does the database come from? URLvoid?
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ novirusthanks

    Hi, sounds like it could be useful :) First off i approve of ALL these options :thumb:

    perm.gif

    How about adding Permanent Block ?

    Screenie taken from yours due to below ;)

    I installed it on my XP/SP2 comp & see this on launch

    ssp.gif

    After that, Nothing, not running in Task Manager etc :( I allowed it through ProcessGuard etc, so Any ideas why it won't run ?

    Also, could this be used to block svchost.exe on an individual basis ? If so = :thumb:

    TIA
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,274
    I went to the link posted by the OP, but I got the setup for ExeRadar Pro v1.3.4.0_Trial. o_O
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,274
    Forget about it ....I got the right file now!... ;)
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    Released a new version with a few changes:

    [23-11-2011] v1.1.0.0

    + Added “IPs” TAB (Blacklist IPs)
    + Added option “Load From File…” to load IPs to blacklist from a file
    + Added option “Load From File…” to load Domains to blacklist from a file
    + Added counter of items on columns of list views
    + Added “Clear All” option in all RMB of list views

    Download from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/

    @sg09:

    Not exactly, Socket Sentinel Pro (aka SSP) can block traffic by filtering it with RegEx and filters. In the image "http://img205.imageshack.us/img205/570/23112011011557.jpg" SSP blocked a domain with ".info" as TLD, and that TLD was blacklisted by the RegEx rules (see the "\.info$" pattern). We plan to include our own database (updated frequently) with our rules to block drive-by-downloads, exploits, hidden iframes, malicious scripts and other web threats. We will also include more filters (such as to filter only IRC traffic, etc).

    @CloneRanger:

    Yes, we plan to include option to permanent block the IP address.

    The splash screen should auto-close after 8 seconds and then the program's window is shown. Can you retry with the new version v1.1 ?

    Yes, you can blacklist a process and so all its traffic will be blocked.
     
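The post above describes the filtering model: a rule is a regular expression applied to a chosen part of the traffic (domain, GET/POST data, or any data on the connection), and a match blocks the connection. The following Python example is added here to illustrate that model on constructed HTTP and IRC payloads; it is not code from Socket Sentinel Pro, and the rule names, the `Rule`/`evaluate` helpers and all sample requests are assumptions made for the demonstration. Only the `\.info$` domain pattern comes from the thread. It also shows why scoping a rule to the right field matters: the same `\.info` pattern applied to the whole request would also match a harmless file name in the URL path.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample traffic (not captured from the product); each entry is one
# outbound payload as it would appear on the socket.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /landing.php HTTP/1.1\r\nHost: malicious.example.info\r\n\r\n",
    b"GET /release.info.txt HTTP/1.1\r\nHost: docs.example.org\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: portal.example.net\r\n"
    b"Content-Length: 27\r\n\r\nuser=alice&password=hunter2",
    b"NICK ircbot\r\nUSER ircbot 0 * :ircbot\r\n",  # not HTTP at all
]


@dataclass(frozen=True)
class Rule:
    """One filter: a regex applied to a single subject of the connection."""
    name: str
    target: str  # "domain", "path", "post" or "any" (hypothetical preset names)
    pattern: str
    flags: int = re.IGNORECASE


# Constructed rule set; only "\.info$" is taken from the thread.
RULES = [
    Rule("blacklisted TLD .info", "domain", r"\.info$"),
    Rule("credential sent in clear-text POST body", "post", r"(^|&)password="),
    Rule("IRC registration on any port", "any", r"^NICK\s+\S+\r\n"),
]


def parse_http_request(raw: bytes) -> Optional[dict]:
    """Split an HTTP request into method, path, host and body; None if not HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, path, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # request line does not have three parts: not HTTP
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()  # drop ":port"
    return {"method": method, "path": path, "host": host,
            "headers": headers, "body": body.decode("latin-1")}


def evaluate(raw: bytes, rules) -> tuple:
    """Return ("BLOCK", rule name) on the first matching rule, else ("ALLOW", None)."""
    text = raw.decode("latin-1")
    req = parse_http_request(raw)
    if req is None:
        # Non-HTTP data: only rules that look at *any* payload apply.
        subjects = {"any": text}
    else:
        subjects = {
            "domain": req["host"],
            "path": req["path"],
            "post": req["body"] if req["method"] == "POST" else "",
            "any": text,
        }
    for rule in rules:
        subject = subjects.get(rule.target)
        if subject is not None and re.search(rule.pattern, subject, rule.flags):
            return ("BLOCK", rule.name)
    return ("ALLOW", None)


def run_all(rules=RULES):
    """Evaluate every constructed sample and return the list of verdicts."""
    return [evaluate(raw, rules) for raw in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_REQUESTS, run_all()):
        print(raw.split(b"\r\n", 1)[0].decode("latin-1"), "->", verdict)
```

Running the block blocks the `.info` host, the clear-text password POST and the IRC handshake, and allows the request whose only ".info" string sits in the path. Replacing the domain rule with `Rule("naive", "any", r"\.info")` makes that third request a false positive, which is the practical reason for keeping a domain preset separate from an "any data" preset.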
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ novirusthanks

    Just tried again with the latest V = Same result ? :(

    8

    Just to be clear about using this to block svchost.exe on an Individual basis ?

    Often we have several instances of svchost.exe running at the same time. What i'm aiming to clarify, & hope we can achieve :thumb: is blocking ANY instance we desire, Without affecting Anything else, unless we choose to also block other instances as well ?

    TIA
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @CloneRanger:

    Will see what can cause that, working fine here (splash screen is closed after 8 seconds).

    Actually, if you block C:\WINDOWS\system32\svchost.exe it will block the connections of all running processes, since we use the MD5 hash to check for the running process, see image: http://img687.imageshack.us/img687/8764/23112011223745.jpg

    If you want specific processes of the same file blocked on an individual basis we can implement a process id filter in the next versions.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you going to allow localization? It's something developers always tend to forget... :D

    A few suggestions:

    When loading domains or IPs to their respective blacklists, you could "support" any format by extracting simple domain names and FQDNs; and, obviously to extract IPs from a given file, ignoring the other crap.

    I added a hosts file to the domains blacklist and it loaded the full hosts file... :D

    By the way, will the IP blacklist allow IP ranges?

    Anyway, for now those are the features I'm thinking of.
     
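The suggestion above is to accept any file format when loading a blacklist and simply pull out the domain names and IP addresses, ignoring the rest (a later changelog entry in this thread, "Extract real IP addresses", goes the same way), and to accept IP ranges. The Python example below is added to show one way such an extractor can work; it is not the product's code. The sample hosts-style file is constructed, the function names are assumptions, and the IP ranges use the reserved TEST-NET documentation blocks. It skips loopback and unspecified addresses (the sinkhole targets on hosts-file lines), validates each candidate with the standard `ipaddress` module so malformed strings like `999.1.2.3` are dropped, and accepts both CIDR and dashed ranges, which it normalises to networks for fast lookup.

```python
import ipaddress
import re

# Constructed sample input: a hosts-style blocklist with comments and noise.
SAMPLE_BLOCKLIST_FILE = """\
# constructed sample, not a real blocklist
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com      # ad server
0.0.0.0         tracker.example.net
# 203.0.113.0/24 is a TEST-NET range used here as a constructed entry
203.0.113.0/24
198.51.100.10-198.51.100.20
192.0.2.7 badhost.example.info
not an address at all 999.1.2.3
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Try CIDR first, then dashed range, then a single address (IPv4 only here).
TOKEN_RE = re.compile(
    rf"\b(?:(?P<cidr>{IPV4}/\d{{1,2}})"
    rf"|(?P<range>{IPV4}\s*-\s*{IPV4})"
    rf"|(?P<single>{IPV4}))\b"
)
# Hostname with at least one dot and an alphabetic TLD, so bare IPs never match.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE
)


def extract_blacklist(text: str) -> dict:
    """Return {"addresses", "networks", "domains"} found anywhere in the text."""
    addresses, networks, domains = set(), set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments before matching anything
        for m in TOKEN_RE.finditer(line):
            try:
                if m.group("cidr"):
                    networks.add(str(ipaddress.ip_network(m.group("cidr"), strict=False)))
                elif m.group("range"):
                    start, end = (ipaddress.ip_address(p.strip())
                                  for p in m.group("range").split("-"))
                    for net in ipaddress.summarize_address_range(start, end):
                        networks.add(str(net))
                else:
                    ip = ipaddress.ip_address(m.group("single"))
                    # 127.0.0.1 / 0.0.0.0 on a hosts line are sinkhole targets, not threats
                    if not (ip.is_loopback or ip.is_unspecified):
                        addresses.add(str(ip))
            except ValueError:
                continue  # octet out of range or reversed range: ignore the token
        for m in DOMAIN_RE.finditer(line):
            domains.add(m.group(0).lower())
    return {"addresses": addresses, "networks": networks, "domains": domains}


def is_blacklisted(ip_str: str, blacklist: dict) -> bool:
    """True if the address is listed directly or falls inside a listed range."""
    ip = ipaddress.ip_address(ip_str)
    if str(ip) in blacklist["addresses"]:
        return True
    return any(ip in ipaddress.ip_network(n) for n in blacklist["networks"])


if __name__ == "__main__":
    parsed = extract_blacklist(SAMPLE_BLOCKLIST_FILE)
    for key in ("addresses", "networks", "domains"):
        print(key, sorted(parsed[key]))
    print("198.51.100.15 blocked:", is_blacklisted("198.51.100.15", parsed))
```

The dashed range 198.51.100.10-198.51.100.20 becomes four CIDR blocks (/31, /30, /30, /32), so a lookup is a handful of prefix comparisons rather than a scan of every address in the range; `localhost` is never extracted because it has no dot, and the comment line mentioning 203.0.113.0/24 is discarded before the regexes run.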
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Thanks :thumb:

    The SS also closes after 8 seconds here, but after that Nothing !

    Yes that's Exactly what i was hoping for :) I know others on here had & have concerns about Apps etc gaining unauthorised access out via svchost.exe on numbers of occasions, even Very recently :eek: So I'm sure they would appreciate that option as well ;)
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @m00nbl00d:

    Added this now :)

    Yes, will be added in the next version.

    Really strange, I will see if I can reproduce the problem.

    Sure, that option will be added in the next version ;)

    Other options that have already been added:

    [XX-11-2011] v1.2.0.0

    + Added proxy support (select custom IP and Port)
    + Added "Settings" -> "Threats" TAB
    + Added "Threats Detection Engine" -> Use our own rules to detect exploits, drive-by-downloads, and other threats
    + Added "Automatically Update Database" for "Threats Detection Engine"
    + Added "Manually Update Database" for "Threats Detection Engine"
    + Show database version for "Threats Detection Engine" database

    In development:

    * When a website is blocked, redirect to a custom HTML page (locally stored) that says why the website has been blocked
    * Include in the alert dialog also "domain:" and "path:", if present
    * Export/import settings
    * Self defense (protect process from being terminated)
    * Remote PHP Notifier (blocked events)
    * Password protect viewing of specific websites
    * Idle prompt options in alert dialog
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ novirusthanks

    :thumb: :)

    :thumb: :thumb: :thumb:

    Some nice new extra options :)

    Do you ever sleep ? :D
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Just tried again with the new V = Same.

    However this time i noticed ScriptDefender running in TaskManager, but it didn't visibly launch & alert me as usual ?

    Does SSP rely on ANY of these to Run/Work ?

    .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

    And/or

    wscript.exe - cscript.exe
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @CloneRanger:

    The process name of SSP is "SCKTSentinel.exe"

    No, it doesn't rely on that to run. Make sure it is not blacklisted/detected by other programs. I tried it again in two VMs and it works correctly; very strange, trying to reproduce the problem.
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ novirusthanks

    Hi, yes i realise that, it just saved my fingers ;)

    :thumb:

    It isn't, that's the 1st thing i checked.

    Thanks :)
     
  16. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    @NVT: Thanks for replying...:)

    I doubt the same...;)
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ novirusthanks

    I think you've had enough sleep now ;) What's the latest ?

    TIA
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,274
    I have this installed in one of my snapshots.

    So far, I have left it at its default settings. I am not sure what else to do with it. When I check the tray icon, it says protection enabled. ;)
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    New version will be released in a few hours:

    [24-11-2011] v1.2.0.0

    + Added proxy support (select custom IP and Port)
    + Added "Settings" -> "Threats" TAB
    + Added "Threats Detection Engine" -> Use our own rules to detect exploits, drive-by-downloads, and other threats
    + Added "Automatically Update Database" for "Threats Detection Engine"
    + Added "Manually Update Database" for "Threats Detection Engine"
    + Show database version for "Threats Detection Engine" database
    + Extract real IP addresses in "IPs" -> "Load From File..."
    + Block Blackhole Exploit Kit payloads
    + Optimized filtering options
     
  20. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    Please correct me if I'm wrong. Will this work as a broad-spectrum web filter? Like... multibrowser support?
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,274
    I have tried to install over-the-top, and uninstall, then reinstall.

    However, i just get this error...

    ScreenShot_NVT_SSPv1.1_install_error_01.jpg
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @Tarnak:

    Click on "Ignore".

    @atomomega:

    Socket Sentinel does not only support specific applications, it operates at the winsock level so any application that uses Winsock and negotiates TCP data in/outbound can be filtered. So basically Socket Sentinel is not browser dependent, it's a generic framework allowing for all winsock TCP data to be filtered.

    Released a video:
    NoVirusThanks Socket Sentinel Pro: Testing Threats Detection Engine v1.0
    http://www.youtube.com/watch?v=Pru7TA9Ia5I
     
    Last edited: Nov 29, 2011
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ novirusthanks

    Hi, i'm sorry to report that i'm still experiencing the Exact same issues with v1.2 as before. Have you been able to establish Any reasons why this should be ?

    TIA
     
  24. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @novirusthanks.

    I'm just wondering about the IP Blocker (shown in your video) if we can call it that. ;)

    Do the updates come from URLVoid.com or IPVoid.com? Or both?
    If yes. Then do you use data from ALL the services that you check against on the sites above?

    Thanks :)
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @CloneRanger:

    It looks very strange, it works fine in all my VMs. I will send you a PM in a few hours to ask you a few details about your installed applications.

    @SweX:

    That in the video is not an IP Blocker but the "Threats Detection Engine": we use our own signatures to detect 0-day exploits, blackhole exploit kit payloads and other threats. So we do not rely on any IP blacklist but only on our custom signatures.

    As said before, we do not rely on any IP blacklist service for now :)

    The popup window receives as parameter only the IP address of the remote connection blocked, in the next version it will show also domain (if present), URL path (if present) and remote port.

    Here is an example of "Events" TAB that shows logs of blocked events (all exploit kits):

    http://img850.imageshack.us/img850/7458/30112011124657.jpg

    As you can see, all threats are detected by "Threats Engine".
     