Phantom6 Final Integrated with EnhancedRuleset

Discussion in 'LnS English Forum' started by TerryWood, Jan 17, 2006.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    As per Ghost's instructions, I have attempted to integrate the sets of rules.

    Could someone please look them over for duplicates and wrong positioning?

    I do not know how to configure the anti-MAC spoofing rule; can someone explain, please?

    I have tested this on GRC; it passes the tests. On PC Flank it passes all tests.

    Haven't done leak tests yet, until someone confirms I am on the right track.

    Thanks very much

    Terry

    PS: I have attached (I hope) a copy of the combined ruleset, renamed to a .txt file for uploading purposes.
     


  2. Remouald

    Remouald Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    99
    Hi TerryWood,
    I'll let others reply about the rulesets as I'm not an expert.

    Configuring the anti-mac spoofing rule is simple:

    1- Find the physical address of your Ethernet card by entering this command into a DOS window: ipconfig/all

    Look at the "Physical Address" line; you'll see something like 00:00:00:00:00:00

    2- Edit the Anti-MAC Spoofing rule by adding your physical address in the "source" section (see my attachment).


    R.
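    The two steps above (read the adapter's physical address out of ipconfig/all, then copy it into the rule's "source" field) and, later in the thread, the need to fill in DHCP and DNS server addresses for the server-specific DNS-Allowed-1/2 and BOOTP / DHCP rules, are both a matter of extracting values from the same command output. The following Python is an added example, not part of any post or of Look 'n' Stop itself: it parses a constructed `ipconfig /all` listing and returns the values a user would type into those rule fields. Note that Windows prints the MAC with hyphens (00-1A-2B-3C-4D-5E); the code normalises it to the colon form quoted in the post. The sample addresses, the `rule_values` field names and the one-adapter assumption are all inventions of this example.

```python
import re

# Constructed sample of `ipconfig /all` output from a Windows XP-era machine.
# Every address here is made up; the MAC is a placeholder, not a real adapter.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : workstation
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.168.1.2
"""

# One "Key . . . . : value" line. The key is matched lazily so the dotted
# leader is not swallowed into it; the value may be empty.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")
# Six hex octets separated by '-' (what ipconfig prints) or ':'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")


def adapter_fields(ipconfig_text):
    """Parse ipconfig /all text into {key: [values]}.

    A value on a continuation line (a second DNS server, for instance) is
    appended to the most recent key. With several adapters the lists simply
    accumulate, so a multi-card machine would need the text split per
    "adapter" section first (an assumption of this example).
    """
    fields = {}
    current = None
    for line in ipconfig_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current, value = m.group(1).strip(), m.group(2).strip()
            if value:
                fields.setdefault(current, []).append(value)
        elif current and re.fullmatch(r"\s*\S+\s*", line):
            # Continuation line: a lone value belonging to the previous key.
            fields.setdefault(current, []).append(line.strip())
    return fields


def is_mac(text):
    """True when text is a syntactically valid MAC address."""
    return bool(MAC_RE.match(text))


def normalise_mac(mac):
    """Return the MAC in the colon form quoted in the post; ipconfig prints hyphens."""
    if not is_mac(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac.replace("-", ":").upper()


def rule_values(ipconfig_text):
    """Pick out the values the thread's rule fields need.

    The keys below are this example's own names, not LnS dialog labels:
    source_mac  -> the anti-MAC-spoofing rule's "source"
    dhcp_server -> a server-specific BOOTP / DHCP rule
    dns_servers -> server-specific DNS-Allowed-1 / DNS-Allowed-2 rules
    """
    f = adapter_fields(ipconfig_text)
    macs = f.get("Physical Address", [])
    if len(macs) != 1:
        raise ValueError("expected exactly one adapter, found %d" % len(macs))
    return {
        "source_mac": normalise_mac(macs[0]),
        "dhcp_server": f.get("DHCP Server", [None])[0],
        "dns_servers": f.get("DNS Servers", []),
    }


if __name__ == "__main__":
    for key, value in rule_values(SAMPLE_IPCONFIG).items():
        print(key, value)
```

    Run it against a saved copy of your own `ipconfig /all` output (read the file instead of `SAMPLE_IPCONFIG`); a machine with more than one adapter raises an error rather than silently picking one, since the wrong MAC in an anti-spoofing rule blocks your own traffic.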
     


  3. Ghost13

    Ghost13 Guest

    Hello Terry,

    I tried your rule set; it works 100%. I had to change it to an rls file so I could use it.


    Things to do:



    Activate: ?NetBIOS, JUST PUT A GREEN CHECK!

    Delete: DNS-Allowed-1

    Delete: All BOOTP / DHCP rules at the top; you have the rules already that auto-detect them.


    As for the rest, leave as is until you need the extra rules, but I tested it at GRC.COM AND GOT
     
  4. Ghost13

    Ghost13 Guest

    Hello Terry,

    I tried your rule set; it works 100%. I had to change it to an rls file so I could use it.


    Things to do:



    Activate: ?NetBIOS, JUST PUT A GREEN CHECK!

    Delete: DNS-Allowed-1

    Delete: All BOOTP / DHCP rules at the top by Phant0m; you have the rules already that auto-detect them. Near the bottom, the ones you imported are taking over and will auto-detect any server changes and DNS, IP, etc. by themselves.

    Then save your changes.

    If you ever get "can't connect to the internet", just reboot and the changes will take effect and you will be able to access everything. It happens when I disable my internet connection from the control panel and then enable it; I get this problem, and a reboot will fix it.


    As for the rest, leave as is until you need the extra rules, but I tested it at GRC.COM and got these results:

    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


    So you're doing great Terry; it's now ready to be loaded. If you can't find it, make one an rls file and one an rie file and load it: find your rls ruleset and load it, then reboot just to make sure things are working at boot-up.

    Terry, got to go to work, running late....., but I will try to answer all your questions tonight if nobody helps you before I get back. Good job, and you should have no problems; just delete the rules that I told you at the top and activate ?NetBIOS and you're all set! Is NetBIOS needed? I think there is a patch by Microsoft that blocks these ports 137, 138, 139, but just to be safe activate it, and if you don't want to see the ?NetBIOS alerts uncheck the logging on that rule. Take care
     
  5. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Thanks for all your help; it's been a real learning exercise.

    1 final request. I believe I have tidied up the new ruleset, deleting some as you suggested and others where there appears to be duplication.

    Could you cast your expert eye over this version (Phantom'sv6Enhanced.rls.txt) and reassure me that I have not done anything stupid? Is the order OK, anything missing, etc.?

    Many thanks

    Terry
     


  6. Ghost13

    Ghost13 Guest

    Hello Terry,


    Sorry, I have been busy at work. I have checked your ruleset: you have to remove "All other packets" right under
    "ICMP : All ICMP types (nukes, ...)" in your rule-set. Remove the "All other packets" rule please!



    The rule "All other packets" must be at the bottom of the ruleset, as you have it there already, so remove that rule as above. The rest looks OK,
    but I will check it again when I get back tonight.


    You must be careful where you place your rules, and you did ask, which is good. So I will recheck it tonight, but so far it seems
    the rule "All other packets" you should remove and always keep it at the bottom. It's a LnS Law! if you want to call it that, but it must be there and no other place will do! Unsafe!


    As for "Block all other packets", you might want to uncheck that from logging; it's really your choice, totally up to you, it's your firewall. I just find it a pain to see stuff that is blocked by default. When I installed your ruleset I got over 200+ alerts in a minute! "All other packets" alerts; I think it also had to do with the fact you had two of them running and one in the wrong place. You can log to a file and not to the log viewer if you want, but that's up to you also.

    I will get back to you A.S.A.P. when I have tested it completely.

    Ghost13
     
  7. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Thanks for looking over my latest version.

    As requested, I have removed "All other packets" under "ICMP: All ICMP types (Nukes)".

    Can you tell me how to uncheck "Block all other packets" from logging? I know, I must be stupid. I looked in the help file but can't see any reference to the symbol for logging.

    Will await your clean bill of health

    Thanks for your help

    Terry
     
  8. storm119

    storm119 Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    39
    Location:
    `Land Below The Wind'
    Hello,

    I think you only need to import 2 rules (*) from EnhancedRulesSet to integrate into Phant0m's v.6 Final rules set (free version), because most of the other rules are already in Phantom's rules set (those include the DNS/BOOTP, but you need to modify them before activating). Once you import and apply, you don't need to configure the DNS-Allowed-1/2 and BOOTP / DHCP anymore and they become so-called *autodetect* (borrowed from Ghost13 :D)

    (*) Import from EnhancedRulesSet to Phant0m rule's :-
    • UDP : Authorize name resolution (DNS)
    • UDP : BOOTP / DHCP
    Anyway, since I've seen a lot of users have a hard time configuring the DNS-Allowed and BOOTP/DHCP (in Phant0m's rules), here, to make things look simple, I attached the *autodetect* rules; just import/place them accordingly in Phant0m's rules and you're set to go.... :cool: (rename the attached file to autoDNSBOOTP.rie; also see the "SS")

    (Thanks to ImageShack for hosting this "SS")
    http://img44.imageshack.us/img44/7203/new14xt.gif

    HTH
     


    Last edited: Jan 22, 2006
  9. Ghost13

    Ghost13 Guest

    Hello Terry,


    And thank you Storm119 for making it more simple to do.

    Terry, if you don't want to see "Block all other packets" in the logging,
    just uncheck the rule that warns about forbidden packets! Uncheck the [!] from the rule and that's it! You can leave the [!!] in the other part of the rule; that won't show up in the active LnS log file. If you place your arrow over the ! at the top of the rule-set it will tell you what it does; it helps you to understand more about LnS by using this feature.

    Terry, the fastest way to fix your rule-set would be to do what Storm119 said, and the snapshot tells you everything you really need to know. If you need any more help just ask; there is always somebody around to help. Good luck
     
  10. storm119

    storm119 Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    39
    Location:
    `Land Below The Wind'
    Re: Phant0m`s-v6F-Auto (Full Sets)

    Hi guys/girls,

    Here I attached the *full sets* of Phant0m`s-v6 Final (Free version released on Feb '05?) + the Autodetection? DNS (server) / BOOTP/DHCP rules from the EnhancedRulesSets modifications.

    The idea just came after reading the discussion between Terry and Ghost13, and also seeing a lot (still) of requests for Phant0m`s-v6 Final Rules set (free ver.) from L'n'S users from time to time who had difficulty with how to configure the DNS1 / 2 and BOOTP/DHCP, since there is a lack of information nowadays. Now you have Phant0m rules sets + Auto " Load it 'n' Forget it !!! "

    Anyway.. download the attached *Phant0m`s-v6F-Auto.rls.txt* (delete the *.txt), copy it to the L'n'S folder --> Load the rules set --> reboot your machine (just in case) --> Go to Shields UP! or PC Flank ..etc..etc to test the rules set.

    ps-
    • I never claimed to be the author, and don't shoot me if your PC gets attacked by hackers because of using this rules set...use at your own risk... LoL!!!. And Admin/Mod/Phant0m, do not hesitate to delete the attachment just in case it's against any distribution policy.
    • Credits to Frederic (creator of awesome program L'n'S)
    • ..and both Terry and Ghost13 (original idea..hehehe ;))
    • " Load it 'n' Forget it !!! "
    enjoy .... :D

    best regards,
     


  11. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Storm

    Thanks for your hard work. As I write this I have just finished testing the Phantom's-v6F-Auto.rls ruleset on PC Flank and GRC Shields UP.

    I can confirm it PASSES ALL THE TESTS, so anyone in my position can have confidence in using it. THANKS

    One question I NEED TO ASK and I suspect, like me, other less knowledgeable forum members also.

    This ruleset in your words is "LOAD IT n FORGET IT"

    So when I look at the actual listings in the ruleset I see a number of lines of rules such as:

    DNS Allowed 1
    DNS Allowed 2

    BOOTP/DHCP
    BOOTP/DHCP
    BOOTP/DHCP
    BOOTP/DHCP

    These are unticked but state in some cases that the rules need to be modified before activation.

    QUESTIONS

    1) If they are unticked do I need to do anything to activate them or is it as you say LOAD n Forget IT?

    2) Does the rule line with "DNS Allowed Auto" deal with the above unticked rules? Otherwise I am unclear why unticked and non-activated rules are in the listing, that is if I don't have to do anything?

    Hope this is clear and your response puts this to bed once and for all.

    My final act will be to put your consummate piece of work through all the leak tests and the Hackerwatch site

    Thanks again for all your help

    Terry
     
  12. storm119

    storm119 Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    39
    Location:
    `Land Below The Wind'
    Hi Terry,

    The DNS-Allowed-1, DNS-Allowed-2, BOOTP / DHCP & BOOTP / DHCP (.) "rules" need to be modified according to your internet configuration (IP Config @ Address). You don't need to activate those rules since they are replaced indirectly by the two rules "DNS-Allowed-Auto" and "BOOTP / DHCP -All".

    1- Leave it as is..don't tick. If you choose to tick (activate), you need to know/fill in some IP/DNS addresses in the appropriate fields and deactivate the two rules "DNS-Allowed-Auto" and "BOOTP / DHCP -All" in this rules set..... otherwise it is useless.

    2- Yes. FYI you can safely delete them or just leave them as is. The reason they're included in this set is because they came by default in Phant0m's rules set. I'm thinking probably someone is only interested in Phant0m's rules set (not the other two rules) and knows how to configure the rules but lost the set somewhere ..... :D.

    Note:

    1- Let me give some hints: the reason I'm adding those two rules and deactivating the other rules is because one doesn't have to worry about reconfiguring the rules...just "Load it N Forget it" and you're set to go ... ;) but advanced users can always reconfigure in any way they like (because they know what to do).

    2- Some users like to use Phant0m's Rules set (my respect to him), but find it very hard to configure the set (it happened to me in the year 2003 ..LoL!!) because you need some *basic* knowledge about the IP/DNS/DHCP addresses (bear in mind the addresses may vary from one user to another - this is why Phant0m leaves them blank). If you misconfigure the (DNS/BOOTP/DHCP) set you can't surf the internet anymore.

    3- Remember, you also have the better protection with EnhancedRulesSets that came by default in L'n'S.

    4- Someone with keen knowledge could correct the rules if the rules would expose users to some possible exploit.

    5- Looking at this scenario, notes #1 and #2 ... this set is what they are looking for? :rolleyes: ...."Load it N Forget it", and as a bonus you have Phant0m's rules *!protection*.

    Safe 'N' Happy surfing

    HTH...
     
  13. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Brilliant response thank you very much!!!

    Terry
     
  14. storm119

    storm119 Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    39
    Location:
    `Land Below The Wind'
    Hi all,

    Below (attachment) is a combination of the famous Phant0m`s Rules set (v6 final free version) + the EnhancedRulesSets. Both rules sets integrated into one. I modified/added/deleted/trimmed/rearranged the rules set.

    Please bear in mind this set was NEVER tested by an expert!, I'm no expert either. This set is only for test purposes. So..Test it or use it at your own risk!!!. I won't be responsible for any damage whatsoever caused by using this set... :blink: .

    Just "Load it N Forget it!!!"

    Cheers...

    Edit: Attachment removed due to bad modifications ...:p
     
    Last edited: Jan 24, 2006
  15. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Storm

    What's the difference between this latest version & Phantom + Auto (your last one)? Do we ditch the former or what?

    Terry

    PS keep 'em coming
     
  16. storm119

    storm119 Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    39
    Location:
    `Land Below The Wind'
    Hi Terry,

    The first one, "Phant0m+Auto": I only added two rules (auto detection DNS/BOOTP/DHCP) + the virgin set from Phant0m's rules set. The "Storm119+PE" would be the integrated rules set from both Phant0m + EnhancedRulesSets, but trimmed/rearranged, and some rules I deleted or added (avoiding duplicate rules). This set contains flavor from two rules sets.... :D

    You could test it...or you can stick with the previous one. Currently I'm running/testing this set for more than 14++ hours without problems (touch wood). You don't have to do anything, just load it and start banging LnS with firewall tests.

    You could test here at SecuritySpace and see what it comes up with?
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I see duplications and inappropriate/bad modifications throughout different rulesets being relabelled and redistributed on here.

    As for DHCP and DNS rules, it is fair to correct a misleading point on here: there is use of the word ‘auto-detect’ for DHCP and DNS; the correct term I’d use is ‘Permit ALL’, and not auto-detection of the user’s specific DHCP and DNS servers. What you see here is the very thing available for EnhancedRulesSet.


    Regards,
    Phant0m``
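    Two points in this thread are easy to see in code: Ghost13's rule (post 6) that "All other packets" belongs only at the bottom, because a first-match filter never reaches anything placed after a catch-all block, and Phant0m's correction above that the so-called "auto-detect" DNS/DHCP rules are really "Permit ALL" rules, which accept UDP/53 traffic to or from any server rather than only the one your connection actually uses. The Python below is an added illustration, not code from any post and not how Look 'n' Stop is implemented: a toy ordered packet filter with a shadowed-rule check. The rule names DNS-Allowed-1, DNS-Allowed-Auto and All other packets come from the thread; the HTTP rule, the addresses and the packet fields are constructed for the example.

```python
from dataclasses import dataclass

ANY = None  # wildcard: the rule does not constrain this field


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp" (constructed abstraction)
    remote_ip: str
    remote_port: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "permit" or "block"
    proto: str = ANY
    remote_ip: str = ANY
    remote_port: int = ANY

    def matches(self, pkt):
        checks = ((self.proto, pkt.proto),
                  (self.remote_ip, pkt.remote_ip),
                  (self.remote_port, pkt.remote_port))
        return all(want is ANY or want == got for want, got in checks)

    def is_catch_all(self):
        """A rule with no constraints at all, like "All other packets"."""
        return self.proto is ANY and self.remote_ip is ANY and self.remote_port is ANY


def evaluate(ruleset, pkt):
    """First matching rule wins, as in an ordered packet filter."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "<no rule matched>"


def shadowed_rules(ruleset):
    """Names of rules that can never fire because a catch-all precedes them."""
    shadowed, seen_catch_all = [], False
    for rule in ruleset:
        if seen_catch_all:
            shadowed.append(rule.name)
        elif rule.is_catch_all():
            seen_catch_all = True
    return shadowed


# Constructed value: the DNS server this machine was handed by DHCP.
MY_DNS = "192.168.1.1"

# Server-specific rule (what DNS-Allowed-1 needs filled in) versus the
# "Permit ALL" rule that the thread calls auto-detect. The HTTP rule is a
# stand-in of this example, not a rule from the thread.
DNS_SPECIFIC = Rule("DNS-Allowed-1", "permit", proto="udp", remote_ip=MY_DNS, remote_port=53)
DNS_PERMIT_ALL = Rule("DNS-Allowed-Auto", "permit", proto="udp", remote_port=53)
HTTP = Rule("TCP : Authorize HTTP", "permit", proto="tcp", remote_port=80)
BLOCK_REST = Rule("All other packets", "block")

SPECIFIC_SET = [DNS_SPECIFIC, HTTP, BLOCK_REST]
PERMIT_ALL_SET = [DNS_PERMIT_ALL, HTTP, BLOCK_REST]
MISORDERED_SET = [DNS_PERMIT_ALL, BLOCK_REST, HTTP]   # the mistake Ghost13 flagged

DNS_TO_MY_SERVER = Packet("udp", MY_DNS, 53)
DNS_TO_STRANGER = Packet("udp", "203.0.113.9", 53)    # documentation range, constructed
WEB_REQUEST = Packet("tcp", "198.51.100.20", 80)       # documentation range, constructed


if __name__ == "__main__":
    for label, rs in (("specific", SPECIFIC_SET), ("permit-all", PERMIT_ALL_SET)):
        print(label, evaluate(rs, DNS_TO_MY_SERVER), evaluate(rs, DNS_TO_STRANGER))
    print("shadowed in misordered set:", shadowed_rules(MISORDERED_SET))
```

    The server-specific set blocks a DNS exchange with an unexpected server while the permit-all set accepts it; that is the trade the "Load it 'n' Forget it" sets make for convenience. The misordered set shows why a second "All other packets" in the middle of a ruleset produced the flood of alerts Ghost13 described: every later rule is dead, and `shadowed_rules` is the check to run before loading a hand-merged set.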
     
  18. storm119

    storm119 Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    39
    Location:
    `Land Below The Wind'
    You just heard from the expert .. :oops: (Thank you for clarifying)

    I didn't have any intention to relabel/redistribute any rules set. If you think this is against any "Distribution Policy" or whatever policy, Admin/Mod/You can delete any attachment, like I mentioned in my previous post, or ....

    This topic header, as I see it, mentions " Phantom6 Final Integrated with EnhancedRuleset ? " ... most of the rules came from both rules sets, I assumed, and of course we never claimed to be the authorised author. Just playing around and seeing if the rules set ..... never mind, forget it.


    ...peace
     
  19. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    Ok, if I want to apply these Phant0m rules sets posted here, but I've already configured LnS with EnhancedRulesSet + SP2 internet sharing, DC++, FTP... rules sets (I'm not satisfied with this),
    what do I do? Delete all existing rules sets -> save and then load the Phant0m rules sets, or what?
    Can you help me with this? I just hope that I don't have to reinstall.

    What do I need to do with this attachment file with the .txt extension so I can load it as a rules set?
     
    Last edited: Jan 26, 2006
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    So then, no more custom rules posting? After the bad modification edited posting, which one are you guys using?

    As for JohnnyBravo, there is an export button where you pick the rules you want to save. Do a file with only the ones you imported yourself, then save it somewhere you know, load the new Phantom6+EnhancedRuleset and finally just import the rules on file you exported.

    dja2k
     
  21. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Just remove the ".txt" from the end of the file name so it's like ruleset.rls
     
  22. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Phantom,

    Is it possible you could edit it to make the right changes so people could use this ruleset? I know myself and a lot of others out there don't have the knowledge to set this FW up properly, and I'm sure you would have a lot more users then.

    I purchased that FW in early Nov and couldn't get the help when I needed it, so I had to uninstall and go with something else. I didn't want to, but I had no choice.

    I thought Ghost and Storm were doing a great thing for the forum users;)
     
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Rilla927

    Their intentions are very good; I’ll leave it at that.

    Rilla927, I’ve already taken a step with the latest release: I’ve made an Installer that’ll automatically detect the appropriate user’s connection information and apply it to the rule-set, and for some the only problem with that is that I’m charging.


    Regards,
     
  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Do you mean it's a complete load 'n' forget, no fooling around trying to configure anything at all, rules are all in the proper order, etc.?
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Of course.
     