Sniffers

Discussion in 'other firewalls' started by Silivren Eryn-Duin, Dec 1, 2003.

Thread Status:
Not open for further replies.
  1. Silivren Eryn-Duin

    Silivren Eryn-Duin Registered Member

    Joined:
    Dec 1, 2003
    Posts:
    3
    Hi,

    I have NOD32 and I like it a lot. Does anybody know of a good firewall + sniffer I can use to protect me even better against attacks?

    Thanks
     
  2. Morgoth

    Morgoth Guest

    I dunno what U mean by "sniffer", but as for an efficient firewall, here's my take on the situation:

    I'll only mention the downloadable firewalls, which are also cheaper. Norton, McAfee, BlackIce & others may be just as efficient, but are somewhat more expen$ive -besides, I know little about them, although I do know that Norton products are supposed to hog a lot of RAM and CPU resources, and leave loads of registry traces even after uninstalling... :mad:

    All recent top-of-the-line firewalls (ZA, Outpost, LnS, Sygate, Kerio, TPF) have equivalent - and efficient - inbound protection (ie stealth shielding, ...).

    So what makes a difference is
    1) The extra features included in the firewall (cookie killers, popup & script blockers, etc.)
    2) Its outbound protection, or leak protection, which blocks trojan activity.

    ZA (Zonealarm) Pro 4.xx and Agnitum Outpost are the 2 firewalls with the most features: anti-cookie, anti-popup, script-blocking. In fact, Outpost has a slight edge in this matter as it can also block flash popups. It also has, together with Sygate, a much more detailed & configurable firewall log.

    Up to now, LnS (Look'n'Stop), Outpost and ZA were pretty much on a par concerning leak protection: all 3 can guard against application hijacking, application/component modification (using MD5 authentication and component control) and DLL-injection. But the latest version of Zonealarm 4 Pro (version 4.5.530) seems to have "open process protection" which prevents direct EXE injection (most sophisticated technique used by trojans), making it impervious to leak tests such as Thermite & Copycat, and to the recent Beast trojan, giving it a definite head start over its competitors when it comes to outbound protection. ZA also blocks the 2nd Wallbreaker leak test, which Outpost can't (I don't know about LnS, but it probably passes the test). To this day, no firewall can block the 1st Wallbreaker test (calling Explorer and making it call Internet Explorer, ie. multiple level application hijacking).

    On the other hand, ZA (and Outpost, btw) is known to have a bug that causes it to swell in RAM over time, and although in v4.5.530 the problem is supposed to have been lessened, it still persists. Kerio, TPF and LnS on the other hand use relatively few resources.

    Oh, and Sygate has an extra 'OS and Browser masquerading' feature which allows you to hide your browser and OS version from MOST (but not all) sites, which can be useful if U don't want anyone to know you're using Microsh*t Windows... :D. On the other hand, no firewall can hide your IP address, in fact no power in the universe can allow a machine to hide its IP all by itself, and yet the IP is also the most vital info. Knowing a system's IP is like knowing 99% of that system, so the OS and browser used are but mere details in comparison...

    Ergonomy (user-friendliness) might also be an important factor. Outpost, Kerio and ZA are better in this regard. Be careful about Outpost & ZA though - they need to be reconfigured, as their default "out-of-the-box" settings are insufficient, esp. when it comes to leak protection.

    So there U go, that's my take on the situation. Each product has its own strong & weak points. I personally favour outbound protection, since trojans are a threat not to be taken lightly. Even so, no firewall can detect a trojan itself, be it by its signature or using heuristics. Some AVs (Antiviruses) can also detect known trojans through their signatures, but none of them comprise "trojan-heuristics". So whatever antivirus & firewall U have, a good AT (Anti-Trojan) capable of detecting unknown/modified trojans is also recommended. There are 2 such ATs I know of: TDS and TH (Trojan Hunter). There may be others...
     
  3. Silivren Eryn-Duin

    Silivren Eryn-Duin Registered Member

    Joined:
    Dec 1, 2003
    Posts:
    3
    I'll try to explain a "sniffer".
    It's software which tracks down intrusions on our computer and logs information about the intruder.

    But sometimes I wonder if I really need such software. Behind my router I am stealth. I have tried with grc, and it detects no port, as if my computer does not exist. Not even a closed port, but no port at all. Kinda strange, as I have a port opened for a p2p application...

    About trojans, so perhaps I don't really need a firewall with my router, but perhaps just a trojan hunter :)
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @Morgoth

    What you said about outbound protection is only partially true.

    Read my other post titled "ZA 4.5 against copycat leaktest", all is said on it ;)
     
  5. Morgoth

    Morgoth Guest

    O, but I already read it, hehe :cool:

    The point is, open process protection is a necessary layer in the defense against trojans that hijack other apps by directly injecting themselves into these (open) apps instead of just calling them. Now upon running Copycat, which (unlike Thermite) allows U to choose the target process, there are 2 possibilities:

    1) The target app is NOT allowed access to internet. Take notepad, for example. In that case, firewall will intervene both on open-process protection AND app-filtering levels: first, it will ask U if you wish Copycat to access Notepad.
    If you answer 'No', then the test stops there.
    But if you answer 'Yes', then notepad will be "patched in memory" and thus turned into an app which can now access the Net. But then firewall will step in again, ASKING YOU IF YOU WISH TO LET NOTEPAD ACCESS INTERNET, to which you can still answer 'No'. This is an example of "double-shielding" at work (sorry for the expression, couldn't help it I'm a Trekkie :D): first open-process protection, then application filtering. So in this case, the test is passed.

    2) Now there's the controversial & most interesting part - the target app IS allowed internet access, take Iexplore for example. Again, ZA will step in to complain about copycat trying to access the browser. Once again, answering 'No' closes the case.
    But if the user answers 'Yes', then indeed Copycat will access the Net (or rather, the modified "Iexplore/Copycat hybrid" will). BUT ISN'T THAT NORMAL? After all, as I said the browser IS allowed internet access! The fact that it was modified in memory is a process protection issue only, and has nothing to do with 'application filtering' since the user chose to give the browser application Net access, and also explicitly allowed Copycat to modify the open browser process!!
    So seen in this light, the firewall again passes the test..

    Sure, as U said in the other thread, some trusted applications can be required to (and must be allowed to) use other internet-accessing apps to connect to the Net. But then again, there is a difference between a program calling another app such as Iexplore and making it access the Net, and a program that injects itself directly into another app, ie. Iexplore, and thus modifies it, rather than simply call iexplore. Take explorer.exe, 4 example: it must be granted the right to use (call) other programs to access the Net (otherwise apps such as P2P, ... won't be able to connect to the Net). BUT WHAT KIND OF TRUSTED PROGRAM WOULD HAVE THE NEED TO INJECT ITSELF INTO ANOTHER?
    A program that tries to patch another trusted program instead of just calling it can only be a trojan, and thus denotes malicious intent (someone correct me if I'm wrong :eek:).

    BUT even then: suppose a program does require such "open process" privileges, in addition to having the right to use other apps to access the net. Suppose this prog is called 'Good.exe'. Now good.exe can call, for example, Iexplore, AS WELL AS patch it by injecting itself into it. OK. So? No problem! Recent firewalls (not only ZA) all have application & component control using MD5 signature authentication. Thus if the 'Good.exe' file is modified, then the firewall will pop in to advise the user that a MODIFIED version of Good.exe is either trying to use Iexplore to access the Net, or trying to inject itself into Iexplore, depending on the context. In both cases, the system remains protected, and the shields hold (oops I did it again :D).

    So there U go comrade, that's my take on the situation. Application filtering (by its very definition) and application/component authentication are NOT enough to avert threats such as self-injecting hijacking. Open process protection is the necessary "third layer" to complete the protection, and ZA seems to have taken the first step. Other firewalls such as LnS and Outpost will have no choice but to implement it if they are to protect against these techniques.

    Nevertheless, I must admit that your thread got me thinking 4 some time...

    BTW, I checked about a leak test being possibly blacklisted by ZA (a dirty trick that the makers of BlackIce have already carried out in the past, cf. the grc.com 'Shields Up' site - shame on 'em!). So I renamed Copycat.exe, changed its modification date and even altered its content by changing some text within using a hex editor, thus changing its MD5 signature. ZA still passed the test...

    Besides, I've so far tried about 5 different firewalls. Though ZA may be my favorite for the moment because of its new features, CPU load still is an important criterion that Zonelabs (and others) doesn't seem to have really dealt with up 2 now.
    Zonealarm wallops a load of RAM over time, who knows why (from 7 Mb at startup, 'vsmon' bloats up to over 30Mb).
    LnS seems to have the edge in that matter - it uses few resources, from what I've read. On the other hand, both LnS and Outpost fail some AWFT tests, unless Explorer is given certain restrictions... LnS is also difficult to configure and sometimes leaves port 135 open by default!!!

    Man, why does every software have to have its flaws? Can't someone just design a firewall that comprises the benefits of all the other firewalls WITHOUT their drawbacks? o_O :mad: :mad: :mad:
     
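The application/component authentication Morgoth describes (the firewall remembers the MD5 of each allowed executable and asks again when the bytes change) can be sketched in a few lines. This is an added illustration, not code from any of the firewalls named in the thread; the `AppFilter` class, the "Good.exe" sample and the three decision labels are constructed here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_md5(path):
    """MD5 of a file, read in chunks. MD5 is what the 2003-era firewalls used;
    a present-day allow-list would key on SHA-256 for the same purpose."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppFilter:
    """Hypothetical application control: per executable path, keep the hash
    recorded when the user allowed it; any later mismatch means the binary
    was modified and the user must be asked again."""

    def __init__(self):
        self._allowed = {}

    def allow(self, path):
        self._allowed[str(path)] = file_md5(path)

    def decide(self, path):
        key = str(path)
        if key not in self._allowed:
            return "ask-unknown"      # never seen: prompt the user
        if file_md5(path) != self._allowed[key]:
            return "ask-modified"     # same path, different bytes: prompt again
        return "allow"                # known and unmodified: let it connect


def demo():
    """Constructed walk-through: allow Good.exe, then patch one byte, then copy it under a new name."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "Good.exe"
    good.write_bytes(b"MZ" + b"\x00" * 64 + b"hello from good")  # fake executable, constructed
    fw = AppFilter()
    fw.allow(good)
    first = fw.decide(good)
    good.write_bytes(good.read_bytes().replace(b"hello", b"jello"))  # one byte changed, new MD5
    second = fw.decide(good)
    renamed = tmp / "Good2.exe"
    shutil.copy(good, renamed)                                   # same bytes, unknown path
    third = fw.decide(renamed)
    shutil.rmtree(tmp)
    return first, second, third
```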
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi Silivren Eryn-Duin,

    Ah, what you are talking about is actually an IDS (intrusion detection system). A sniffer is simply a type of utility that captures packets on a network and allows you to examine them, save them and analyze them. A normal sniffer as most network techs think of them isn't an automated intrusion detector. Where the confusion comes in is that the more complex IDS systems often use network probes, which are very much like sniffers, to capture all traffic on the network segment and direct it over to an IDS component for on the fly analysis and possibly alerting.

    Generally, an IDS is of most benefit if you are running a service into which you are allowing connections from the Internet. (A webserver is the easiest example of when an IDS is helpful, but your P2P program is similar enough.) Since your router and software firewall are set to allow this traffic in on a specified port, they provide no protection to the system or P2P application if that specific port is used in an attempt to exploit the P2P application. An IDS on the other hand can examine the packets being allowed in, in-detail looking for known attack patterns within the data. If they see such an attack, they can alert you and some can block the packets.

    An IDS can be a good thing, but it is a bit more complex than just a firewall and it can give false alerts, too. These might then require you to look at the detailed data that was captured (the packets themselves) and try to make a determination yourself about whether they are good or bad. :doubt: That is not easy.

    A software firewall that is watching for outbound connection attempts is basically another layer of protection against such Trojans. You are correct though, ideally it is much better for your Anti-Trojan package to catch the Trojan before it runs than to rely on the firewall alerting you. But, all packages can miss something. A Trojan not caught by your AT might be caught by your software firewall if and when it tries to connect to the network. (That's layered protection.)
     
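To make the sniffer/IDS distinction concrete: a sniffer just records packets, while an IDS looks inside the packets the firewall has already let in on the forwarded P2P port and matches them against known attack patterns, keeping the packet so the user can judge false alerts. This is an added example, not code from the thread; the capture, the port 6881 allow-list and the two signatures are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes


# Port the router forwards and the software firewall permits (constructed: a P2P listener).
ALLOWED_PORTS = {6881}

# Constructed capture, i.e. what a plain sniffer would record on the LAN segment.
CAPTURE = [
    Packet("203.0.113.5", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),  # normal handshake
    Packet("203.0.113.7", 6881, b"A" * 300 + b"\x90" * 16 + b"\xcc\xcc"),   # hypothetical overflow attempt
    Packet("203.0.113.9", 6881, b"piece-data" + b"\x90" * 5 + b"ok"),        # benign data that trips a rule
    Packet("198.51.100.4", 445, b"\x00\x00\x00\x85\xffSMB"),                 # not forwarded; firewall drops it
]

# Signature table (constructed): name -> byte pattern a known attack leaves in the payload.
SIGNATURES = {
    "nop-sled": re.compile(rb"\x90{4,}"),
    "oversized-handshake": re.compile(rb"^A{256,}"),
}


def firewall_allows(pkt):
    """The firewall's only question: is this a forwarded/permitted port?"""
    return pkt.dport in ALLOWED_PORTS


def ids_inspect(capture):
    """Inspect the packets the firewall admitted and flag signature hits.
    Each alert carries the raw payload because a hit may be a false positive
    (see the third packet) and someone has to look at the bytes to decide."""
    alerts = []
    for pkt in capture:
        if not firewall_allows(pkt):
            continue  # already blocked upstream; the IDS adds value on allowed traffic
        hits = [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]
        if hits:
            alerts.append({"src": pkt.src, "dport": pkt.dport, "sigs": hits, "packet": pkt.payload})
    return alerts
```

Running `ids_inspect(CAPTURE)` yields two alerts on port 6881: the padded packet from 203.0.113.7 matches both rules, and the benign piece data from 203.0.113.9 matches the NOP-sled rule alone, which is exactly the kind of hit that needs a human look.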
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @Morgoth

    EDIT: I allowed myself to copy-paste your post into the other topic (I hope you agree; otherwise let me know)

    http://www.wilderssecurity.com/showthread.php?t=16981&start=15

    and I answer there too.
    Indeed I intend to link this thread on my next results page on my website.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @LowWaterMark

    It's exactly my point of view too: an IDS is principally useful when you are running servers/services open to the internet.
    Besides that, for a home user not running open services, an IDS can still be interesting just out of _curiosity_, to see what hits our router/firewall :)
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Ah, good job gkweb.

    Yours and Morgoth's posts are very good and would be even more valuable over in your other thread given its topic rather than here. Thank you for carrying it over to that thread. :)
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    thx ;)

    It's indeed a very interesting and big subject; all the great stuff will be together in the other thread :)
     
  11. Silivren Eryn-Duin

    Silivren Eryn-Duin Registered Member

    Joined:
    Dec 1, 2003
    Posts:
    3
    But then... as one port is opened for my p2p app, why does grc not find any port? Even this one is displayed as "stealth".

    Is it because my router does not answer grc's probe system?
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Well, have you set your router to forward that port in from the Internet to your system and confirmed that the P2P software was up and running, holding that port open (listening) at the time of the GRC scans?

    Forwarding the port from the router to system is key, but it is also important that the port is actually also open on the PC at the time of the scanning, if you expect the scan to see it.

    Edit: Oh, and the more intelligent routers (with better firewalling characteristics) might also recognise the scan as an attack at the time it is happening and basically just start blocking everything coming from that scanner's IP address. So by the time the scan reaches the one open port, the router could be blocking everything. But, all this would depend upon the router in question, its abilities and configuration.

    And it is also possible (lots of possibilities here) that the scan just didn't work. Occasionally, some people report that they do not get accurate information from some online scanners. The new scan at GRC is one of the better ones, but it is not 100% accurate either.
     