Socket Sentinel Pro: Bi-directional TCP traffic filtering

Discussion in 'other anti-malware software' started by novirusthanks, Nov 22, 2011.

Thread Status:
Not open for further replies.
  1. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    in reference to this UI panel:
    http://blog.novirusthanks.org/wp-content/uploads/2012/01/11_01_2012-20_26_31.jpeg

    Is the Sentinel sniffing the mimetype, or just matching file extension against rule patterns?

    Perhaps the app needs to accomodate additional user-supplied file extensions.
    Personally, offhand I might wish to block *.hta , *.wsh , *.vbs , *.wma , *.ra ...
    ...and I might begrudge the current "all or nothing" condition regarding the AVI/MOV/FLV rule.

    This UI panel would serve better if, like the other panels, it is presented in a gridview.
    leftColumn==pattern; rightColumn==optional text describing the filetype

    ^---- Here again, please don't require user to DELETE a given rule in order to create a temporary allowance condition. The gridview (this pane, all panes) needs an additional checkbox column, so the user can toggle (enable/disable) each individual rule.

    =========================

    "Block download of PDF files with javascript"
    suggest, instead:
    "Block PDF files which contain javascript"

    =======================
     
  2. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    regarding "IPs tab":
    One IP address per line... ain't gonna fly.
    Need ability to also block per-netrange
    (expect to import from blocklist which is in moblock/peerguardian format)

    =================

    What is the most expedient way to craft a single rule which will block:
    cometcursor.com
    cometcursor.net
    comet-cursor.co.uk
    Would it be the following, entered via the the SocketSentinel RegEx tab?
    \.comet(-|)cursor\.
     
  3. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Domains }} Protected }} set password

    after clicking the "disk" icon to set the password, there's no confirmation the password has indeed been set. User is left wondering "what am I expected to do now?"

    =============

    Really, does "ADS" merit a separate tab?
    Based on the example given (in the "add" dialog window), the pattern MIGHT represent a start-of-FQDN substring. Perhaps "ADS" and "TLDs" should be managed from a single tab ("hostname"? b/c "domains" is already used elsewhere as a label)

    =============

    Where to enter a rule which would block a given partial pathname, regardless of domain?
    */track(er|ing|)\.(cgi|php)

    ? Rules }} RegEx }} Add }} direction:both type:ANY_DATA

    ? URLs }} Blacklist
     
  4. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Hello?
    More than a month has passed. Any news or progress?
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Is Socket Sentinel Pro dead, or ?

    Hope not, as i was expecting to be able to use a newer version that " might" work on my PC :) The others did not :(
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Does that regex work? o_O I only recently started to learn regular expressions, but in my short test, the one you have here doesn't match any of the domains. You may want to give this one a try:

    Code:
    (comet|comet-)(cursor)\.(com|net|co\.uk)
    -edit-

    You may also want to lose the */ in */track(er|ing|)\.(cgi|php)
     
    Last edited: May 3, 2012
  7. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    The devs are busy in developing the 64-bit version of EXE Radar Pro, don't bug them! lol, JOKE :D.
     
  8. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    m00nbl00d, is there a specific website in which you are studying regex? Or do you go all over the web? I also like to study it :D
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @inka

    Sorry for the delay, we are working on ERP x64 and could not touch Socket Sentinel for fixes/additions until now, scroll down for the main changelog.

    It will be added in the next version.

    For now yes, few users have asked to separate main regex (they use them to block malicious content) and regex to block advertisements.

    Regex:
    comet(\-|)cursor\.([a-z]{3}$|[a-z]{2}\.[a-z]{2}$)
    or
    comet(\-|)cursor\.(com|net|co\.uk)$

    Direction:
    OUT

    Type:
    HTTP_HOST

    In the next version we should include a regex-tester for testing regex matching and probably also a tutorial with regex examples used to block urls, websites and content.

    Or you can block the domain in Rules=>Domains=>Blacklist and add:
    cometcursor.com
    cometcursor.net
    comet-cursor.co.uk

    We mix filtering of content-type and url extension.

    Sure, that will be added in the next version.

    @CloneRanger

    In the new version I have removed the Splash Screen, let me know if now it works fine for you.

    Changelog for version 1.4.2.0:

    [04-05-2012] v1.4.2.0

    + Added message when password is saved/removed (password protected websites)
    + Added message when password is saved/removed (stealth mode)
    + Added message when hotkey is saved/removed (stealth mode)
    + Added ability to edit patterns in "Rules"->"RegEx" TAB
    + Fixed "Status" TAB -> "Process Behavioral Analysis" -> "ENABLED/DISABLED" status
    + Fixed text for "Block PDF files which contain JavaScript"
    + Added option to enable/disable a specific rule in RegEx TAB
    + Added option to sort items in "RegEx" TAB
    + Added option to block upload of PE files to remote hosts
    + Removed the "Set Options" for RegEx Rules (now connection is always blocked if regex is matched)
    + Removed splash screen
    + All PE files are now signed

    Download setup file from:
    http://www.novirusthanks.org/product/socket-sentinel-pro/
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Your second one is a bit more elegant than the one I previously provided. But, you don't need to escape the hyfen, when within ().

    I still haven't tried your app (since in a long time now), and back then I didn't know anything about regexes. About using $ in the regex, is it really needed for Socket Sentinel Pro, or won't it make a difference if it's there or not? I know what the $ is about, but I'm wondering if would make a difference in SSP?


    Thanks :)
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    What is the conceptual difference between this product and a fully functional properly set up 2 way FW with a ip block list in say Host file?
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ novirusthanks

    Hi, i'm sorry to report that now this version also failed to run, or even launch ?

    Nothing in Logs or Errors.txt either !
     
  13. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    There's a HUGE difference. IMO, an IP -based blocklist is ill-advised. Consider:

    -- Blocking fails if you desire to only block dl.microshark.com and not (www|).microshark.com ...and the site is serving all those hostnames via a shared IP address.

    -- A considerable number of intensive malware purveyors continue to survive, spanning years, by repeatedly moving their malicious domain(s) to a different webhost (hence, different IP address).

    -- Malware is often served from an inexpensive (or hacked/exploited) webhosting account rather than from a dedicated server or VPS. In such cases, the "server IP" represents an IP address shared by myriad "innocent bystanders" domains.
     
  14. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Per these examples, user must supply an end-of-line anchor... or the match will fail?
    (If so, that's too unwieldy, unwelcome, and will impede usability)

    The point of my rhetorical question in the earlier post was this:
    There might not be a cometcursor.info domain in existence today, but I would want to craft a pattern so that such a domain would also be matched, and blocked.

    With that in mind, from a user standpoint I expect that an atom like this typically would be omitted
    ([a-z]{2,3})

    Optimally, SSP would achieve the desired result via a pattern as simple as
    comet(\-|)cursor
    or
    comet(-|)cursor

    As a user, I'm prepared to accept responsibility for an undesirable result if I craft a too-broad or too-greedy pattern.
    As a user, I might bother to "be more careful" and "type extra junk" (spaces added for readability, below)
    \. comet(-|)cursor \.
    but I would hope to avoid typing even that junk (in blue) wherever possible
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    With respect my question remains unanswered. I have the 2 way FW and a loaded host file.

    In the MS host file, it stores domain site names and then loopbacks to your own PC so it never even trys to go to the bad site.

    Typical entry

    127.0.0.1 spamblockerutility.com

    It doesn't matter what site they are on or what the ip range is it is safe in the host file.

    So I'm blocking all incoming packets and controlling which applications access the www.

    I'm done.

    Again what is the difference?
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @CloneRanger

    Really strange again, will try to add a debug option in the new version.

    @inka

    A simpler rule would be this:
    (.*\.|\.|)cometcursor\.
    (.*\.|\.|)comet\-cursor\.

    In this case these websites are blocked:
    cometcursor.com
    www.cometcursor.com
    www.cometcursor.info
    subdomain.subdomain.cometcursor.co.uk
    long.sub.domain.example.cometcursor.com
    etc

    I tried this rule:
    .comet(-|)cursor.

    And also that rule works, but I generally prefer to add a "\" before specific characters.

    @Escalader

    It depends from what kind of FW you use, SSP can allow you to add custom regular expressions to filter the entire web content, while FW allows you to generally only manage connections of a specific process, but not always allows you to add your own rules for block specific content.
     
  17. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    An "IP-based list plus HOSTS file" approach cannot reasonably accomplish this blocking pattern, for instance:
    \.cn$

    Also consider that a few patterns like
    ^ads\.
    ^adserver\.
    ^tracking\.
    will spare you from crafting countless HOSTS domain entries
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    TY for the response.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Sorry i missed your reply ! Sounds like a good idea, let me know when it's ready :thumb:

    TIA
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I gave a quick run to the latest available version, and I blocked by TLD, and then access one of such domains, and it allowed connect. At first, it did show an alert saying it blocked, even though it allowed the connection.

    Adding domains, etc reflects in the same scenario. Can anyone reproduce it?

    Now a suggestion. It would also be nice if we could have different profiles, for different processes (including with parameters). I may want to restrict my Youtube profile by TLD to *.com, but allow my main browser profile to connect to other TLDs/other kind of rules. Etc.

    I also think that the GUI shouldn't run with administrative privileges. The GUI should run with the same rights the user has, if UAC is enabled/standard user account - medium rights. Any configuration change could, etc., would be done using a background service, like many other security apps do... or other way, if would be better? I just don't like the GUI running with HIGH privileges.
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,870
    @ novirusthanks

    I sent you a PM recently. Did you get it?
     
  22. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  24. StillAlive

    StillAlive Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    42
    v1.4.2 is still available via direct link
    -http://downloads.novirusthanks.org/files/SCKTSentinel_Setup.exe-
     
    Last edited by a moderator: Oct 31, 2012
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I wonder why no word from the developer. He's been around and answering in the NoVirusThanks EXE Radar Pro thread. It would be great to know why the developer decided to kill the project, if that was the case.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.