Sustainable Sustworks - Tools for Internet Travel
Inspired Tools for the Mac

Release Notes

March 9, 2004 (1.4.0a)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • added payload inspection support for a second version of the SSLammer worm. This worm is a direct attack on TCP Port 443 and can be a problem for Web* and other servers which are running SSL services.

    The new payload inspection filter looks like this:

    #set\payload_inspection\tcp\443\off\10\SSL_EXPLOIT2\SSL Exploit 2\none\3600\1

    This new payload inspection command is contained within a special IPNetSentry Config file named "IPNetSentry Config Web*".

    Web* users should either add the above command to their existing IPNetSentry Config file, or rename the existing IPNetSentry Config file, which resides in the System Preferences folder, to something else (e.g. "IPNetSentry Config Old") and then rename the "IPNetSentry Config Web*" file to "IPNetSentry Config". Turn IPNetSentry OFF and then ON to invoke the new settings.

Bug Fixes:

  • none

September 15, 2003 (1.3.9)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • added payload inspection support for SSLammer worm. This worm can be a problem for Web* and other servers which are running SSL services code on TCP Port 443. There are actually two payload inspection filters added. The first filter looks for the string:

    "GET / HTTP/1.1\r\n\r\n" arriving on TCP Port 80

    The second filter looks for the string:

    "AAAAAAAAAAAAAAA" arriving on TCP Port 443

    Both of these new payload inspection commands are contained within a special IPNetSentry Config file named "IPNetSentry Config Web*".

    Web* users should rename the existing IPNetSentry Config file, which resides in the System Preferences folder, to something else (e.g. "IPNetSentry Config Old"). Then rename the "IPNetSentry Config Web*" file to "IPNetSentry Config" and turn IPNetSentry OFF and then ON to invoke the new settings.

    OR

    Users can simply add the following two payload inspection commands directly to their existing IPNetSentry Config file (using SimpleText):

    #set\payload_inspection\tcp\80\off\10\SSL_EXPLOIT\SSL Exploit 1\none\3600\1
    #set\payload_inspection\tcp\443\off\10\AAAAAAAAAAAAAAA\SSL Exploit 2\none\3600\1

    After making these changes, save the file and close it. You must then Turn OFF then Turn ON IPNetSentry using the IPNetSentry Companion app.

Bug Fixes:

  • none

July 24, 2003 (1.3.8)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • added IPNetAuthorize support. IPNetAuthorize provides IP based access control to your network (machine), even when remote users have dynamic IP addresses. IPNetAuthorize clients are freely available for Classic Mac OS, Mac OS X, and Windows platforms.

Bug Fixes:

  • none

May 14, 2002 (1.3.7)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • added support for Mozilla Browser

Bug Fixes:

  • none

IPNetSentry Companion Application:

Feature Enhancements:

  • added support for Mozilla Browser

Bug Fixes:

  • none

March 28, 2002 (1.3.6)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Made the payload inspection command support both "word offset" and "length" parameters when searching incoming datagrams for specific strings. The standard payload inspection command looks similar to this:

    #set\payload_inspection\tcp\80\off\10\default.ida\Code Red Worm\none\3600\1


    where the "10" parameter in the above command means that the search starts 10 four-byte words from the beginning of the datagram. By default, only the first 64 bytes of the datagram are examined (for efficiency).

    You can now specify the word offset and length parameters with the syntax "offset:length". For example, to detect and block FileMaker Pro hacker access attempts, a payload inspection command would look like this:

    #set\payload_inspection\tcp\80\off\10:64\&-format=-raw&\FMP_Hack Attempt\none\3600\1

    This command will look for the string "&-format=-raw&" starting at word offset 10 (40 bytes from the beginning of the datagram) and continuing for the 64 bytes that follow. Specifying the length is important to keep the payload inspection command efficient (you do not want to scan the entire datagram unnecessarily). This new syntax gives you more control over the payload inspection process and lets you scan more of the datagram if needed (not just the first 64 bytes).
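
    The offset:length window described above can be modelled offline to check what a given command would and would not see. This is an added example, not Sustworks code. It assumes that the pattern must lie entirely inside the window, that a command with no length stops scanning at datagram byte 64, and that matching is case-sensitive; the field after the port and the fields after the rule name are carried through uninterpreted, and the sample datagrams are constructed (40 zero bytes standing in for the IP and TCP headers).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

WORD = 4               # the notes count the offset in four-byte words
DEFAULT_SCAN_END = 64  # assumption: with no length, scanning stops at datagram byte 64


@dataclass
class PayloadRule:
    protocol: str
    port: int
    word_offset: int
    length: Optional[int]  # None when the command gives only an offset
    pattern: bytes
    name: str
    trailing: List[str]    # fields after the name, kept uninterpreted


def parse_rule(line: str) -> PayloadRule:
    """Split a '#set\\payload_inspection\\...' line into its fields."""
    fields = line.strip().split("\\")
    if len(fields) < 8 or fields[:2] != ["#set", "payload_inspection"]:
        raise ValueError("not a payload_inspection command")
    protocol, port, _flag, where, pattern, name = fields[2:8]
    offset, _, length = where.partition(":")
    return PayloadRule(protocol, int(port), int(offset),
                       int(length) if length else None,
                       pattern.encode("latin-1"), name, fields[8:])


def scan_window(rule: PayloadRule, datagram_len: int) -> Tuple[int, int]:
    """Return the [start, end) byte range of the datagram that is scanned."""
    start = rule.word_offset * WORD
    end = DEFAULT_SCAN_END if rule.length is None else start + rule.length
    end = min(end, datagram_len)
    return (start, max(start, end))  # empty window if the datagram is too short


def matches(rule: PayloadRule, datagram: bytes) -> bool:
    """True when the pattern lies entirely inside the scanned window."""
    start, end = scan_window(rule, len(datagram))
    return rule.pattern in datagram[start:end]


def fake_datagram(payload: bytes) -> bytes:
    """Constructed sample: 40 zero bytes (header stand-in) plus the payload."""
    return bytes(40) + payload


# Commands in the syntax shown in these notes; FMP_NARROW is the same rule
# written without a length, to show why the 10:64 form is needed.
FMP_WIDE = parse_rule(
    r"#set\payload_inspection\tcp\80\off\10:64\&-format=-raw&\FMP_Hack Attempt\none\3600\1")
FMP_NARROW = parse_rule(
    r"#set\payload_inspection\tcp\80\off\10\&-format=-raw&\FMP_Hack Attempt\none\3600\1")
CODE_RED = parse_rule(
    r"#set\payload_inspection\tcp\80\off\10\default.ida\Code Red Worm\none\3600\1")

# Constructed request lines, used only as detector input.
FMP_REQUEST = fake_datagram(
    b"GET /FMPro?-db=contacts.fp5&-format=-raw&-findall HTTP/1.0\r\n\r\n")
IDA_REQUEST = fake_datagram(b"GET /default.ida?" + b"N" * 20 + b" HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for label, rule, dgram in (("FMP 10:64", FMP_WIDE, FMP_REQUEST),
                               ("FMP 10", FMP_NARROW, FMP_REQUEST),
                               ("Code Red 10", CODE_RED, IDA_REQUEST)):
        print(label, scan_window(rule, len(dgram)), matches(rule, dgram))
```

    In the constructed FileMaker request the pattern begins 67 bytes into the datagram, so the offset-only rule never reaches it, while the Code Red pattern sits early enough to be caught without a length.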

Bug Fixes:

  • Fixed a bug where the payload inspection command did not always log the intrusion (although the intruder was always blocked).

IPNetSentry Companion Application:

Feature Enhancements:

  • none

Bug Fixes:

  • none

March 11, 2002 (1.3.5)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • none

Bug Fixes:

  • none

IPNetSentry Companion Application:

Feature Enhancements:

  • none

Bug Fixes:

  • Fixed window size problem which prevented registration fields from being displayed.

March 7, 2002 (1.3.4)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Changed the Code Red and Nimda Payload inspection filter so that the inspection occurs earlier in the datagram (now starts at word offset 10 instead of word offset 11). Recent Nimda worm intrusions suggest that the inspection needs to be performed earlier in the datagram. For existing users, you may wish to edit your current IPNetSentry Config file so that the payload inspection filters now appear as follows:

    #set\payload_inspection\tcp\80\off\10\default.ida\Code Red Worm\none\3600\1
    #set\payload_inspection\tcp\80\off\10\root.exe\Nimda\none\3600\1
    #set\payload_inspection\tcp\80\off\10\scripts\Nimda\none\3600\1


    You can easily edit the IPNetSentry Config file with SimpleText. The file resides in your System Preferences folder. After making these changes, save the file, close it, and restart IPNetSentry with the IPNetSentry Companion application (turn off then turn on).

Bug Fixes:

  • None

IPNetSentry Companion Application:

Feature Enhancements:

  • Made IPNetSentry Companion Windows remember their last open positions. Upon reopening these windows, they will now be positioned where they last resided.

Bug Fixes:

  • None

January 15, 2002 (1.3.3)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • None

Bug Fixes:

  • Fixed bug where IPNetSentry reported port scans from Windows machines which were just booting up. The problem is that Windows machines often perform UDP Port 137, 138, and 67 scans upon restart in order to identify other machines on the network. In a heavy Windows environment this "chatter" could have repeatedly caused IPNetSentry to incorrectly report Port Scan type trigger alerts. This has now been fixed.

IPNetSentry Companion Application:

Feature Enhancements:

  • None

Bug Fixes:

  • There was a memory leak when a user clicked either the Configure or Test buttons in the IPNetSentry Companion application. This could result in the application not being able to retrieve the current URL from an open browser, thus apparently hanging.

December 11, 2001 (1.3.2)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added ability to add/remove filters through AppleScript.

    An example script to add a filter which would completely block machine 192.168.0.7 from accessing a machine running IPNetSentry would be:

    tell application "IPNetSentry.PPC"
        set filter to "+filter\\Default_Interface\\Rcv\\Block\\*\\*\\192.168.0.7/32\\*\\*\\*\\"
    end tell

    This script will return an "OK" message from the IPNetSentry.PPC application.

    This AppleScript functionality is often desired by webmasters who wish to programmatically control access to various services which are running on their machines. These services can be any IP services, including web, streaming audio or video, ftp, email, etc. For restricted access, a user would typically first invoke a static blocking filter which would block access to this service for everyone, then selectively add "Pass" filters for those IP addresses which should be given access.

Bug Fixes:

  • None

IPNetSentry Companion Application:

Feature Enhancements:

  • none

Bug Fixes:

  • none

November 20, 2001 (1.3.1)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added full support for Opera and iCab browsers.
  • Added Windows Networking triggers to the IPNetSentry default configuration file (TCP and UDP Port 137). NOTE: Users running the DAVE PC filesharing software may have to remove these Windows triggers from their IPNetSentry Config file. This can readily be performed by editing this file with SimpleText or through our Web Configuration page.

Bug Fixes:

  • None

IPNetSentry Companion Application:

Feature Enhancements:

  • Added full support for Opera and iCab browsers.

Bug Fixes:

  • Fixed a bug which prevented the Aged Filter window from opening when run under Mac OS 8.1 or earlier.
  • Fixed a bug in the Aged Filter table which prevented selection of another entry after an entry was deleted.

October 30, 2001 (1.3)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Moved payload inspection into OTModl$Proxy module. This significantly improves packet inspection efficiency and reliability, especially for Nimda and Code Red type worm detection on machines running web servers.
  • Offers options for setting the aged filter time and to "slam shut" open TCP connections when payload inspection criteria are met. This will free TCP listeners so that worms will not eventually hang a server (e.g. a web server). These options are part of the new payload inspection syntax:

    #set\payload_inspection\tcp\80\off\11\default.ida\Code Red\none\3600\1

  • Ability to set the interval time that the Aged Filter table is saved to disk. Useful for high-speed networks (e.g. 100 Mb/s) where disk access may impede performance.
  • Ability to turn off logging to disk. Useful for high-speed networks (e.g. 100 Mb/s) where disk access may impede performance.

  • Filter table now capable of supporting up to 2000 entries (increased from 250).

Bug Fixes:

  • None

IPNetSentry Companion Application:

Feature Enhancements:

  • Made the Aged Filter table sortable by column. Also permits multiple deletions.

Bug Fixes:

  • None

September 11, 2001 (1.2)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Ability to do payload inspections of incoming datagrams. This capability can be used for worm and virus detection, such as the Code Red Worm. Command to detect the Code Red Worm is:

    #set\payload_inspection\tcp\80\off\11\default.ida\Code Red Worm\

Bug Fixes:

  • Fixed a bug which was interfering with IPNetMonitor.

IPNetSentry Companion Application:

Feature Enhancements:

  • Companion application now supports iCab browsers to the best of its ability. SSL connections are not supported in the default iCab installation, so online registration must still be performed with another browser.

Bug Fixes:

  • Fixed a display bug in the Aged Filter window where an intruder's IP address would not fully be displayed if it was 15 characters (e.g. 192.168.243.212).

August 28, 2001 (1.1.6)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Ability to prohibit logging of broadcast packets. Broadcast packets can occasionally fill a log file with unnecessary entries, especially if IPNetSentry is run on the same machine as IPNetRouter. The command to disable logging of broadcast packets is:

    #set\filter_logging\on no broadcast

Bug Fixes:

  • none

IPNetSentry Companion Application:

Feature Enhancements:

  • The "Log" and "Aged Filter" windows can now be closed with the "Command - W" keys.

Bug Fixes:

  • none

August 20, 2001 (1.1.5)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • none

Bug Fixes:

  • Fixed date reporting for Who's There Firewall Advisor. The IPNetSentry_FA.log file now uses the required mm/dd/yyyy format for date stamping of log entries.

IPNetSentry Companion Application:

Feature Enhancements:

  • Companion Application "About" dialog box now reports the Companion App version, the IPNetSentry FBA version, and the OTModl$Proxy extension version.

Bug Fixes:

  • none

Including OTModl$Proxy v2.1.5 with this release of IPNetSentry.

July 24, 2001 (1.1.4)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added IP header hex dump command (a #set command). When the hex dump feature is on and a datagram arrives which matches a filter (or trigger), the entire datagram IP header is dumped to the log file in hexadecimal format (for manual analysis). This feature is primarily used to identify datagrams which arrive but are not automatically recognized as being IPv4 datagrams of known protocols.

Bug Fixes:

  • none

IPNetSentry Companion Application:

Feature Enhancements:

  • none

Bug Fixes:

  • Fixed version caption of IPNetSentry Extension (as shown in About dialog box).

June 26, 2001 (1.1.3)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added lpd (TCP Port 515) and SOCKS (TCP Port 1080) triggers to default IPNetSentry Config file.

Bug Fixes:

  • Fixed version reporting bug (as displayed in Extensions Manager).

IPNetSentry Companion Application:

Feature Enhancements:

  • No need to use a browser to complete registration process. Key checking is performed directly through the Companion Application.

Bug Fixes:

  • None

June 20, 2001 (1.1.2)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • None

Bug Fixes:

  • Fixed bug which removed IPNetRouter filters when IPNetSentry was turned off.

IPNetSentry Companion Application:

Feature Enhancements:

  • None

Bug Fixes:

  • Fixed log window scrolling when text exceeds 32Kbytes

June 12, 2001 (1.1.1)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added capability to easily perform a trace route on an intruder's IP address when an intrusion alert appears. The trace route is performed through IPNetMonitor, a separate Sustworks product. See the accompanying "IPNetSentry Trace Route Read Me" for more details on setting up this functionality.

Bug Fixes:

  • None

IPNetSentry Companion Application:

Feature Enhancements:

  • Added capability to easily perform a trace route on an intruder's IP address through the Aged Filter window. The trace route is performed through IPNetMonitor, a separate Sustworks product. See the accompanying "IPNetSentry Trace Route Read Me" for more details on setting up this functionality.
  • The "Log" button now opens a separate Log window within the IPNetSentry Companion application. This Log window displays the last 32Kbytes of the IPNetSentry.log file and displays IPNetSentry events as they occur in real-time.

    Users can still open the entire IPNetSentry.log file with a default text editor by holding down the "Shift" key while clicking the Log button.
  • Holding down the "Command" key while launching the application will bypass the splash screen.

Bug Fixes:

  • None

May 15, 2001 (1.1)

Released as version 1.1

May 2, 2001 (1.1c4)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added capability to record messages from "Log" filters. A "Log" filter is typically added to watch for specific activity on a port or protocol. With Log filters, NO action is taken. A Log filter simply passes notification to IPNetSentry. IPNetSentry then records this notification message.

    For example, log all incoming ICMP (Ping type) activity:

    +filter\Default_Interface\Rcv\Log\icmp\*\*\*\*\*\

    This Log filter will let IPNetSentry simply log all incoming ICMP datagrams on a machine's active Internet port.

    Log filters are especially useful when used with IPNetRouter. For example, you could log all HTTP activity on the clients attached to your private LAN with the following filter configured within IPNetRouter:

    +filter\Ethernet Slot 1\Rcv\Log\tcp\*\192.168.0.1/24\*\*\80\

    The above filter assumes your clients are connected via the Ethernet Slot 1 port and configured for the 192.168.0.x subnet.

    IPNetRouter (v1.6c8 and later) provides a very simple way to configure a Log filter through the Filtering window.

Bug Fixes:

  • None

IPNetSentry Companion Application:

No Feature Enhancements

Bug Fixes:

  • Fixed the method that the companion application uses to determine a PPP interface IP address. This is ONLY important IF you are running the companion application on a machine which is sharing a PPP type connection with IPNetRouter.

April 24, 2001 (1.1c3)

IPNetSentry.PPC FBA:

Bug Fix:

Fixed the #set\excluded_subnet feature. This is particularly important for IPNetSentry users who are also running IPNetRouter on the same Macintosh, set up to share a cable/DSL/ADSL modem using the single ethernet configuration. In this case, a user must use the #set\excluded_subnet command to ensure that their client machines do not unnecessarily trigger IPNetSentry.

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

April 19, 2001 (1.1c2)

IPNetSentry.PPC FBA:

Feature Enhancements:

The IPNetSentry FBA has been nearly completely rewritten. This new version provides:

  • stealth scan detection
  • icmp protocol triggers (i.e. detection when someone Pings you).
  • continued filter logging when packets arrive which match an existing filter
  • port scan detection
  • denial of service (DoS) attack detection
  • creation of an event log compatible with Open Door Networks "Who's There" Firewall Advisor

These are significant enhancements. Current IPNetSentry users are advised to upgrade to this latest candidate version of IPNetSentry.

Stealth scan detection permits IPNetSentry to detect any type of remote TCP port scan. A remote user does not have to directly connect to your machine. Just someone port scanning your Mac can cause a trigger to occur.

Continued filter logging lets you see if an intruder keeps hitting your machine even after a filter is applied to ban them.

You can see if a trigger was set by a one time event (perhaps someone mistaking your IP address for some other IP address) or if the intrusion was by a deliberate port scan.

IPNetSentry can now build a separate log file which is compatible with Open Door Networks "Who's There" Firewall Advisor. Note: icmp events are not correctly identified with "Who's There" v1.0.1 or earlier.

IPNetSentry Companion Application:

Feature Enhancements:

  • Due to the addition of several new features, the IPNetSentry Companion Application now uses a different URL for configuration. There are several new options available on this new configuration page.

April 5, 2001 (1.1c1)

IPNetSentry.PPC FBA:

Bug Fixes:

  • The logging function has been modified so that it will not fill up the log with repeating entries (such as detecting an interface is not yet up). This will prevent the log from being filled with redundant entries.

IPNetSentry Companion Application:

Bug Fixes:

  • Modified the Configure, Test, and Save Registration routines so that they now should work more reliably under Mac OS 9.1.

March 12, 2001 (1.0)

Released as version 1.0

February 27, 2001 (1.0c7)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • The IPNetSentry Log file is now checked against a maximum size. When this size is exceeded the user is notified.
    The maximum log file size can be set in the IPNetSentry configuration file. If it is not set in this file, the maximum log file size defaults to 1000 KBytes. The log file size is checked each time IPNetSentry restarts.

No Bug Fixes

IPNetSentry Companion Application:

No Feature Enhancements

Bug Fixes:

  • Fixed a bug which left a TCP port open when a connection was attempted but could not be made to the Companion Application.

February 13, 2001 (1.0c6)

IPNetSentry.PPC FBA:

Reverted to an older version of the Installation package maker. There appeared to be some problems installing IPNetSentry with the new installation package on machines running MacOS 8.1 or earlier.

No Feature Enhancements nor Bug Fixes

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

February 12, 2001 (1.0c5)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Notification type can be set on a per trigger basis.

    For example, consider the situation where you might be protecting your Mac which has a DHCP type cable modem connection. You may wish to have incoming DHCP requests from your neighbors (UDP Port 67) trigger IPNetSentry BUT not alert you. This would offer you the security of your neighbors not being able to access your machine (a filter would automatically be added), but you would not be disturbed by these frequent DHCP requests. The other triggers you set, however, would perform the default notification as set in the configuration file. The command lines to do this would look similar to this:

    #set\notification_type\alert
    ....
    +trigger\tcp\25\smtp
    +trigger\tcp\161\snmp
    +trigger\tcp\23\telnet
    +trigger\udp\53\dns
    ....
    +trigger\udp\67\dhcp\none
    .....
    +trigger\tcp\79\finger
    +trigger\tcp\110\pop3

    Note that the dhcp trigger has a "none" option set. This will cause IPNetSentry to log any trigger events for DHCP intrusions, add the appropriate filter, but not alert the user. All other triggers will cause an alert to appear (since the default notification type has been set to alert).

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

January 29, 2001 (1.0c4)

IPNetSentry.PPC FBA:

Bug Fixes:

  • Fixed notification bugs (including AppleScript file error -43)

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

January 20, 2001 (1.0c3)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added Syslog notification. This will send the log message to a designated Syslog server via UDP Port 514.
  • Multiple notification methods can now be enabled (e.g. alert, applescript, and syslog can all be chosen as notification methods if desired, etc.).

Bug Fixes:

  • Fixed a bug when reloading interface data.

IPNetSentry Companion Application:

Bug Fixes:

  • Fixed problem of Configuring and/or Testing IPNetSentry when ISP uses a Proxy server. True IP address of machine running IPNetSentry is sent to and used by Sustworks server for configuration and testing.
  • Fixed problem where the previous IP address was used when retrieving IPNetSentry configuration information. Companion application now waits for interface to come completely up before retrieving IP address of local machine (mainly a dialup PPP issue).

December 22, 2000 (1.0c2)

IPNetSentry.PPC FBA:

Feature Enhancements:

  • Added feature for AppleScript notification. IPNetSentry can now launch an AppleScript when a trigger is hit (script saved as a runnable application in Preferences folder). A typical use of this feature is to send an administrator an email message with the details of the intrusion. Example scripts for sending mail through Eudora and Outlook Express are provided.
  • Added feature to specify the public port (on which Aged Filters will be applied). This is important for IPNetRouter users who are sharing a dialup PPP connection. In this case the public interface is NOT the primary interface (the local private interface is the primary interface as set up in the TCP/IP control panel).
  • Added feature to exclude specified subnets from causing IPNetSentry to trigger. Examples where this may be desired:
    • You do not want client machines on your private IPNetRouter subnet to cause unnecessary triggers.
    • There is a remote machine (e.g. office) with a static IP address to which you always want to give access to your home machine. You do not want this office machine to accidentally hit a trigger on the home machine, thereby banning this remote machine from any access.
  • Added feature to record the protocol and service of the trigger in the IPNetSentry Aged Filter file.

Bug Fixes:

  • Fixed loading access (static) filters
  • Fixed closing FBA resource fork (so companion application can write to it when registering).

IPNetSentry Companion Application:

Feature Enhancements:

  • Added feature to display protocol and service of trigger in Aged Filter window.

Bug Fixes:

  • Fixed restart of IPNetSentry FBA after an Aged Filter has been modified or deleted or the IPNetSentry configuration file has been modified.

December 8, 2000 (1.0c1)

First final candidate posted.
