Release Notes
March 9, 2004 (1.4.0a)
IPNetSentry.PPC FBA:
Feature Enhancements:
- added payload inspection support for a second version of the
SSLammer worm. This worm is a direct attack on TCP Port 443 and
can be a problem for Web* and other servers which are running
SSL services.
The new payload inspection filter looks like this:
#set\payload_inspection\tcp\443\off\10\SSL_EXPLOIT2\SSL Exploit 2\none\3600\1
This new payload inspection command is contained within a special
IPNetSentry Config file named "IPNetSentry Config Web*".
Web* users should add the above command to their existing IPNetSentry
Config file, or rename the existing IPNetSentry Config file, which
resides in the System Preferences folder, to something else (e.g.
"IPNetSentry Config Old") and then rename the "IPNetSentry
Config Web*" file to "IPNetSentry Config". Turn
OFF then Turn ON IPNetSentry in order to invoke the new settings.
Bug Fixes:
September 15, 2003 (1.3.9)
IPNetSentry.PPC FBA:
Feature Enhancements:
- added payload inspection support for SSLammer worm. This worm
can be a problem for Web* and other servers which are running
SSL services code on TCP Port 443. There are actually two payload
inspection filters added. The first filter looks for the string:
"GET / HTTP/1.1\r\n\r\n" arriving on TCP Port 80
The second filter looks for the string:
"AAAAAAAAAAAAAAA" arriving on TCP Port 443
Both of these new payload inspection commands are contained within
a special IPNetSentry Config file named "IPNetSentry Config
Web*".
Web* users should rename the existing IPNetSentry Config file,
which resides in the System Preferences folder, to something else
(e.g. "IPNetSentry Config Old"). Then rename the "IPNetSentry
Config Web*" file to "IPNetSentry Config" and Turn
OFF then Turn ON IPNetSentry in order to invoke the new settings.
OR
Users can simply add the following two payload inspection commands
directly to their existing IPNetSentry Config file (using SimpleText):
#set\payload_inspection\tcp\80\off\10\SSL_EXPLOIT\SSL Exploit 1\none\3600\1
#set\payload_inspection\tcp\443\off\10\AAAAAAAAAAAAAAA\SSL Exploit 2\none\3600\1
After making these changes, save the file and close it. You must
then Turn OFF then Turn ON IPNetSentry using the IPNetSentry Companion
app.
Bug Fixes:
July 24, 2003 (1.3.8)
IPNetSentry.PPC FBA:
Feature Enhancements:
- added IPNetAuthorize support. IPNetAuthorize provides IP based access control to your network (machine), even when remote users have dynamic IP addresses. IPNetAuthorize clients are freely available for Classic Mac OS, Mac OS X, and Windows platforms.
Bug Fixes:
May 14, 2002 (1.3.7)
IPNetSentry.PPC FBA:
Feature Enhancements:
- added support for Mozilla Browser
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- added support for Mozilla Browser
Bug Fixes:
March 28, 2002 (1.3.6)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Made the payload inspection command support both "word offset"
and "length" parameters when searching incoming datagrams for
specific strings. The standard payload inspection command looks
similar to this:
#set\payload_inspection\tcp\80\off\10\default.ida\Code Red Worm\none\3600\1
where the "10" parameter in the above command means start searching
the datagram 10 four-byte words from the beginning of the datagram.
By default, only the first 64 bytes of the datagram would be examined
(for efficiency).
You can now specify the word offset and length parameters with
the syntax "offset:length". For example, to detect and block File
Maker Pro hacker access attempts, a payload inspection command
would look like this:
#set\payload_inspection\tcp\80\off\10:64\&-format=-raw&\FMP_Hack Attempt\none\3600\1
This command will look for the string "&-format=-raw&"
starting at word offset 10 (40 bytes from the beginning of the
datagram) and for 64 bytes following. Specifying the length is
important to keep the payload inspection command efficient (you
do not want to unnecessarily scan the entire datagram). This new
syntax gives you more control over the payload inspection process
and lets you scan more of the datagram if needed (not just the
first 64 bytes).
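The offset:length window described above, worked through as an added example (this is not Sustworks code). It parses the command from the notes and applies the window to constructed IPv4+TCP datagrams; word offset 10 is byte 40, which is where the TCP payload begins only when both headers are their minimum 20 bytes. Assumptions: a bare offset scans 64 bytes from that offset, the string must lie wholly inside the window, and the "off" field and trailing fields are ignored because the notes do not define them.

```python
import struct
from typing import NamedTuple

DEFAULT_LENGTH = 64  # assumption: a bare offset scans 64 bytes starting at that offset


class PayloadRule(NamedTuple):
    protocol: str
    port: int
    word_offset: int   # counted in 4-byte words from the start of the IP datagram
    length: int        # number of bytes scanned from that offset
    pattern: bytes
    label: str


def parse_rule(line: str) -> PayloadRule:
    """Parse #set\\payload_inspection\\proto\\port\\off\\offset[:length]\\string\\label\\..."""
    fields = line.strip().split("\\")
    if fields[:2] != ["#set", "payload_inspection"] or len(fields) < 8:
        raise ValueError("not a payload_inspection command")
    # Field 4 ("off") and the trailing fields are not described in enough
    # detail in the notes to interpret, so they are ignored here.
    protocol, port, _, window, pattern, label = fields[2:8]
    offset, _, length = window.partition(":")
    return PayloadRule(protocol, int(port), int(offset),
                       int(length) if length else DEFAULT_LENGTH,
                       pattern.encode("ascii"), label)


def matches(rule: PayloadRule, datagram: bytes) -> bool:
    """True if the whole pattern lies inside the rule's scan window (assumption)."""
    start = rule.word_offset * 4
    return rule.pattern in datagram[start:start + rule.length]


def build_datagram(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP datagram; checksums are zero, only the layout matters."""
    tcp_len = 20 + len(tcp_options)          # options must be a multiple of 4 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (tcp_len // 4) << 4,
                      0x18, 8192, 0, 0)
    return ip + tcp + tcp_options + payload


RULE = parse_rule(r"#set\payload_inspection\tcp\80\off\10:64\&-format=-raw&\FMP_Hack Attempt\none\3600\1")
WIDE = RULE._replace(length=128)  # same rule with a longer scan window

# Constructed requests: the string near the start, and 75 bytes into the payload.
NEAR = build_datagram(b"GET /FMPro?-db=x&-format=-raw&-find HTTP/1.0\r\n\r\n")
FAR = build_datagram(b"GET /FMPro?-db=" + b"x" * 60 + b"&-format=-raw&-find HTTP/1.0\r\n\r\n")
# A request whose string ends exactly at byte 64 of the payload, checked once with
# minimum headers and once with 12 bytes of TCP options (NOP, NOP, timestamp).
EDGE = b"GET /FMPro?-db=" + b"x" * 35 + b"&-format=-raw&-find HTTP/1.0\r\n\r\n"
OPTS = bytes([1, 1, 8, 10]) + bytes(8)

if __name__ == "__main__":
    for name, rule, dgram in [
        ("near, 10:64", RULE, NEAR),
        ("far, 10:64", RULE, FAR),
        ("far, 10:128", WIDE, FAR),
        ("edge, no TCP options", RULE, build_datagram(EDGE)),
        ("edge, 12 option bytes", RULE, build_datagram(EDGE, OPTS)),
    ]:
        print(f"{name:24} {'match' if matches(rule, dgram) else 'no match'}")
```

Because the window is counted from the start of the datagram, header length counts against it, so the length should be chosen with some margin rather than sized to the shortest expected request.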
Bug Fixes:
- Fixed a bug where the payload inspection command did not always
log the intrusion (although the intruder was always blocked).
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
March 11, 2002 (1.3.5)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
- Fixed window size problem which prevented registration fields
from being displayed.
March 7, 2002 (1.3.4)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Changed the Code Red and Nimda Payload inspection filter so
that the inspection occurs earlier in the datagram (now starts
at word offset 10 instead of word offset 11). Recent Nimda worm
intrusions suggest that the inspection needs to be performed earlier
in the datagram. For existing users, you may wish to edit your
current IPNetSentry Config file so that the payload inspection
filters now appear as follows:
#set\payload_inspection\tcp\80\off\10\default.ida\Code Red Worm\none\3600\1
#set\payload_inspection\tcp\80\off\10\root.exe\Nimda\none\3600\1
#set\payload_inspection\tcp\80\off\10\scripts\Nimda\none\3600\1
You can easily edit the IPNetSentry Config file with SimpleText.
The file resides in your System Preferences folder. After making
these changes, save the file, close it, and restart IPNetSentry
with the IPNetSentry Companion application (turn off then turn
on).
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- Made IPNetSentry Companion Windows remember their last open
positions. Upon reopening these windows, they will now be positioned
where they last resided.
Bug Fixes:
January 15, 2002 (1.3.3)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
- Fixed bug where IPNetSentry reported port scans from Windows
machines which were just booting up. The problem is that Windows
machines often perform UDP Port 137, 138, and 67 scans upon restart
in order to identify other machines on the network. In a heavy
Windows environment this "chatter" could have repeatedly caused
IPNetSentry to incorrectly report Port Scan type trigger alerts.
This has now been fixed.
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
- There was a memory leak when a user clicked either the Configure
or Test buttons in the IPNetSentry Companion application. This
could result in the application not being able to retrieve the
current URL from an open browser, thus apparently hanging.
December 11, 2001 (1.3.2)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added ability to add/remove filters through AppleScript.
An example script to add a filter which would completely block
machine 192.168.0.7 from accessing a machine running IPNetSentry
would be:
tell application "IPNetSentry.PPC"
    set filter to "+filter\\Default_Interface\\Rcv\\Block\\*\\*\\192.168.0.7/32\\*\\*\\*\\"
end tell
This script will return an "OK" message from the IPNetSentry.PPC application.
This AppleScript functionality is often desired by webmasters
who wish to programmatically control access to various services
which are running on their machines. These services can be any
IP services, including web, streaming audio or video, ftp, email,
etc. For restricted access, a user would typically first invoke
a static blocking filter which would block access to this service
for everyone, then selectively add "Pass" filters for those
IP addresses which should be given access.
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
November 20, 2001 (1.3.1)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added full support for Opera and iCab browsers.
- Added Windows Networking triggers to the IPNetSentry default
configuration file (TCP and UDP Port 137). NOTE: Users running
the DAVE PC filesharing software may have to remove these Windows
triggers from their IPNetSentry Config file. This can readily
be performed by editing this file with SimpleText or through our
Web Configuration page.
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- Added full support for Opera and iCab browsers.
Bug Fixes:
- Fixed a bug which prevented the Aged Filter window from opening
when run under Mac OS 8.1 or earlier.
- Fixed a bug in the Aged Filter table which prevented selection
of another entry after an entry was deleted.
October 30, 2001 (1.3)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Moved payload inspection into OTModl$Proxy module. This significantly
improves packet inspection efficiency and reliability, especially
for Nimda and Code Red type worm detection on machines running
web servers.
- Offers options for setting the aged filter time and to "slam
shut" open TCP connections when payload inspection criteria are
met. This will free TCP listeners so that worms will not eventually
hang a server (e.g. a web server). These options are part of
the new payload inspection syntax:
#set\payload_inspection\tcp\80\off\11\default.ida\Code Red\none\3600\1
- Ability to set the interval time that the Aged Filter table
is saved to disk. Useful for high-speed networks (e.g. 100 Mb/s)
where disk access may impede performance.
- Ability to turn off logging to disk. Useful for high-speed networks
(e.g. 100 Mb/s) where disk access may impede performance.
- Filter table now capable of supporting up to 2000 entries (increased
from 250).
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- Made the Aged Filter table sortable by column. Also permits
multiple deletions.
Bug Fixes:
September 11, 2001 (1.2)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Ability to do payload inspections of incoming datagrams. This
capability can be used for worm and virus detection, such as the
Code Red Worm. Command to detect the Code Red Worm is:
#set\payload_inspection\tcp\80\off\11\default.ida\Code Red Worm\
Bug Fixes:
- Fixed a bug which was interfering with IPNetMonitor.
IPNetSentry Companion Application:
Feature Enhancements:
- Companion application now supports iCab browsers (to the best
of its ability. SSL connections are not supported in the default
iCab installation, so online registration must still be performed
with another browser).
Bug Fixes:
- Fixed a display bug in the Aged Filter window where an intruder's
IP address would not fully be displayed if it was 15 characters
(e.g. 192.168.243.212).
August 28, 2001 (1.1.6)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- The "Log" and "Aged Filter" windows can now be closed with the
"Command - W" keys.
Bug Fixes:
August 20, 2001 (1.1.5)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
- Fixed date reporting for Who's There Firewall Advisor. The IPNetSentry_FA.log
file now uses the required mm/dd/yyyy format for date stamping
of log entries.
IPNetSentry Companion Application:
Feature Enhancements:
- Companion Application "About" dialog box now reports the Companion
App version, the IPNetSentry FBA version, and the OTModl$Proxy
extension version.
Bug Fixes:
Including OTModl$Proxy v2.1.5 with this release of IPNetSentry.
July 24, 2001 (1.1.4)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added IP header hex dump command (#set command). When the hex
dump feature is on, and a datagram arrives which matches a filter
(or trigger), the entire datagram IP header is dumped in the log
file in hexadecimal format (for manual analysis). This feature
is primarily used to identify datagrams which arrive but are not
automatically recognized as being IPv4 datagrams of known protocols.
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
- Fixed version caption of IPNetSentry Extension (as shown in
About dialog box).
June 26, 2001 (1.1.3)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added lpd (TCP Port 515) and SOCKS (TCP Port 1080) triggers
to default IPNetSentry Config file.
Bug Fixes:
- Fixed version reporting bug (as displayed in Extensions Manager).
IPNetSentry Companion Application:
Feature Enhancements:
- No need to use a browser to complete registration process. Key
checking is performed directly through the Companion Application.
Bug Fixes:
June 20, 2001 (1.1.2)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
- Fixed bug which removed IPNetRouter filters when IPNetSentry
was turned off.
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
- Fixed log window scrolling when text exceeds 32Kbytes
June 12, 2001 (1.1.1)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added capability to easily perform a trace route on an intruder's
IP address when an intrusion alert appears. The trace route is
performed through IPNetMonitor, a separate Sustworks product.
See the accompanying "IPNetSentry Trace Route Read Me" for more
details on setting up this functionality.
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- Added capability to easily perform a trace route on an intruder's
IP address through the Aged Filter window. The trace route is
performed through IPNetMonitor, a separate Sustworks product.
See the accompanying "IPNetSentry Trace Route Read Me" for more
details on setting up this functionality.
- The "Log" button now opens a separate Log window within the
IPNetSentry Companion application. This Log window displays the
last 32Kbytes of the IPNetSentry.log file and displays IPNetSentry
events as they occur in real-time.
Users can still open the entire IPNetSentry.log file with a default
text editor by holding down the "Shift" key while clicking the
Log button.
- Holding down the "Command" key while launching the application
will bypass the splash screen.
Bug Fixes:
May 15, 2001 (1.1)
Released as version 1.1
May 2, 2001 (1.1c4)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added capability to record messages from "Log" filters. A "Log"
filter is typically added to watch for specific activity on a
port or protocol. With Log filters, NO action is taken. A Log
filter simply passes notification to IPNetSentry. IPNetSentry
then records this notification message.
For example, log all incoming ICMP (Ping type) activity:
+filter\Default_Interface\Rcv\Log\icmp\*\*\*\*\*\
This Log filter will let IPNetSentry simply log all incoming
ICMP datagrams on a machine's active Internet port.
Log filters are especially useful when used with IPNetRouter.
For example, you could log all HTTP activity on the clients
attached to your private LAN with the following filter configured
within IPNetRouter:
+filter\Ethernet Slot 1\Rcv\Log\tcp\*\192.168.0.1/24\*\*\80\
The above filter assumes your clients are connected via the
Ethernet Slot 1 port and configured for the 192.168.0.x subnet.
IPNetRouter (v1.6c8 and later) provides a very simple way to
configure a Log filter through the Filtering window.
Bug Fixes:
IPNetSentry Companion Application:
No Feature Enhancements
Bug Fixes:
- Fixed the method that the companion application uses to determine
a PPP interface IP address. This is ONLY important IF you are
running the companion application on a machine which is sharing
a PPP type connection with IPNetRouter.
April 24, 2001 (1.1c3)
IPNetSentry.PPC FBA:
Bug Fix:
Fixed the #set\excluded_subnet feature. This is particularly important
for IPNetSentry users who are also running IPNetRouter on the same
Macintosh, set up to share a cable/DSL/ADSL modem using
the single ethernet configuration. In this case, a user must use
the #set\excluded_subnet command to ensure that their client machines
do not unnecessarily trigger IPNetSentry.
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
April 19, 2001 (1.1c2)
IPNetSentry.PPC FBA:
Feature Enhancements:
The IPNetSentry FBA has been nearly completely rewritten. This
new version provides:
- stealth scan detection
- icmp protocol triggers (i.e. detection when someone Pings you).
- continued filter logging when packets arrive which match an
existing filter
- port scan detection
- denial of service (DoS) attack detection
- creation of an event log compatible with Open Door Networks
"Who's There" Firewall Advisor
These are significant enhancements. Current IPNetSentry users are
advised to upgrade to this latest candidate version of IPNetSentry.
Stealth scan detection permits IPNetSentry to detect any type of
remote TCP port scan. A remote user does not have to directly connect
to your machine. Just someone port scanning your Mac can cause a
trigger to occur.
Continued filter logging lets you see if an intruder keeps hitting
your machine even after a filter is applied to ban them.
You can see if a trigger was set by a one time event (perhaps someone
mistaking your IP address for some other IP address) or if the intrusion
was by a deliberate port scan.
IPNetSentry can now build a separate log file which is compatible
with Open Door Networks "Who's There" Firewall Advisor. Note: icmp
events are not correctly identified with "Who's There" v1.0.1 or
earlier.
IPNetSentry Companion Application:
Feature Enhancements:
- Due to the addition of several new features, the IPNetSentry
Companion Application now uses a different URL for configuration.
There are several new options available on this new configuration
page.
April 5, 2001 (1.1c1)
IPNetSentry.PPC FBA:
Bug Fixes:
- The logging function has been modified so that it will not fill
up the log with repeating entries (such as detecting an interface
is not yet up). This will prevent the log from being filled with
redundant entries.
IPNetSentry Companion Application:
Bug Fixes:
- Modified the Configure, Test, and Save Registration routines
so that they now should work more reliably under Mac OS 9.1.
March 12, 2001 (1.0)
Released as version 1.0
February 27, 2001 (1.0c7)
IPNetSentry.PPC FBA:
Feature Enhancements:
- The IPNetSentry Log file is now checked against a maximum size.
When this size is exceeded the user is notified.
The maximum log file size can be set in the IPNetSentry configuration
file. If it is not set in this file, the maximum log file size
defaults to 1000 KBytes. The log file size is checked each time
IPNetSentry restarts.
No Bug Fixes
IPNetSentry Companion Application:
No Feature Enhancements
Bug Fixes:
- Fixed a bug which left a TCP port open when a connection was
attempted but could not be made to the Companion Application.
February 13, 2001 (1.0c6)
IPNetSentry.PPC FBA:
Reverted to an older version of the Installation package maker.
There appeared to be some problems installing IPNetSentry with the
new installation package on machines running MacOS 8.1 or earlier.
No Feature Enhancements nor Bug Fixes
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
February 12, 2001 (1.0c5)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Notification type can be set on a per trigger basis.
For example, consider the situation where you might be protecting
your Mac which has a DHCP type cable modem connection. You may
wish to have incoming DHCP requests from your neighbors (UDP
Port 67) trigger IPNetSentry BUT not alert you. This would offer
you the security of your neighbors not being able to access
your machine (a filter would automatically be added), but you
would not be disturbed by these frequent DHCP requests. The
other triggers you set, however, would perform the default notification
as set in the configuration file. The command lines to do this
would look similar to this:
#set\notification_type\alert
....
+trigger\tcp\25\smtp
+trigger\tcp\161\snmp
+trigger\tcp\23\telnet
+trigger\udp\53\dns
....
+trigger\udp\67\dhcp\none
.....
+trigger\tcp\79\finger
+trigger\tcp\110\pop3
Note that the dhcp trigger has a "none" option set. This will
cause IPNetSentry to log any trigger events for DHCP intrusions,
add the appropriate filter, but not alert the user. All other
triggers will cause an alert to appear (since the default notification
type has been set to alert).
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
January 29, 2001 (1.0c4)
IPNetSentry.PPC FBA:
Bug Fixes:
- Fixed notification bugs (including AppleScript file error -43)
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
January 20, 2001 (1.0c3)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added Syslog notification. This will send the log message to
a designated Syslog server via UDP Port 514.
- Multiple notification methods can now be enabled (e.g. alert,
applescript, and syslog can all be chosen as notification methods
if desired, etc.).
Bug Fixes:
- Fixed a bug when reloading interface data.
IPNetSentry Companion Application:
Bug Fixes:
- Fixed problem of Configuring and/or Testing IPNetSentry when
ISP uses a Proxy server. True IP address of machine running IPNetSentry
is sent to and used by Sustworks server for configuration and
testing.
- Fixed problem where the previous IP address was used when retrieving
IPNetSentry configuration information. Companion application now
waits for interface to come completely up before retrieving IP
address of local machine (mainly a dialup PPP issue).
December 22, 2000 (1.0c2)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added feature for AppleScript notification. IPNetSentry can
now launch an AppleScript when a trigger is hit (script saved
as a runnable application in Preferences folder). A typical use
of this feature is to send an administrator an email message with
the details of the intrusion. Example scripts for sending mail
through Eudora and Outlook Express are provided.
- Added feature to specify the public port (on which Aged Filters
will be applied). This is important for IPNetRouter users who
are sharing a dialup PPP connection. In this case the public interface
is NOT the primary interface (the local private interface is the
primary interface as set up in the TCP/IP control panel).
- Added feature to exclude specified subnets from causing IPNetSentry
to trigger. Examples where this may be desired:
- You do not want client machines on your private IPNetRouter
subnet to cause unnecessary triggers.
- There is a remote machine (e.g. office) with a static IP
address for which you always want to give access to your home
machine. You do not want this office machine to accidentally
hit a trigger on the home machine, thereby banning this remote
machine from any access.
- Added feature to record the protocol and service of the trigger
in the IPNetSentry Aged Filter file.
Bug Fixes:
- Fixed loading access (static) filters
- Fixed closing FBA resource fork (so companion application
can write to it when registering).
IPNetSentry Companion Application:
Feature Enhancements:
- Added feature to display protocol and service of trigger in
Aged Filter window.
Bug Fixes:
- Fixed restart of IPNetSentry FBA after an Aged Filter has been
modified or deleted or the IPNetSentry configuration file has
been modified.
December 8, 2000 (1.0c1)
First final candidate posted.