
Thread: Attack Detection appears not to be working

  1. #16
    Join Date
    Sep 2011
    Location
    (USA)
    Posts
    356

    Re: Attack Detection appears not to be working

    Thanks very much for the info, Wayne!

    I've done as you suggested and changed the port scan number to 3. Will post back at a later time after I see what the AD log shows with this change.

    Best regards,



    Dell Optiplex 755 Desktop | Win 7 Pro, SP1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 400 GB HDD | 8 GB RAM | Outpost Security Suite Pro (lifetime license) | MBAM Premium 2.0 (lifetime license) | SAS (on-demand) | Spywareblaster | Blocklist Pro | IE11 and FF w/ NoScript | Disconnect | Adblock Plus | MBAE (free)

  2. #17
    Join Date
    Sep 2011
    Location
    (USA)
    Posts
    356

    Re: Attack Detection appears not to be working

    Just a brief update. I've included a screenshot of the current AD Log. You'll note the same China-based IP address has been attempting to scan only 3 ports at a time instead of the previous number of 6, and every attempted scan involves the same 3 ports.

    This IP address is one which I used to see very frequently in my AD Log. (The IP address shown for May 1st is for my ISP.)

    (Attachment: OSS AD LOG.JPG)

    Regards everyone,


  3. #18
    Join Date
    Mar 2009
    Posts
    577

    Re: Attack Detection appears not to be working

    Not good, thanks for asking.

    1. I'm on OP FW Pro
    2. I have extensive blocking lists, some covering whole countries. Could that be why I get no scans?
    Best Regards!

    .... there is always time to do it over, but never enough to do it right the first time....

  4. #19
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,714

    Re: Attack Detection appears not to be working

    Quote Originally Posted by spc3rd View Post
    Just a brief update. I've included a screenshot of the current AD Log. You'll note the same China-based IP address has been attempting to scan only 3 ports at a time instead of the previous number of 6, and every attempted scan involves the same 3 ports.

    This IP address is one which I used to see very frequently in my AD Log. (The IP address shown for May 1st is for my ISP.)



    Regards everyone,
    I wonder what is concerning about the AD logs where you are really - with this - just looking at the internet equivalent of gnats. A few port scans are irrelevant. But at the same time your OSS is set for Auto-learn. While the new auto-learn is much better there's still a possibility that you could allow malware to automatically create network rules in order to do its dirty work. Wouldn't it be better to concentrate on tightening up your configuration as per our old but goodie FAQ than swatting at these minor points?
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002

  5. #20
    Join Date
    May 2003
    Location
    CSA Consulate,Rm.101,Glos. UK
    Posts
    5,852

    Re: Attack Detection appears not to be working

    the main topic here was whether or not the log was working. it is. the resetting of the parameter to a lower value just ups the odds of seeing it in the log. as can be seen in your (spc3rd's) log, it caused your isp to be blocked for 10 minutes. the parameter setting should be balanced against your local circumstances; if there is a persistent offender from china, put their IP in the ip blocklist. the default setting is a balance worked out by agnitum as offering a reasonable compromise. straying too far from it can have side effects.

    the port scans by themselves are not dangerous unless you are flooded with them. as there is another setting for the time period of the counts, i'd think maybe that increasing the time window would be more effective, ie three scans from the same ip in 1 minute is the same as 6 scans from the same ip in 2 min. and would not then block the isp's (or others) occasional legit based on a 4 or 5 port scan. the purpose of baddies scanning is to find a vulnerable port to further attack. op should block whatever attack they try if they do find a 'vulnerable' port. as op would show stealthed ports on a scan, this is unlikely anyway. as in all things a balance is best & the defaults cover most bets.

    i've reset my parameters back to what i had before now that we know logging does in fact work. the 'A Guide to Producing a Secure Configuration for Outpost' FAQ referred to by manny, while out of date, still is a master guide for tightening up your system without buggering it up too much & for explaining most of the security concerns we might have. attack detection is covered in section G4.

    Quote Originally Posted by p2k
    G4 - Attack Detection

    The recommended settings here will depend on whether another firewall (such as that of an external router) is in use. With another firewall, a lot of the "background noise" of scans and automated attacks will be filtered - and those that do reach Outpost should then be noted.

    Alert Level:

    Maximum

    Report Detected Attacks (Outpost 2.1 and later):

    Enable if another firewall is in use.
    Disable otherwise to avoid frequent popups.

    Block Intruders:

    Enable if persistent attack reports are received. Use this setting with caution however since it can cause legitimate traffic to be blocked also.

    Denial of Service Attacks:

    Enable only if on a LAN.

    Ignoring Attacks from Trusted Hosts
    It is possible for the Attack Detection plugin to misinterpret repeated connection attempts as an attack. This can happen with Browse Master and Domain Controller hosts on a Windows LAN which periodically connect to all other machines. To prevent this, either Disable the Attack Detection plugin or disconnect from the network, shutdown Outpost and edit the protect.lst file in the Outpost program folder.

    Benefits: Avoids routine network connections from being treated as an attack and blocked.
    Costs: Real attacks from these machines will no longer be detected or reported. Extra care should be taken to keep them secure.
    note the bit (shown after the above in the main faq) on protect.lst no longer applies. 'trusted' is set from the main gui in a lan settings tick box.
    Last edited by KronckeW; 05-05-2012 at 19:11.
    Regards,

    CAVE CANEM
    ET SEMPER PARATUS

    Win7 x64 SP1, i7 quad core 3770k, 16GB ram, Custom build PC wi. Asus P8Z77-I MB, nVidia GTX650, Firefox 34.0a1 x64,
    Thunderbird 34.0a1 x64, IE10, Asus DSL-N55U router, Outpost Security Suite9.1 (4562.701.1951),
    in-house IT Support Dept. consisting of two Greyhounds, both of which are now very fast angels, and one Saluki Lurcher



  6. #21
    Join Date
    Sep 2011
    Location
    (USA)
    Posts
    356

    Re: Attack Detection appears not to be working

    I appreciate all the additional info and references, Manny & Wayne.

    I had not seen these before.

    (For Manny): I had set the firewall to the "auto-rules creation" temporarily at the time I posted here. I'm still not very attuned to just how to adequately create rules myself, and since I was going to use some programs I have not used since acquiring OSS...I thought the "auto-rules creation" mode would be appropriate. (It's back to "block most" now.)

    Thanks again for the info...it'll take me a while to read through it all!


  7. #22
    Join Date
    Sep 2011
    Location
    (USA)
    Posts
    356

    Re: Attack Detection appears not to be working

    (For Wayne): I neglected to inquire further about the port scanning comparison you made; how & WHICH adjustments to make. I've pasted below my current AD settings. Would you suggest any changes to it...mainly so it doesn't block my ISP or record their multiple port scans as an attack? BTW, I don't know if this is of any consequence, but...of the 3 IP ranges I see displayed in my LAN settings, NONE of the boxes are checked & the "Log new networks" box is also not checked. (My computer is a standalone...no others in the house; I'm the sole user & no router is in use here. Internet connection is via cable modem). If I'm interpreting what I've read here thus far correctly...this would seem to be the way the LAN settings should be for my computer???

    Thanks very much again!

    (Attachment: OSS AD SETTINGS.JPG)


  8. #23
    Join Date
    Mar 2009
    Posts
    577

    Re: Attack Detection appears not to be working

    Well I think I need to leave this thread guys. You get entries in your attack detection log and I don't. Reason unknown.

    So as I'm on different software I can only cause confusion with my OP FW Pro version and you guys are all on the suite OSS.

    I know, I know, it should be the same for both but for me it isn't.

    Today I removed OP FW Pro and for one day I'll run naked behind a router with Nod32 on real-time scan mode and its HIPS now engaged. So I should be 90% okay.

    Tomorrow I'll reinstall OP FW Pro and NOT bring back my hard-won configuration settings. I'll run it in default mode and learning mode, letting it do what it wants for 1 day, and see if the attack log comes back to life.

    If that fails (hope it doesn't) I'll remove that version and revert to the previous OP FW Pro version and let it do its own thing in learning mode for 1 day.

    If that fails I will know I've got a more serious issue on this PC. That has zip to do with OP.

    Does anybody here see a flaw in this debug plan? Fire at will, be blunt, I can deal with that!
    Best Regards!

  9. #24
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,714

    Re: Attack Detection appears not to be working

    Quote Originally Posted by spc3rd View Post
    I appreciate all the additional info and references, Manny & Wayne.

    I had not seen these before.

    (For Manny): I had set the firewall to the "auto-rules creation" temporarily at the time I posted here. I'm still not very attuned to just how to adequately create rules myself, and since I was going to use some programs I have not used since acquiring OSS...I thought the "auto-rules creation" mode would be appropriate. (It's back to "block most" now.)

    Thanks again for the info...it'll take me a while to read through it all!
    You have to excuse me for giving you a little jazz. This product is about the best in the market in my opinion. It lets you tinker with just about everything you want. Auto-learn as it now exists is really very good and I wish it was around with OP v1 when I first started. But you know I learned about making rules the old way and I still think that's the right way. Anything done automatically will always tend to be a little loose because, while you want your customers safe, you don't want to be blocking them. Personally, I tend to shy away from making rules this way but I must admit when I'm in a hurry with a known safe program and I just want to go then Auto-learn really moves the process along.

    My point was that a few port scans here and there are no big deal. The default values really are reasonable and I just don't touch them. Making tight rules on the other hand is something that can be really valuable.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002

  10. #25
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,714

    Re: Attack Detection appears not to be working

    Quote Originally Posted by Escalader View Post
    Well I think I need to leave this thread guys. You get entries in your attack detection log and I don't. Reason unknown.

    So as I'm on different software I can only cause confusion with my OP FW Pro version and you guys are all on the suite OSS.

    I know, I know, it should be the same for both but for me it isn't.

    Today I removed OP FW Pro and for one day I'll run naked behind a router with Nod32 on real-time scan mode and its HIPS now engaged. So I should be 90% okay.

    Tomorrow I'll reinstall OP FW Pro and NOT bring back my hard-won configuration settings. I'll run it in default mode and learning mode, letting it do what it wants for 1 day, and see if the attack log comes back to life.

    If that fails (hope it doesn't) I'll remove that version and revert to the previous OP FW Pro version and let it do its own thing in learning mode for 1 day.

    If that fails I will know I've got a more serious issue on this PC. That has zip to do with OP.

    Does anybody here see a flaw in this debug plan? Fire at will, be blunt, I can deal with that!
    There's no difference in functionality between OSS and OP for most things. The topic of this thread - AD - is identical in both so which product you have makes no difference here.

    You probably have nothing in your AD logs - like me - most likely because your hardware is doing the blocking and there's nothing for OP to block. Reinstalling OP is likely to make no difference so save your configuration so you can bring it back when that happens.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002

  11. #26
    Join Date
    May 2003
    Location
    CSA Consulate,Rm.101,Glos. UK
    Posts
    5,852

    Re: Attack Detection appears not to be working

    spc3rd, you now have the same setting i do (default). that should be OK.
    Regards,

  12. #27
    Join Date
    Sep 2011
    Location
    (USA)
    Posts
    356

    Re: Attack Detection appears not to be working

    I appreciate all the additional info you've each provided, Manny & Wayne!


  13. #28
    Join Date
    Mar 2009
    Posts
    577

    Re: Attack Detection appears not to be working

    Thing is Manny it may be functionally the same BUT the code is potentially different.

    But if you want to leave my posts in OSS that's fine with me!

    As well, I hear you that your AD log is empty, but in the earlier version I did get scanning IPs logged, and my router hardware has not changed in years.

    Thus I hope you see my point. I sometimes have trouble making my thinking clear in writing.

    I will post back my findings in due course.
    Best Regards!

  14. #29
    Join Date
    Mar 2009
    Posts
    577

    Re: Attack Detection appears not to be working

    Okay, what I did was reinstalled OP FW Pro 7.5.2 in learning mode with all their default settings AND still the AD log was empty.

    So being an experimenter at heart I removed the router from the experiment connected directly to the cable modem and rebooted.

    Well Manny, you were right (not a surprise), my AD log came to life! A series of single port scans occurred; here they are:

    SINGLE_SCAN_PORT (53764) 108.167.133.26 Detected attack, host not blocked 08/05/2012 12:24:52 PM
    SINGLE_SCAN_PORT (10779) 69.162.100.42 Detected attack, host not blocked 08/05/2012 12:21:59 PM
    SINGLE_SCAN_PORT (59916) 61.129.15.4 Detected attack, host not blocked 08/05/2012 12:18:24 PM
    SINGLE_SCAN_PORT (16940) 173.192.67.74 Detected attack, host not blocked 08/05/2012 12:15:35 PM
    SINGLE_SCAN_PORT (15629) 125.93.83.106 Detected attack, host not blocked 08/05/2012 12:02:25 PM
    SINGLE_SCAN_PORT (16940) 173.192.67.74 Detected attack, host not blocked 08/05/2012 11:58:17 AM
    SINGLE_SCAN_PORT (16940) 173.192.67.74 Detected attack, host not blocked 08/05/2012 11:43:55 AM


    Being a shade on the paranoid level in IT security, I checked who these guys are, i.e. what countries they were from. One was a China-based IP.

    So I concluded that the router was the filter for these over the past. AND that the AD log does work. Very effective. Get a router if nothing else.

    So again as you suggested Manny, I brought back my rules and block lists and I'm behind the router again. Oh yeah I disabled Nod32 V5 HIPS since OP does that function. ( no double Hips'ing allowed)

    Later I will try the modem alone again, this time with the fully armed OP in place, and see if over a day it logs any attacks. I.e. does the router leak?
    Best Regards!
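Two points in this thread lend themselves to a worked illustration: KronckeW's observation in #20 that the port-scan threshold is a count of ports within a time window (so "three scans from the same IP in 1 minute" is the same rate as "6 in 2 minutes", and a low count can trip on an ISP's occasional 4- or 5-port probe and block it for 10 minutes), and the AD log excerpt in #29 whose lines have the shape `SINGLE_SCAN_PORT (port) ip Detected attack, host not blocked dd/mm/yyyy time`. The script below is an added example, not Agnitum's code and not part of any post: it parses log lines in that format and re-runs them through a toy sliding-window detector so the two settings can be compared side by side. Everything in it is assumed: the date format is taken to be DD/MM/YYYY (the post's 08/05/2012 is 8 May 2012), the block duration is the 10 minutes mentioned in #20, and the sample IPs, ports and timings are constructed from documentation address ranges.

```python
"""Toy port-scan threshold detector, modelled on the behaviour described in the
thread: N distinct ports from one source inside a time window -> flag a scan and
block that host for 10 minutes.  Hypothetical example code; the log format
mirrors the lines posted in #29, the addresses and timings are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line as posted; date assumed to be DD/MM/YYYY (08/05/2012 = 8 May 2012).
LOG_RE = re.compile(
    r"^(?P<kind>\w+) \((?P<port>\d+)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<msg>.+?) (?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$"
)


def parse_line(line):
    """Return (timestamp, ip, port, kind) for one AD log line, or None if it
    does not match the posted format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p")
    return ts, m["ip"], int(m["port"]), m["kind"]


def detect_scans(events, port_threshold, window_seconds, block_minutes=10):
    """Sliding-window detector over (timestamp, ip, port) events sorted by time.

    A source touching `port_threshold` distinct ports within `window_seconds`
    is flagged and blocked for `block_minutes`; probes arriving while the
    block is active are reported as 'already-blocked' and not counted again.
    Returns a list of (timestamp, ip, verdict)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> (ts, port) pairs still inside the window
    blocked_until = {}            # ip -> time the 10-minute block expires
    verdicts = []
    for ts, ip, port in events:
        if ip in blocked_until and ts < blocked_until[ip]:
            verdicts.append((ts, ip, "already-blocked"))
            continue
        q = recent[ip]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop probes older than the window
            q.popleft()
        if len({p for _, p in q}) >= port_threshold:
            blocked_until[ip] = ts + timedelta(minutes=block_minutes)
            q.clear()
            verdicts.append((ts, ip, "scan-blocked"))
        else:
            verdicts.append((ts, ip, "single"))
    return verdicts


def blocked_hosts(lines, port_threshold, window_seconds):
    """Parse raw AD log lines and return the hosts a given setting would block."""
    events = sorted(e[:3] for e in map(parse_line, lines) if e)
    return {ip for _, ip, v in detect_scans(events, port_threshold, window_seconds)
            if v == "scan-blocked"}


# Constructed sample log (documentation-range addresses, not real hosts):
#   192.0.2.10   plays the ISP: 4 ports inside 30 s, the "occasional legit" case
#   198.51.100.7 plays a persistent scanner: 6 ports inside 75 s
#   203.0.113.5  sends one probe, like the SINGLE_SCAN_PORT entries in the thread
# The trailing message text is carried over verbatim and ignored by the detector.
SAMPLE_LOG = [
    "SINGLE_SCAN_PORT (135) 192.0.2.10 Detected attack, host not blocked 08/05/2012 12:00:00 PM",
    "SINGLE_SCAN_PORT (139) 192.0.2.10 Detected attack, host not blocked 08/05/2012 12:00:10 PM",
    "SINGLE_SCAN_PORT (445) 192.0.2.10 Detected attack, host not blocked 08/05/2012 12:00:20 PM",
    "SINGLE_SCAN_PORT (3389) 192.0.2.10 Detected attack, host not blocked 08/05/2012 12:00:30 PM",
    "SINGLE_SCAN_PORT (22) 198.51.100.7 Detected attack, host not blocked 08/05/2012 12:05:00 PM",
    "SINGLE_SCAN_PORT (23) 198.51.100.7 Detected attack, host not blocked 08/05/2012 12:05:15 PM",
    "SINGLE_SCAN_PORT (80) 198.51.100.7 Detected attack, host not blocked 08/05/2012 12:05:30 PM",
    "SINGLE_SCAN_PORT (443) 198.51.100.7 Detected attack, host not blocked 08/05/2012 12:05:45 PM",
    "SINGLE_SCAN_PORT (8080) 198.51.100.7 Detected attack, host not blocked 08/05/2012 12:06:00 PM",
    "SINGLE_SCAN_PORT (5900) 198.51.100.7 Detected attack, host not blocked 08/05/2012 12:06:15 PM",
    "SINGLE_SCAN_PORT (53764) 203.0.113.5 Detected attack, host not blocked 08/05/2012 12:10:00 PM",
]

if __name__ == "__main__":
    # 3 ports / 60 s (the tightened setting) versus 6 ports / 120 s (same rate,
    # wider window): the first blocks the ISP too, the second only the scanner.
    for ports, secs in ((3, 60), (6, 120)):
        print(f"{ports} ports in {secs}s -> blocked: {sorted(blocked_hosts(SAMPLE_LOG, ports, secs))}")
```

Running it shows the trade-off KronckeW describes: at 3 ports per minute both the ISP's 4-port probe and the scanner are blocked, while 6 ports per 2 minutes keeps the same scans-per-minute rate yet lets the short ISP burst through and still catches the host that keeps going. The lone probe from the third address is never blocked under either setting, which is the "host not blocked" outcome seen in the posted log.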

  15. #30
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,714

    Re: Attack Detection appears not to be working

    There's nothing like trying things out for yourself and getting direct experimental evidence. Good for you.

    Those single scans are just internet flotsam and although AD can handle them, it's just a good practice if the router handles it and you never have to bother with them. A router is one of the best things a person can buy for their home network. Right out of the box it's helpful. In fact, my 10 year old router just died and I replaced it with a brand new one. It was the most painless computer thing I've done in a long time. Plug everything in and turn it on. It all worked right away. Being a tinkerer I couldn't leave it at default values but they were pretty darn good. I was actually amazed at how easy it all was. It's well worth the money.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002
