
The Web Hikers guide to
Outpost Firewall


Attack Detection


The Attack Detection plugin options

[Attack Detection plugin options]


There are two sections to the Attack Detection plugin options:

1 - Alarm level

You can decide how Outpost alerts you by choosing between Minimum, Normal, and Maximum. Minimum makes a log entry only when Outpost can identify an attack; Normal warns you when multiple ports are scanned or when the ports of a specific service are scanned; Maximum makes a log entry whenever a single port is probed.

2 - Block intruders

This area covers how Outpost should respond. Outpost can block all traffic if you want, or just traffic from the intruder's IP. You can also have Outpost block traffic from the intruder's subnet. You also have the option of enabling Outpost to block local ports whenever a DOS (Denial Of Service) attempt is made.

Tweaking the plugin's configuration

The Attack Detection plugin can be tweaked by the user to suit their own needs. Inside Outpost's directory is a file called protect.lst. If you open it in a text editor you will be able to modify the detection settings. The file itself contains information on how to do this, but only do this if you know what you are doing!

What the plugin protects you from

“The Attack Detection plugin is made up of two parts:

  • The Outpost Scanning Detection module
  • The Outpost Attack Detection module.

The Attack Detection module can detect and block the following DOS (Denial Of Service) attacks: Teardrop, Nestea, Iceping, Winnuke, Nuke, FRAG_ICMP Class (Jol12, Targa13 and other), FRAG_IGMP Class (IGMPSYN and other), SHORT_FRAGMENTS Class, MY_ADDRESS Class (Snork and others), Rst, 1234, Fawx, Fawx2, Kox, Tidcmp, Rfposion, Rfparalyse, Win95handles. DDOS (Distributed Denial Of Service) attacks are also neutralized. The Scanning Detection module can detect TCP and UDP port scanning as well as the following forms of stealth scanning: Syn, Fin, Xmas, Null, Udp.

Usually scan detectors in most Personal Firewalls detect a Port Scan (also called TCP port scanning or port probe) if someone connects to any closed port on the local PC. However, this approach results in a great number of false alarms because often valid software needing to interchange data routinely checks for open or closed ports.

To decrease the number of false alarms Outpost's Scanning Detection Module differentiates between a single scan of a closed port (a suspicious packet) and several accesses to different ports by the same remote host.

Outpost designates a packet as suspicious if it is a:

  • TCP Connection request or UDP packet to a non-open port.
  • TCP data packet for a non-existent connection.
  • TCP Connection request or UDP packet to a port closed by Outpost.

If Outpost detects a suspicious packet, it displays the 'Connection request' message in its log file.

Port Scanning is another intrusion indicator that is detected if several suspicious packets are received from one remote host within a specified time interval.” - Outpost's Protect.lst file


Attack Detection Log

There are four columns in the Attack Detection log:

  1. Date/Time
    This is the date and time the attack type occurred.
  2. Attack Type
    This is a description of what type of blocking has occurred.

    Connection request is not an attack; it is just Outpost reporting a suspicious packet.

    Port scanned means that several suspicious packets were directed at a port or range of ports by the same IP. Some ports are given more importance than others (you can add to these by editing the protect.lst file), and because of this different weighting an important port may trigger a Port scanned message where a less important port would only have produced a Connection request.

    Other Attack Types are simply named after the attack that was detected.

  3. IP Address
    This is the source of the attack.
  4. Scan Port Details
    These are the ports the Attack Type was directed against.
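As an added illustration (not Outpost's code, and not the format of protect.lst), here is a small Python model of the scanning-detection scheme quoted from protect.lst above and of the port weighting described under Port scanned: suspicious packets are tallied per remote host inside a time window, important ports carry extra weight, a lone hit is logged as Connection request, and reaching the threshold turns it into Port scanned. The window, threshold, weighted ports and packet stream are all assumed values constructed for the example.

```python
from collections import defaultdict, deque

# Illustrative parameters (assumptions, not values read from protect.lst):
WINDOW_SECONDS = 60   # interval in which suspicious packets from one host are counted
SCAN_THRESHOLD = 3    # weighted count at which "Port scanned" is logged instead of "Connection request"
PORT_WEIGHT = {135: 2, 139: 2, 445: 2}   # assumed "important" ports count double; others count 1


class ScanDetector:
    def __init__(self, open_ports, blocked_ports, window=WINDOW_SECONDS, threshold=SCAN_THRESHOLD):
        self.open_ports = set(open_ports)        # ports with a listening service
        self.blocked_ports = set(blocked_ports)  # ports explicitly closed by the firewall
        self.established = set()                 # (src_ip, port) pairs with an existing connection
        self.window, self.threshold = window, threshold
        self.history = defaultdict(deque)        # src_ip -> deque of (timestamp, weight)

    def is_suspicious(self, pkt):
        """The three 'suspicious packet' criteria quoted from protect.lst."""
        if pkt["port"] in self.blocked_ports:                 # request to a port closed by Outpost
            return True
        if pkt["kind"] == "data":                             # TCP data for a non-existent connection
            return (pkt["src"], pkt["port"]) not in self.established
        return pkt["port"] not in self.open_ports             # SYN or UDP packet to a non-open port

    def observe(self, pkt):
        """Return the log entry this packet produces, or None for ordinary traffic."""
        if not self.is_suspicious(pkt):
            if pkt["kind"] == "syn":                          # accepted connection: remember it
                self.established.add((pkt["src"], pkt["port"]))
            return None
        hist = self.history[pkt["src"]]
        hist.append((pkt["ts"], PORT_WEIGHT.get(pkt["port"], 1)))
        while pkt["ts"] - hist[0][0] > self.window:          # drop packets outside the interval
            hist.popleft()
        score = sum(w for _, w in hist)
        return "Port scanned" if score >= self.threshold else "Connection request"


def run_sample():
    """Constructed packet stream: (timestamp, source IP, local port, kind)."""
    det = ScanDetector(open_ports={80}, blocked_ports={21})
    stream = [(0, "10.0.0.5", 80, "syn"),      # open port: ordinary traffic
              (1, "10.0.0.5", 80, "data"),     # data on the connection just opened: ordinary
              (2, "10.0.0.5", 8080, "syn"),    # closed port: first suspicious packet
              (3, "10.0.0.5", 21, "udp"),      # port closed by the firewall: second, still below threshold
              (4, "10.0.0.5", 445, "syn"),     # important port, weight 2: score 4 -> Port scanned
              (5, "10.0.0.7", 139, "syn"),     # two hits on important ports alone...
              (6, "10.0.0.7", 445, "syn"),     # ...reach the threshold, unlike two plain ports
              (400, "10.0.0.5", 8081, "syn")]  # window expired: counting starts over
    return [det.observe({"ts": t, "src": s, "port": p, "kind": k}) for t, s, p, k in stream]
```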


Outpost and the Outpost logo are ©Agnitum Software

This is an unofficial guide; the information expressed here may differ from Agnitum's. There is a support forum (no longer run by Agnitum, but by users); if you need more help, this is a good place to start. Where information here conflicts with what Agnitum have told you, always go with the information given to you by Agnitum.


Guide/site and images ©Stephen Cox