ZB Block - IP bypass for SiteInspector

[Guest]

[scanreg]

Hi

We use ZB Block as a protective wrap for our scripts and stuff:

http://www.spambotsecurity.com/

In order to run the SiteInspector tests but also to not turn off the ZB Block protection, we would need to know the IP of where the SiteInspector tests are run from so we can create an IP-based bypass for ZB Block.

Here is the thread over in the ZB forum:

http://www.spambotsecurity.com/forum/viewtopic.php?f=9&t=1202

Is it possible to find out which IP or IP range is used to originate the SiteInspector tests so we can write the bypass?

This would allow SiteInspector to get through ZB and perform its tests

Thanks

[vadim]

 Hello

Is it possible to find out which IP or IP range is used to originate the SiteInspector tests so we can write the bypass?

Sorry, but we can't provide our IP range, because if it becomes known to hackers, they will be excluded our address and we will not be able to effectively scan. So, we regularly switch SI from one pool of external IPs to another.

Also, SI works like a usual browser client it doesn't do any active scans, like Comodo HackerGuardian.

[scanreg]

Sorry, but we can't provide our IP range, because if it becomes known to hackers, they will be excluded our address and we will not be able to effectively scan. So, we regularly switch SI from one pool of external IPs to another.

No worries, I figured this and for the same reason

Also, SI works like a usual browser client it doesn't do any active scans, like Comodo HackerGuardian.

Interesting, so SI is like a regular site visitor but HG is more aggressive?

Question:  if using HackerGuardian, is it at least possible when the HG tests would be done, the actual time of day, so we could "open the door" so to speak and disable ZB so HG can run its tests during that time period?

The author of ZB mentioned in the SpambotSecurity thread mentioned above that "UDP, ICMP, and other "maybe it gets there" protocols are spoofable. But http:, https:, and a few others require client->host->client->host handshakes to open the connection, and are "when it gets there" protocols."

So, just not sure how to write a ZB bypass for HG or other of the more aggressive tests

[vadim]

Interesting, so SI is like a regular site visitor but HG is more aggressive?

HG try to find websites vulnerabilities, SI try to find malicious, phishing web-pages and links to malware files. It's a different targets.

Question:  if using HackerGuardian, is it at least possible when the HG tests would be done, the actual time of day, so we could "open the door" so to speak and disable ZB so HG can run its tests during that time period?

It's better to contact HG guys in this question.

[scanreg]

Thanks, will check with the HG guys regarding how to approach things.

Regarding SI, if our system blocks SI, will our site still pass the SI tests?

Thanks

[vadim]

Regarding SI, if our system blocks SI, will our site still pass the SI tests?

If you block SI requests, SI can make only a blacklist checking.

[scanreg]

If you block SI requests, SI can make only a blacklist checking.

hi vadim

okay, thanks, zb is designed to block stuff after so many attempts, so gotta figure this out, want to get flying colors with all the tests

for the SI testing, is it possible to know roughly when the tests might run (like a window of a few days perhaps) so that we can disable zb so you can run the tests fully?

thanks

[vadim]

hi vadim

okay, thanks, zb is designed to block stuff after so many attempts, so gotta figure this out, want to get flying colors with all the tests

for the SI testing, is it possible to know roughly when the tests might run (like a window of a few days perhaps) so that we can disable zb so you can run the tests fully?

thanks

If you added your website to a daily scan, SI add scan task to a daily scanning queue every day at 00:10 UTC with a high priority. Start time depend on a number of users and websites, now all such scans all checks completed within 2 hours.

So, every day since 00:10 till 2:00.

We'll think about feature to around web-firewall systems, maybe it should be possibility to set special SI agent name as a user option.

[scanreg]

We'll think about feature to around web-firewall systems, maybe it should be possibility to set special SI agent name as a user option.

That would be great

Thanks

[Tags:]