Comodo Forum » Comodo Firewall » Frequently Asked Questions (FAQ) for Comodo firewall
Topic: In which order monitor rules are read? (Read 6824 times)

zorank (Comodo Member)
Posted on: June 27, 2006, 01:07:06 AM
Hi,
I am new to the forum. I have tried to find information in the forum (and documentation) on the order in which rules are processed, but could not find any.
The only thing I've found is that in network monitor rules CPF starts from the top and moves to the bottom. Still, I wonder where the program starts at a higher level. For example, does it start with application rules first, then jump to the components list, then to network rules, etc. (in the same order as on the menu)? Also, I would like to know, if this is so, whether there are some exceptions to this (for example, it is not at all clear to me what happens if I define application-specific rules: which rules are processed first).
I believe that it would be a good idea to include such information in the documentation.
Kind regards
Zoran
Last Edit: June 27, 2006, 04:50:30 AM by zorank
egemen (Administrator)
Reply #1 on: June 27, 2006, 11:57:14 PM
Quote from: zorank on June 27, 2006, 01:07:06 AM [full post quoted; see above]
Hi Zoran,
Let's divide the operations into 2 parts:
- Incoming connections
1- Network monitor applies filtering; if it succeeds, it passes to the application monitor
2- Application monitor checks the target application; if allowed, passes to
3- Advanced security analysis monitor (component monitor + application behavior analysis)
If these 3 steps are passed, the application receives the connection.
- Outgoing connections
The order changes:
1- Application monitor
2- Advanced security monitor
3- Network monitor
Hope this helps,
Egemen
panic (Global Moderator)
Reply #2 on: June 28, 2006, 01:45:55 AM
Quote from: egemen on June 27, 2006, 11:57:14 PM [full post quoted; see above]
If this could be done as a flow chart, it would be a great item for the Beginners FAQ.
Rgds,
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the Comodo Forum Policy. If you don't like it, don't use the forum.
zorank
Reply #3 on: June 28, 2006, 10:11:07 PM
Many thanks Egemen. I would like to learn a few more details, please bear with me.
Let's take an incoming connection as an example. A packet comes in and, first, the network monitor looks at it. For example, I have default rules after installation that say block all packets (I did not want to change something I do not fully understand at the moment, so I keep it as when installed). What happens next? Does the processing stop here, or does it continue to steps 2 and 3 (application monitor, advanced security analysis monitor) regardless of the outcome of the step 1 analysis?
For example, should the flow chart look like (a) or like (b)? I have just indicated the first critical steps:
(a) case
(i) packet comes in
(ii) network monitor inspects it
(iii) if blocked, just keep the stuff out without any further inspection
(iv) if allowed, send it to the application monitor etc.
(b) case
(i) packet comes in
(ii) network monitor inspects it
(iii) if blocked, send it to the application monitor for inspection (maybe it allows it in, etc.)
(iv) if allowed, let the stuff in with no further inspection
In this case, for step (iv) I could have a site-specific rule that would allow all traffic from a site with a specific IP. Of course, there could be a third case that is different from (a) and (b) I discussed above. For example, perhaps the program runs all tests 1-3 irrespective of the outcome of each individual step, or some combination that is dynamically decided upon...?
I am asking all this since I would really like to understand in detail what happens with a packet when it reaches Comodo Personal Firewall for analysis.
Zoran
Last Edit: June 28, 2006, 10:19:02 PM by zorank
panic
Reply #4 on: June 28, 2006, 10:33:02 PM
Quote from: zorank on June 28, 2006, 10:11:07 PM [full post quoted; see above]
Hey Zoran,
AFAIK, blocked is blocked. If it fails at the network inspection, the packet is dropped and no further testing is required.
Hope this helps,
Ewen :-)
zorank
Reply #5 on: June 28, 2006, 11:16:42 PM
Okay, I understand much better now:
Step 1 (network monitor) is done; if blocked there, packet inspection stops. If not, CPF goes to step 2 (application monitor); if the packet is stopped here, it is just dropped; if not, finally, step 3 (advanced analysis) is done.
From what you say, this means that with the default settings I have (all incoming packets blocked), there is no way that a packet will ever reach further to the application monitor.
Uhmpps... How come I can read my e-mail, use a web browser, and print???
Oh boy, I am getting lost here...
Zoran
p.s. If you see smoke in Sweden, this is my brain working trying to understand all this.
zorank
Reply #6 on: June 28, 2006, 11:27:51 PM
Of course, all the activities I indicated above were initiated by me! Which means that the packets that reach my computer are responses to my requests (solicited), and CPF lets these pass the network monitor. Oh man, I am really slow sometimes. Many thanks, I think I understand fully now. In summary, for the FAQ section one could use
Quote:
Let's divide the operations into 2 parts:
- Incoming connections
1- Network monitor applies filtering; if it succeeds, it passes to the application monitor
2- Application monitor checks the target application; if allowed, passes to
3- Advanced security analysis monitor (component monitor + application behavior analysis)
If these 3 steps are passed, the application receives the connection.
- Outgoing connections
The order changes:
1- Application monitor
2- Advanced security monitor
3- Network monitor
+ the discussion on solicited and unsolicited packets on this forum (under "Server rights on Comodo firewall")
Quote:
SPI should be differentiating between responses to requests that an application on your computer initiated and those that are initiated from outside your system.
....
SPI = Stateful Packet Inspection
This means the firewall examines the contents of each and every packet that attempts to enter or attempts to leave your PC.
Solicited / Unsolicited = A solicited packet is one that comes back to your PC in response to a request from your PC, like asking for a web page or emails. An unsolicited packet is one that your PC hasn't asked for - like a port scan.
+ one should state that network monitor rules only apply to unsolicited requests.
Also, the FAQ discussed above is fine, but I strongly believe that having the information above in the documentation that comes with the software would be extremely helpful. For example, what happens once the network monitor takes over is well documented, but the overall picture (the one discussed here) is missing (I think).
Many thanks for the help to both you and Egemen. Over and out...
Zoran
Last Edit: June 28, 2006, 11:37:40 PM by zorank
zorank
Reply #7 on: June 29, 2006, 03:42:44 AM
Ehh... maybe one more question.
Regarding the reading order of the rules for outgoing messages in the previous posts: first it goes to the application monitor. What if a rule specification does not exist for the application (for example, there is no rule for "System" in my default settings)? (I am assuming that automatic checking for trusted applications is disabled in "Advanced options".) Is an outbound request by such an application allowed or blocked at this step? If neither, is it sent further to the advanced security monitor and network monitor? And, in the end, say it does not match any allow/block rule, what happens then?
Zoran
Last Edit: June 29, 2006, 03:44:52 AM by zorank
panic
Reply #8 on: June 29, 2006, 03:49:46 AM
Quote from: zorank on June 29, 2006, 03:42:44 AM [full post quoted; see above]
I think that if it fails the application monitor test, you get a pop-up asking what to do. If it passes the app monitor test, the component tests are then run. If it passes this test, it's allowed out to play.
Have I got this right?
Ewen :-)
egemen
Reply #9 on: June 29, 2006, 04:23:48 AM
Quote from: panic on June 29, 2006, 03:49:46 AM [full post quoted; see above]
Exactly :)
zorank
Reply #10 on: June 30, 2006, 02:47:22 AM
Hmmmm.... what if there is no rule for the application? Is the application going to be allowed in such a case? Also, I am not sure what exactly is meant by "fail"?
Zoran
Last Edit: June 30, 2006, 02:49:25 AM by zorank
panic
Reply #11 on: June 30, 2006, 04:49:00 AM
Quote from: zorank on June 30, 2006, 02:47:22 AM [full post quoted; see above]
If an application that wants to access the internet isn't in the list of approved applications, then you'll get a popup asking what to do. If you say ALLOW, then an allow rule is created; if you say BLOCK, then a block rule is created. An application "fails" if there is a rule that says "block". It's as simple as that.
Hope this helps,
Ewen :-)
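The behaviour pinned down across the replies above (inbound: network monitor, then application monitor, then advanced/component analysis; outbound: the reverse order; a block at any stage ends processing; stateful inspection lets solicited replies past the network monitor rules; an application with no rule triggers a popup whose answer is stored as a rule) can be written down as a small model so the decisions can be traced. This is an added example in Python, not Comodo code: the class names, the `prompt` callback standing in for the popup, the "default-style" ruleset and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class Packet:
    app: str                  # process owning the socket ("System" for NetBIOS/SMB)
    direction: str            # "in" or "out"
    proto: str                # "TCP" or "UDP"
    remote_ip: str
    remote_port: int
    components: tuple = ()    # DLLs the app loaded, input to the component monitor


@dataclass
class NetRule:
    """One network monitor rule; 'any' / None fields match anything."""
    action: str
    direction: str = "any"
    proto: str = "any"
    remote_ip: str = "any"
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.remote_ip in ("any", p.remote_ip)
                and self.remote_port in (None, p.remote_port))


@dataclass
class Firewall:
    net_rules: list                                    # read top to bottom, first match wins
    app_rules: dict = field(default_factory=dict)      # app name -> ALLOW / BLOCK
    trusted_components: set = field(default_factory=set)
    prompt: Callable[[str], str] = lambda app: BLOCK   # stands in for the popup (assumed)
    state: set = field(default_factory=set)            # flows opened from inside: the SPI table
    trace: list = field(default_factory=list)          # which stage decided, for the reader

    def network_monitor(self, p: Packet) -> str:
        key = (p.app, p.proto, p.remote_ip, p.remote_port)
        if p.direction == "in" and key in self.state:
            self.trace.append("network: solicited reply, SPI passes it without consulting rules")
            return ALLOW
        for rule in self.net_rules:
            if rule.matches(p):
                self.trace.append(f"network: matched rule -> {rule.action}")
                return rule.action
        self.trace.append("network: no matching rule -> block")
        return BLOCK

    def application_monitor(self, p: Packet) -> str:
        if p.app not in self.app_rules:
            answer = self.prompt(p.app)          # popup; the answer becomes a persistent rule
            self.app_rules[p.app] = answer
            self.trace.append(f"application: no rule, user answered {answer}")
        else:
            self.trace.append(f"application: rule -> {self.app_rules[p.app]}")
        return self.app_rules[p.app]

    def advanced_monitor(self, p: Packet) -> str:
        bad = [c for c in p.components if c not in self.trusted_components]
        if bad:
            self.trace.append("advanced: untrusted component " + ", ".join(bad))
            return BLOCK
        self.trace.append("advanced: components ok")
        return ALLOW

    def filter(self, p: Packet) -> str:
        """Run the monitors in the order Egemen gave; a block at any stage is final."""
        self.trace.clear()
        if p.direction == "in":
            stages = (self.network_monitor, self.application_monitor, self.advanced_monitor)
        else:
            stages = (self.application_monitor, self.advanced_monitor, self.network_monitor)
        for stage in stages:
            if stage(p) == BLOCK:
                return BLOCK
        if p.direction == "out":                  # remember the flow so its reply counts as solicited
            self.state.add((p.app, p.proto, p.remote_ip, p.remote_port))
        return ALLOW


def demo() -> tuple:
    """Assumed default-style ruleset: outbound allowed, unsolicited inbound blocked."""
    fw = Firewall(
        net_rules=[NetRule(ALLOW, direction="out"), NetRule(BLOCK, direction="in")],
        app_rules={"firefox.exe": ALLOW},
        trusted_components={"wsock32.dll"},
        prompt=lambda app: ALLOW if app == "outlook.exe" else BLOCK,
    )
    results = {}
    web = dict(proto="TCP", remote_ip="203.0.113.10", remote_port=80, components=("wsock32.dll",))
    results["request"] = fw.filter(Packet("firefox.exe", "out", **web))
    results["reply"] = fw.filter(Packet("firefox.exe", "in", **web))                   # solicited
    results["nbdgram"] = fw.filter(Packet("System", "in", "UDP", "192.0.2.7", 138))    # unsolicited
    results["prompted"] = fw.filter(Packet("outlook.exe", "out", "TCP", "203.0.113.20", 25))
    results["badcomponent"] = fw.filter(
        Packet("firefox.exe", "out", "TCP", "203.0.113.10", 443, ("evil.dll",)))
    return results, dict(fw.app_rules)


if __name__ == "__main__":
    for name, decision in demo()[0].items():
        print(f"{name}: {decision}")
```

The `nbdgram` case is the one Zoran asks about next: an unsolicited inbound datagram to `System` is dropped by the network monitor alone, so `fw.trace` holds a single entry and no popup is ever shown, while the `prompted` case shows the popup's answer being written into `app_rules` for the next time the application connects.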
zorank
Reply #12 on: June 30, 2006, 07:09:31 AM
Thank you Sir!!! It certainly helps. Smart, very, very smart!
One more question, if I may: What about the "System" application? Is this treated in a different way?
I have good reasons for asking this. For example, I clicked "close" for the "System" application and it died. Then, as an artefact of this, I started getting a lot of log entries from the application monitor saying that it prevented the "System" application from receiving data (log appended below).
The application monitor kills them all (now "System" is not on the list somehow). Also, I am never asked anything by any popup... which makes me confused in the light of what you said above. It seems that the rules for "System" are not clearly defined.
Zoran
START OF LOG

Date/Time :2006-06-30 20:38:57
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.110.210:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.110.210:nbdgram(138)

Date/Time :2006-06-30 20:38:55
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.66:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.66:nbname(137)

...

Date/Time :2006-06-30 20:38:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.138.243:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.138.243:nbdgram(138)

Date/Time :2006-06-30 20:38:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.42.153:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.42.153:nbdgram(138)

Date/Time :2006-06-30 20:38:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.138.124:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.138.124:nbdgram(138)

Date/Time :2006-06-30 20:38:45
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.140:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.140:nbname(137)

...

END OF LOG
Leebme (Comodo Loves me)
Reply #13 on: June 30, 2006, 11:55:18 AM
Zorank, do you by any chance have file and printer sharing enabled? If so, these nbdgrams are a part of the computers on your network talking to each other. I have a realtime monitor on my network and see this traffic all the time.
Lee
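Lee's reading of the log can be checked rather than guessed at: parse the Application Monitor entries Zoran posted, group the denied packets by protocol and destination port, and see whether every sender sits inside one local network (NetBIOS name/datagram traffic from many hosts in the same range is Windows browser and file-sharing chatter, while the same ports hit from outside would be worth a closer look). This is an added example in Python, not a Comodo tool; the field regexes follow the log layout shown above, the service descriptions for ports 137-139 are my own annotations, and the sample text is a subset of the posted log.

```python
import ipaddress
import re
from collections import defaultdict

# Four entries copied from the log posted above; the "..." gaps are omitted.
SAMPLE_LOG = """\
Date/Time :2006-06-30 20:38:57
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.110.210:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.110.210:nbdgram(138)
Date/Time :2006-06-30 20:38:55
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.66:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.66:nbname(137)
Date/Time :2006-06-30 20:38:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.138.243:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.138.243:nbdgram(138)
Date/Time :2006-06-30 20:38:45
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.140:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.140:nbname(137)
"""

# "Key :value" and "Key: value" both occur in the posted log, so the colon spacing is loose.
FIELD = re.compile(r"^(Date/Time|Severity|Reporter|Description|Application|Parent|Protocol|Remote)\s*:\s*(.*)$")
REMOTE = re.compile(r"^(?P<ip>[\d.]+):(?P<service>\w+)\((?P<port>\d+)\)$")

# Assumed annotations: the NetBIOS-over-TCP/IP ports used by Windows file and printer sharing.
SERVICES = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service (browser/file sharing chatter)",
    139: "NetBIOS session service",
}


def parse(text):
    """Split the log into one dict per entry; a Date/Time line starts a new entry."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Date/Time" and current:
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    for e in entries:                      # pull ip / service / port out of the Remote field
        r = REMOTE.match(e.get("Remote", ""))
        if r:
            e["ip"], e["service"], e["port"] = r["ip"], r["service"], int(r["port"])
    return entries


def denied_by_port(entries):
    """Remote hosts the Application Monitor denied, keyed by (protocol, destination port)."""
    hosts = defaultdict(set)
    for e in entries:
        if (e.get("Reporter") == "Application Monitor"
                and "Access Denied" in e.get("Description", "") and "port" in e):
            proto = e.get("Protocol", "?").split()[0]        # "UDP In" -> "UDP"
            hosts[(proto, e["port"])].add(e["ip"])
    return {key: sorted(ips) for key, ips in hosts.items()}


def report(entries, local_cidr):
    """One line per port: what the service is, how many senders, and whether all are local."""
    net = ipaddress.ip_network(local_cidr)
    lines = []
    for (proto, port), ips in sorted(denied_by_port(entries).items()):
        local = all(ipaddress.ip_address(ip) in net for ip in ips)
        where = f"all inside {local_cidr}" if local else f"including hosts outside {local_cidr}"
        lines.append(f"{proto}/{port} {SERVICES.get(port, 'unknown service')}: {len(ips)} host(s), {where}")
    return lines


if __name__ == "__main__":
    for line in report(parse(SAMPLE_LOG), "129.16.0.0/16"):
        print(line)
```

Run against the posted entries with the university range given as `129.16.0.0/16` (an assumption, inferred from the addresses in the log), every denied datagram is UDP/137 or UDP/138 from inside that range, which is what Lee describes; the `Application: System` / `Protocol: UDP In` fields also show why no popup appeared, since the denials are for inbound packets to a process that already had no rule allowing them.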
zorank
Reply #14 on: July 02, 2006, 07:56:17 PM
Hi Lee, thanks for jumping in and trying to help me out!
Yes, it is a university network. Printing is handled through a special gateway. I am not sure about file sharing, though there is a central file server. I do not think we have file sharing (for security reasons, though I am not 100% sure what is meant by this in this context: e.g., I know for sure that nobody but me has access to files on my computer).
It seems that the computer communicates with a range of machines: not only the file server where we have our home directory, and the printer gateway, but there seem to be many more. Comodo does not tell explicitly which machines (it just shows the range in "Activity Tab/Connections"), but once I killed the "System" process ("Activity Tab/Connections" + "Close"), the application monitor rejected numerous packets (which I presume were solicited packets from the time when "System" was running; the other computers did not know that I killed the "System" application, so they continued sending packets).
If I am not daydreaming here, then the list of machines in the log rejected by the application monitor are machines that I am exchanging 2 Mbytes/sec with.
The more I think about this, the more puzzled I get...
Zoran