COMODO FW and winpcap

Good morning,

Is there any way to run COMODO FW and winpcap concurrently?

Or, in other words, is there any way winpcap could see all traffic while COMODO FW is up and running?

Thx

It should be possible by setting it up as a “Trusted Application”.

Did this help?

  • Jacob Kilgore

I have a home network with a FreeBSD server/gateway and two windows PCs.

I don’t know why I have witnessed several attacks recently.

PF and Snort are running on the server. I would like to set up a second snort sensor on one of the two windows PCs.

On Windows, Snort needs winpcap to listen to all traffic.

As a trusted app, winpcap doesn’t see all traffic just traffic from and to itself.

Is there any way winpcap could see all traffic?

thanks,

As a trusted app, winpcap doesn't see all traffic just traffic from and to itself.

I’ve got winpcap running with Wireshark, no problems and no special setup. Are you using a switch or a hub for your wired LAN? A hub will see all traffic, but the switch will allow only host specific traffic. That’s how they work.

If you’re wireless, then host only is a Windows limitation. Full LAN packet capture on wireless is pretty much restricted to Linux systems, or BSD systems with selected supported hardware.

I don't know why I have witnessed several attacks recently.

If your Windows machine(s) are sitting behind FBSD boxes, the Windows machines should be fairly well protected from most outside probes (PF, ipfw, Snort, and other tools). Stuff that comes in trying to take advantage of the bug of the day (Flash, PDF, or some such) will come in and try to do whatever. That’s not something a LAN can protect against, but host security can (limited user accounts, memory firewalls, AV, and all that good CIS stuff).

PC no1: server/gateway
PC no2: Windows system
PC no3: Windows system

1. PC2 and PC3 communicate through PC1: PC1 can capture all of the packets from pc1, pc2, pc3.

2. You just installed winpcap on pc2 or pc3 but you want to capture
all of the incoming and outgoing packets of the whole network, just like PC1 can, right?
: Impossible, pc2 and pc3 are not the gateway.
Packet capturing over the whole IP range: it should be the gateway.

But there is only one way to do so.
Hack your home network with ARP spoofing…
You can do it with pc2 or pc3 easily…
lol

Snort is already up and running on PC1.

I just want to set up another SNORT sensor on PC2. This sensor will see inbound/outbound local traffic on PC2. I don’t want PC2 to see all internet and local incoming and outgoing packets like PC1.

My question is how to have COMODO FW and winpcap running on the same pc.

thx

Did you check whether port 53 is open? Check it out.
Did you hide ports (stealth mode)? If you did, do not use stealth mode.
Otherwise you need to show me your firewall settings and your routing table.
Actually, CIS and winpcap work fine. (winpcap is not a software, it’s just a library for packet capturing tools)
Anyway, nobody can answer with the information you gave.
More details needed.

port setting, routing table, CIS log etc…

Thank you. That clarifies things for me.

I’m not aware of any conflict. I have Wireshark 1.0.6/WinPCap 4.x running on a machine with CIS 3.8. No special settings required.

Have you installed, and are running into problems? If so, then what’s in the CIS logs?

I have installed yesterday snort and winpcap with success.

I had two problems (this is why I posted here):

  1. winpcap 4.02 hangs during the install; I had to uninstall, disable CIS, reinstall and enable CIS.

  2. I had to add “127.0.0.1 winids” in C:\WINDOWS\system32\drivers\etc\hosts.

I got snort to work in sniffer mode.

PC2 config is Windows XP + SP3, CIS 3.8, Avira AntiVir 9.0, a-squared 4.0 and Zemena AntiLogger 1.7.2.

PC2 is sitting behind PC1 (FreeBSD home server/gateway). PC2 (desktop) and PC3 (laptop) are my best part’s turf. The other day, PC2 (with CIS running) was infected by a nasty trojan. I was unable to assess the nature, the extent and the duration of the breach and I had to reinstall windows from scratch.

Once access is granted to/from PC2 or an app, I don’t see how CIS FW/Defense+ or snort (with a single sensor) could detect or block all malicious activity.

PF is an excellent packet filter but doesn’t have full QoS. I am using CIS FW/Defense+ as a complement. I cannot always sit around and check which apps and services are ok, and I am installing snort to detect suspicious traffic early on.

CIS has pretty much installed out of the box. The DNS port is open outbound (there is a DNS cache on PC1) and CIS is not in stealth mode. I have no problem PMing you my pf.conf and my CIS settings.

One last word: CIS FW is a great and powerful packet filter; a zest of traffic shaping and ToS would make it even better.

Thank you all for your help.

1) winpcap 4.02 hangs during the install; I had to uninstall, disable CIS, reinstall and enable CIS

That makes sense, which is why I haven’t encountered it. I had pcap installed way back when, then much later installed CIS. CIS will monitor TCP stack stuff, so what I have apparently was recognized as okay. Yours was in the reverse sequence, so CIS was seeing something trying to “attack” the TCP stack.

2) I had to add "127.0.0.1 winids" in C:\WINDOWS\system32\drivers\etc\hosts.

That sounds like it is something that is Snort specific. I haven’t encountered that one before.

PC2 is sitting behind PC1 (FreeBSD home server/gateway). PC2 (desktop) and PC3 (laptop) are my best part's turf. The other day, PC2 (with CIS running) was infected by a nasty trojan. I was unable to assess the nature, the extent and the duration of the breach and I had to reinstall windows from scratch.

Ouch. Not a fun experience. It would have been good to know what got past CIS. But clearing the problem has priority.

PF is an excellent packet filter but doesn't have full QoS. I am using CIS FW/Defense+ as a complement. I cannot always sit around and check which apps and services are ok, and I am installing snort to detect suspicious traffic early on.

Snort, as good as it is, is still a reactive defense, like most AV engines. There has to be a pattern to recognize, and the patterns have to get communicated to the world. The bleedingsnort folks are about as up-to-date as anybody, with the understood risk of false positives.

PF and ipfw both have very good traffic shaping facilities. But you need to build your FBSD kernel to enable the functionality. If you have full source installed, follow the instructions in /usr/src/UPDATING to rebuild your kernel. The necessary kernel variables are described in the ipfw(8) man page, and the kernel options are described in altq(4).

CIS has pretty much installed out of the box. The DNS port is open outbound (there is a DNS cache on PC1) and CIS is not in stealth mode. I have no problem PMing you my pf.conf and my CIS settings.

I presume then that you’ve run the CIS Config Reporting script (up one level from this forum), and have looked thru the firewall report section.

The rule of thumb that I use on the day job is that Windows machines have no Internet-accessible UDP traffic. DNS and NTP traffic all go to local LAN hosts (FBSD machines). That pretty much kills any chance of a tunnel or zombie server lookup. Either the newest BIND nameserver, or a soon to be released version, will have log reporting for strange DNS traffic. That’s one of the earliest ways to catch trojans, but it’s reactive in that the trojan may already have gotten installed.

There is a SnortSam add-on that can process Snort logs, and update the PF/ipfw rules (http://www.snortsam.net/) which can automate the security lockdown. That might be useful for those times when you can’t be watching the logs.

I’m game to eyeball your pf.conf and CIS config report.
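The SnortSam idea above (read Snort alerts, push the offending addresses into PF) can be sketched in a few lines of sh. The script below is an added example for this thread; it is neither SnortSam's code nor anything the posters ran. It assumes a pf table named `snort_block` referenced by a `block in quick from <snort_block>` rule (both names are hypothetical), parses Snort "fast" alert lines, keeps only sources from outside the home LAN, and prints the `pfctl` commands instead of executing them, so it runs safely on any box. The alert lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread, not SnortSam's own code): turn Snort
# "fast" alert lines into pf table additions, the lockdown SnortSam automates.
# Assumptions: pf has a persistent table <snort_block> (hypothetical name) used
# by a rule such as "block in quick from <snort_block>". LAN_PREFIX is also an
# assumption; the thread never gives the poster's addressing.

# Constructed sample alerts in Snort's fast-alert format (documentation IPs).
SAMPLE_ALERTS='03/15-10:22:31.123456  [**] [1:2000345:5] ET SCAN Nmap -sS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.168.1.10:445
03/15-10:22:32.654321  [**] [1:2000345:5] ET SCAN Nmap -sS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44322 -> 192.168.1.10:139
03/15-10:25:01.000001  [**] [1:2003000:3] ET POLICY Suspicious DNS [**] [Classification: Potentially Bad Traffic] [Priority: 3] {UDP} 192.168.1.10:51000 -> 198.51.100.7:53
03/15-10:30:15.000002  [**] [1:2001000:2] ET WORM Sasser probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:1234 -> 192.168.1.10:445'

LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"

# Print the source address of every alert whose source is outside the LAN,
# one per line, deduplicated. Outbound alerts (LAN source) are skipped so a
# local host never ends up blocking itself at the gateway.
extract_external_sources() {
    printf '%s\n' "$1" |
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "->") {            # token before "->" is src:port
                src = $(i - 1)
                sub(/:[0-9]+$/, "", src) # drop the port
                print src
            }
    }' |
    grep -v "^${LAN_PREFIX}" |
    sort -u
}

# Emit the pfctl commands that would load the addresses into the table.
# Printed rather than executed so the script is harmless to run anywhere;
# on the gateway you would pipe this into sh.
build_pfctl_commands() {
    extract_external_sources "$1" | while read -r ip; do
        printf 'pfctl -t snort_block -T add %s\n' "$ip"
    done
}

build_pfctl_commands "$SAMPLE_ALERTS"
```

Run it against a real `alert` file with `extract_external_sources "$(cat /var/log/snort/alert)"`; the two external probes in the sample become two `pfctl -t snort_block -T add` lines, while the outbound DNS alert from the LAN host is ignored.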

rpcapd.exe hung during the install and CIS did not report any attack then. I tried an allow in/out custom rule for rpcapd.exe with logging and no event was logged (which is quite normal because there should not be any traffic from/to rpcapd.exe).

I blocked rpcapd.exe since then as I can easily imagine ways to use rpcapd.exe to sniff traffic. Snort is still working fine.

I don’t think CIS detects rpcapd.exe and this might be an exploit, as some a** can inject and use a clone of rpcapd.exe.

That sounds like it is something that is Snort specific. I haven't encountered that one before.

This is specific to the Windows flavor of snort. I have not quite understood why this is needed.

Ouch. Not a fun experience. It would have been good to know what got past CIS. But clearing the problem has priority.

My wife was unable to retrace her acts even under induced hypnosis ;D.

Antivir reported the infection and I sent a copy of the suspicious files to Avira. I have to remember what name they gave to the trojan.

Snort, as good as it is, is still a reactive defense, like most AV engines. There has to be a pattern to recognize, and the patterns have to get communicated to the world. The bleedingsnort folks are about as up-to-date as anybody, with the understood risk of false positives.

I agree. Snort_inline is more proactive but it works only with ipfw. I saw somewhere a preprocessor based on clamav libs. I also bumped into http://www.bothunter.net/. This is based on the SCADE preprocessor developed by folks at Georgia Institute of Technology. These processors are closed source but the math is available on the Internet like here http://www.cyber-ta.org/pubs/botHunter-final7.pdf

By the way, the bleedingsnort guy moved to www.emergingthreats.net

PF and ipfw both have very good traffic shaping facilities. But you need to build your FBSD kernel to enable the functionality. If you have full source installed, follow the instructions in /usr/src/UPDATING to rebuild your kernel. The necessary kernel variables are described in the ipfw(8) man page, and the kernel options are described in altq(4).

Thx, pf and altq are already up and running.

There is a SnortSam add-on that can process Snort logs, and update the PF/ipfw rules (http://www.snortsam.net/) which can automate the security lockdown. That might be useful for those times when you can't be watching the logs.

I am using snortsam on FreeBSD but the Windows port is broken and no longer maintained. On PC2, snort (on Windows) needs snortsam (on Windows) to forward alerts to the snortsam daemon (on FreeBSD).

I'm game to eyeball your pf.conf and CIS config report.

I am sending you my pf.conf.

I need a couple of days to review my CIS config report. I didn’t realize it was that detailed.