Re: Deny rules...

From: Steinarr.G. (steinki_at_dynamicsystems.dk)
Date: 04/10/04 

Date: Sat, 10 Apr 2004 21:09:17 +0200

And again .. =)

Still not getting this denay rule to work..
i even create one manually to deny
all protocols
traffic both ways
from remote ip
default ip addresses on external interface
at any time

The script does it exact the same..

I kill all sessions..
started an new ie on the blocked maskine.. - got answer
tryed telnet to port 80 .. - got answer..

then i even tryed to restart the isa. and - still got answer and
all times i could port scan and get to see port 80 ( as that is the only
port to talk to. )

Any more ideas.. ?

Regards.
Steinki.

"Steinarr.G." <steinki@dynamicsystems.dk> wrote in message
news:OwGktqyHEHA.4052@TK2MSFTNGP12.phx.gbl...
> Tony ..
> Thanks for your time =)
>
> You dont know how nice it is to gett comments about your own thougts.
>
> <very> useful. :)
>
> Regards.
> Steinki.
>
>
>
>
> "Tony Su" <anonymous@discussions.microsoft.com> wrote in message
> news:1ad8101c41f21$75ad4cd0$a401280a@phx.gbl...
> Jim has a very good point which is why for a Financial
> services client I have not implemented it.
>
> And, the situation he describes is interesting. If IP
> spoofing IDS is turned on, is it evaluated before anything
> else or can someone successfully spoof and cause another
> alert to trigger which might cause a blocking PF? I'd been
> relying on the former and hope that if there is an order
> IDS is applied in a complex attack is the case.
>
> I agree that using a tool as powerful as Blockattacker
> must be used carefully. For one client involved in
> Financial Services (Broker trading), because of the
> excessive number of attacks they're getting, I'm going to
> create a duplicate of specified alerts and turn that
> duplicate on and off at specified times to quickly build
> up lists of blocked IPs during specific times I can
> monitor... and not run it regularly during business hours.
>
> As for the BlockAttacker being subject to false positives,
> it <has> happened from time to time but the only times I'm
> aware it has happened is usually shortly after initial
> configuration. No remote SysAdmin should be doing anything
> anyway that should trigger an alert like doing an all port
> scan. And, IMO ISA's packet analysis is pretty good.
> Although I haven't seen any documentation on how it works,
> I assume it's pretty straight-forward, filtering for
> string lengths and character strings... and since SMTP,
> HTTP and other commands are pretty standard plus lengths
> should all be according to RFC specification, I assume
> that there is very little room for packet analysis error.
>
> So, of course every situation should be handled carefully,
> but in general I find that the BlockAttacker can be <very>
> useful.
>
> As for whether the script works or not, I have found that
> a blocking PF will block access from the remote IP address
> to any ISA IP address, port or service, published or not.
> But, as long as the "attacker" still has a session open,
> the PF may not yet be effective... but close that initial
> session and try again and you should find the block
> working.
>
> If you are writing code to populate a Client set, remember
> that you have to stop/restart the ISA services immediately
> after creating the Client Set and maybe after pointing a
> Web Publishing rule to it although I have found that a
> stop/restart has not been necessary if I modify the
> entries in the Set.
>
> Tony Su
>
>
>
>
>
>
> >-----Original Message-----
> >Thanks good point..
> >
> >The way i do it.. is everything has to do with clients
> sets conserning
> >remote access ..
> >The Script makes sure the ip to be blocked is not it´s
> own ip.
> >I have few outside servers to connect from to my servers
> and i get mails
> >conserning everything
> >and most cases i have very important things be sent to me
> by SMS message to
> >my telephone.
> >I have my ISA with its reporting system.. and then i have
> Snort inside my
> >reporting direct to SMS.
> >
> >Still there are holes i´m working on that i consider
> risky ..i´m hoping to
> >be lucky untill i´m finished.
> >
> >I just feel like i must get this to block auto even if
> not for a short
> >period of time, i thouhgt it might be smarter than
> >noting at all.
> >
> >But as you say this mack addres spoof is actually to easy
> with macspoof in
> >lin that you got me to think . =)
> >
> >Still i think about if it´s not better to block 99% of
> scanners and then
> >when he or himm who knows his way around
> >and will get trouhg no matter if i have this auto block
> or not...
> >
> >Please tell me if i make sence or what you think.. !
> >==================================
> >
> >
> >Regards.
> >Steinki.
> >
> >
> >
> >
> >
> >
> >
> >
> >"Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote
> in message
> >news:%237B3lLxHEHA.716@TK2MSFTNGP12.phx.gbl...
> >> Don't use that script unless you like pulling your hair
> out.
> >> There is no way a script can accurately determine
> whether or not a single
> >"event" is worth blocking all traffic from a single IP.
> >> With the data available to the script, all it takes is
> one attack from
> >someone spoofing your own IP and you're out of business.
> >>
> >> Learn to read and analyze your ISA logs.
> >> --
> >> Jim Harrison [ISASE]
> >> Read the help, books and articles!
> >>
> >> This posting is provided "AS IS" with no warranties,
> and confers no
> >rights.
> >>
> >>
> >> "Steinarr.G." <steinki@dynamicsystems.dk> wrote in
> message
> >news:%23oIZxlqHEHA.3696@TK2MSFTNGP10.phx.gbl...
> >> good scripts there.
> >>
> >> But i still have the same bug..
> >> I tested this great blockAtacker and it works to create
> the rule..
> >>
> >> but i have the same bug.. it does not affect
> published servers .
> >>
> >> The way i test this.. is i scan from a server
> elsewhere.. and see the rule
> >> created..
> >>
> >> then i test a web page .. behind a published server..
> and it shows..
> >> then i telnet the site on port 80 to be sure and it
> answers fine.
> >>
> >>
> >> Any ideas ? ..
> >>
> >> Regards
> >> Steinki.
> >>
> >>
> >>
> >>
> >>
> >>
> >> "Tony Su" <anonymous@discussions.microsoft.com> wrote
> in message
> >> news:1aaba01c41e9b$a9c264f0$a301280a@phx.gbl...
> >> The code is pretty much spelled out in a page at
> >> msdn.microsoft.com, this code was created awhile ago.
> >> Configure IDS alerts to trigger and run the script.
> >>
> >>
> http://www.toolzz.com/Downloads/ISATools/Jalojash/BlockAtta
> >> cker.zip
> >>
> >> Before deploying, understand how it works and if you
> >> accidentally block yourself how to regain access to your
> >> server so you can remove the block.
> >>
> >> I have found that although a block can be created for
> any
> >> one address on the external inteface, the actual effect
> is
> >> to a block which effectively denies to <all> IP
> addresses
> >> on the external interface.
> >>
> >> Tony Su
> >>
> >>
> >>
> >>
> >>
> >>
> >> >-----Original Message-----
> >> >Hi.
> >> >
> >> >I.m cowboycoding deny script to create automatic deny
> >> packed filters
> >> >triggered by action,
> >> >they get created and look perfect but they just dont
> >> block..
> >> >
> >> >pf.PacketDirection = fpcPfDirectionIndexBoth
> >> >pf.SetLocalHost fpcPfDefaultProxyExternalIp
> >> >pf.LocalPortType = fpcPfAnyPort
> >> >pf.RemotePortType = fpcPfAnyRemotePort
> >> >pf.SetRemoteHost fpcPfSingleHost, WshEnv
> >> ("ALERT_PARAMETER_1")
> >> >
> >> >Even when i create them manually they just dont affect
> >> servers that are
> >> >published.
> >> >
> >> >I have about 60 ip´s on my external interface and
> >> servers that are
> >> >published have one ip each .
> >> >
> >> >Is it possible that deny rules dont work for this ? or
> am
> >> i doing the whole
> >> >thing wrong..?
> >> >
> >> >Any info would be nice..
> >> >Regards.
> >> >Steinki..
> >> >
> >> >
> >> >
> >> >.
> >> >
> >>
> >>
> >>
> >
> >
> >.
> >
>
>

Relevant Pages