IPNetSentry Release Notes

September 11, 2001 (1.2)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Ability to do payload inspections of incoming datagrams. This capability can be used for worm and virus detection, such as the Code Red Worm. Command to detect the Code Red Worm is:
  
  #set\payload_inspection\tcp\80\off\11\default.ida\Code Red Worm\

Bug Fixes:

• Fixed a bug which was interfering with IPNetMonitor.

IPNetSentry Companion Application:

Feature Enhancements:

• Companion application now supports iCab browsers (to the best of its ability. SSL connections are not supported in the default iCab installation, so online registration must still be performed with another browser).

Bug Fixes:

• Fixed a display bug in the Aged Filter window where an intruder's IP address would not fully be displayed if it was 15 characters (e.g. 192.168.243.212).

August 28, 2001 (1.1.6)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Ability to prohibit logging of broadcast packets. Broadcast packets can occasionally fill a log file with unnecessary entries, especially if IPNetSentry is run on the same machine as IPNetRouter. The command to disable logging of broadcast packets is:

  #set\filter_logging\on no broadcast

Bug Fixes:

• none

IPNetSentry Companion Application:

Feature Enhancements:

• The "Log" and "Aged Filter" windows can now be closed with the "Command - W" keys.

Bug Fixes:

• none

August 20, 2001 (1.1.5)

IPNetSentry.PPC FBA:

Feature Enhancements:

• none

Bug Fixes:

• Fixed date reporting for Who's There Firewall Advisor. The IPNetSentry_FA.log file now uses the required mm/dd/yyyy format for date stamping of log entries.

IPNetSentry Companion Application:

Feature Enhancements:

• Companion Application "About" dialog box now reports the Companion App version, the IPNetSentry FBA version, and the OTModl$Proxy extension version.

Bug Fixes:

• none

Including OTModl$Proxy v2.1.5 with this release of IPNetSentry.

July 24, 2001 (1.1.4)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Added ip header hex dump command. (#set command). When the hex dump feature is on, and a datagram arrives which matches a filter (or trigger), the entire datagram IP header is dumped in the log file in hexadecimal format (for manaul analysis). This feature is primarily used to identify datagrams which arrive but are not automatically recognized as being IPv4 datagrams of known protocols.

Bug Fixes:

• none

IPNetSentry Companion Application:

Feature Enhancements:

• none

Bug Fixes:

• Fixed version caption of IPNetSentry Extension (as shown in About dialog box).

June 26, 2001 (1.1.3)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Added lpd (TCP Port 515) and SOCKS (TCP Port 1080) triggers to default IPNetSentry Config file.

Bug Fixes:

• Fixed version reporting bug (as displayed in Extensions Manager).

IPNetSentry Companion Application:

Feature Enhancements:

• No need to use a browser to complete registration process. Key checking is performed directly through the Companion Application.

Bug Fixes:

• None

June 20, 2001 (1.1.2)

IPNetSentry.PPC FBA:

Feature Enhancements:

• None

Bug Fixes:

• Fixed bug which removed IPNetRouter filters when IPNetSentry was turned off.

IPNetSentry Companion Application:

Feature Enhancements:

• None

Bug Fixes:

• Fixed log window scrolling when text exceeds 32Kbytes

June 12, 2001 (1.1.1)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Added capability to easily perform a trace route on an intruder's IP address when an intrusion alert appears. The trace route is performed through IPNetMonitor, a separate Sustworks product. See the accompanying "IPNetSentry Trace Route ReadMe" for more details on setting up this functionality.

Bug Fixes:

• None

IPNetSentry Companion Application:

Feature Enhancements:

• Added capability to easily perform a trace route on an intruder's IP address through the Aged Filter window. The trace route is performed through IPNetMonitor, a separate Sustworks product. See the accompanying "IPNetSentry Trace Route ReadMe" for more details on setting up this functionality.
• The "Log" button now opens a separate Log window within the IPNetSentry Companion application. This Log window displays the last 32Kbytes of the IPNetSentry.log file and displays IPNetSentry events as they occur in real-time.
  
  Users can still open the entire IPNetSentry.log file with a default text editor by holding down the "Shift" key while clicking the Log button.
• Holding down the "Command" key while launching the application will bypass the splash screen.

Bug Fixes:

• None

May 15, 2001 (1.1)

Released as version 1.1

May 2, 2001 (1.1c4)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Added capability to record messages from "Log" filters. A "Log" filter is typically added to watch for specific activity on a port or protocol. With Log filters, NO action is taken. A Log filter simply passes notification to IPNetSentry. IPNetSentry then records this notification message.

  For example, log all incoming ICMP (Ping type) activity:

  +filter\Default_Interface\Rcv\Log\icmp\*\*\*\*\*\

  This Log filter will let IPNetSentry simply log all incoming ICMP datagrams on a machine's active Internet port.

  Log filters are especially useful when used with IPNetRouter. For example, you could log all HTTP activity on the clients attached to your private LAN with the following filter configured within IPNetRouter:

  +filter\Ethernet Slot 1\Rcv\Log\tcp\*\192.168.0.1/24\*\*\80\

  The above filter assumes your clients are connected via the Ethernet Slot 1 port and configured for the 192.168.0.x subnet.

  IPNetRouter (v1.6c8 and later) provides a very simple way to configure a Log filter through the Filtering window.

Bug Fixes:

• None

IPNetSentry Companion Application:

No Feature Enhancements

Bug Fixes:

• Fixed the method that the companion application uses to determine a PPP interface IP address. This is ONLY important IF you are running the companion application on a machine which is sharing a PPP type connection with IPNetRouter.
  

April 24, 2001 (1.1c3)

IPNetSentry.PPC FBA:

Bug Fix:

Fixed the #set\excluded_subnet feature. This is particularly important for IPNetSentry users who are also running IPNetRouter on the same Macintosh and which is setup to share a cable/DSL/ADSL modem using the single ethernet configuration. In this case, a user must use the #set\excluded_subnet command to ensure that their client machines do not unnecessarily trigger IPNetSentry.

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

April 19, 2001 (1.1c2)

IPNetSentry.PPC FBA:

Feature Enhancements:

The IPNetSentry FBA has been nearly completely rewritten. This new version provides:

• stealth scan detection
• icmp protocol triggers (i.e. detection when someone Pings you).
• continued filter logging when packets arrive which match an existing filter
• port scan detection
• denial of service (DoS) attack detection
• creation of an event log compatible with Open Door Networks "Who's There" Firewall Advisor

These are signifcant enhancements. Current IPNetSentry users are advised to upgrade to this latest candidate version of IPNetSentry.

Stealth scan detection permits IPNetSentry to detect any type of remote TCP port scan. A remote user does not have to directly connect to your machine. Just someone port scanning your Mac can cause a trigger to occur.

Continued filter logging lets you see if an intruder keeps hitting your machine even after a filter is applied to ban them.

You can see if a trigger was set by a one time event (perhaps someone mistaking your IP address for some other IP address) or if the intrusion was by a deliberate port scan.

IPNetSentry can now build a separate log file which is compatible with Open Door Networks "Who's There" Firewall Advisor. Note: icmp events are not correctly identified with "Who's There" v1.0.1 or earlier.

IPNetSentry Companion Application:

Feature Enhancements:

• Due to the addition of several new features, the IPNetSentry Companion Application now uses a different URL for configuration. There are several new options available on this new configuration page.

April 5, 2001 (1.1c1)

IPNetSentry.PPC FBA:

Bug Fixes:

• The logging function has been modified so that it will not fill up the log with repeating entries (such as detecting an interface is not yet up). This will prevent the log from being filled with redundant entries.

IPNetSentry Companion Application:

Bug Fixes:

• Modified the Configure, Test, and Save Registration routines so that they now should work more reliably under Mac OS 9.1.

March 12, 2001 (1.0)

Released as version 1.0

February 27, 2001 (1.0c7)

IPNetSentry.PPC FBA:

Feature Enhancements:

• The IPNetSentry Log file is now checked against a maximum size. When this size is exceeded the user is notified.
  The maximum log file size can be set in the IPNetSentry configuration file. If it is not set in this file, the maximum log file size defaults to 1000 KBytes. The log file size is checked each time IPNetSentry restarts.

No Bug Fixes

IPNetSentry Companion Application:

No Feature Enhancements

Bug Fixes:

• Fixed a bug which left a TCP port open when a connection was attempted but could not be made to the Companion Application.

February 13, 2001 (1.0c6)

IPNetSentry.PPC FBA:

Reverted to an older version of the Installation package maker. Appeared to be some problems installing IPNetSentry on machines running MacOS 8.1 or earlier and the new installation package.

No Feature Enhancements nor Bug Fixes

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

February 12, 2001 (1.0c5)

IPNetSentry.PPC FBA:

Feature Enhancements:

• - Notification type can be set on a per trigger basis.

  For example, consider the situation where you might be protecting your Mac which has a DHCP type cable modem connection. You may wish to have incoming DHCP requests from your neighbors (UDP Port 67) trigger IPNetSentry BUT not alert you. This would offer you the security of your neighbors not being able to access your machine (a filter would automatically be added), but you would not be disturbed by these frequent DHCP requests. The other triggers you set, however, would perform the default notification as set in the configuration file. The command lines to do this would look similar to this:

  #set\notification_type\alert
  ....
  +trigger\tcp\25\smtp
  +trigger\tcp\161\snmp
  +trigger\tcp\23\telnet
  +trigger\udp\53\dns
  ....
  +trigger\udp\67\dhcp\none
  .....
  +trigger\tcp\79\finger
  +trigger\tcp\110\pop3

  Note that the dhcp trigger has a "none" option set. This will cause IPNetSentry to log any trigger events for DHCP intrusions, add the appropriate filter, but not alert the user. All other triggers will cause an alert to appear (since the default notification type has been set to alert).

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

January 29, 2001 (1.0c4)

IPNetSentry.PPC FBA:

Bug Fixes:

• Fixed notification bugs (including AppleScript file error -43 )

IPNetSentry Companion Application:

No Feature Enhancements nor Bug Fixes

January 20, 2001 (1.0c3)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Added Syslog notification. This will send the log message to a designated Syslog server via UDP Port 514.
• Multiple notification methods can now be enabled (e.g. alert, applescript, and syslog can all be chosen as notification methods if desired, etc.).

Bug Fixes:

• Fixed a bug when reloading interface data.

IPNetSentry Companion Application:

Bug Fixes:

• Fixed problem of Configuring and/or Testing IPNetSentry when ISP uses a Proxy server. True IP address of machine running IPNetSentry is sent to and used by Sustworks server for configuration and testing.
• Fixed problem where the previous IP address was used when retrieving IPNetSentry configuration information. Companion application now waits for interface to come completely up before retrieving IP address of local machine (mainly a dialup PPP issue).

December 22, 2000 (1.0c2)

IPNetSentry.PPC FBA:

Feature Enhancements:

• Added feature for AppleScript notification. IPNetSentry can now launch an AppleScript when a trigger is hit (script saved as a runable application in Preferences folder) . A typical use of this feature is to send an administrator an email message with the details of the intrusion. Example scripts for sending mail through Eudora and Outlook Express are provided.
• Added feature to specify the public port (on which Aged Filters will be applied). This is important for IPNetRouter users who are sharing a dialup PPP connection. In this case the public interface is NOT the primary interface (the local private interface is the primary interface as setup in the TCP/IP control panel).
• Added feature to exclude specified subnets from causing IPNetSentry to trigger. Examples where this may be desired:
  • You do not want client machines on your private IPNetRouter subnet to cause unnecessary triggers.
  • There is a remote machine (e.g. office) with a static IP address for which you always want to give access to your home machine. You do not want this office machine to accidently hit a trigger on the home machine, thereby banning this remote machine from any access.
• Added feature to record the protocol and service of the trigger in the IPNetSentry Aged Filter file.

Bug Fixes:

• - Fixed loading access (static) filters
• - Fixed closing FBA resource fork (so companion application can write to it when registering).

IPNetSentry Companion Application:

Feature Enhancements:

• Added feature to display protocol and service of trigger in Aged Filter window.

Bug Fixes:

• Fixed restart of IPNetSentry FBA after an Aged Filter has been modified or deleted or the IPNetSentry configuration file has been modified.

December 8, 2000 (1.0c1)

First final candidate posted.