IPNetSentry Release Notes
September 11, 2001 (1.2)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Ability to do payload inspections
of incoming datagrams. This capability can be used for worm and
virus detection, such as the Code Red Worm. Command to detect the
Code Red Worm is:
#set\payload_inspection\tcp\80\off\11\default.ida\Code Red Worm\
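The kind of check this command describes, as an added example (not Sustworks code and not IPNetSentry's actual matching logic): a substring signature applied per datagram on one protocol and port. The sample datagrams and addresses are constructed, and the "off" and "11" fields are left uninterpreted because this page does not explain them.

```python
# Added example, not Sustworks code: a per-datagram substring signature.
# The rule line is the one on this page; the trailing "\" is kept as written.
RULE_LINE = r"#set\payload_inspection\tcp\80\off\11\default.ida\Code Red Worm" + "\\"

def parse_rule(line):
    """Split the backslash-delimited command into the fields used below."""
    fields = line.rstrip("\\").split("\\")
    if len(fields) != 8 or fields[:2] != ["#set", "payload_inspection"]:
        raise ValueError(f"not a payload_inspection rule: {line!r}")
    # fields[4] ("off") and fields[5] ("11") are not explained on the page;
    # they are carried through unused rather than guessed at.
    return {"protocol": fields[2], "port": int(fields[3]),
            "pattern": fields[6].encode("ascii"), "label": fields[7],
            "unparsed": fields[4:6]}

def match_datagram(rule, protocol, dst_port, payload):
    """Return the rule's label if this datagram matches, else None."""
    if protocol != rule["protocol"] or dst_port != rule["port"]:
        return None
    return rule["label"] if rule["pattern"] in payload else None

# Constructed sample datagrams: (source, protocol, destination port, payload).
SAMPLES = [
    ("203.0.113.7", "tcp", 80, b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"),
    ("203.0.113.8", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("203.0.113.9", "tcp", 8080, b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"),
    ("198.51.100.4", "tcp", 80, b"GET /default.ida HTTP/1.0\r\n\r\n"),
]

def scan(rule, datagrams):
    """Return (source, label) for every datagram the rule flags."""
    hits = []
    for src, proto, port, payload in datagrams:
        label = match_datagram(rule, proto, port, payload)
        if label:
            hits.append((src, label))
    return hits

if __name__ == "__main__":
    for src, label in scan(parse_rule(RULE_LINE), SAMPLES):
        print(f"{src}: {label}")
```

The last sample is flagged as well: a signature on the file name alone fires on any port 80 request that names default.ida, so hits from a rule like this need triage before they are treated as worm traffic.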
Bug Fixes:
- Fixed a bug which was interfering
with IPNetMonitor.
IPNetSentry Companion Application:
Feature Enhancements:
- Companion application now
supports iCab browsers (to the best of its ability. SSL
connections are not supported in the default iCab installation, so
online registration must still be performed with another
browser).
Bug Fixes:
- Fixed a display bug in the Aged
Filter window where an intruder's IP address would not fully be
displayed if it was 15 characters (e.g.
192.168.243.212).
August 28, 2001 (1.1.6)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- The "Log" and "Aged Filter"
windows can now be closed with the "Command - W" keys.
Bug Fixes:
August 20, 2001 (1.1.5)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
- Fixed date reporting for Who's
There Firewall Advisor. The IPNetSentry_FA.log file now uses the
required mm/dd/yyyy format for date stamping of log
entries.
IPNetSentry Companion Application:
Feature Enhancements:
- Companion Application "About"
dialog box now reports the Companion App version, the IPNetSentry
FBA version, and the OTModl$Proxy extension version.
Bug Fixes:
Including OTModl$Proxy v2.1.5 with
this release of IPNetSentry.
July 24, 2001 (1.1.4)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added IP header hex dump command
(#set command).
When the hex dump feature is
on, and a datagram arrives which matches a filter (or trigger),
the entire datagram IP header is dumped in the log file in
hexadecimal format (for manual analysis). This feature is
primarily used to identify datagrams which arrive but are not
automatically recognized as being IPv4 datagrams of known
protocols.
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
- Fixed version caption of
IPNetSentry Extension (as shown in About dialog box).
June 26, 2001 (1.1.3)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added lpd (TCP Port 515) and
SOCKS (TCP Port 1080) triggers to default IPNetSentry Config
file.
Bug Fixes:
- Fixed version reporting bug (as
displayed in Extensions Manager).
IPNetSentry Companion Application:
Feature Enhancements:
- No need to use a browser to
complete registration process. Key checking is performed directly
through the Companion Application.
Bug Fixes:
June 20, 2001 (1.1.2)
IPNetSentry.PPC FBA:
Feature Enhancements:
Bug Fixes:
- Fixed bug which removed
IPNetRouter filters when IPNetSentry was turned off.
IPNetSentry Companion Application:
Feature Enhancements:
Bug Fixes:
- Fixed log window scrolling when
text exceeds 32Kbytes.
June 12, 2001 (1.1.1)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added capability to easily
perform a trace route on an intruder's IP address when an
intrusion alert appears. The trace route is performed through
IPNetMonitor, a separate Sustworks product. See the accompanying
"IPNetSentry Trace Route ReadMe" for more details on setting up
this functionality.
Bug Fixes:
IPNetSentry Companion Application:
Feature Enhancements:
- Added capability to easily
perform a trace route on an intruder's IP address through the Aged
Filter window. The trace route is performed through IPNetMonitor,
a separate Sustworks product. See the accompanying "IPNetSentry
Trace Route ReadMe" for more details on setting up this
functionality.
- The "Log" button now opens a
separate Log window within the IPNetSentry Companion application.
This Log window displays the last 32Kbytes of the IPNetSentry.log
file and displays IPNetSentry events as they occur in
real-time.
Users can still open the entire IPNetSentry.log file with a
default text editor by holding down the "Shift" key while clicking
the Log button.
- Holding down the "Command" key
while launching the application will bypass the splash
screen.
Bug Fixes:
May 15, 2001 (1.1)
Released as version 1.1
May 2, 2001 (1.1c4)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added capability to record
messages from "Log" filters. A "Log" filter is typically added to
watch for specific activity on a port or protocol. With Log
filters, NO action is taken. A Log filter simply passes
notification to IPNetSentry. IPNetSentry then records this
notification message.
For example, log all incoming ICMP
(Ping type) activity:
+filter\Default_Interface\Rcv\Log\icmp\*\*\*\*\*\
This Log filter will let
IPNetSentry simply log all incoming ICMP datagrams on a machine's
active Internet port.
Log filters are especially useful
when used with IPNetRouter. For example, you could log all HTTP
activity on the clients attached to your private LAN with the
following filter configured within IPNetRouter:
+filter\Ethernet Slot 1\Rcv\Log\tcp\*\192.168.0.1/24\*\*\80\
The above filter assumes your
clients are connected via the Ethernet Slot 1 port and configured
for the 192.168.0.x subnet.
IPNetRouter (v1.6c8 and later)
provides a very simple way to configure a Log filter through the
Filtering window.
Bug Fixes:
IPNetSentry Companion Application:
No Feature Enhancements
Bug Fixes:
- Fixed the method that the
companion application uses to determine a PPP interface IP
address. This is ONLY important IF you are running the companion
application on a machine which is sharing a PPP type connection
with IPNetRouter.
April 24, 2001 (1.1c3)
IPNetSentry.PPC FBA:
Bug Fix:
Fixed the #set\excluded_subnet
feature. This is particularly important for IPNetSentry users who are
also running IPNetRouter on the same Macintosh, with IPNetRouter set up to
share a cable/DSL/ADSL modem using the single ethernet configuration.
In this case, a user must use the #set\excluded_subnet command to
ensure that their client machines do not unnecessarily trigger
IPNetSentry.
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
April 19, 2001 (1.1c2)
IPNetSentry.PPC FBA:
Feature Enhancements:
The IPNetSentry FBA has been nearly
completely rewritten. This new version provides:
- stealth scan
detection
- icmp protocol triggers (i.e.
detection when someone Pings you).
- continued filter logging when
packets arrive which match an existing filter
- port scan detection
- denial of service (DoS) attack
detection
- creation of an event log
compatible with Open Door Networks "Who's There" Firewall
Advisor
These are significant enhancements.
Current IPNetSentry users are advised to upgrade to this latest
candidate version of IPNetSentry.
Stealth scan detection permits
IPNetSentry to detect any type of remote TCP port scan. A remote user
does not have to directly connect to your machine. Someone merely port
scanning your Mac can cause a trigger to occur.
Continued filter logging lets you see
if an intruder keeps hitting your machine even after a filter is
applied to ban them.
You can see if a trigger was set by a
one time event (perhaps someone mistaking your IP address for some
other IP address) or if the intrusion was by a deliberate port
scan.
IPNetSentry can now build a separate
log file which is compatible with Open Door Networks "Who's There"
Firewall Advisor. Note: icmp events are not correctly identified with
"Who's There" v1.0.1 or earlier.
IPNetSentry Companion Application:
Feature Enhancements:
- Due to the addition of several
new features, the IPNetSentry Companion Application now uses a
different URL for configuration. There are several new options
available on this new configuration page.
April 5, 2001 (1.1c1)
IPNetSentry.PPC FBA:
Bug Fixes:
- The logging function has been
modified so that it will not fill up the log with repeating
entries (such as detecting an interface is not yet up). This will
prevent the log from being filled with redundant
entries.
IPNetSentry Companion Application:
Bug Fixes:
- Modified the Configure, Test, and
Save Registration routines so that they now should work more
reliably under Mac OS 9.1.
March 12, 2001 (1.0)
Released as version 1.0
February 27, 2001 (1.0c7)
IPNetSentry.PPC FBA:
Feature Enhancements:
- The IPNetSentry Log file is now
checked against a maximum size. When this size is exceeded the
user is notified.
The maximum log file size can be set in the IPNetSentry
configuration file. If it is not set in this file, the maximum log
file size defaults to 1000 KBytes. The log file size is checked
each time IPNetSentry restarts.
No Bug Fixes
IPNetSentry Companion Application:
No Feature Enhancements
Bug Fixes:
- Fixed a bug which left a TCP port
open when a connection was attempted but could not be made to the
Companion Application.
February 13, 2001 (1.0c6)
IPNetSentry.PPC FBA:
Reverted to an older version of the
Installation package maker. There appeared to be some problems installing
IPNetSentry on machines running MacOS 8.1 or earlier with the new
installation package.
No Feature Enhancements nor Bug Fixes
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
February 12, 2001 (1.0c5)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Notification type can be set on
a per-trigger basis.
For example, consider the
situation where you might be protecting your Mac which has a DHCP
type cable modem connection. You may wish to have incoming DHCP
requests from your neighbors (UDP Port 67) trigger IPNetSentry BUT
not alert you. This would offer you the security of your neighbors
not being able to access your machine (a filter would
automatically be added), but you would not be disturbed by these
frequent DHCP requests. The other triggers you set, however, would
perform the default notification as set in the configuration file.
The command lines to do this would look similar to
this:
#set\notification_type\alert
....
+trigger\tcp\25\smtp
+trigger\tcp\161\snmp
+trigger\tcp\23\telnet
+trigger\udp\53\dns
....
+trigger\udp\67\dhcp\none
.....
+trigger\tcp\79\finger
+trigger\tcp\110\pop3
Note that the dhcp trigger has a
"none" option set. This will cause IPNetSentry to log any trigger
events for DHCP intrusions, add the appropriate filter, but not
alert the user. All other triggers will cause an alert to appear
(since the default notification type has been set to
alert).
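How the default and the per-trigger option combine, as an added example (not Sustworks code): a small parser for the lines above that resolves each trigger's effective notification and lists the triggers that will add a filter without alerting. It assumes the `+trigger\protocol\port\service[\notification]` shape shown here, that the `#set\notification_type` default applies to every trigger in the file, and a fallback of "alert" when no such line is present.

```python
# Added example, not Sustworks code: effective notification per trigger.
# SAMPLE_CONFIG is the fragment from this page, elisions ("....") included.
SAMPLE_CONFIG = r"""
#set\notification_type\alert
....
+trigger\tcp\25\smtp
+trigger\tcp\161\snmp
+trigger\tcp\23\telnet
+trigger\udp\53\dns
....
+trigger\udp\67\dhcp\none
.....
+trigger\tcp\79\finger
+trigger\tcp\110\pop3
"""

def parse_triggers(config_text, fallback="alert"):
    """Return one dict per trigger with its resolved notification type."""
    default = fallback  # assumption: used only when no #set line is present
    parsed = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or set(line) == {"."}:  # blank line or "...." elision
            continue
        fields = line.split("\\")
        if fields[:2] == ["#set", "notification_type"] and len(fields) >= 3:
            default = fields[2]
        elif fields[0] == "+trigger":
            if len(fields) not in (4, 5):
                raise ValueError(f"line {lineno}: unexpected trigger: {line!r}")
            proto, port, service = fields[1:4]
            if not port.isdigit() or not 0 < int(port) <= 65535:
                raise ValueError(f"line {lineno}: bad port {port!r}")
            override = fields[4] if len(fields) == 5 else None
            parsed.append((proto, int(port), service, override))
    # Resolve after the whole file is read so a late #set still applies.
    return [{"protocol": p, "port": n, "service": s, "notification": o or default}
            for p, n, s, o in parsed]

def silent_triggers(triggers):
    """Triggers that log and filter but never alert the user."""
    return [f"{t['protocol']}/{t['port']} ({t['service']})"
            for t in triggers if t["notification"] == "none"]

if __name__ == "__main__":
    triggers = parse_triggers(SAMPLE_CONFIG)
    for t in triggers:
        print(f"{t['protocol']}/{t['port']:<5} {t['service']:<8} {t['notification']}")
    print("silent:", silent_triggers(triggers))
```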
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
January 29, 2001 (1.0c4)
IPNetSentry.PPC FBA:
Bug Fixes:
- Fixed notification bugs
(including AppleScript file error -43)
IPNetSentry Companion Application:
No Feature Enhancements nor Bug Fixes
January 20, 2001 (1.0c3)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added Syslog notification. This
will send the log message to a designated Syslog server via UDP
Port 514.
- Multiple notification methods can
now be enabled (e.g. alert, applescript, and syslog can all be
chosen as notification methods if desired, etc.).
Bug Fixes:
- Fixed a bug when reloading
interface data.
IPNetSentry Companion Application:
Bug Fixes:
- Fixed problem of Configuring
and/or Testing IPNetSentry when ISP uses a Proxy server. True IP
address of machine running IPNetSentry is sent to and used by
Sustworks server for configuration and testing.
- Fixed problem where the previous
IP address was used when retrieving IPNetSentry configuration
information. Companion application now waits for interface to come
completely up before retrieving IP address of local machine
(mainly a dialup PPP issue).
December 22, 2000 (1.0c2)
IPNetSentry.PPC FBA:
Feature Enhancements:
- Added feature for AppleScript
notification. IPNetSentry can now launch an AppleScript when a
trigger is hit (script saved as a runnable application in
Preferences folder). A typical use of this feature is to send an
administrator an email message with the details of the intrusion.
Example scripts for sending mail through Eudora and Outlook
Express are provided.
- Added feature to specify the
public port (on which Aged Filters will be applied). This is
important for IPNetRouter users who are sharing a dialup PPP
connection. In this case the public interface is NOT the primary
interface (the local private interface is the primary interface as
set up in the TCP/IP control panel).
- Added feature to exclude
specified subnets from causing IPNetSentry to trigger. Examples
where this may be desired:
- You do not want client
machines on your private IPNetRouter subnet to cause
unnecessary triggers.
- There is a remote machine
(e.g. office) with a static IP address for which you always
want to give access to your home machine. You do not want this
office machine to accidentally hit a trigger on the home machine,
thereby banning this remote machine from any
access.
- Added feature to record the
protocol and service of the trigger in the IPNetSentry Aged Filter
file.
Bug Fixes:
- Fixed loading access (static)
filters
- Fixed closing FBA resource fork
(so companion application can write to it when
registering).
IPNetSentry Companion Application:
Feature Enhancements:
- Added feature to display protocol
and service of trigger in Aged Filter window.
Bug Fixes:
- Fixed restart of IPNetSentry FBA
after an Aged Filter has been modified or deleted or the
IPNetSentry configuration file has been modified.
December 8, 2000 (1.0c1)
First final candidate posted.