Stateful Packet Inspection Against all kinds of Malware!

Discussion in 'Linux Networking' started by beatnik, Aug 13, 2004.

  1. beatnik

    beatnik Guest

    Let's assume that I do not want to run critical security updates (patches)
    by Micro$oft.

    a) I was wondering if just a firewall can save my ass without even using
    AV. Is there a WinXP firewall tool with stateful packet inspection that
    I can configure to accept inbound traffic only as a response to my
    previous outbound connection?

    b) If there is one, then I would also like that firewall to inspect
    each incoming packet to my network interface and, if the data portion of
    the packet matches a virus/trojan/worm or any kind of malware packet,
    simply drop it.

    That way even if I deliberately choose to open a virus-infected link or a
    worm-infected attachment my OS will still be in no danger at all, even without
    running an AV or patches!

    I think this is a logical demand and we don't have to search every day for
    patches to secure the holes in our OS; instead we will leave the firewall to
    update its database automatically.

    Antivirus packages after all don't work as they should, in my opinion!
    They wait for your machine to get infected with a virus which is stored
    in a hdd file and then, because they have a scannable object in their
    hands, only then can they delete the damn thing....

    I believe stateful packet inspection, by examining the contents of the IP
    packets' data portion against a malware (trojan/worm/virus) database that
    would update itself periodically, would be a far more secure approach.
    No?!?!

    What do you guys think of it? Am I asking too much?

    Can it be done by the use of iptables?
     
    beatnik, Aug 13, 2004
    #1

  2. beatnik

    Bit Twister Guest

    Before anyone replies to this post, you may want to read this thread
    http://groups.google.com/groups?selm=cfdcpj$sgi$
    so as not to repeat and get a good feel for what beatnik wants.
     
    Bit Twister, Aug 13, 2004
    #2

  3. beatnik

    beatnik Guest

    beatnik, Aug 13, 2004
    #3
  4. beatnik wrote on 13.08.2004 09:32:
    What does this have to do with Linux networking?
    Ask a Microsoft group.
    This is what on-demand virus-scanners are for.
    Now it's getting weird. If you're running your computer with this
    attitude it surely is infected.
    Where do you see the difference between updating your "firewall" and
    updating your OS?
    Get yourself some logical thinking.
    Scanning each IP packet for content is quite a hassle.
    Asking as such is good, but asking without thinking first is at least
    impolite because this tells the others "I'm just too lazy, you do the
    thinking for me".
    By stateful inspection is meant the state of the connection. If you
    initiate a connection, all answers to this connection are accepted. If a
    remote machine initiates a new and unanswered-for connection it will be
    rejected.
    Do yourself a favour and do some research and get your vocabulary clear
    before posting.
     
    Walter Schiessberg, Aug 13, 2004
    #4
  5. beatnik

    Bit Twister Guest

    You would have ranted more had you known he has posted the same
    message in
    comp.security.firewalls
    local.linux.greek.users
    alt.hacker
     
    Bit Twister, Aug 13, 2004
    #5
  6. Bit Twister wrote on 13.08.2004 10:07:
    Somehow I suspected this :))
     
    Walter Schiessberg, Aug 13, 2004
    #6
  7. beatnik

    beatnik Guest

    I told you in the previous post why I did it. Read it.
     
    beatnik, Aug 13, 2004
    #7
  8. beatnik

    beatnik Guest

    What I am asking is why.
    I just want the simplest and most "little needed" way to do it.
    Well actually I did. Why don't you tell me your logical thinking about it?
    I am asking if it's possible for iptables, apart from SPI, to also check
    each IP packet against malware. That's what I am asking.
     
    beatnik, Aug 13, 2004
    #8
  9. The standard xp firewall (what the heck has this question to do with linux?)
    will do it. As well as iptables.
    Now a firewall cannot save your ass from malware received and opened on the
    inside (mail or warez download or whatever).
    Ah. Yes. Sounds like a good idea. Now what about malware coming zipped or
    otherwise compressed? How can iptables collect all the parts of a multipart
    rar, extract it, scan it and resubmit them with the same tcp checksums and
    session numbers, without timing out and forcing resends by the requesting
    client in between, causing buffer overflows and breakdown of the whole tcp
    stack?
    Dreamer.
    Well, there is such a thing as clamav-squid, which - when running as
    transparent proxy and blocking direct www/ftp outgoing connections via
    iptables - might come close to what you want, in conjunction with a mail
    proxy (postfix-amavis). Needs a lot of configuration though.
    Now there are still other ways to insert malware. You cannot make a network
    foolproof, there are always better fools.
    The on-access-scanners running in the background (there is clamd with
    dazuko/clamuko in linux) do inhibit the storage of a virus, at least in
    executable (unpacked) form.
    Yes.
     
    Walter Mautner, Aug 13, 2004
    #9
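As an added example (not code from the thread or from any of its posters), the following POSIX shell script applies the two things the replies above describe: the stateful policy Walter Schiessberg explains (replies to connections this host opened are accepted, unsolicited inbound connections are dropped) and the transparent-proxy redirect Walter Mautner mentions for sending web traffic through a scanning proxy such as squid with clamav. The `iptables` commands, the `conntrack` match and the `REDIRECT` target are real; the interface name `eth0`, the proxy port `3128`, and the `IPT`, `LAN_IF` and `PROXY_PORT` variables are assumptions of this example. Setting `IPT="echo iptables"` prints the rules instead of applying them, which is how a policy like this can be reviewed before it is loaded on a live box.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful host policy and a
# transparent-proxy redirect for iptables.
# IPT defaults to the real iptables binary; IPT="echo iptables" gives a dry run.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"          # assumed LAN-facing interface on the gateway
PROXY_PORT="${PROXY_PORT:-3128}"  # assumed listening port of the scanning proxy

# Default-deny inbound: only packets that belong to (or are related to, e.g.
# an FTP data channel) a connection this host started are let in. This is the
# "state of the connection" rule; it says nothing about what the reply carries.
stateful_policy() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback must stay open or local services (X, DNS caches, etc.) break.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to flows we initiated, as tracked by the kernel's conntrack table.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify at all (malformed or out-of-window).
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Everything else is unsolicited: log a rate-limited sample, then drop.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "unsolicited: "
    $IPT -A INPUT -j DROP
}

# On a gateway: divert LAN web requests to a local scanning proxy and refuse
# direct www/ftp forwarding so the proxy cannot simply be bypassed. Port 80 from
# LAN_IF is rewritten in PREROUTING before FORWARD sees it, so the REJECT below
# only catches traffic the redirect did not take.
transparent_proxy_redirect() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 80,21 -j REJECT
}

case "${1:-}" in
    host)  stateful_policy ;;
    proxy) transparent_proxy_redirect ;;
    *)     echo "usage: $0 host|proxy   (IPT='echo iptables' for a dry run)" >&2 ;;
esac
```

Run it as root with `host` on a workstation or `proxy` on the gateway that runs the scanning proxy. Note what this does and does not cover: the stateful rules implement exactly the "answers to my connection are accepted, new unsolicited connections are rejected" behaviour, so a worm that scans inbound ports never gets a reply, but a file the user fetches over a connection he opened himself comes back as a perfectly valid ESTABLISHED reply and passes untouched. Inspecting that content is the proxy's job, and the redirect only reaches traffic on the ports listed, which is the configuration effort Walter Mautner warns about.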
  10. On Fri, 13 Aug 2004 09:53:47 +0200 Walter Schiessberg wrote:

    [crap snipped]

    His name is "beatnik", right?

    Nomen est omen:

    When the term 'Beat Generation' began to be used as a label for the
    young people Kerouac called 'hipsters' or 'beatsters' in the late 1950s,
    the word 'beat' lost its specific references to a particular subculture
    and became a synonym for anyone living as a bohemian or acting
    *rebelliously* or appearing to advocate a revolution in manners.

    In 1958, a few months after Russia launched their 'sputnik' satellite,
    San Francisco Chronicle columnist Herb Caen coined the word 'beatnik'.
    He wrote condescendingly that "Look Magazine hosted a party for 50
    Beatniks... and over 250 bearded cats and kits were on hand... They're
    only Beat, y'know, when it comes to work ..."

    Holmes wrote that "... the Beatniks and the Mass Media succeeded in
    beclouding most of what was unsettling, and thereby valuable, in the
    idea of Beatness..."


    PLOINK
     
    Gerard Wassink, Aug 13, 2004
    #10
  11. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    NotDashEscaped: You need GnuPG to verify this message

    Not at all, nothing will save your ass if you insist on connecting
    some M$ system to the internet without even patches. There are
    for sure many great games for M$, but don't even think about
    connecting it to the internet; even with all patches there's no
    security. Dunno if this is a bug or a feature.;)

    [..]

    --
    Michael Heiming (GPG-Key ID: 0xEDD27B94)
    mail: echo | perl -pe 'y/a-z/n-za-m/'
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFBHI9hAkPEju3Se5QRAuLKAKDF4A623F+FH3Wgcp11ZI1HwrNI2QCgs1TN
    AtkB3eOfTDbOiN9u14MFzu4=
    =GjX1
    -----END PGP SIGNATURE-----
     
    Michael Heiming, Aug 13, 2004
    #11
  12. beatnik

    beatnik Guest

    Take it easy now!
     
    beatnik, Aug 13, 2004
    #12
  13. On Fri, 13 Aug 2004 09:52:35 -0000 Michael Heiming wrote:

    [...]
    Rest assured, it's a feature by definition:

    Bugs don't exist, we call them undocumented features now.

    And I don't think M$ documented these...

    :-D
     
    Gerard Wassink, Aug 13, 2004
    #13