Re: Wish list
Greg Metcalfe wrote:
> Newsbox wrote:
>
>> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>>
>>> Newsbox wrote:
>>>
>>>> I would like to be able to parse my firewall listings of all the
>>>> unsolicited traffic I receive, and be able to easily determine just
>>>> what supposed or possible vulnerability some criminal creep was trying
>>>> to find
>>>> or exploit when each was sent. Maybe that's asking a lot, but wait,
>>>> here's more:
>>>>
>>>> I would then like to know exactly what trojan, virus, worm or other
>>>> malware on a zombie host would be sending those packets, what kinds of
>>>> OS's they might be running on, how (if possible) to directly contact
>>>> the host, and what vulnerabilities that zombied host would likely have,
>>>> and how to exploit any such known vulnerability to stop the zombied
>>>> host from further attacking me and others.
>>>>
>>>> I'm surely not a rich man, but would consider setting a separate
>>>> firewall server for this purpose if it were possible or doable.
>>>>
>>>> All suggestions welcome.
>>>>
>>>> Best wishes.
>>>
>>> I would suggest you do research on firewalls, what they are, what they
>>> do and what they do not do. Your question suggest a lack of
>>> understanding of what security is and what it takes to get a secure
>>> system. Unless you do some studying, you will probably never have a
>>> secure system no matter what firewall you put in.
>>
>> Thank you for the response. I do not want to insult your analysis at
>> this
>> time. And thank you for your (apparent) concern that I will never have a
>> secure system. I would invite you to shoot at my system, if that is what
>> it would take, except that I do not like "learning the hard way". I have
>> had "secure systems" for some years, apparently. And that is not at all
>> the focus of my request. What for example are these:?
>> port 2 udp
>> port 1026 udp
>> port 1911 tcp
>> ...(and many, many more)
>>
>> If you had a pointer to a database of what these probes were for, it
>> would really be more to the point of my question than any of you
>> suggestions for "studying".
>>
>> Sorry, but I don't think you got the "gist" of my request. Thanks, but
>> no
>> thanks. Give me a database. Thanks anyway.
>
> Well, you can spend into 6 figures and not get everything on your shopping
> list. Also, you may not *want* everything on that list.
>
> Suppose your software really could tell "what vulnerabilities that zombied
> host would likely have, and how to exploit any such known vulnerability to
> stop the zombied host from further attacking me and others." That changes
> like the wind, but suppose you had something completely accurate. You'd
> still need to round up exploit code, which may be coming from a rather
> unsavory source. I gather you'd like to do that in a completely automated
> fashion as well. That would be dangerous in and of itself, especially as
> you couldn't quantify a new and ever-changing risk, so automation is
> probably the last thing you want. This is a case where you need humans in
> the loop--except that it would take a full-time staff. But suppose you got
> past those difficulties as well. There's an ethics issue involved with
> pushing that exploit button, as well as the fact that you would then be in
> violation of federal law, and likely state laws as well.
>
> There really is only so much that can be done with automation. You'll find
> that the larger managed security services (Counterpane, etc.) pride
> themselves on the caliber of the people they have in the loop. You might
> spend some time on isc.sans.org. Read through some handler's diaries,
> learn how to submit your firewall logs, look at the port histories, etc. I
> think you might find that site both interesting and instructive.
Newsbox does not want to LEARN anything and does not want to take advice.
--
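To show what the "parse my firewall listings" part of the wish list actually amounts to in practice, here is an added example (my own code, not anything posted in this thread or shipped by any tool mentioned in it). It parses netfilter/iptables LOG lines, groups the dropped traffic by destination port and by source, and splits the noise into two patterns that call for different reactions: one source hitting many ports (a scan of you specifically) versus many unrelated sources hitting the same port (background worm or spam traffic, the kind of port you look up on the isc.sans.org port histories rather than treat as a targeted attack). The log lines are constructed with documentation-range addresses, the thresholds are arbitrary, and the script deliberately does not try to name the malware behind a port, since that attribution is exactly the part of the wish list that cannot be automated reliably.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines (documentation IP ranges, not real traffic).
# The KEY=VALUE layout is the one the iptables LOG target writes to syslog.
SAMPLE_LOG = """\
Nov 29 23:40:01 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=418 TOS=0x00 PREC=0x00 TTL=112 ID=2231 PROTO=UDP SPT=1032 DPT=1026 LEN=398
Nov 29 23:40:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=418 TTL=109 ID=4410 PROTO=UDP SPT=1030 DPT=1026 LEN=398
Nov 29 23:41:17 gw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.5 LEN=418 TTL=115 ID=9 PROTO=UDP SPT=1029 DPT=1026 LEN=398
Nov 29 23:42:50 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=120 ID=31001 DF PROTO=TCP SPT=3101 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 29 23:42:50 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=120 ID=31002 DF PROTO=TCP SPT=3102 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 29 23:42:51 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=120 ID=31003 DF PROTO=TCP SPT=3103 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 29 23:42:51 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=120 ID=31004 DF PROTO=TCP SPT=3104 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 29 23:42:52 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=120 ID=31005 DF PROTO=TCP SPT=3105 DPT=1911 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 29 23:43:24 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=29 TTL=112 ID=2290 PROTO=UDP SPT=53 DPT=2 LEN=9
Nov 29 23:44:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.8 DST=203.0.113.5 LEN=84 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 29 23:44:05 gw sshd[2210]: Accepted publickey for admin from 203.0.113.9 port 51022 ssh2
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line, or None for any other syslog line."""
    if "SRC=" not in line or "PROTO=" not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        # LEN= (and ID= for ICMP) appear twice; keep the first, the IP-header value
        fields.setdefault(key, value)
    return fields


def summarize(log_text):
    """Build two views of the dropped traffic: sources per (proto, port) and ports per source."""
    per_port = defaultdict(set)   # (proto, dport) -> set of source IPs
    per_src = defaultdict(set)    # source IP -> set of (proto, dport)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "DPT" not in fields:   # ICMP and non-firewall lines carry no DPT
            continue
        key = (fields["PROTO"], int(fields["DPT"]))
        per_port[key].add(fields["SRC"])
        per_src[fields["SRC"]].add(key)
    return per_port, per_src


def classify(per_port, per_src, scan_threshold=5, distributed_threshold=3):
    """Separate vertical scans (one source, many ports) from distributed probes
    (one port, many unrelated sources). Thresholds are arbitrary assumptions."""
    scanners = sorted(src for src, ports in per_src.items() if len(ports) >= scan_threshold)
    hot_ports = sorted(
        (key for key, srcs in per_port.items() if len(srcs) >= distributed_threshold),
        key=lambda key: (-len(per_port[key]), key),
    )
    return scanners, hot_ports


def report(log_text):
    """Human-readable summary; the 'look up' lines are the ports worth checking
    against a public port history (e.g. the ISC port pages) before assuming intent."""
    per_port, per_src = summarize(log_text)
    scanners, hot_ports = classify(per_port, per_src)
    lines = [f"scanned you from: {src} ({len(per_src[src])} ports)" for src in scanners]
    lines += [f"look up {proto}/{port}: {len(per_port[(proto, port)])} distinct sources"
              for proto, port in hot_ports]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the constructed sample this reports 192.0.2.44 as a scanner (five TCP ports in two seconds) and UDP/1026 as a port hit by three unrelated sources; the single UDP/2 and TCP/1911 hits stay below both thresholds and are left as unexplained noise, which is the honest answer for a one-off probe.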