This is a discussion on Wish list within the Linux Security forums, part of the System Security and Security Related category.
I would like to be able to parse my firewall listings of all the unsolicited traffic I receive, and be able to easily determine just what supposed or possible vulnerability some criminal creep was trying to find or exploit when each was sent. Maybe that's asking a lot, but wait, here's more:

I would then like to know exactly what trojan, virus, worm or other malware on a zombie host would be sending those packets, what kinds of OSes they might be running on, how (if possible) to directly contact the host, and what vulnerabilities that zombied host would likely have, and how to exploit any such known vulnerability to stop the zombied host from further attacking me and others.

I'm surely not a rich man, but would consider setting up a separate firewall server for this purpose if it were possible or doable.

All suggestions welcome.

Best wishes.
Newsbox wrote:
> I would like to be able to parse my firewall listings of all the
> unsolicited traffic I receive, and be able to easily determine just what
> supposed or possible vulnerability some criminal creep was trying to find
> or exploit when each was sent. Maybe that's asking a lot, but wait,
> here's more:
>
> I would then like to know exactly what trojan, virus, worm or other
> malware on a zombie host would be sending those packets, what kinds of
> OSes they might be running on, how (if possible) to directly contact the
> host, and what vulnerabilities that zombied host would likely have, and
> how to exploit any such known vulnerability to stop the zombied host from
> further attacking me and others.
>
> I'm surely not a rich man, but would consider setting up a separate firewall
> server for this purpose if it were possible or doable.
>
> All suggestions welcome.
>
> Best wishes.

I would suggest you do research on firewalls, what they are, what they do and what they do not do. Your question suggests a lack of understanding of what security is and what it takes to get a secure system. Unless you do some studying, you will probably never have a secure system no matter what firewall you put in.
On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
> Newsbox wrote:
>
>> I would like to be able to parse my firewall listings of all the
>> unsolicited traffic I receive, and be able to easily determine just what
>> supposed or possible vulnerability some criminal creep was trying to find
>> or exploit when each was sent. Maybe that's asking a lot, but wait,
>> here's more:
>>
>> I would then like to know exactly what trojan, virus, worm or other
>> malware on a zombie host would be sending those packets, what kinds of
>> OSes they might be running on, how (if possible) to directly contact the
>> host, and what vulnerabilities that zombied host would likely have, and
>> how to exploit any such known vulnerability to stop the zombied host from
>> further attacking me and others.
>>
>> I'm surely not a rich man, but would consider setting up a separate firewall
>> server for this purpose if it were possible or doable.
>>
>> All suggestions welcome.
>>
>> Best wishes.
>
> I would suggest you do research on firewalls, what they are, what they do
> and what they do not do. Your question suggests a lack of understanding of
> what security is and what it takes to get a secure system. Unless you do
> some studying, you will probably never have a secure system no matter what
> firewall you put in.

Thank you for the response. I do not want to insult your analysis at this time. And thank you for your (apparent) concern that I will never have a secure system. I would invite you to shoot at my system, if that is what it would take, except that I do not like "learning the hard way". I have had "secure systems" for some years, apparently. And that is not at all the focus of my request. What, for example, are these?

port 2 udp
port 1026 udp
port 1911 tcp
...(and many, many more)

If you had a pointer to a database of what these probes were for, it would really be more to the point of my question than any of your suggestions for "studying".

Sorry, but I don't think you got the "gist" of my request. Thanks, but no thanks. Give me a database. Thanks anyway.
Newsbox wrote:
> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>
>> Newsbox wrote:
>>
>>> I would like to be able to parse my firewall listings of all the
>>> unsolicited traffic I receive, and be able to easily determine just what
>>> supposed or possible vulnerability some criminal creep was trying to
>>> find or exploit when each was sent. Maybe that's asking a lot, but wait,
>>> here's more:
>>>
>>> I would then like to know exactly what trojan, virus, worm or other
>>> malware on a zombie host would be sending those packets, what kinds of
>>> OSes they might be running on, how (if possible) to directly contact the
>>> host, and what vulnerabilities that zombied host would likely have, and
>>> how to exploit any such known vulnerability to stop the zombied host
>>> from further attacking me and others.
>>>
>>> I'm surely not a rich man, but would consider setting up a separate
>>> firewall server for this purpose if it were possible or doable.
>>>
>>> All suggestions welcome.
>>>
>>> Best wishes.
>>
>> I would suggest you do research on firewalls, what they are, what they do
>> and what they do not do. Your question suggests a lack of understanding of
>> what security is and what it takes to get a secure system. Unless you do
>> some studying, you will probably never have a secure system no matter
>> what firewall you put in.
>
> Thank you for the response. I do not want to insult your analysis at this
> time. And thank you for your (apparent) concern that I will never have a
> secure system. I would invite you to shoot at my system, if that is what
> it would take, except that I do not like "learning the hard way". I have
> had "secure systems" for some years, apparently. And that is not at all
> the focus of my request. What, for example, are these?
>
> port 2 udp
> port 1026 udp
> port 1911 tcp
> ...(and many, many more)
>
> If you had a pointer to a database of what these probes were for, it would
> really be more to the point of my question than any of your suggestions for
> "studying".
>
> Sorry, but I don't think you got the "gist" of my request. Thanks, but no
> thanks. Give me a database. Thanks anyway.

Well, you can spend into 6 figures and not get everything on your shopping list. Also, you may not *want* everything on that list.

Suppose your software really could tell "what vulnerabilities that zombied host would likely have, and how to exploit any such known vulnerability to stop the zombied host from further attacking me and others." That changes like the wind, but suppose you had something completely accurate. You'd still need to round up exploit code, which may be coming from a rather unsavory source. I gather you'd like to do that in a completely automated fashion as well. That would be dangerous in and of itself, especially as you couldn't quantify a new and ever-changing risk, so automation is probably the last thing you want. This is a case where you need humans in the loop, except that it would take a full-time staff. But suppose you got past those difficulties as well. There's an ethics issue involved with pushing that exploit button, as well as the fact that you would then be in violation of federal law, and likely state laws as well.

There really is only so much that can be done with automation. You'll find that the larger managed security services (Counterpane, etc.) pride themselves on the caliber of the people they have in the loop. You might spend some time on isc.sans.org. Read through some handler's diaries, learn how to submit your firewall logs, look at the port histories, etc. I think you might find that site both interesting and instructive.
On Wed, 30 Nov 2005 03:33:25 -0500, Newsbox <nospam_for_me_please@thanks.invalid> wrote:
> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>> Newsbox wrote:
>>
>>> I would like to be able to parse my firewall listings of all the
>>> unsolicited traffic I receive, and be able to easily determine just what
>>> supposed or possible vulnerability some criminal creep was trying to find
>>> or exploit when each was sent.
>>> ...
> ...
> I have
> had "secure systems" for some years, apparently. And that is not at all
> the focus of my request. What, for example, are these?
> port 2 udp
> port 1026 udp
> port 1911 tcp
> ...(and many, many more)

Try:

http://www.iana.org

for all such info, and specifically:

http://www.iana.org/assignments/port-numbers

for port numbers / services. For example, port 2 udp is:

compressnet 2/udp Management Utility

which you'd have to use google for to investigate further.

Your own system might have an /etc/services file with some of this info.

--
Dale Dellutri <ddelQQQlutr@panQQQix.com> (lose the Q's)
Newsbox wrote:
> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>
>> Newsbox wrote:
>>
>>> I would like to be able to parse my firewall listings of all the
>>> unsolicited traffic I receive, and be able to easily determine just what
>>> supposed or possible vulnerability some criminal creep was trying to
>>> find or exploit when each was sent. Maybe that's asking a lot, but wait,
>>> here's more:
>>>
>>> I would then like to know exactly what trojan, virus, worm or other
>>> malware on a zombie host would be sending those packets, what kinds of
>>> OSes they might be running on, how (if possible) to directly contact the
>>> host, and what vulnerabilities that zombied host would likely have, and
>>> how to exploit any such known vulnerability to stop the zombied host
>>> from further attacking me and others.
>>>
>>> I'm surely not a rich man, but would consider setting up a separate
>>> firewall server for this purpose if it were possible or doable.
>>>
>>> All suggestions welcome.
>>>
>>> Best wishes.
>>
>> I would suggest you do research on firewalls, what they are, what they do
>> and what they do not do. Your question suggests a lack of understanding of
>> what security is and what it takes to get a secure system. Unless you do
>> some studying, you will probably never have a secure system no matter
>> what firewall you put in.
>
> Thank you for the response. I do not want to insult your analysis at this
> time.

Insult all you want, you would only be confirming your ignorance. C'ya, chump. Don't come crying to us when your system is hacked.
Greg Metcalfe wrote:
> Newsbox wrote:
>
>> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>>
>>> Newsbox wrote:
>>>
>>>> I would like to be able to parse my firewall listings of all the
>>>> unsolicited traffic I receive, and be able to easily determine just
>>>> what supposed or possible vulnerability some criminal creep was trying
>>>> to find or exploit when each was sent. Maybe that's asking a lot, but
>>>> wait, here's more:
>>>>
>>>> I would then like to know exactly what trojan, virus, worm or other
>>>> malware on a zombie host would be sending those packets, what kinds of
>>>> OSes they might be running on, how (if possible) to directly contact
>>>> the host, and what vulnerabilities that zombied host would likely have,
>>>> and how to exploit any such known vulnerability to stop the zombied
>>>> host from further attacking me and others.
>>>>
>>>> I'm surely not a rich man, but would consider setting up a separate
>>>> firewall server for this purpose if it were possible or doable.
>>>>
>>>> All suggestions welcome.
>>>>
>>>> Best wishes.
>>>
>>> I would suggest you do research on firewalls, what they are, what they
>>> do and what they do not do. Your question suggests a lack of
>>> understanding of what security is and what it takes to get a secure
>>> system. Unless you do some studying, you will probably never have a
>>> secure system no matter what firewall you put in.
>>
>> Thank you for the response. I do not want to insult your analysis at
>> this time. And thank you for your (apparent) concern that I will never
>> have a secure system. I would invite you to shoot at my system, if that
>> is what it would take, except that I do not like "learning the hard way".
>> I have had "secure systems" for some years, apparently. And that is not
>> at all the focus of my request. What, for example, are these?
>>
>> port 2 udp
>> port 1026 udp
>> port 1911 tcp
>> ...(and many, many more)
>>
>> If you had a pointer to a database of what these probes were for, it
>> would really be more to the point of my question than any of your
>> suggestions for "studying".
>>
>> Sorry, but I don't think you got the "gist" of my request. Thanks, but
>> no thanks. Give me a database. Thanks anyway.
>
> Well, you can spend into 6 figures and not get everything on your shopping
> list. Also, you may not *want* everything on that list.
>
> Suppose your software really could tell "what vulnerabilities that zombied
> host would likely have, and how to exploit any such known vulnerability to
> stop the zombied host from further attacking me and others." That changes
> like the wind, but suppose you had something completely accurate. You'd
> still need to round up exploit code, which may be coming from a rather
> unsavory source. I gather you'd like to do that in a completely automated
> fashion as well. That would be dangerous in and of itself, especially as
> you couldn't quantify a new and ever-changing risk, so automation is
> probably the last thing you want. This is a case where you need humans in
> the loop, except that it would take a full-time staff. But suppose you got
> past those difficulties as well. There's an ethics issue involved with
> pushing that exploit button, as well as the fact that you would then be in
> violation of federal law, and likely state laws as well.
>
> There really is only so much that can be done with automation. You'll find
> that the larger managed security services (Counterpane, etc.) pride
> themselves on the caliber of the people they have in the loop. You might
> spend some time on isc.sans.org. Read through some handler's diaries,
> learn how to submit your firewall logs, look at the port histories, etc. I
> think you might find that site both interesting and instructive.

Newsbox does not want to LEARN anything and does not want to take advice.
Newsbox wrote:
> I do not want to insult your analysis at this
> time. And thank you for your (apparent) concern that I will never have a
> secure system.

Read and LEARN, CHUMP:

http://software.newsforge.com/softwa...2.shtml?tid=78

QUOTE
The truth is, anti-virus software, firewalls, and intrusion detection are only the surface of security. They are all reactive measures that attempt to respond to active threats, rather than proactive measures that anticipate threats and try to make them harmless. These applications have a major role to play, but are not enough in themselves.
/QUOTE

I DO want to insult your approach; it will not be effective.
On Wed, 30 Nov 2005 12:27:38 +0000, Dale Dellutri wrote:
> On Wed, 30 Nov 2005 03:33:25 -0500, Newsbox <nospam_for_me_please@thanks.invalid> wrote:
>> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>>> Newsbox wrote:
>>>
>>>> I would like to be able to parse my firewall listings of all the
>>>> unsolicited traffic I receive, and be able to easily determine just what
>>>> supposed or possible vulnerability some criminal creep was trying to find
>>>> or exploit when each was sent.
>>>> ...
>> ...
>> I have
>> had "secure systems" for some years, apparently. And that is not at all
>> the focus of my request. What, for example, are these?
>> port 2 udp
>> port 1026 udp
>> port 1911 tcp
>> ...(and many, many more)
>
> Try:
>
> http://www.iana.org
>
> for all such info, and specifically:
>
> http://www.iana.org/assignments/port-numbers
>
> for port numbers / services. For example, port 2 udp is:
> compressnet 2/udp Management Utility
> which you'd have to use google for to investigate further.
>
> Your own system might have an /etc/services file with some
> of this info.

Thank you. I have indeed seen these before, and it is indeed a starting point. I think I'll need to do some considerable homework to get to a point where I can even begin to easily correlate what is incoming with what might be sending these packets, if that is even possible. I'll also be trying to respond to Mr. Metcalfe, who makes some important points that require response re: ethics and legal considerations. Thanks again.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dale Dellutri wrote:
> On Wed, 30 Nov 2005 03:33:25 -0500, Newsbox
> <nospam_for_me_please@thanks.invalid> wrote:
>> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>>> Newsbox wrote:
>>>
>>>> I would like to be able to parse my firewall listings of all the
>>>> unsolicited traffic I receive, and be able to easily determine just
>>>> what supposed or possible vulnerability some criminal creep was trying
>>>> to find or exploit when each was sent.
>>>> ...
>> ...
>> I have
>> had "secure systems" for some years, apparently. And that is not at all
>> the focus of my request. What, for example, are these?
>> port 2 udp
>> port 1026 udp
>> port 1911 tcp
>> ...(and many, many more)
>
> Try:
>
> http://www.iana.org
>
> for all such info, and specifically:
>
> http://www.iana.org/assignments/port-numbers
>
> for port numbers / services. For example, port 2 udp is:
> compressnet 2/udp Management Utility
> which you'd have to use google for to investigate further.
>
> Your own system might have an /etc/services file with some
> of this info.

Yeah, I considered giving those two references, too. But the post was already getting long, and the whole standard services thing is so easily (and commonly) subverted. /etc/services is used by the library calls seen in man(3) getservent, etc. So, Bad Guys can just avoid those calls.

Striking a balance between getting good starting info out there, which everyone dealing with this stuff has to know about (as you've done) and confusing many people, which is what I've probably done in the first para above, is always tough. Particularly since this isn't a classroom environment, face to face conversation, etc. It's hard to judge anyone's background. I'm certainly not very good at it.

I hope I'm not just confusing the issue here, but I'll probably risk doing it some more by putting a couple of legal caveats into that piece of the thread as well.

Cheers,
Greg
GPG key fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFDjkV0euKbcQBl8CkRAjNvAJ4i01p3p/e/bCRiODxQptgNvDndEACdECuH
ExoDa20O1wu1ghP5QiQO2cw=
=fBi7
-----END PGP SIGNATURE-----
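Dale's /etc/services pointer and Greg's note about the getservent(3) family are the practical core of this thread, so here is an added example (the editor's, not code posted by anyone in the thread) that does the first, achievable part of what Newsbox asked for: parse netfilter/iptables LOG lines, count probes per destination port and protocol, note how many distinct sources hit each, and annotate each with the name from an /etc/services-format table. Everything in it is constructed for the example: the log lines, the "DROP-IN:" rule prefix, the RFC 5737 documentation addresses, and the cut-down services table. The only mapping taken from the thread is Dale's compressnet 2/udp entry; 1026/udp and 1911/tcp are deliberately absent from the table so the script reports them as unknown rather than guessing.

```python
"""Summarise unsolicited inbound traffic from netfilter/iptables LOG lines
and annotate each destination port with its /etc/services name.

Added example for the thread; not anyone's posted code. All sample data
below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed excerpt in /etc/services format (name port/proto [aliases] # comment).
# A real table is read with load_services("/etc/services").
SAMPLE_SERVICES = """\
# Network services, Internet style
tcpmux          1/tcp
compressnet     2/udp      # Management Utility
ssh             22/tcp
domain          53/tcp
domain          53/udp
http            80/tcp     www
"""

# Constructed iptables LOG output (rule prefix "DROP-IN:"); addresses are
# from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 30 03:10:01 gw kernel: DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=4455 DPT=1911 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 30 03:10:07 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=31337 PROTO=UDP SPT=1026 DPT=1026 LEN=28
Nov 30 03:10:09 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=31338 PROTO=UDP SPT=1027 DPT=1026 LEN=28
Nov 30 03:11:42 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=2 DPT=2 LEN=20
Nov 30 03:12:00 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=4456 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 30 03:12:01 gw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=4457 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE fields; OUT= may be empty


def load_services_text(text):
    """Parse /etc/services-format text into {(port, proto): name}.

    Comments are stripped; the first name seen for a port/proto wins.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SERVICE_RE.match(line)
        if m:
            table.setdefault((int(m.group(2)), m.group(3)), m.group(1))
    return table


def load_services(path="/etc/services"):
    """Read the host's services file (same format as SAMPLE_SERVICES)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_services_text(fh.read())


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict.

    Lines without PROTO= and DPT= (ICMP, non-firewall kernel messages)
    return None so the caller can skip them.
    """
    fields = dict(KV_RE.findall(line))
    if "PROTO" not in fields or "DPT" not in fields:
        return None
    return fields


def summarise(log_text, services):
    """Count hits per (dport, proto), most frequent first, with the
    registered service name (or 'unassigned/unknown') and distinct sources."""
    hits = Counter()
    sources = {}
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        key = (int(f["DPT"]), f["PROTO"].lower())
        hits[key] += 1
        sources.setdefault(key, set()).add(f["SRC"])
    return [
        {
            "port": port,
            "proto": proto,
            "count": n,
            "sources": len(sources[(port, proto)]),
            "service": services.get((port, proto), "unassigned/unknown"),
        }
        for (port, proto), n in hits.most_common()
    ]


if __name__ == "__main__":
    table = load_services_text(SAMPLE_SERVICES)
    print(f"{'port':>6} {'proto':5} {'hits':>5} {'srcs':>5}  service")
    for r in summarise(SAMPLE_LOG, table):
        print(f"{r['port']:>6} {r['proto']:5} {r['count']:>5} {r['sources']:>5}  {r['service']}")
```

On a live box the same two calls run over the real data, for example `summarise(open("/var/log/kern.log").read(), load_services())` (the log path is an assumption; it depends on the distribution's syslog configuration and on a LOG rule with a recognisable prefix). The name column answers only Newsbox's narrow question, which port number was probed and what IANA assigned it to; as Greg points out, nothing obliges the sending program to honour that assignment, so an entry of "unassigned/unknown" for 1026/udp is the honest result, and the hit and distinct-source counts say more about whether something is a scan than the service name does.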