OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Arakangel Michael on March 20, 2017, 07:26:12 am

Title: IP Intel / AV Plugins?
Post by: Arakangel Michael on March 20, 2017, 07:26:12 am
I have a VoIP phone that someone was trying to port scan (at least) the other day. It has a few SIP test accounts on it. One of the providers apparently got hacked. The first round of scans came over a VPN tunnel in Germany. So I Geo Blocked the world 'United States (not)'. A few hours later they started again from a U.S. IP.

I was looking for a way to automatically lookup if an IP is a known VPN tunnel, or TOR Relay. I came across GetIPIntel, which accurately classified all the IPs I threw at it. For now I just disabled inbound calls from that provider. This would be a fantastic option along the lines of GeoIP / SpamHaus Drop / eDrop (which are already configured).

He provides some php code for this:
https://github.com/blackdotsh/getIPIntel

I like the multi scanner AV approach that VirusTotal provides. There is apparently an ICAP server for this here:
https://github.com/sooshie/VirusTotal-ICAP

I don't personally trust Symantec or McAfee (lots of problems with their software over the years). Kaspersky apparently doesn't know which SKUs support ICAP (Storage Server?)

I reached out to VirusTotal to ask them if it would violate their ToS for home use, and about the possibility of using their commercial version 'VirusTotal Intelligence', though I don't know what that would cost. I'll update this if I hear back from them. It's possible these guys are worth a shot as well:
https://www.opswat.com/solutions/prevent-malicious-downloads-proxy-servers-icap

Update:
I heard back from VirusTotal. Asking about using the ICAP server listed above, they just said that I needed the public API key (by signing up for a free account), so I'm guessing that it doesn't violate the ToS. I haven't heard back regarding pricing yet for their business / intelligence subscription.

Here is a 'setup' link for Metadefender:
https://www.opswat.com/blog/scan-network-traffic-using-proxy-server-metadefender-proxy


Title: Re: IP Intel / AV Plugins?
Post by: fabian on March 20, 2017, 08:44:10 am
He provides some php code for this:
https://github.com/blackdotsh/getIPIntel

Forget this, because it is useless. It will send the IP to an external server and return the result. This is only a wrapper around an HTTP service. Without the databases it cannot be used for anything except doing a single check. In some countries, an IP address is PII which means it is probably illegal to use such a service because you send an IP address to an external server without consent.

I like the multi scanner AV approach that VirusTotal provides. There is apparently an ICAP server for this here:
https://github.com/sooshie/VirusTotal-ICAP

I don't personally trust Symantec or McAfee (lots of problems with their software over the years). Kaspersky apparently doesn't know which SKUs support ICAP (Storage Server?)
Does not look maintained (a single commit). BTW: In OPNsense you need RESPMOD AND REQMOD.

I reached out to VirusTotal to ask them if it would violate their ToS for home use, and about the possibility of using their commercial version 'VirusTotal Intelligence', though I don't know what that would cost. I'll update this if I hear back from them. It's possible these guys are worth a shot as well:
https://www.opswat.com/solutions/prevent-malicious-downloads-proxy-servers-icap
If you don't trust those products, why do you want to use VirusTotal?

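Added example (not code from OPNsense, from the VirusTotal-ICAP project or from any ICAP server) to make the REQMOD/RESPMOD point in the reply above concrete: what the proxy sends a scanner for an upload (REQMOD, the client's request with its body) and for a download (RESPMOD, the client's request headers plus the origin server's response), and how the Encapsulated header of RFC 3507 locates each HTTP part inside the ICAP body. A scanner that implements only one of the two service types never sees the other direction of traffic. The host name, service paths and HTTP messages are constructed for the example:

```python
"""Building the two ICAP request types a scanning proxy sends.

Added example; not code from OPNsense, the VirusTotal-ICAP project or any
ICAP server.  Host name, service paths and the sample HTTP messages are
constructed (RFC 2606 documentation names).
"""
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"

# Constructed sample HTTP messages.
CLIENT_REQ = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Content-Type: application/octet-stream\r\nContent-Length: 14\r\n\r\n")
CLIENT_BODY = b"sample payload"          # 14 bytes, matches Content-Length
ORIGIN_REQ = b"GET /files/tool.bin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ORIGIN_RES = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              b"Content-Length: 14\r\n\r\n")
ORIGIN_BODY = b"sample payload"


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus the terminating zero-length chunk."""
    return f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_icap_request(method: str, host: str, service: str, req_hdr: bytes,
                       res_hdr: Optional[bytes] = None,
                       body: Optional[bytes] = None) -> bytes:
    """Assemble a REQMOD or RESPMOD request (RFC 3507 section 4.4).

    req_hdr / res_hdr are complete HTTP header blocks ending in a blank line.
    Encapsulated offsets count bytes from the start of the ICAP body and are
    listed in the order the sections appear; a message with headers only
    ends with null-body=<offset>.
    """
    if method not in ("REQMOD", "RESPMOD"):
        raise ValueError("ICAP method must be REQMOD or RESPMOD")
    if method == "RESPMOD" and res_hdr is None:
        raise ValueError("RESPMOD carries the origin server's response headers")
    sections, entries, offset = [], [], 0
    entries.append(f"req-hdr={offset}")
    sections.append(req_hdr)
    offset += len(req_hdr)
    if method == "RESPMOD":
        entries.append(f"res-hdr={offset}")
        sections.append(res_hdr)
        offset += len(res_hdr)
    if body is None:
        entries.append(f"null-body={offset}")
    else:
        kind = "res-body" if method == "RESPMOD" else "req-body"
        entries.append(f"{kind}={offset}")
        sections.append(chunked(body))
    head = (f"{method} icap://{host}{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "Allow: 204\r\n"   # we accept '204 Unmodified' instead of an echo
            f"Encapsulated: {', '.join(entries)}\r\n\r\n").encode()
    return head + b"".join(sections)


def split_icap(msg: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split an ICAP message into start line, header map and encapsulated body."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def encapsulated_offsets(headers: Dict[str, str]) -> Dict[str, int]:
    """Parse 'req-hdr=0, res-hdr=57, res-body=137' into {'req-hdr': 0, ...}."""
    offsets: Dict[str, int] = {}
    for item in headers.get("encapsulated", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            offsets[name] = int(value)
    return offsets


def icap_verdict(response: bytes) -> str:
    """Interpret the scanner's reply as the proxy would: 204 means forward the
    original message unchanged, 200 means use the encapsulated (possibly
    replaced, e.g. a block page) message, anything else is an error."""
    status, _, _ = split_icap(response)
    code = int(status.split()[1])
    if code == 204:
        return "pass"
    if code == 200:
        return "modified"
    return f"error:{code}"


def demo() -> Tuple[bytes, bytes]:
    """The two requests a proxy sends: one for an upload, one for a download."""
    reqmod = build_icap_request("REQMOD", "icap.example.net", "/reqmod",
                                CLIENT_REQ, body=CLIENT_BODY)
    respmod = build_icap_request("RESPMOD", "icap.example.net", "/respmod",
                                 ORIGIN_REQ, ORIGIN_RES, ORIGIN_BODY)
    return reqmod, respmod


if __name__ == "__main__":
    for msg in demo():
        print(msg.decode("ascii"))
```

Running the block prints both requests as they go on the wire. icap_verdict covers the only two outcomes the proxy acts on: 204 (forward unchanged, permitted because the request advertised Allow: 204) and 200 (replace the message with what the scanner returned, typically a block page).
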
Title: Re: IP Intel / AV Plugins?
Post by: Arakangel Michael on March 20, 2017, 07:58:08 pm
I'm not looking for someone else to maintain this for me. I am opening a discussion about how to include these features as plugins. I don't know enough about programming to do this without community input.

It's hardly 'useless'. For my own network, and for clients, why would I want someone connecting over a VPN that isn't part of their network, or over a Tor relay? No client would ever connect from such an address, so it would be good to block them all out of the gate.

I have contributed Tor relays in the past, will do so in the future, however it is a lightweight defense in depth strategy to prevent those IPs from touching DMZ servers anyway; there is no reason to allow it. For SMBs, and home offices you would basically never need to connect from 'those IPs'.

Symancrap has been nothing but errors for me across a dozen years. More often than not that software has been disabled by malware rather than actually prevented an infection. This includes a few different Symantec and Norton engines. If you have ever installed their server component that was Java dependent, you would find that more often than not, after a random few weeks to months, more than 2/3 of the time the server itself would fail to start with a 'Java -1' error, and was basically never fixable without re-installing. After documenting the fifth fix for that worthless engine I swore off their software.

Mcafee, and his bag of orange powder had generally worse issues. My first experience with it was on a laptop with 256 MB of RAM, that Mcrapee happily consumed some ~500 MB of. It had consistently worse detection ratios than Crapmantec.

I have a long memory, when organizations like these display such apathy, arrogance, or indifference regarding their project management, or code quality, I don't do business with them anymore. Put another way, if they can't protect themselves, how can they protect the infrastructure?

I am certain those two vendors have improved their products, but even if they were free, they wouldn't be worth using. After many years, both products finally became usable, and could install themselves in under 15 minutes. What other programming gremlins remain? Their codebase was huge! Symantec specifically was still shipping with TDI drivers even after it was deprecated. Those caused performance issues, as well as the occasional blue screen. I was surprised to read the Stuxnet dossier by Symantec, which was very well done. It made me realize that Symantec does actually employ talented people, who are allowed to fix problems. It shows a sick corporate culture, which is prevalent throughout the U.S.: greed, apathy, and arrogance. It is a cancer. Here is a list of processes that Stuxnet would check for (some of which it could actually infect):

• umxagent, Tiny Personal Firewall
• cfgintpr, Tiny Personal Firewall
• umxldra, Tiny Personal Firewall
• amon, Tiny Activity Monitor
• UmxCfg, Tiny Personal Firewall
• UmxPol, Tiny Personal Firewall
• UmxTray, Tiny Personal Firewall
• vsmon, ZoneAlarm Personal Firewall
• zapro, ZoneAlarm Personal Firewall
• zlclient, ZoneAlarm Personal Firewall
• tds-3, TDS3 Trojan Defense Suite
• avp, Kaspersky
• avpcc, Kaspersky
• avpm, Kaspersky
• kavpf, Kaspersky
• kavi, Kaspersky
• safensec, SafenSoft
• snsmcon, SafenSoft
• filemon, Sysinternals Filemon
• regmon, Sysinternals Filemon
• FrameworkService, McAfee
• UpdaterUI, McAfee
• shstat, McAfee
• naPrdMgr, McAfee
• rapapp.exe, Blackice Firewall
• blackice.exe, Blackice Firewall
• blackd.exe, Blackice Firewall
• rcfgsvc.exe
• pfwcfgsurrogate.exe, Tiny Personal Firewall
• pfwadmin.exe, Tiny Personal Firewall
• persfw.exe, Kerio Personal Firewall
• agentw.exe, Kerio Personal Firewall
• agenta.exe, Kerio Personal Firewall
• msascui.exe, Windows Defender
• msmpeng.exe, Windows Defender
• fssm32.exe, F-Secure
• fsgk32st.exe, F-Secure
• fsdfwd.exe, F-Secure
• fsaw.exe, F-Secure
• fsavgui.exe, F-Secure
• fsav32.exe, F-Secure
• fsav.exe, F-Secure
• fsma32.exe, F-Secure
• fsm32.exe, F-Secure
• fsgk32.exe, F-Secure

If the code isn't stable, reliable, and fast, there is no reason to run it. If the code itself is an attack vector there is a very good reason not to run it. The engines may be able to detect non-polymorphic malware, but I wouldn't run either of those two vendors, or Trend Micro, on an endpoint that I cared about. Too slow, too error prone, and generally I would be called in to clean up what those 'security solutions' should have caught in the first place. Webroot, Panda, Eset, Kaspersky, Avira, Giant Anti-Spyware, MalwareBytes, the newer versions of Bitdefender, and a few others are worth the expense.

Title: Re: IP Intel / AV Plugins?
Post by: Arakangel Michael on March 20, 2017, 08:17:22 pm

In some countries, an IP address is PII which means it is probably illegal to use such a service because you send an IP address to an external server without consent.

I am not an attorney, and this isn't legal advice. That said I doubt current case law would uphold a judgment against submitting an IP address by itself for the purpose of 'IP reputation' checking or similar. An IP address isn't classified as PII by itself in any case. All the more so, if that IP just connected to you dozens of times on the same port, indicating more intent than just a simple port scan.

It is no different than the drop / edrop lists, just with more intelligence, and faster updating. The point being for a user connecting to a service that is otherwise allowed to be checked before allowing access.

'The law' tends to be overly vague, so that enforcement can proceed, and there is less chance for someone to 'get away with' something. That said the law should serve man. Men should not fear the law:

https://nmap.org/book/legal-issues.html

"These laws are meant to ban the distribution, use, and even possession of “hacking tools”. For example, the UK amendment to the Computer Misuse Act makes it illegal to “supply or offer to supply [a program], believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act violation]”"

What's a 'hacking tool'? netcat? hping? To me they're security tools. How does a court test that you believed something? It's overly arcane, and basically useless.