SMB Enumeration Detection, Port Scans etc... Could do more HIPSy things!

Love this firewall - Would be great if GlassWire could detect (among a list of many sh*tty things) incoming SMB enumeration and RDP attack attempts and block the offending IP address? Was on a public hotel network (yeah, we know… I was forced, based on limited connectivity) a few months ago and almost got pwned by either some jackass running SMB enums or someone’s computer that was hijacked with malware. Great also if we could have attacker thumbprint and fingerprint detection, and some ARP poison detection as well. As far as I can tell, it’s not built in and I cannot see where I’d enable it or customize it. I can run Snort, but it won’t BLOCK an attacker. I’d double my license fee if you can do this; most others would as well. There isn’t a solution out there that doesn’t cost enterprise-level $$$$. Please consider! THANKS!!! What else would you guys & girls love to see added to GlassWire in this (HIPS) realm?

@NoMoreFudgicles

Thanks for your feedback. We agree!

We do have a successful RDP connection monitor (but not failed attempts yet), Evil Twin Attack Detection, ARP spoofing, and some other things. Go to the top left GlassWire menu and choose Settings/Security to see, and our list of alerts is also here: https://www.glasswire.com/dictionary/.

How do you detect SMB enumeration with Windows?

1 Like

My GlassWire installations are on paranoid mode, I’ve enabled ALL of those options, and somehow missed reading the ARP poison detection (although it was still enabled) lol.

As far as SMB enums go, they’re likely only detectable through the log entries; many enterprise IPS appliances/agents will alert on this and on null session pipes. If you search SMB enumeration, there are a bunch of resources that show what the log entries look like, or set up a Windows box and try it. A bunch of pentesting tools can do this easily.

1 Like
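As an added example of what the log-based detection above looks like (my own script, not GlassWire code and not from any tool mentioned in this thread): it pulls Windows Security event 5145 (network share access check) and flags source IPs that hammer the IPC$ share via anonymous logon or the usual enumeration pipes. It assumes file share auditing is enabled so 5145 is logged; the 10-minute window, the threshold and the pipe list are assumptions to tune.

```powershell
# Added example (not GlassWire code): flag bursts of anonymous / null-session
# IPC$ access in the Windows Security log, a common trace of SMB enumeration.
# Assumes "Audit Detailed File Share" is enabled so event 5145 is written.
# Window, threshold and pipe list are assumptions; tune them for your host.
param(
    [int]$WindowMinutes = 10,
    [int]$Threshold     = 20
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# 5145 carries the share name, the relative target (pipe name on IPC$),
# the account and the client IP in its EventData fields.
$shareChecks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5145
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        SourceIP = $d['IpAddress']
        Account  = $d['SubjectUserName']
        Share    = $d['ShareName']           # e.g. \\*\IPC$
        Target   = $d['RelativeTargetName']  # e.g. srvsvc, samr, lsarpc
    }
}

# Null-session style enumeration: ANONYMOUS LOGON touching IPC$, or access to
# the RPC pipes used to list shares, users and policy (assumed pipe list).
$suspicious = $shareChecks | Where-Object {
    $_.Share -like '*IPC$' -and (
        $_.Account -eq 'ANONYMOUS LOGON' -or
        $_.Target -in @('srvsvc', 'samr', 'lsarpc', 'wkssvc', 'netlogon')
    )
}

# One line per noisy client; these IPs are what a firewall block rule
# (e.g. New-NetFirewallRule -Direction Inbound -Action Block) would take.
$suspicious |
    Group-Object SourceIP |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $pipes = ($_.Group.Target | Sort-Object -Unique) -join ','
        '{0}: {1} IPC$ checks in {2} min (pipes: {3})' -f $_.Name, $_.Count, $WindowMinutes, $pipes
    }
```

Run it from an elevated PowerShell prompt, since reading the Security log requires administrator rights.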

@NoMoreFudgicles

We will check it out, thank you. Also, if you have other ideas for similar detections we could look for in the future please post them.

We have thought about just reading the Windows Event Logs so other apps could drop alerts there that we could read too, but we worry it could become annoying with too many alerts.

I sure will. Thanks for the reply! There are patterns that should be possible to pick up by monitoring the logs, and then potentially block the subsequent enum requests to the OS. I’ll send more info as I collect it.

1 Like

If reading OS logs is still an idea, I think it would be extremely useful. Users can always suppress alerts, if required. The protection value would be well worth it.

You could double the cost of this firewall if you could include all of these features, and it would still be a good value.

BTW, it would be great if one could snooze alerts for additional increments of time, up to 24 hours, like 15 min, 1 h, 4 h, 8 h, 12 h, 24 h… I keep forgetting to resume alerts when I only need it for less than 24 hrs, which is almost every Mon-Fri. Thanks!

1 Like

Our next update will optionally send our alerts to the Windows Event Logs so they can be read by other third-party apps that read that log.

1 Like

I was talking about the opposite: actually watching the Windows logs for things like SMB enum attacks etc., then alerting me.

1 Like