Bugtraq
mailing list archives
Re: NtWakO BlackICE sig missing
From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Wed, 27 Feb 2002 22:14:23 -0500 (EST)
In regards to the "advisory" posted February 14th:
NtWaK0 Advisory
Affected : BlackIce 2.9 car Latest with patch
Type : DOS attacks with URG Flag Set ARE NOT LOGGED
Official Response:
As far as I can tell, this "advisory" states that the IDS
doesn't have a signature that somebody expected it to have. I
am not sure that this is really bugtraq material. However,
customers have asked about this bugtraq posting and want an
official vendor response. This response is that we are looking
at the signature to see if we want to add it.
On the other hand, there have been cases before of vendors not
quite understanding the nature of the "bug" that was presented
to them. If I have misinterpreted the "advisory", please
send me e-mail.
Unofficial Response:
One of our engineers describes the problem as:
Yes, it is true that we do not announce when we see TCP
packets with just the URG bit set. However, there are
many other unusual combinations of TCP bits that we
don't announce, because of the fear of false positives.
We currently announce TCP flag combinations which are
characteristically sent by scanning programs such as Queso
and nmap. We also announce combinations which have
caused some TCP implementations to crash. But my
fear-of-false-positives means that we don't announce
ALL possible illegal combinations; after all, we don't
want to start World War III - see
http://www.washingtonpost.com/wp-dyn/articles/A6846-2002Feb13.html
Of course, detecting the URG bit by itself could be
added trivially.
If people can point me to something well-known that uses
URG by itself, then we'll of course add that signature.
I would also be interested in any other IDS that supports
this signature; if somebody else triggers on it, it is more
likely to be important.
The reason I describe this as the "unofficial" response is
that there is a little trick you can use to add this
signature. However, it is UNSUPPORTED, UNTESTED, and POORLY
DOCUMENTED. As an official from the company, I can't recommend
you use this feature, but it may be interesting for
entertainment purposes. Add the following lines to the
"blackice.ini" file:
trons = enabled
trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
trons.filename = trons-needs-filename-even-if-dont-exist
I can't stress enough that this feature is unsupported and that
you can't get any help from us about this feature at this time.
However, you might find documentation somewhere on the net :-).
As a user, I added those lines and transmitted the packet
described in the NtWaK0 message, and BlackICE triggered on it.
Robert Graham
Internet Security Systems
PS: I'll be putting a small TRONS document up on my personal
website tomorrow. The link will be:
http://robertgraham.com/pubs/ids/trons.html
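The rule quoted in the message uses Snort-style syntax. As an added illustration (not Robert Graham's or ISS's code, and not part of the original post), the Python toy below parses that exact rule line, applies its `flags` option to constructed TCP headers, and shows why an exact-match rule fires on the URG-only probe but not on an ordinary segment that carries urgent data with ACK set. The flag semantics (a bare letter list matches only those exact flags, a trailing `+` means at-least, a trailing `*` means any-of) are assumed to follow Snort; the message describes TRONS as poorly documented, so they are not confirmed for BlackICE. All packets are built inline and are not captured traffic.

```python
"""Toy matcher for the TCP `flags` option of a Snort-style rule.

Constructed example: the rule and the TCP headers below are built inline.
Flag semantics follow Snort's `flags` option (assumption, not confirmed for
TRONS): a bare flag list matches only when exactly those flags are set, a
trailing `+` matches when at least those flags are set, a trailing `*`
matches when any of them is set, and `0` matches a header with no flags.
"""
import re
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
CLASSIC_FLAG_MASK = 0x3F  # the six classic flags; ECN bits are ignored here

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Parse the header and the `msg`/`flags` options of one rule line.

    Option values are split on ';', so a msg containing ';' is not supported
    by this toy.
    """
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule: %r" % text)
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {
        "action": m.group("action"),
        "proto": m.group("proto").lower(),
        "msg": opts.get("msg", ""),
        "flags": opts.get("flags", ""),
    }


def flags_match(spec, flag_byte):
    """Evaluate a Snort-style flags spec against a packet's TCP flag byte."""
    modifier = ""
    if spec and spec[-1] in "+*":
        modifier, spec = spec[-1], spec[:-1]
    have = flag_byte & CLASSIC_FLAG_MASK
    if spec == "0":
        return have == 0
    want = 0
    for ch in spec:
        want |= FLAG_BITS[ch]  # KeyError on an unknown flag letter is deliberate
    if modifier == "+":
        return have & want == want
    if modifier == "*":
        return have & want != 0
    return have == want


def tcp_flags(tcp_header):
    """Return the flag byte (offset 13) of a raw TCP header of >= 20 bytes."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header: zero seq/ack, window 1024, checksum 0."""
    offset_flags = (5 << 12) | flags  # data offset 5 words, flags in low byte
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 1024, 0, 0)


def evaluate(rule, packets):
    """Return (packet name, msg) for every packet the rule alerts on."""
    hits = []
    for name, hdr in packets:
        if rule["proto"] == "tcp" and flags_match(rule["flags"], tcp_flags(hdr)):
            hits.append((name, rule["msg"]))
    return hits


# The rule line from the message, parsed as written.
URG_RULE = parse_rule('alert tcp any any -> any any (msg:"URG Scan";flags:U;)')

# Constructed packets: the URG-only probe plus ordinary traffic that must not fire.
PACKETS = [
    ("urg-only", build_tcp_header(40000, 80, FLAG_BITS["U"])),
    ("syn", build_tcp_header(40001, 80, FLAG_BITS["S"])),
    # Urgent data on an established connection always travels with ACK set.
    ("urg-ack-psh", build_tcp_header(40002, 80, FLAG_BITS["U"] | FLAG_BITS["A"] | FLAG_BITS["P"])),
    ("null", build_tcp_header(40003, 80, 0)),
]


def urg_scan_hits():
    return evaluate(URG_RULE, PACKETS)


if __name__ == "__main__":
    for name, msg in urg_scan_hits():
        print("%s: %s" % (name, msg))
```

Only the URG-only header trips the rule; the `urg-ack-psh` header, which is what a legitimate segment carrying urgent data looks like, does not, because a bare `flags:U` is an exact match. Writing `flags:U+` instead would fire on that traffic too, which is the false-positive trade-off the engineer's reply describes.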