mailing list archives
Re: NtWakO BlackICE sig missing
From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Wed, 27 Feb 2002 22:14:23 -0500 (EST)
In regards to the "advisory" posted February 14th:
Affected : BlackIce 2.9 car Latest with patch
Type : DOS attacks with URG Flag Set ARE NOT LOGGED
As far as I can tell, this "advisory" states that the IDS
doesn't have a signature that somebody expected it to have. I
am not sure that this is really bugtraq material. However,
customers have asked about this bugtraq posting and want an
official vendor response. This response is that we are looking
at the signature to see if we want to add it.
On the other hand, there have been cases before of vendors not
quite understanding the nature of the "bug" that was presented
to them. If I have misinterpreted the "advisory", please
send me e-mail.
One of our engineer describes the problem as:
Yes, it is true that we do not announce when we see TCP
packets with just the URG bit set. However, there are
many other unusual combinations of TCP bits that we
don't announce, because of the fear of false positives.
We currently announce TCP flag combinations which are
characteristicly sent by scanning programs such as Queso
and nmap. We also announce combinations which have
caused some TCP implementations to crash. But my
fear-of-false-positives means that we don't announce
ALL possible illegal combinations; after all, we don't
want to start World War III - see
Of course, detecting the URG bit by itself could be
If people can point me to something well-known that uses
URG by itself, then we'll of course add that signature.
I would also be interested in any other IDS that supports
this signature; if somebody else triggers on it, it is more
likely to be important.
The reason I describe this as the "unofficial" response is
that there is a little trick you can use to add this
signature. However, it is UNSUPPORTED, UNTESTED, and POORLY
DOCUMENTED. As an official from the company, I can't recommend
you use this feature, but it may be interesting for
entertainment purposes. Add the following lines to the
trons = enabled
trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
trons.filename = trons-needs-filename-even-if-dont-exist
I can't stress enough that this feature is unsupported and that
you can't get any help from us about this feature at this time.
However, you might find documentation somewhere on the net :-).
As a user, I added those lines and transmitted the packet
described in the NtWaK0 message, and BlackICE triggered on it.
Internet Security Systems
PS: I'll be putting up a small TRONS document up on my personal
website tomorrow. The link will be:
- Re: NtWakO BlackICE sig missing Graham, Robert (ISS Atlanta) (Mar 01)