mailing list archives
Re: [PEN-TEST] BlackICE
From: Eric <ews () TELLURIAN NET>
Date: Wed, 13 Sep 2000 13:13:24 -0700
1. It takes a computer with not many or no ports open and opens ports
on them, thereby making your computer an attractive target for would-be
>>I don't see this at all. What version are these people running? I've
been running it for a long time on a combination of NT4 and Win2K machines
and have never noticed additional listening ports aside from the ports
opened by the OS itself.
2. The logs it creates are nonstandard and difficult to get at. I need to see
src port and IP, destination port and IP, and I don't want to see what BlackICE
interprets... The logs are also not very informative.
>>This is not the tool for you. You'd be much better off running WinRoute
Pro to gather this info - although WRP is not an IDS-like system. WRP and
BI work well in tandem.
3. I've had many instances where BlackIce has misinterpreted a traceroute or a
ping for an attack.
>>I dare you to find another product for NT - along the same functional
lines as BI, that will log Win32 API calls like BI does. BI records
netuserenum calls, netlocalgroup get calls, nettransportenum calls,
etc. It also records when someone remotely dumps your password file. I
don't know of any other product that will tell me when someone has mounted
a HackNT attack (as described in Hacking Exposed) and differentiate between
each of the different Win32 calls that are being made. I'll buy any
product for $30 that tells me what the more expensive products won't.
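The reply above values BlackICE for recording individual Win32 enumeration calls (NetUserEnum, NetLocalGroup*, NetTransportEnum) rather than just flagging "an attack". The following is an added example, not code from the original post or from BlackICE, showing the kind of correlation a practitioner would want on top of such per-call records: group enumeration calls by source address and raise one alert when several distinct calls arrive from the same source within a short window, which is the signature of a Hacking Exposed style null-session enumeration run. The log line format is constructed for the example (BlackICE's real log format is not reproduced here), and the expansion of "netlocalgroup get" to NetLocalGroupGetMembers is an assumption. Single ICMP events (ping, traceroute) never appear in the call set, so they cannot trip this rule, which addresses the false-positive complaint in point 3.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp src=... call=..." format.
# This is NOT BlackICE's own log format; it stands in for any per-API-call record.
SAMPLE_EVENTS = """\
2000-09-13 13:01:02 src=10.0.0.7 call=NetUserEnum
2000-09-13 13:01:05 src=10.0.0.7 call=NetLocalGroupGetMembers
2000-09-13 13:01:09 src=10.0.0.7 call=NetTransportEnum
2000-09-13 13:02:00 src=10.0.0.9 call=NetUserEnum
2000-09-13 13:20:00 src=10.0.0.9 call=NetTransportEnum
"""

# Calls named in the post; NetLocalGroupGetMembers is assumed for "netlocalgroup get".
ENUM_CALLS = {"NetUserEnum", "NetLocalGroupGetMembers", "NetTransportEnum"}
WINDOW = timedelta(minutes=5)   # correlation window per source address
THRESHOLD = 2                   # distinct enumeration calls needed to alert

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) call=(\S+)$")


def parse_events(text):
    """Parse the constructed log format into (timestamp, src, call) tuples.
    Lines that do not match are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_enumeration(events):
    """Return {src: sorted distinct calls} for every source that issued at
    least THRESHOLD distinct enumeration calls inside one WINDOW.
    A single call, or calls spread far apart in time, does not alert."""
    by_src = defaultdict(list)
    for ts, src, call in events:
        if call in ENUM_CALLS:
            by_src[src].append((ts, call))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        # Slide a window starting at each event; alert on the first window
        # that contains THRESHOLD distinct call names.
        for i, (t0, _) in enumerate(evs):
            calls = {c for t, c in evs[i:] if t - t0 <= WINDOW}
            if len(calls) >= THRESHOLD:
                hits[src] = sorted(calls)
                break
    return hits


if __name__ == "__main__":
    for src, calls in find_enumeration(parse_events(SAMPLE_EVENTS)).items():
        print(f"enumeration from {src}: {', '.join(calls)}")
```

Run as a script it reports only 10.0.0.7, whose three calls land within seven seconds; 10.0.0.9 makes two calls eighteen minutes apart and stays below the threshold. The window and threshold are the two knobs to tune against a host's normal management traffic before trusting the alert.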