Fw: Re: blackice ignoring port 113

["Talisker" <Talisker () networkintrusion co uk>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Robert Grahams Reply to the mail

www.networkintrusion.co.uk
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Robert Graham" <bugtraq () NETWORKICE COM>
To: <BUGTRAQ () securityfocus com>
Sent: Sunday, July 23, 2000 2:11 AM
Subject: Re: blackice ignoring port 113


> BlackICE Defender ships with the following defaults. All these
> defaults can be changed by the user. These settings were chosen
> because we believe they provide an adequate compromise between
> acceptable security and ease-of-use for the less  knowledgeable
> user. I stress words like "compromise" and "acceptable" because
> high-security is not acceptable to most consumers.
>
> The product is highly configurable for the expert user; though
> we probably need to document things better.
>
> Allow port 113 (TCP)
>   A lot of ISPs do reverse-identd lookups that cause e-mail sesssions
>   to timeout if they don't get back a response (RST or SYN-ACK).
>   Also, a lot of consumer packages install identd listeners, and
>   sometimes they need to be enabled in order to allow access to
>   their servers.
>   Remember that BlackICE is a network-IDS: it does check for
>   identd exploits even if they are allowed through the firewall
>   component by default.
>   If you want to change this, edit "firewall.ini" config file.
>
> Allow ports above 1024
>   This is the default configuration as shipped. Not wonderful. It
>   stops most of the common mistakes users make, but lets most apps
>   run correctly. BlackICE does have numerous stateful-packet filters
>   (e.g. non-PASV FTP clients always work), but we don't have enough
>   to default to firewalling on all ports as shipped.
>   The user can change this with a click of the mouse, as well
>   as editing "firewall.ini".
>
> Logging of events
>   We store all events to a file "attack-list.csv", but we only
>   "display" the most recent 50k worth of events. Beyond that,
>   you probably want to use 3rd party utilities like ClearICE
>   or Excel.
>
> Displaying port scan data
>   We are criticized from both sides of not showing enough data
>   and showing too much. Sigh. Anyway, list of ports scanned on the
>   machine is stored in "attack-list.csv" as an extra column in
>   the file. You can display this extra column. Right-mouse-click
>   on the column titles in order to edit what info is displayed.
>
> Sniffing
>   By default, it saves just those packets that trigger alerts.
>   In rare conditions, you own logon failures to your own ISP
>   might trigger an alert, causing that data to be saved to a file.
>   BlackICE has the really cool feature of being able to save a
>   record of all network traffic passing through the system. If
>   you are truly paranoid (like me), you should save all traffic.
>
> DNS and NetBIOS lookups
>   I really want to disable them, but they have proven useful so
>   many times I believe the benefits outweigh the risks. A huge
>   number of users have successfully caught friends/families/enemies
>   this way. Remember these people who get the most value from
>   the product are not very knowledgeable.
>
> What is BlackICE Defender?
>   BlackICE Defender is a simplified version of our full network-IDS.
>   It scans network traffic (non-promiscuous) looking for signs
>   of intrusion. A list of most intrusions it detects is at:
>   http://advice.networkice.com/advice/intrusions
>   It also contains a small personal firewall, hence the "defender"
>   moniker.
>
> Robert Graham
> CTO/Network ICE
>
>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () securityfocus com]On Behalf Of vali
> Sent: Saturday, July 22, 2000 9:27 AM
> To: BUGTRAQ () securityfocus com
> Subject: blackice ignoring port 113
>
>
> It's as simple as that, blackice (a somehow popular windows firewall) is
> ignoring TCP trafic with destination port 113 (even with "paranoid"
seting).
> The most simple way to try this is
>
> nmap -sS -p 113 -P0 victim (victim's blackice is silent)
> nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").
>
> Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
> blackdll.dll = 2.1.22) on both win95 OSR 2 ans win98 SE.
>
> This is not much, but is a simple way to flood a computer without blackice
> reacting in any way. Also, if somebody is using a buggy ident server this
is
> fatal (irc clients install sometimes ident servers, without users
> knowledge).
>
> Other comments regarding BlackIce:
>
> Blackice is doing a good job in stoping malformed packets "bad" for
> Microsoft
> IP stacks (including IGMP, fragmented ICMP aka teardrop, etc, etc). Can
> detect
> nmap stealth scan but there is no simple way to tell from the interface
the
> port scaned (if the port is not a "standard" port). Anyway, it has
> extensive logging capabilities. In fact with "logging" and "evidence
> logging"
> enabled sniffed sessions can linger in Blackice folder, alongside with
> sensitive information like passwords.
> Blackice can do (automatic)  DNS reverse lookup and a Netbios scan for the
> atackers (wich can be a *very* bad thing). I think this feature is enabled
> by
> default.
>
> Blackice seems to have some limits for the number of packets loged and for
> the
> alerts displayed. This is a good thing and a bad thing. This limit the
> memory
> used but some packets can go unnoticed (and if someone send a lot of
spoofed
> packets the real atack will go unnoticed).