RE: Fw: blackice ignoring port 113

["Meritt, Jim" <Jim.Meritt () wang com>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Sheer coincidence, of course, that it is YOUR URL...

Does this fit under the heading of "SPAM: DO NOT send unsolicted mail to
this list."?

BTW:  I read bugtraq...

_______________________
The opinions expressed above are my own.  The facts simply are and belong to
none. 
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.


> -----Original Message-----
> From: Talisker [mailto:Talisker () networkintrusion co uk]
> Sent: Sunday, July 23, 2000 8:14 AM
> To: ids () uow edu au; FOCUS-IDS () securityfocus com
> Subject: IDS: Fw: blackice ignoring port 113
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owner () uow edu au
> NOTE: Remove this section from reply msgs otherwise the msg 
> will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> --------------------------------------------------------------
> ---------------
> Found this on Bugtraq this morning
>
> www.networkintrusion.co.uk
>                     '''
>                  (0 0)
>   ----oOO----(_)----------
>   | The geek shall        |
>   |  Inherit the earth     |
>   -----------------oOO----
>                |__|__|
>                   || ||
>               ooO Ooo
>
>
> The opinions contained within this transmission are entirely 
> my own, and do
> not necessarily reflect those of my employer.
>
>
>
>
>
> ----- Original Message -----
> From: "vali" <vali () iname com>
> To: <BUGTRAQ () securityfocus com>
> Sent: Saturday, July 22, 2000 5:27 PM
> Subject: blackice ignoring port 113
>
>
> > It's as simple as that, blackice (a somehow popular windows 
> firewall) is
> > ignoring TCP trafic with destination port 113 (even with "paranoid"
> seting).
> > The most simple way to try this is
> >
> > nmap -sS -p 113 -P0 victim (victim's blackice is silent)
> > nmap -sS -p any_other_port -P0 victim (blackice says "tcp 
> port probe").
> > Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
> > blackdll.dll = 2.1.22) on both win95 OSR 2 ans win98 SE.
> >
> > This is not much, but is a simple way to flood a computer 
> without blackice
> > reacting in any way. Also, if somebody is using a buggy 
> ident server this
> is
> > fatal (irc clients install sometimes ident servers, without users
> knowledge).
> > Other comments regarding BlackIce:
> >
> > Blackice is doing a good job in stoping malformed packets "bad" for
> Microsoft
> > IP stacks (including IGMP, fragmented ICMP aka teardrop, 
> etc, etc). Can
> detect
> > nmap stealth scan but there is no simple way to tell from 
> the interface
> the
> > port scaned (if the port is not a "standard" port). Anyway, it has
> > extensive logging capabilities. In fact with "logging" and "evidence
> logging"
> > enabled sniffed sessions can linger in Blackice folder, 
> alongside with
> > sensitive information like passwords.
> > Blackice can do (automatic)  DNS reverse lookup and a 
> Netbios scan for the
> > atackers (wich can be a *very* bad thing). I think this 
> feature is enabled
> by
> > default.
> >
> > Blackice seems to have some limits for the number of 
> packets loged and for
> the
> > alerts displayed. This is a good thing and a bad thing. 
> This limit the
> memory
> > used but some packets can go unnoticed (and if someone send a lot of
> spoofed
> > packets the real atack will go unnoticed).