Intrusion Detection Systems mailing list archives

RE: BlackICE product description?


From: broyds () Home com (Bill Royds)
Date: Thu, 15 Jun 2000 20:13:33 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Despite the marketing-speak, it is reasonably accurate about INBOUND traffic.
It has four protection levels: Trusting, Cautious, Nervous and Paranoid.

Paranoid blocks all incoming traffic unless from trusted IP sources
Nervous blocks all TCP and standard UDP.
Cautious blocks standard TCP and standard UDP
Trusting blocks nothing (but will record).

When an inbound attempt comes in, it does an extensive signature comparison to label the attempt so the log has entries like Sub7 Trojan on port 27374.

It does NOT block outbound connections so Trojans can still have a heyday.
It is kind of a blocking IDS rather than a true firewall since it doesn't allow one to have a tailored security policy, and it is fairly simplistic in logging.
Here are the log entries for my cable connection for the last few days. Count is the number of packets combined in a log line.

#File format help at: http://www.networkice.com/Advice/Support/KB/q000018/
#Severity, timestamp (GMT),issueId, issueName, intruderIp, intruderName, victimIp, victimName, parameters, count
59, 2000-06-13 11:41:37, 2003105, SubSeven port probe, 63.226.189.115, mplsnas43poolA115.mpls.uswest.net, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
19, 2000-06-13 15:03:15, 2001507, PCAnywhere ping, 24.112.232.158, cr1015685-a.rchrd1.on.wave.home.com, 24.112.232.x, , port=5632, 1, 
59, 2000-06-14 02:01:17, 2003105, SubSeven port probe, 24.68.102.245, 24.68.102.245.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-14 11:09:01, 2002004, SNMP discovery broadcast, 24.112.93.26, cr338445-a.flfrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-14 13:37:02, 2002004, SNMP discovery broadcast, 24.112.95.3, cr711451-a.rchrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-15 00:54:31, 2003105, SubSeven port probe, 24.112.90.151, cr719470-a.flfrd1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 03:58:47, 2003105, SubSeven port probe, 212.129.4.30, dyn-212-129-4-30.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 04:17:46, 2003105, SubSeven port probe, 24.16.91.33, cx964033-a.rsmt1.occa.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 07:57:53, 2003105, SubSeven port probe, 204.215.230.26, max-roc11-26.digital.net, 24.112.232.x, , port=27374&name=Sub_7_2, 2, A
59, 2000-06-15 10:08:57, 2003105, SubSeven port probe, 24.112.235.205, cr865480-a.slnt1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 17:02:18, 2003105, SubSeven port probe, 24.112.209.106, cr853773-a.slnt1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 21:07:01, 2003105, SubSeven port probe, 24.42.34.135, cr28327-a.cambr1.on.wave.home.com, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 21:34:48, 2003105, SubSeven port probe, 212.83.132.92, ppp-92.dialup-132.worldonline.fr, 24.112.232.X, , port=1243&name=Sub_7, 1, A
59, 2000-06-15 21:35:18, 2003105, SubSeven port probe, 24.5.8.72, cx5123-a.cv1.sdca.home.com, 24.112.232.X, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 22:01:38, 2003105, SubSeven port probe, 212.129.5.79, dyn-212-129-5-79.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 1, A

-----Original Message-----
From: owner-ids () uow edu au [mailto:owner-ids () uow edu au]On Behalf Of
Greg Shipley
Sent: Thursday, June 15, 2000 04:28
To: ids () uow edu au
Subject: IDS: BlackICE product description?


I don't want to start any kind of marketing battle here, but a colleague
of mine pointed this out on Network ICE's site and now I am curious:

(See http://www.networkice.com/html/blackice_agent.html)

"BlackICE Agents actively defend each system by employing a multi-layered
defense mechanism.  Like a firewall, the first layer of protection blocks
the ports that do not need to be open on the protected machine.  The
second defense layer is the dynamic analysis of all of the traffic
destined to any open ports to ensure the validity of these communications.
While traditional firewalls cannot stop malicious activity directed at
available ports, Network ICE's 7-layer decode technology enables it to
thwart these attacks in real time."

I guess what I don't understand (and perhaps I need to do some more
homework) is whether or not this thing really DOES serve as a firewall?
What does this mean by "the ports that do not need to be open?"  Does it
block all INBOUND ports, by default?  As in, if I have file sharing
enabled on my Win32 box, will it block 135/139 out of the box? What about
other listening services?  All of them, too?

If so, this could indeed be a handy little tool to shove down the throats
of those pesky remote users.....

Me rambling,

-Greg
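The BlackICE log excerpt posted earlier in this thread follows the CSV layout named in its "#Severity, timestamp ..." header comment, with a query-string "parameters" column and a "count" column giving the number of packets folded into one line. The following parser and summary is an example added here for the archive; it is not NetworkICE's code nor the poster's. It assumes the unnamed eleventh column (the trailing "A") is a per-event flag and keeps it verbatim, and it uses five lines copied from the excerpt as its sample input.

```python
"""Parse and summarize BlackICE event-log lines (the CSV layout described by the
'#Severity, timestamp ...' header comment in the log excerpt above).
Added example, not NetworkICE's or the poster's own code."""
import csv
import io
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs

# Column order taken from the header comment in the excerpt. The header names
# ten columns; the lines carry an eleventh ("A"), assumed here to be a per-event
# flag and kept as-is under the name "flag".
FIELDS = ["severity", "timestamp", "issueId", "issueName", "intruderIp",
          "intruderName", "victimIp", "victimName", "parameters", "count", "flag"]

# Sample input: five lines copied from the log excerpt in the thread. The
# PCAnywhere line has no trailing flag, which exercises the short-row path.
SAMPLE_LOG = """\
#File format help at: http://www.networkice.com/Advice/Support/KB/q000018/
#Severity, timestamp (GMT),issueId, issueName, intruderIp, intruderName, victimIp, victimName, parameters, count
59, 2000-06-13 11:41:37, 2003105, SubSeven port probe, 63.226.189.115, mplsnas43poolA115.mpls.uswest.net, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
19, 2000-06-13 15:03:15, 2001507, PCAnywhere ping, 24.112.232.158, cr1015685-a.rchrd1.on.wave.home.com, 24.112.232.x, , port=5632, 1,
59, 2000-06-14 11:09:01, 2002004, SNMP discovery broadcast, 24.112.93.26, cr338445-a.flfrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-15 03:58:47, 2003105, SubSeven port probe, 212.129.4.30, dyn-212-129-4-30.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 07:57:53, 2003105, SubSeven port probe, 204.215.230.26, max-roc11-26.digital.net, 24.112.232.x, , port=27374&name=Sub_7_2, 2, A
"""


def parse_blackice_log(text):
    """Return one dict per event line. Lines starting with '#' are comments."""
    events = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        row = [cell.strip() for cell in row]
        # Pad short rows so a missing trailing flag still maps to "".
        row += [""] * (len(FIELDS) - len(row))
        ev = dict(zip(FIELDS, row))
        ev["severity"] = int(ev["severity"])
        ev["count"] = int(ev["count"])          # packets folded into this line
        ev["timestamp"] = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S")
        # "parameters" is a query string, e.g. port=27374&name=Sub_7_2
        ev["params"] = {k: v[0] for k, v in parse_qs(ev["parameters"]).items()}
        events.append(ev)
    return events


def summarize(events):
    """Packets per (issueName, port) using the count column, and the distinct
    intruder IPs seen per issue. Events without a port key get '-'."""
    packets = Counter()
    sources = {}
    for ev in events:
        packets[(ev["issueName"], ev["params"].get("port", "-"))] += ev["count"]
        sources.setdefault(ev["issueName"], set()).add(ev["intruderIp"])
    return packets, sources


def high_severity(events, threshold=50):
    """Events at or above the given severity value."""
    return [ev for ev in events if ev["severity"] >= threshold]


if __name__ == "__main__":
    evs = parse_blackice_log(SAMPLE_LOG)
    packets, sources = summarize(evs)
    for (issue, port), n in sorted(packets.items()):
        print(f"{issue:28s} port={port:6s} packets={n} sources={len(sources[issue])}")
    print(f"{len(high_severity(evs))} of {len(evs)} events at severity >= 50")
```

Aggregating on the count column rather than on line count matters: BlackICE folds repeated packets from the same source into one line, so a line-count summary undercounts probe volume. The script only summarizes what the log records, which is inbound activity; as noted in the thread, nothing here says anything about outbound connections.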

