Intrusion Detection Systems mailing list archives

Re: RE: BlackICE product description?
From: andyb () lexmark com (andyb () lexmark com)
Date: Fri, 16 Jun 2000 11:56:31 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
I've used Blackice at home for a while, and have the following two points to
contribute:

1) There is an .ini file (firewall.ini) that allows for more granular control.
The rules look similar to standard routing rules, and work in the same manner (i.e. DENY
and PERMIT on specific ports to/from specific hosts).  Their existence isn't
included in the manual, but if you dig through the knowledgebase pages trying
to, for instance, make ICQ (or Napster :O  ) work, you'll find them.  They
explain the file location/purpose/format fairly well.

            http://advice.networkice.com/advice/support/kb/q000017/default.htm   <--- making ICQ work
            http://advice.networkice.com/advice/support/kb/q000091/default.htm   <--- firewall.ini format

2) There are packet captures that can be read with standard network monitoring
tools that provide sniffer/analyzer levels of detail, but you need to enable
them.  They create standard .enc files that must be read with an appropriate
reader.   The FAQ on the Blackice support page points you to Robert Graham's web
pages for some tools.  I've been using the Ethereal package that's been ported
to windows.

           http://www.networkice.com/html/blackice_faq.html   <--- 2nd question, finding reader for .enc log files.

regards,
Andy

broyds%Home.com () interlock lexmark com on 06/15/2000 08:13:33 PM

To:   gshipley%neohapsis.com () interlock lexmark com,
      ids%uow.edu.au () interlock lexmark com
cc:    (bcc: Andy Brinkhorst/Lex/Lexmark)
Subject:  IDS: RE: BlackICE product description?

Despite the marketing-speak, it is reasonably accurate about INBOUND traffic.
It has four protection levels: Trusting, Cautious, Nervous and Paranoid.

Paranoid blocks all incoming traffic unless from trusted IP sources.
Nervous blocks all TCP and standard UDP.
Cautious blocks standard TCP and standard UDP.
Trusting blocks nothing (but will record).

When an inbound attempt comes in, it does an extensive signature comparison to
label the attempt, so the log has entries like Sub7 Trojan on port 27374.

It does NOT block outbound connections so Trojans can still have a heyday.
It is kind of a blocking IDS rather than a true firewall since it doesn't allow
one to have a tailored security policy and it is fairly simplistic in logging.
Here are the log entries for my cable connection for the last few days. Count is
the number of packets combined in a log line.

#File format help at: http://www.networkice.com/Advice/Support/KB/q000018/
#Severity, timestamp (GMT),issueId, issueName, intruderIp, intruderName, victimIp, victimName, parameters, count
59, 2000-06-13 11:41:37, 2003105, SubSeven port probe, 63.226.189.115, mplsnas43poolA115.mpls.uswest.net, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
19, 2000-06-13 15:03:15, 2001507, PCAnywhere ping, 24.112.232.158, cr1015685-a.rchrd1.on.wave.home.com, 24.112.232.x, , port=5632, 1,
59, 2000-06-14 02:01:17, 2003105, SubSeven port probe, 24.68.102.245, 24.68.102.245.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-14 11:09:01, 2002004, SNMP discovery broadcast, 24.112.93.26, cr338445-a.flfrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-14 13:37:02, 2002004, SNMP discovery broadcast, 24.112.95.3, cr711451-a.rchrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-15 00:54:31, 2003105, SubSeven port probe, 24.112.90.151, cr719470-a.flfrd1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 03:58:47, 2003105, SubSeven port probe, 212.129.4.30, dyn-212-129-4-30.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 04:17:46, 2003105, SubSeven port probe, 24.16.91.33, cx964033-a.rsmt1.occa.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 07:57:53, 2003105, SubSeven port probe, 204.215.230.26, max-roc11-26.digital.net, 24.112.232.x, , port=27374&name=Sub_7_2, 2, A
59, 2000-06-15 10:08:57, 2003105, SubSeven port probe, 24.112.235.205, cr865480-a.slnt1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 17:02:18, 2003105, SubSeven port probe, 24.112.209.106, cr853773-a.slnt1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 21:07:01, 2003105, SubSeven port probe, 24.42.34.135, cr28327-a.cambr1.on.wave.home.com, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 21:34:48, 2003105, SubSeven port probe, 212.83.132.92, ppp-92.dialup-132.worldonline.fr, 24.112.232.X, , port=1243&name=Sub_7, 1, A
59, 2000-06-15 21:35:18, 2003105, SubSeven port probe, 24.5.8.72, cx5123-a.cv1.sdca.home.com, 24.112.232.X, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 22:01:38, 2003105, SubSeven port probe, 212.129.5.79, dyn-212-129-5-79.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 1, A

-----Original Message-----
From: owner-ids () uow edu au [mailto:owner-ids () uow edu au]On Behalf Of
Greg Shipley
Sent: Thursday, June 15, 2000 04:28
To: ids () uow edu au
Subject: IDS: BlackICE product description?

I don't want to start any kind of marketing battle here, but a colleague
of mine pointed this out on Network ICE's site and now I am curious:

(See http://www.networkice.com/html/blackice_agent.html)

"BlackICE Agents actively defend each system by employing a multi-layered
defense mechanism.  Like a firewall, the first layer of protection blocks
the ports that do not need to be open on the protected machine.  The
second defense layer is the dynamic analysis of all of the traffic
destined to any open ports to ensure the validity of these communications.
While traditional firewalls cannot stop malicious activity directed at
available ports, Network ICE's 7-layer decode technology enables it to
thwart these attacks in real time."

I guess what I don't understand (and perhaps I need to do some more
homework) is whether or not this thing really DOES serve as a firewall?
What does this mean by "the ports that do not need to be open?"  Does it
block all INBOUND ports, by default?  As in, if I have file sharing
enabled on my Win32 box, will it block 135/139 out of the box? What about
other listening services?  All of them, too?

If so, this could indeed be a handy little tool to shove down the throats
of those pesky remote users.....

Me rambling,

-Greg


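Added example (not part of any message in this thread, and not Network ICE code): a small Python parser for the comma-separated BlackICE event log quoted above, using the column order from the log's own "#Severity, timestamp (GMT), ..." header line and a handful of records copied from that message as its input. The eleventh column ("A") is not named in the header and the thread does not explain it, so the parser keeps it as an unnamed extra field rather than guessing; the Event class, parse_blackice_log and summarize are names chosen here.

```python
import csv
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from io import StringIO
from urllib.parse import parse_qs

# Column order taken from the "#Severity, timestamp (GMT), ..." header line
# of the BlackICE log quoted in the thread.
FIELDS = ["severity", "timestamp", "issueId", "issueName", "intruderIp",
          "intruderName", "victimIp", "victimName", "parameters", "count"]

# A few records copied from the quoted log (a subset, not a full capture).
SAMPLE_LOG = """\
#File format help at: http://www.networkice.com/Advice/Support/KB/q000018/
#Severity, timestamp (GMT),issueId, issueName, intruderIp, intruderName, victimIp, victimName, parameters, count
59, 2000-06-13 11:41:37, 2003105, SubSeven port probe, 63.226.189.115, mplsnas43poolA115.mpls.uswest.net, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
19, 2000-06-13 15:03:15, 2001507, PCAnywhere ping, 24.112.232.158, cr1015685-a.rchrd1.on.wave.home.com, 24.112.232.x, , port=5632, 1,
59, 2000-06-14 11:09:01, 2002004, SNMP discovery broadcast, 24.112.93.26, cr338445-a.flfrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-15 03:58:47, 2003105, SubSeven port probe, 212.129.4.30, dyn-212-129-4-30.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 07:57:53, 2003105, SubSeven port probe, 204.215.230.26, max-roc11-26.digital.net, 24.112.232.x, , port=27374&name=Sub_7_2, 2, A
"""


@dataclass
class Event:
    severity: int
    timestamp: datetime          # stamps are GMT according to the header line
    issue_id: int
    issue_name: str
    intruder_ip: str
    intruder_name: str
    victim_ip: str
    victim_name: str
    params: dict                 # "port=27374&name=Sub_7_2" -> {"port": "27374", "name": "Sub_7_2"}
    count: int                   # packets folded into this one log line
    extra: list = field(default_factory=list)  # trailing columns not named in the header (the "A")


def parse_blackice_log(text):
    """Parse the comma-separated BlackICE event log into Event objects.

    Lines starting with '#' are comments; fields are separated by ', '.
    Records with fewer than the ten documented columns raise instead of
    being silently padded, so a truncated file is noticed.
    """
    events = []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < len(FIELDS):
            raise ValueError(f"short record: {row!r}")
        rec = dict(zip(FIELDS, row))
        # parameters is a query-string style "k=v&k=v" list
        params = {k: v[0] for k, v in parse_qs(rec["parameters"]).items()}
        events.append(Event(
            severity=int(rec["severity"]),
            timestamp=datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
                              .replace(tzinfo=timezone.utc),
            issue_id=int(rec["issueId"]),
            issue_name=rec["issueName"],
            intruder_ip=rec["intruderIp"],
            intruder_name=rec["intruderName"],
            victim_ip=rec["victimIp"],
            victim_name=rec["victimName"],
            params=params,
            count=int(rec["count"]),
            extra=[f for f in row[len(FIELDS):] if f],
        ))
    return events


def summarize(events, min_severity=0):
    """Roll the events up: log lines per signature name, packets per probed
    port (using the count column, not just line count), and distinct sources.
    Events below min_severity are ignored."""
    by_issue = Counter()
    packets_by_port = Counter()
    sources = set()
    for e in events:
        if e.severity < min_severity:
            continue
        by_issue[e.issue_name] += 1
        sources.add(e.intruder_ip)
        if "port" in e.params:
            packets_by_port[int(e.params["port"])] += e.count
    return by_issue, packets_by_port, sources


if __name__ == "__main__":
    evs = parse_blackice_log(SAMPLE_LOG)
    issues, ports, srcs = summarize(evs)
    for name, n in issues.most_common():
        print(f"{n:3d}  {name}")
    for port, pkts in sorted(ports.items()):
        print(f"port {port}: {pkts} packet(s)")
    print(f"{len(srcs)} distinct source addresses")
```

Summing the count column per port rather than counting lines matters because BlackICE folds repeated packets into one line, as the quoted message notes; a line-count summary would undercount the probes.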