View Full Version : Black Ice


Curio
March 16th, 2005, 21:56 PM
Just updated to the new Black Ice (cob) and look at this -

3120014 11835 PDE_Renew_Host*
3120015 11835 PDE_Unauthenticated_Host*
2113179 14267 Spyware_PH_BroadcastPC
2113183 14311 Spyware_PH_DownloadWare
2113178 14320 Spyware_PH_MoeMoneyMaker
2113185 14333 Spyware_PH_ExactSearchBar
2113186 14336 Spyware_PH_EzulaTopText
2113189 14370 Spyware_PH_HotBar
2113193 14425 Spyware_PH_MyWebSearch
2113196 14477 Spyware_PH_ShopAtHomeSelect
2113180 14571 Spyware_PH_WhenUSearch
2113197 14848 Spyware_PH_WildTangent
2116016 16627 SMB_System32_FileWritten
2113188 17404 Spyware_PH_GAIN
2113194 18126 Spyware_PH_QuickSearchBar
2113195 18148 Spyware_PH_EliteBar
2113187 18252 Spyware_PH_GameSpyArcade
2113192 18261 Spyware_PH_WeatherBug
2113176 18291 Spyware_PH_MySearchBar
2113197 18307 Spyware_PH_MessengerPlus
2118027 18395 HTML_IE_Sysimage_Disclosure
2113190 18419 Spyware_PH_IEPlugin
2113182 18451 Spyware_PH_KeenValue
2113181 18476 Spyware_PH_DownloadAcceleratorPlus
2118028 18519 SMB_Samba_SecurityDescriptor_Bo
2106186 18836 DNS_Authors_Request
2121016 18884 UDP_Squid_WCCP_Cachelist_DOS
2106185 19268 HTTP_WmvDownloader_B
2106187 19269 Image_GIF_Netscape_Extension_BO
3121002 19303 DNS_IDN_Query
2110083 19385 PsExec_Installed
2110084 19385 PsExec_Service_Accessed
2110081 19396 IM_File_Xfer_Double_Extension
2111021 19405 GTP_C_Element_Unexpected
2111024 19408 GTP_C_Element_Overflow
2120062 19433 LHA_File_Path_Overflow
2104034 19494 MGCP_LongField
2104035 19494 MGCP_Long_Endpoint
2104036 19494 MGCP_Long_Tid
2111025 19506 GTP_C_Element_Underflow
2111026 19507 GTP_C_Err_SystemFailure
3111030 19509 GTP_C_Discovery
2111031 19510 GTP_C_APN_Corrupt
3111033 19511 GTP_C_PPP_Login
2111034 19513 GTP_U_InfrastructureAddress
2111034 19514 GTP_U_Recursion
2111038 19518 GTP_U_StationToStation
2106189 19562 CA_License_Server_Request_Bo

It now detects some spywares - cool.

lynchknot
March 16th, 2005, 22:20 PM
What is black ice? If you are referring to black ice the firewall, it used to be the worst known firewall in existence. (compared to the leaders)

cash_site
March 16th, 2005, 23:09 PM
What is black ice? If you are referring to black ice the firewall, it used to be the worst known firewall in existence. (compared to the leaders)
but this is Curio... the master IDS configurator :D

Nice list, I notice the WhenUSearch is listed... still spyware, even though another 'brand name' anti-spyware said they were no longer a threat!! :rolleyes:

lynchknot
March 17th, 2005, 17:54 PM
Outpost, Prevx, RegDefend (w/RegRun entries) and Process Guard seem to do the job well. Maybe this Black Ice (cob) can replace some of my apps? What do you think, Curio? :)

Curio
March 17th, 2005, 22:53 PM
Black Ice is and always has been the best host IDS cum firewall. Some people used to have a downer on it because it lacked egress filtering and program checksums (integrity checking) - it now includes these but they aren't the reason it is so good. It monitors the traffic in and out of any network adapter (including dial-up) and it will detect in real time what is inside the traffic.

It will detect and can block all kinds of attack even if the attack is made on legitimate ports on legitimate services with legitimate tools; it recognises the attack signature and can temporarily block the attacking IP. For instance I am behind a hard firewall so I am just about immune from straight port attacks, but BlackIce still picks up FavIcon overflow attacks, IE_Address_Bar_Spoofing, UPX_Packed executable downloads etc... This is because it reads the traffic and is a real IDS with attack signatures - I don't think there is another product like it, the rest are just firewalls, Integrity Checkers or both.

Process Guard again is a bit unique - does anything else enable you to block Service installations, Global Hooks and Dll Injection - all known Trojan techniques?

Take a look at the ISS website (http://www.iss.net/) and get a deep, insightful understanding of what it does. Maybe this is a better link: http://blackice.iss.net/demo.php.

lynchknot
March 18th, 2005, 00:16 AM
I also use a router. How does it perform against leak tests such as DNS? Does it feature "open process control"? Are there as many configuration points as Outpost's: http://www.outpostfirewall.com/forum/showthread.php?t=9858

**edit - the demo video put much emphasis on incoming which is generally hardware firewall territory. How does it perform as far as outgoing?

Is there any area that is not covered in my security configuration that Black Ice covers?

I am not familiar with the term IDS firewall. All I've been exposed to is "rule based" "stateful inspection" type firewalls.

speaking of attacks:

http://i134.exs.cx/img134/3848/att1ek.jpg (http://www.imageshack.us)

http://i134.exs.cx/img134/2875/att28ar.jpg (http://www.imageshack.us)


http://img228.exs.cx/img228/1826/att32uk.jpg (http://www.imageshack.us)


I never hear much about Black Ice at security forums I frequent. Someone did mention Black Ice but as you can see, there was no interest: http://www.wilderssecurity.com/showthread.php?t=71034&highlight=black



BTW, I have a hard time reading posts that do not utilize paragraphs. I have a vision tracking problem (no, I'm not cross-eyed); my eyes wander.

Maybe I will demo BI on the other computer.

lynchknot
March 18th, 2005, 04:32 AM
I started a thread at http://www.wilderssecurity.com/showthread.php?p=404151#post404151 - some actually installed it and tested for a short while. It did not seem to impress, though you may know more and have spent more time with the app.

egghead
March 18th, 2005, 04:53 AM
Gibson Research has problems with BlackIce Defender:
http://www.grc.com/lt/leaktest.htm

are these complaints finally sorted out?

lynchknot
March 18th, 2005, 05:27 AM
, it's difficult to forgive BID for its lack of outbound protection

Their demo video was almost entirely about filtering inbound. (I think)

FastGame
March 18th, 2005, 06:06 AM
, it's difficult to forgive BID for its lack of outbound protection
That's a quote from November 8, 2001; software has been known to get better (or worse) over the years.

How good was Firefox back then ?

lynchknot
March 18th, 2005, 06:49 AM
There was no firefox back then. I tend to like specialized apps (separates) not all in wonders. But then here's the latest post:

Sounds like BI is doing a lot more than I thought regarding network traffic. I don't know of any other product that scans packets for that kind of info or intrusions. Tiny has an IDS which is probably pretty good, but not the same as that. Nowadays AVs are also scanning network traffic for viruses and malware, such as Avast, NOD32. I don't know, but I doubt BI is on the level of those two AVs.

I'm still considering trying it though for the sony computer.

Test your IDS: http://www1.corest.com/products/coreimpact/index.php?

You may want to look into shellcode obfuscation. While it may not fool every IDS
out there it certainly fools a great many analysts.

egghead
March 18th, 2005, 08:33 AM
That's a quote from November 8, 2001; software has been known to get better (or worse) over the years.

How good was Firefox back then ?

Right, I did notice leaktest was updated years ago after my post.

I still recall a hack that crashed bd or something. It only affected those users.

Anyway

I might try gain.

I heard gator was bad but gain is the new version :p

J/K

i am also not sure about ad-aware.

and who said bad publicity ain't bad?

hmm....

Curio
March 18th, 2005, 17:32 PM
Can you remember how bad ZoneAlarm was in those days - there were hacks on the internet to disable it remotely and replace the icon in the system tray so no-one noticed; at the same time it used half your system resources, and if you tried to uninstall it without following the correct procedure it killed your PC - cool, but GRC recommended it.

I quite like Outpost Firewall and it has some cool add-ons, but I don't think it is an IDS as such; I believe that it operates as a proxying firewall similarly to Norton Internet Security - I could be wrong - it is a nice firewall though, I used to use 1 through 2 on various machines. If it saw a packet with the signature of a buffer overflow in it, would it recognise it?
No really - I have no idea.
Go to www.secunia.com try a search for BlackIce, try a search for zonealarm, try a search for outpost, try a search for sygate - nothing's perfect eh? (remember these products are not the same thing).

lynchknot
March 18th, 2005, 17:48 PM
...which is why I feel a lot safer using Process Guard and RegDefend.....

Cool, I never thought about going to Secunia for firewalls.

The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Outpost Firewall Pro 2.x.

This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

Currently, 0 out of 3 Secunia advisories, is marked as "Unpatched" in the Secunia database.

BlackICE PC Protection 3.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical

This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.

Currently, 1 out of 5 Secunia advisories, is marked as "Unpatched" in the Secunia database.

Curio
March 18th, 2005, 17:50 PM
BTW software junkies (that's you - all of you) might like a look at Harden-It http://sniffem.exaserve.net/Hardenit.exe - some nice people have looked at the registry entries needed to stiffen up the stack and made a nice configuration tool for lazy people - that means me. I tested it on a few machines and it doesn't do anything bad (like add spyware apps).

We should start a PG fan club

lynchknot
March 18th, 2005, 17:56 PM
You got that right! "software junkies" hehe

Hardenit? - been there, done that - :) good advice though


*edit - I'm running Hardenit again because I forgot I used a True Image backup. Should I follow recommendations for all (I use eMule)?

*member of PG fan club....

How about CHX-I Packet Filter or the security toolkit? http://www.idrci.net/idrci_products.htm

Curio
March 18th, 2005, 20:19 PM
You know where it says you shouldn't just click next all the way through it .......



you should run it with the /s switch so it does that for ya.

lynchknot
March 18th, 2005, 21:24 PM
I don't know. I'm lazy. I just noticed what is "best" and clicked away as fast as possible........ I'm busy with other things - :p The /s switch would have been easier, but I wanted to see some of the settings.

the mule seems to be connecting "high" so I guess it's fine.

FastGame
March 21st, 2005, 23:57 PM
I started a thread at http://www.wilderssecurity.com/showthread.php?p=404151#post404151 - some actually installed it and tested for a short while. It did not seem to impress, though you may know more and have spent more time with the app.
Looks like your post is picking up interest; looks like BlackIce isn't bad after all ;)

Why don't you run back over there and stir the pot a little :)

lynchknot
March 22nd, 2005, 00:03 AM
Yeah, but looks like some issues or compatibility problems. I'll go look. I still feel better using multiple specialty apps - maybe a holdover from my audiophile days (separate components best).

I still prefer to block some apps outgoing for various reasons - not sure BI allows this according to this statement:

It doesn't have app control in the way we think of it. Once it does its baseline scan, it allows ALL your existing apps full internet access without even asking you.

Maybe I'll make a True Image today and install BI - go to the red light district with my pants down.

*edit - I'm trying to config Snort - man, it's a bitch!

Curio
March 22nd, 2005, 22:07 PM
An antivirus will catch things already in your computer - or it is a bad antivirus. There is no reason to catch it twice and all new apps trying to gain access to the Internet will be flagged, this makes complete sense to me.

I don't want all my apps overlapping in function, that is a waste of processor cycles. I have BI installed from OS installation and nothing ever got 'in' to try to get back 'out'. I hope you can see the symmetry in that reasoning.

lynchknot
March 22nd, 2005, 22:12 PM
Guys at Wilders suggest a "layered" approach to security defense. Many apps will, of course, overlap, but today it's not easy to rely on just one app because one app is (rarely? - if at all) 100% secure. For instance, adding an AT to your AV could possibly decrease your odds of becoming infected compared with just running an AV with AT defs.

This is war. In the interest of "homeland security" I want to outfit my "home" with as much of an advantage as my processor allows without dragging down operations too much.

Curio
March 22nd, 2005, 22:30 PM
No worries, each to their own. Something they may not have mentioned is that every piece of software you add is a potential extra vulnerability.

lynchknot
March 22nd, 2005, 22:37 PM
Hence the reason for the popularity of the PG fan club :)

Curio
March 22nd, 2005, 22:46 PM
PG - we all love it :)

lynchknot
March 22nd, 2005, 23:03 PM
What do you think of http://la-samhna.de/samhain/ ? Snort requires too much studying - (more than I'm willing at the moment)

**maybe I ought to just follow this advice:

The trouble with IDS is that not many people know how to configure it properly; as the person up the top stated that they have relatively no experience with IDS, that brings me to the following conclusion and advice. IDS is not for everyone, and even those who it is meant for have to spend a lot of time configuring it; usually people will run IDS for 2 days before giving up and turning it off.

I suggest that people run a firewall, an AV and an anti-spyware application, which with some common sense will steer you clear of most nasties.

Curio
March 22nd, 2005, 23:49 PM
That's Network based IDS - only justified in highly secure networks, it takes a lot of computer to do some NIDSing. You probably want a Host based IDS and there is only one choice in Windows as far as I am aware and it requires very little learning except in the concept - Black Ice. Strictly speaking it is IPS an Intrusion Protection System because it is pro-active and takes action to stop detected intrusions by blocking IPs or discarding packets.

lynchknot
March 22nd, 2005, 23:57 PM
Yeah, seems like they all require much set up. Can I run BI with Outpost? In a way, isn't Protowall considered an intrusion blocker (using blocklists)? It is, after all, an IP blocker; I use trojan, spyware, etc. blacklists - though it does not analyse packets.

lynchknot
March 23rd, 2005, 07:12 AM
I know, I know Curio, but I'm a software sicko (True Image makes me brave). What do you think - are they going to play nice?

http://img123.exs.cx/img123/7985/sick3ox.jpg

*edit - I have app protection stopped since Outpost has the same thing. The BI engine is started. On boot I have BI set for manual start. Outpost complained before I started it - saying that I have a 3rd party firewall installed and it could cause blue screens etc. - so far no hang-ups.

http://img216.exs.cx/img216/618/bi7yj.th.jpg (http://img216.exs.cx/my.php?loc=img216&image=bi7yj.jpg)

http://img209.exs.cx/img209/5624/sick20kk.jpg

That thread over at Wilders is getting a lot of "air time" now. 841 views: http://www.wilderssecurity.com/showthread.php?p=409939#post409939

Curio
March 23rd, 2005, 21:42 PM
The packet analysis is the nice part; that is what makes it an IDS, not just a firewall - it can spot an exploit being delivered through a legitimate application. A port blocking firewall will allow traffic on port 80 and the return port via your browser because it is web traffic and your browser is allowed. Packet analysis can spot the malware in this legitimate traffic (as long as there is a sig).

What happens is, when I browse a site that contains an exploit, all of a sudden I get a message 'connection refused'; it's actually being filtered out by BI. I can then look at the site and weigh up the risk, deciding whether to unblock it via the advanced interface.

I was going to post a screenie of that but the site which I can usually rely on to trigger the Favicon_Buffer_Overflow trap has fixed their favicon - bummer. Oh well if I find another I will try to post back.

As to the apps playing nice together I have no idea but thank heaven for Acronis and their excellent True Image products, they allow us to experiment with software and emerge unscathed.

lynchknot
March 23rd, 2005, 22:28 PM
I'm curious about this. Is it blocked automatically or do I need to "block for a day/week/etc?

http://img97.exs.cx/img97/9700/scan1pb.png (http://www.imageshack.us)

hehe, it's "Tigerdirect" - why are they scanning me? 199.181.77.54

OrgName: TigerDirect
OrgID: TIGERD-1
Address: 3329 chapell blvd.
City: Durham
StateProv: NC
PostalCode: 27707
Country: US

what's all this? emule?

http://img182.exs.cx/img182/5750/mail5fg.jpg


**edit - now google is scanning me? - 64.233.187.99

Curio
March 24th, 2005, 23:12 PM
I'm curious about this. Is it blocked automatically or do I need to "block for a day/week/etc?


Oranges aren't that serious and probably won't block even if you have auto-blocking turned on; they are just 'possible' attack signatures. Port scans go on all the time and don't necessarily mean you are being targeted, just that someone is looking and looked at you. Yellows are just information; if you download a lot (if - there's a joke :-) ) then you may get yellows just on return scans from download ports and detection of packed executables. In general only worry about reds: they are a signature match for a definite attack method and will be auto-blocked if you have it turned on.
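As an added illustration of the distinction Curio draws between a port blocking firewall and packet analysis, and of the red/orange/yellow severities with red-only auto-block described in this post, here is a toy Python model. It is not part of this thread and not BlackICE's or ISS's code; the signatures, the documentation-range IP addresses and the packets are constructed for the example.

```python
import re
import time
from collections import namedtuple

# Severity scheme as the thread describes it: red = signature match for a definite
# attack method (auto-blocked), orange = 'possible' attack, yellow = information only.
RED, ORANGE, YELLOW = "red", "orange", "yellow"

# Constructed demo signatures for this example (not ISS/BlackICE's own): (name, severity, regex).
SIGNATURES = [
    ("Demo_HTTP_Header_Overflow", RED,
     re.compile(rb"^[A-Za-z-]+:\s*[^\r\n]{512,}", re.M)),  # absurdly long header value
    ("Demo_Bare_HEAD_Probe", ORANGE,
     re.compile(rb"\AHEAD / HTTP/1\.[01]\r\n\r\n\Z")),       # header-less HEAD, scanner-like
    ("Demo_Packed_Executable", YELLOW,
     re.compile(rb"\AMZ.{0,4096}?UPX[01]", re.S)),          # UPX-packed EXE coming in
]

Packet = namedtuple("Packet", "src_ip dst_port payload")
Event = namedtuple("Event", "name severity src_ip auto_blocked")

class PortFilter:
    """Plain port-blocking firewall: decides on the destination port alone."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def allows(self, pkt):
        return pkt.dst_port in self.allowed

class SignatureInspector:
    """Payload inspection layered on the port filter; a red match puts the source IP
    on a temporary block list (the auto-block the thread describes)."""

    def __init__(self, port_filter, block_seconds=3600, auto_block=True, clock=time.monotonic):
        self.port_filter, self.block_seconds = port_filter, block_seconds
        self.auto_block, self.clock = auto_block, clock
        self.blocked_until = {}   # src_ip -> expiry time on the clock
        self.events = []          # everything the inspector flagged, in order

    def is_blocked(self, ip):
        expiry = self.blocked_until.get(ip)
        if expiry is not None and expiry > self.clock():
            return True
        self.blocked_until.pop(ip, None)   # never blocked, or the block has lapsed
        return False

    def handle(self, pkt):
        """Returns a verdict string; signature hits are recorded in self.events."""
        if self.is_blocked(pkt.src_ip):
            return "dropped:blocked-ip"
        if not self.port_filter.allows(pkt):
            return "dropped:port"          # the only check a port-based firewall makes
        for name, severity, rx in SIGNATURES:
            if rx.search(pkt.payload):
                block = severity == RED and self.auto_block
                if block:
                    self.blocked_until[pkt.src_ip] = self.clock() + self.block_seconds
                self.events.append(Event(name, severity, pkt.src_ip, block))
                return "dropped:signature" if block else "passed:flagged"
        return "passed"

def demo():
    """Walks constructed packets through both layers; returns the verdict list."""
    now = [1000.0]                   # fake clock so the block expiry is deterministic
    ids = SignatureInspector(PortFilter({80, 443, 4662}), block_seconds=60, clock=lambda: now[0])
    attacker, peer = "203.0.113.5", "198.51.100.9"    # documentation-range addresses
    overflow = b"GET / HTTP/1.1\r\nHost: " + b"A" * 600 + b"\r\n\r\n"
    verdicts = [
        ids.handle(Packet(attacker, 80, overflow)),                      # red on an allowed port
        ids.handle(Packet(attacker, 80, b"GET / HTTP/1.1\r\n\r\n")),     # source now blocked
        ids.handle(Packet(peer, 4662, b"MZ" + b"\0" * 64 + b"UPX0")),    # yellow, passes
        ids.handle(Packet(peer, 80, b"HEAD / HTTP/1.0\r\n\r\n")),        # orange, passes
        ids.handle(Packet(peer, 23, b"")),                               # plain port block
    ]
    now[0] += 61                     # temporary block lapses
    verdicts.append(ids.handle(Packet(attacker, 80, b"GET / HTTP/1.1\r\n\r\n")))
    return verdicts
```

The port filter alone passes the first packet because port 80 is allowed; only the payload check catches it and then blocks the source for the configured time.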

FastGame
March 24th, 2005, 23:20 PM
Good job Curio, one minute LK was poking fun at BlackIce and now him and some of the guys at WS are liking it cuz they gave it a try ;) LOL

Curio
March 25th, 2005, 10:36 AM
In between the yellow (it will be red though) and the ip you will see a little black stop sign if the auto-block has happened. I am not at all sure about running 3 firewalls on a system but if that is what floats your boat then go for it.

To find more information about an event, highlight it and click the Event Info button (bottom left); this will take you to a page on the ISS website that will explain the event to you. Over time these little explanations will increase your overall knowledge of internet based attack vectors. Some of the explanations will also contain detail of how to correct the vulnerability in affected systems.

For interested people, here is a link to the explanation of the Favicon Buffer Overflow on the ISS website; there is enough information there for even the most inquisitive. I don't know if any other software provides an online database in this kind of depth.

http://www.iss.net/security_center/reference/2002555.html

FG - a little knowledge is a dangerous thing, but it's also a building block.

lynchknot
March 25th, 2005, 14:42 PM
Good job Curio, one minute LK was poking fun at BlackIce and now him and some of the guys at WS are liking it cuz they gave it a try ;) LOL

Poking fun? All I said was: it used to be the worst known firewall in existence

I am not at all sure about running 3 firewalls on a system but if that is what floats your boat then go for it.
Well, that's not what I want. I tried Snort but it's too involved - so I guess this is the only (easier) alternative to spending a month with one of the IDS apps. I want someone to make an IDS plugin for Outpost. :)

***edit - this might interest you: http://outpostfirewall.com/forum/showthread.php?t=10828&highlight=intrusion+detection

Curio
March 25th, 2005, 22:19 PM
ISS update the program regularly, often including detection for things they have discovered themselves because they do security research. I don't know if the other companies are active that way. It varies but updates every 4-10 weeks-ish.

PIPER
March 26th, 2005, 07:00 AM
I invested in PC-Cillin's internet security/antivirus not long ago... used to use nothing but Sygate.... Trend Micro updates daily.... pretty good app so far.

Curio
March 26th, 2005, 11:32 AM
PC-Cillin is a different thing entirely - it is an antivirus and firewall (ZoneAlarm); you would expect an antivirus to update daily-ish. Trend Micro products are on the whole very good, I have no problem with them. I like Sygate too as a firewall - no problems with that product either.

Curio
March 26th, 2005, 12:03 PM
Unfortunately there was a lot of prejudice generated against BlackIce by that old GRC nonsense; at the time I don't think SG understood the theory of an IDS/IPS, but I bet he does now after all that DDoSing he's had.

Perhaps if he had used BI on his servers they would have auto-blocked the attacking machines' IPs; wouldn't that be ironic.

lynchknot
March 26th, 2005, 22:48 PM
Hello Curio - do I need to allow NetBIOS for BlackIce in Outpost? I have nothing set for "always trust" - should I for BI?

http://img200.exs.cx/img200/5741/trust0eb.jpg (http://www.imageshack.us)

Curio
March 27th, 2005, 10:13 AM
NetBIOS is filesharing and I think NetBIOS_NS is the name service part (137) I expect that BI is attempting a netbios name check on intruders. Do the IPs correspond to attackers listed in BI?

Normally it is better to turn off something like reverse name checks as it effectively is informing the person probing your IP that you are 'live'. All your ports may be stealth but if he gets a reverse connection on port 137 from your IP that's as good as a straight ping. I'd leave it blocked or turn it off in BI, it's on the BackTrace tab - NetBIOS node status.

Incidentally there is a project that is making a 'user friendly' snort installation at http://www.engagesecurity.com/products/eaglex/. I have never used it but all the components are well known, full snorting requires a powerful PC running virtually nothing but the Snort IDS subsystem. It's not suitable for home or small network usage really unless of course you just 'want/need to know'.

lynchknot
March 27th, 2005, 19:37 PM
thanks curio

**edit - I wonder why they are blacklisted

Packet to "logprotect.org" ( 213.186.33.19 ) blocked. [protocol: TCP - src: 1917 / dst: 80]

lynchknot
March 29th, 2005, 04:16 AM
Hello Curio. Do you have any idea what the problem here could be?

http://img122.exs.cx/img122/4873/config6qm.jpg (http://www.imageshack.us)

Curio
March 29th, 2005, 22:38 PM
Simple answer - no. Looks nice though.
Complicated answer - looks like your MySQL server isn't running, the database isn't configured or there is no data in the database. If you query the database directly (from a command line 'mysqladmin status') do you get a response?

I did say I'd never used it.

lynchknot
March 29th, 2005, 23:06 PM
Ok will you take a look at my other problem with STM: http://www.techzonez.com/forums/showthread.php?p=89836#post89836

thanks

Curio
March 29th, 2005, 23:36 PM
Somewhere dimly in the back of my mind I seem to recall there is another IDS for windows that is freeware. Hmmm.......

I will remember (that means look it up on the interweb) sometime soon and post back.

lynchknot
March 29th, 2005, 23:46 PM
k thanks curio

lynchknot
March 30th, 2005, 18:01 PM
I think I'll continue with the BI/Outpost combo for now, as Outpost is not capable of picking up these red alerts this morning as BI did:

http://img103.exs.cx/img103/4171/red6fq.jpg (http://www.imageshack.us)

Curio
March 30th, 2005, 22:12 PM
BI is exactly what you want anyhow; ISS is a big company that has been doing IDS stuff for years. Anyhow, the other thing is Securepoint IDS - again, not used it - they also do a freeware firewall http://www.securepoint.cc/. Incidentally there are more columns you can add to your BI window, and you can drag the columns wider to read them better and rearrange the columns so they are in a more user friendly order. If you right click on the title bar - say where it says 'event' - you will get a drop down menu with the bottom option 'columns...'; you can add and re-order columns of data from the dialog box it opens.

lynchknot
March 30th, 2005, 22:32 PM
Yes, seems like a very compatible combo (unless, of course, Outpost comes up with an IDS plugin): a little extra inbound security courtesy of BI, and Outpost's outbound configuration flexibility.

**edit - looks like they have a stand alone IDS! - Freeware Intrusion Detection Systems from Securepoint - http://www.securepoint.cc/en/products-ids.html

**Did my router actually fail to respond to those 3 red alerts?

Thanks for the tip

http://img17.exs.cx/img17/9452/tip6lx.jpg (http://www.imageshack.us)

lynchknot
March 30th, 2005, 23:04 PM
this is all neat-o

http://img13.exs.cx/img13/2672/nuz1hw.jpg (http://www.imageshack.us)

but not going to work when it's not detecting network card

http://img13.exs.cx/img13/3273/net0ck.jpg (http://www.imageshack.us)

Curio
March 30th, 2005, 23:27 PM
You have a lot of auto blocks on port 4662 traffic - that's E-mule.

lynchknot
March 30th, 2005, 23:29 PM
should they be unblocked?
**edit - I "forwarded" those ports

http://img13.exs.cx/img13/6052/foward5rx.jpg (http://www.imageshack.us)


*can't get Nuzzler to work. Back to BI.


Curio, do you have anything here? I deleted a couple entries because I thought it was of ignore - now it seems everything is being ignored


http://img27.exs.cx/img27/7713/blank3hx.jpg (http://www.imageshack.us)

Curio
April 1st, 2005, 21:54 PM
I don't have anything there - no, except SMB_Winreg like you. You can add events or ip addresses you want to ignore in that bit. I don't want to ignore anything so I leave it as is. If something was really popping up relentlessly and I knew it was only an annoyance I might stick a rule in there but it's never happened.

lynchknot
April 2nd, 2005, 00:24 AM
thanks.

Oh nooooooooooo! Not the unknown! Anything but the unknown... :eek:

http://img151.exs.cx/img151/6724/unknown9by.jpg (http://www.imageshack.us)