Subject: IDS: Fw: blackice ignoring port 113
From: Talisker (Talisker@networkintrusion.co.uk)
Date: Sun Jul 23 2000 - 07:14:13 CDT
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
-----------------------------------------------------------------------------
Found this on Bugtraq this morning
www.networkintrusion.co.uk
'''
(0 0)
----oOO----(_)----------
| The geek shall |
| Inherit the earth |
-----------------oOO----
|__|__|
|| ||
ooO Ooo
The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
----- Original Message -----
From: "vali" <vali@iname.com>
To: <BUGTRAQ@securityfocus.com>
Sent: Saturday, July 22, 2000 5:27 PM
Subject: blackice ignoring port 113
> It's as simple as that, blackice (a somewhat popular windows firewall) is
> ignoring TCP traffic with destination port 113 (even with "paranoid"
> setting).
> The most simple way to try this is
>
> nmap -sS -p 113 -P0 victim (victim's blackice is silent)
> nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").
>
> Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
> blackdll.dll = 2.1.22) on both win95 OSR 2 and win98 SE.
>
> This is not much, but is a simple way to flood a computer without blackice
> reacting in any way. Also, if somebody is using a buggy ident server this is
> fatal (irc clients sometimes install ident servers, without the user's
> knowledge).
>
> Other comments regarding BlackIce:
>
> Blackice is doing a good job in stopping malformed packets "bad" for Microsoft
> IP stacks (including IGMP, fragmented ICMP aka teardrop, etc, etc). Can detect
> nmap stealth scan but there is no simple way to tell from the interface the
> port scanned (if the port is not a "standard" port). Anyway, it has
> extensive logging capabilities. In fact with "logging" and "evidence logging"
> enabled sniffed sessions can linger in the Blackice folder, alongside
> sensitive information like passwords.
> Blackice can do (automatic) DNS reverse lookup and a Netbios scan for the
> attackers (which can be a *very* bad thing). I think this feature is enabled by
> default.
>
> Blackice seems to have some limits for the number of packets logged and for the
> alerts displayed. This is a good thing and a bad thing. This limits the memory
> used but some packets can go unnoticed (and if someone sends a lot of spoofed
> packets the real attack will go unnoticed).
>
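The forwarded post describes two monitoring gaps: a filter that silently exempts one destination port (TCP/113, ident) so probes of that port never produce a "tcp port probe" alert, and a fixed-size alert list that a flood of spoofed packets can fill before the real probe arrives. The following Python model is an added example, not BlackICE code or anything from the original post; the `Syn` records, the exemption sets and the alert store are constructed for illustration. It shows how to check a policy for blind ports, and how a bounded alert store can at least count what it discards (per source) so saturation is visible to the operator instead of silent.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Syn:
    """One inbound TCP SYN: source address and destination port (constructed)."""
    src: str
    dport: int


# Policy the post describes: destination port 113 (ident) is silently ignored.
IDENT_EXEMPT = frozenset({113})
# Corrected policy: no destination port is exempt from probe alerting.
NO_EXEMPT = frozenset()


def probe_alerts(packets, exempt_ports):
    """Return one 'tcp port probe' alert per inbound SYN whose destination port
    is not in exempt_ports.  With IDENT_EXEMPT a probe of port 113 yields nothing."""
    return [f"tcp port probe {p.src} -> {p.dport}"
            for p in packets if p.dport not in exempt_ports]


def blind_ports(exempt_ports, watched=range(1, 1024)):
    """Well-known ports on which the policy would never raise an alert; a
    non-empty list means probes of those ports go unnoticed."""
    return sorted(set(watched) & set(exempt_ports))


@dataclass
class AlertStore:
    """Fixed-size alert list (the limit the post describes) that also counts,
    per source, the alerts it had to discard once full.  The real probe may
    still be pushed out by a flood, but its source is recorded and the
    operator can see the list was saturated."""
    cap: int
    kept: list = field(default_factory=list)
    dropped: Counter = field(default_factory=Counter)

    def add(self, packet, exempt_ports=NO_EXEMPT):
        if packet.dport in exempt_ports:
            return                      # the blind spot: no alert at all
        if len(self.kept) < self.cap:
            self.kept.append(f"tcp port probe {packet.src} -> {packet.dport}")
        else:
            self.dropped[packet.src] += 1

    def saturated(self):
        return sum(self.dropped.values()) > 0


def run_store(packets, exempt_ports, cap):
    """Feed packets through an AlertStore of the given capacity."""
    store = AlertStore(cap)
    for p in packets:
        store.add(p, exempt_ports)
    return store


# Constructed traffic: two probes from one host, a spoofed SYN flood from 50
# sources, then a probe from the host the flood was meant to hide.
PROBES = [Syn("10.0.0.5", 113), Syn("10.0.0.5", 80)]
FLOOD = [Syn(f"192.0.2.{i}", 23) for i in range(1, 51)]
HIDDEN = [Syn("10.0.0.9", 139)]


if __name__ == "__main__":
    print(probe_alerts(PROBES, IDENT_EXEMPT))   # only the port-80 probe
    print(probe_alerts(PROBES, NO_EXEMPT))      # both probes
    print(blind_ports(IDENT_EXEMPT))            # [113]
    store = run_store(FLOOD + HIDDEN, NO_EXEMPT, cap=20)
    print(len(store.kept), sum(store.dropped.values()), store.saturated())
    print("hidden probe source recorded:", "10.0.0.9" in store.dropped)
```

The exemption check is the part worth carrying over to a real configuration review: any port a filter treats as "never alert" is a port a scanner can probe for free, and a per-source overflow counter is the cheapest way to keep a capped alert list from hiding its own losses.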