RE: NetworkICE BlackICE Agent(s)

From: Graham, Robert (ISS Atlanta) (rgraham@iss.net)
Date: 08/02/02


From: "Graham, Robert (ISS Atlanta)" <rgraham@iss.net>
To: Brenna Primrose <drxlecter@phreaker.net>, "'Ralph Los'" <RLos@enteredge.com>, focus-ids@securityfocus.com
Date: Fri, 2 Aug 2002 14:57:47 -0400 

BlackICE records the packets that trigger events. They are stored in files
like "evd001.enc" in the BlackICE directory. These files can be viewed with
products like the NAI Sniffer, Microsoft NetMon, or Ethereal.com. This is a
"round-robin" showing only the latest packets.

If you send me these "evidence" files containing the BOOTP packets, I can
figure out what is going on and change the signature accordingly.

Robert Graham
Founder of Network ICE

PS: BlackICE records "port-probes". This is our noisiest event, but one that
we leave enabled by default because it has proven to be one of the more
useful events. You definately should not have this page you are send
e-mails. BlackICE is designed to be noisier with low-severity events, but to
be extremely accurate with the high-priority events. You should only set the
pager for the high priority ones.

PS: I would love to see the "attack-list.csv" as well as the evd*.enc files.

-----Original Message-----
From: Brenna Primrose [mailto:drxlecter@phreaker.net]
Sent: Friday, August 02, 2002 12:11 PM
To: 'Ralph Los'; focus-ids@securityfocus.com
Subject: RE: NetworkICE BlackICE Agent(s)

We've been getting the BOOTP overflow notifications for about 2 weeks
now. I can't pinpoint what causes them, and they were happening before
the latest update of BID. When they occur on our LAN the source IP is
always listed as 0.0.0.0...makes no sense.

http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t@creighton.edu
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
G e* h- r++ x+
------END GEEK CODE BLOCK------

-----Original Message-----
From: Ralph Los [mailto:RLos@enteredge.com]
Sent: Friday, August 02, 2002 11:25 AM
To: focus-ids@securityfocus.com
Subject: NetworkICE BlackICE Agent(s)

All,

        The problem I am having a hard time with deals with the fact
that we have thousands of managed agents reporting to various servers
(ICECap) which we run as a managed service for folks. I've got 2
separate issues, one I would like an opinion on, the other some actual
facts/help.

        The first issues deals with the fact that ICECap reports
hundreds of 'port scan', or 'tcp scan', etc...constantly. This is
expected when I have 2,000 server agents running, of course. Is there
ANY way to get ICECap that anyone's found that would give me an more
information in my pages, emails I receive? Not necessarily dealing with
port scans, but issues in general? The emails are so vague and often I
want to dig into the situation without logging into ICECap...I hope that
question is clear....

        The second question deals with false-positives. I've been
getting the 'Bootp file overflow' (very close wording) for some time
now. ISS swears there are no false positives that they know of - but
that can't be since an INTERNAL network is reporting hundreds of these
'attacks' a day...and I know for a fact there is nothing wrong there.
What could be causing this? They are using DHCP. Could that have
something to do with it? It's also an all-MS environment of
workstations and servers since I know that makes a difference.

Thanks in advance everyone...

Ralph
** Network security geek **