In regards to the "advisory" posted February 14th:

>NtWaK0 Advisory
>Affected : BlackIce 2.9 car Latest with patch
>Type : DOS attacks with URG Flag Set ARE NOT LOGGED

Official Response:

As far as I can tell, this "advisory" states that the IDS doesn't have a signature that somebody expected it to have. I am not sure that this is really bugtraq material. However, customers have asked about this bugtraq posting and want an official vendor response. This response is that we are looking at the signature to see if we want to add it.

On the other hand, there have been cases before of vendors not quite understanding the nature of the "bug" that was presented to them. If I have misinterpreted the "advisory", please send me e-mail.

Unofficial Response:

One of our engineers describes the problem as:

> Yes, it is true that we do not announce when we see TCP
> packets with just the URG bit set. However, there are
> many other unusual combinations of TCP bits that we
> don't announce, because of the fear of false positives.
> We currently announce TCP flag combinations which are
> characteristically sent by scanning programs such as Queso
> and nmap. We also announce combinations which have
> caused some TCP implementations to crash. But my
> fear-of-false-positives means that we don't announce
> ALL possible illegal combinations; after all, we don't
> want to start World War III - see
> http://www.washingtonpost.com/wp-dyn/articles/A6846-2002Feb13.html
> Of course, detecting the URG bit by itself could be
> added trivially.

If people can point me to something well-known that uses URG by itself, then we'll of course add that signature. I would also be interested in any other IDS that supports this signature; if somebody else triggers on it, it is more likely to be important.

The reason I describe this as the "unofficial" response is that there is a little trick you can use to add this signature. However, it is UNSUPPORTED, UNTESTED, and POORLY DOCUMENTED. As an official from the company, I can't recommend you use this feature, but it may be interesting for entertainment purposes.

Add the following lines to the "blackice.ini" file:

trons = enabled
trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
trons.filename = trons-needs-filename-even-if-dont-exist

I can't stress enough that this feature is unsupported and that you can't get any help from us about this feature at this time. However, you might find documentation somewhere on the net :-).

As a user, I added those lines and transmitted the packet described in the NtWaK0 message, and BlackICE triggered on it.

Robert Graham
Internet Security Systems

PS: I'll be putting up a small TRONS document on my personal website tomorrow. The link will be:
http://robertgraham.com/pubs/ids/trons.html
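Added example, not part of the original post and not BlackICE or TRONS code: a small Python model of how a Snort-style "flags:" option such as the one in the trons.rule line above is evaluated against raw TCP headers. It assumes the rule uses Snort's flags syntax (letters F, S, R, P, A, U, E, C, a "0" for no flags, and the "+", "*" and "!" modifiers); the function names, the rule parser and the sample headers are all constructed for illustration. It goes slightly beyond the post by contrasting the exact-match rule flags:U (only a packet with nothing but URG set alerts) with flags:U+ (any packet carrying URG alerts, including ordinary urgent data), which is the false-positive trade-off the engineer describes.

```python
"""Evaluate Snort-style TCP 'flags:' rule options against raw TCP headers.

Hypothetical helper (not BlackICE/TRONS code). It models the rule
  alert tcp any any -> any any (msg:"URG Scan";flags:U;)
and the standard Snort modifiers so the false-positive question can be
seen on a handful of constructed packets.
"""
import re
import struct

# TCP flag bits (RFC 793 / RFC 3168) keyed by the Snort letter for each.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "C": 0x80,  # CWR
}


def tcp_flags_from_header(tcp_header: bytes) -> int:
    """Return the 8 flag bits from a raw TCP header (IP header already stripped)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    # Byte 12 holds data offset/reserved bits; byte 13 holds CWR..FIN.
    return tcp_header[13]


def parse_flags_option(spec: str):
    """Parse a Snort flags value such as 'U', 'SA+', 'UP*', '!SA' or '0'.

    Returns (negate, mode, mask): mode '=' means exactly these bits,
    '+' means at least these bits, '*' means any of these bits.
    """
    spec = spec.strip().rstrip(";").strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mode = "="
    if spec and spec[-1] in "+*":
        mode, spec = spec[-1], spec[:-1]
    mask = 0
    for ch in spec:
        if ch == "0":  # '0' stands for "no flags set"
            continue
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown flag letter {ch!r}")
        mask |= FLAG_BITS[ch]
    return negate, mode, mask


def flags_match(packet_flags: int, spec: str) -> bool:
    """True if the packet's flag byte satisfies the flags option."""
    negate, mode, mask = parse_flags_option(spec)
    if mode == "=":
        hit = packet_flags == mask            # exactly these flags, nothing else
    elif mode == "+":
        hit = (packet_flags & mask) == mask   # these flags, others allowed
    else:
        hit = (packet_flags & mask) != 0      # any one of these flags
    return (not hit) if negate else hit


def parse_rule(rule: str) -> dict:
    """Pull the key:value options out of the parenthesised part of a rule."""
    m = re.search(r"\((.*)\)\s*$", rule)
    if not m:
        raise ValueError("rule has no option section")
    opts = {}
    for part in m.group(1).split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    if "flags" not in opts:
        raise ValueError("rule has no flags option")
    return opts


def make_header(flags: int, sport: int = 1234, dport: int = 80) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample, not a capture)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample traffic: one URG-only probe plus ordinary packets.
SAMPLE_PACKETS = {
    "urg_only": make_header(FLAG_BITS["U"]),
    "normal_data": make_header(FLAG_BITS["A"] | FLAG_BITS["P"]),
    "urgent_data": make_header(FLAG_BITS["A"] | FLAG_BITS["P"] | FLAG_BITS["U"]),
    "syn": make_header(FLAG_BITS["S"]),
    "null": make_header(0),
}


def run_rule(rule: str, packets: dict) -> list:
    """Return the names of the packets on which the rule would alert."""
    opts = parse_rule(rule)
    return [name for name, hdr in packets.items()
            if flags_match(tcp_flags_from_header(hdr), opts["flags"])]


if __name__ == "__main__":
    exact = 'alert tcp any any -> any any (msg:"URG Scan";flags:U;)'
    loose = 'alert tcp any any -> any any (msg:"any URG";flags:U+;)'
    print("flags:U  alerts on:", run_rule(exact, SAMPLE_PACKETS))
    print("flags:U+ alerts on:", run_rule(loose, SAMPLE_PACKETS))
```

Run as a script it shows the exact rule from the post firing only on the URG-only packet, while the "+" form also fires on the urgent-data packet, which is the kind of legitimate traffic a looser signature would misreport.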