It still doesn't do things like list the source port of the offending attack. It still reports things like traceroutes as suspicious activity. It's not so much that BlackIce is a bad product, it's the fact that most of the users who use it and the other software packages like it are generally not very clued and will fly off the handle reporting all sorts of things as attacks or attempts to access their computer. I've actually spent an entire weekend being paged by our NOC to deal with someone who had BlackIce, and another program that would e-mail abuse@ for the IP address it considered to be attacking; in this case what it was saying was a UDP flood coming from various IPs of equipment we have. One thing led to another, and it turned out he was being UDP flooded by streaming media servers (RTSP anyone?), and his automated reporting facility was mailing these complaints out to the NOC. We had another person who was screaming bloody murder about being hacked, when he was tracerouted to twice over a 24-hour period. That hardly counts as an intrusion. Generally, if someone is having an issue and all they have to go on is BlackIce output, we need pretty evident proof that there's an actual problem. One cool feature is the fact that BlackIce can detect certain types of traffic, like nmap scans, queso, SNMP queries, and the like. But if all I've got to go on is a 5-packet 'UDP flood,' the source IP, the destination IP, and the destination port, it gets old quick. Couldn't it just look at the source port and say "This looks like RTSP," or "This is only 5 packets, probably not a big deal"? It really depends on how sensitive the person who has it sets it, but I've yet to see anyone who doesn't set it as high as it will go. A warning that says it might be as ultra-paranoid as a strung-out conspiracy theorist at the highest settings might not be a bad idea. I think the last version we looked at was the latest version available in July/August.
We were looking at it to use as a firewalling solution for our mobile users, but we just couldn't deal with the amount of calls people would make to us saying they were being scanned by all the local Windows machines on the network while they were in the office, or countless other issues. We're still looking at other solutions, but few really have any sort of centralized monitoring/reporting ability.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I don't speak for them here. I have public opinions, and they don't.

On Fri, 3 Nov 2000, Rishi Singh wrote:
That was a very old version of BlackIce Defender you are referring to. I know exactly which version you are talking about, as I had similar problems with it. However, NetworkIce seems to be a pretty responsive company when it comes to complaints, and I beta test their products for them.
All of the dev/null stuff has been eliminated in the last few releases, including erroneous reports and extraneous information. You should try it now, I think you will be more impressed than the experiences you had with the older version.
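The two heuristics Joseph asks for earlier in the thread (name the likely service from the source port, and don't treat a handful of packets as a flood), as an added example that is not part of the original messages or of BlackIce itself; the port table, the packet threshold and the sample alerts are assumptions constructed for illustration:

```python
# Added example, not from the thread: a triage pass over constructed
# BlackIce-style alert records that annotates each alert with a likely
# benign explanation before anyone pages the NOC about it.
from dataclasses import dataclass

# Assumed mapping of well-known SOURCE ports to the service that sends from them.
KNOWN_SOURCE_PORTS = {
    53: "DNS reply",
    123: "NTP reply",
    554: "RTSP (streaming media control)",
}
FLOOD_MIN_PACKETS = 100          # assumption: fewer packets than this is not a flood
BENIGN_EVENTS = {"traceroute"}   # probes the thread says are not intrusions


@dataclass
class Alert:
    event: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int


def triage(alert: Alert) -> tuple[str, str]:
    """Return (severity, reason); severity is 'info', 'low' or 'review'."""
    if alert.event.lower() in BENIGN_EVENTS:
        return "info", f"{alert.event} is not an intrusion"
    service = KNOWN_SOURCE_PORTS.get(alert.src_port)
    if service:
        return "info", f"source port {alert.src_port} looks like {service}"
    if "flood" in alert.event.lower() and alert.packets < FLOOD_MIN_PACKETS:
        return "low", f"only {alert.packets} packets, probably not a big deal"
    return "review", "no benign explanation from source port or volume"


# Constructed sample alerts modelled on the complaints described above.
SAMPLE_ALERTS = [
    Alert("UDP flood", "udp", "192.0.2.10", 554, "198.51.100.5", 6970, 5),
    Alert("UDP flood", "udp", "192.0.2.10", 40000, "198.51.100.5", 6970, 5),
    Alert("traceroute", "icmp", "192.0.2.20", 0, "198.51.100.5", 0, 2),
    Alert("UDP flood", "udp", "203.0.113.7", 40000, "198.51.100.5", 1434, 5000),
]


def triage_all(alerts: list[Alert]) -> list[tuple[str, str, str]]:
    """Annotate every alert with its source IP, severity and reason."""
    return [(a.src_ip, *triage(a)) for a in alerts]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_ALERTS):
        print(row)
```

Only the fourth sample (thousands of packets from an unknown source port) survives as something worth a human look.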