Bugtraq mailing list archives

Re: NtWakO BlackICE sig missing


From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Wed, 27 Feb 2002 22:14:23 -0500 (EST)

In regards to the "advisory" posted February 14th:
NtWaK0 Advisory
Affected         : BlackIce 2.9 car Latest with patch
Type             : DOS attacks with URG Flag Set ARE NOT LOGGED


Official Response:

As far as I can tell, this "advisory" states that the IDS
doesn't have a signature that somebody expected it to have. I 
am not sure that this is really bugtraq material. However,
customers have asked about this bugtraq posting and want an
official vendor response. This response is that we are looking
at the signature to see if we want to add it.

On the other hand, there have been cases before of vendors not
quite understanding the nature of the "bug" that was presented
to them. If I have misinterpreted the "advisory", please
send me e-mail.


Unofficial Response:

One of our engineers describes the problem as:

Yes, it is true that we do not announce when we see TCP 
packets with just the URG bit set.  However, there are 
many other unusual combinations of TCP bits that we 
don't announce, because of the fear of false positives.  
We currently announce TCP flag combinations which are 
characteristically sent by scanning programs such as Queso 
and nmap.  We also announce combinations which have 
caused some TCP implementations to crash.  But my 
fear-of-false-positives means that we don't announce 
ALL possible illegal combinations; after all, we don't 
want to start World War III - see 
http://www.washingtonpost.com/wp-dyn/articles/A6846-2002Feb13.html  
Of course, detecting the URG bit by itself could be 
added trivially.

If people can point me to something well-known that uses
URG by itself, then we'll of course add that signature.
I would also be interested in any other IDS that supports
this signature; if somebody else triggers on it, it is more
likely to be important.

The reason I describe this as the "unofficial" response is 
that there is a little trick you can use to add this 
signature. However, it is UNSUPPORTED, UNTESTED, and POORLY 
DOCUMENTED. As an official from the company, I can't recommend
you use this feature, but it may be interesting for 
entertainment purposes. Add the following lines to the 
"blackice.ini" file:

trons = enabled
trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
trons.filename = trons-needs-filename-even-if-dont-exist

I can't stress enough that this feature is unsupported and that 
you can't get any help from us about this feature at this time. 
However, you might find documentation somewhere on the net :-).
As a user, I added those lines and transmitted the packet
described in the NtWaK0 message, and BlackICE triggered on it.



Robert Graham
Internet Security Systems

PS: I'll be putting up a small TRONS document on my personal
website tomorrow. The link will be:
http://robertgraham.com/pubs/ids/trons.html
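The post above adds a Snort-syntax rule (`flags:U`) to BlackICE's TRONS hook and notes that exact-match flag rules are how the engine avoids false positives on legitimate flag combinations. The following Python is an added example, not code from the post, from ISS or from BlackICE: it parses a rule line of the same shape as the one in the post, extracts the six RFC 793 flag bits from a raw TCP header, and evaluates the rule using the Snort `flags:` semantics I assume here (no modifier = the flags must match exactly; `+` = at least these; `*` = any of these; `!` = none of these). The sample headers are constructed inline; the rule set beyond the post's own "URG Scan" rule (NULL, SYN/FIN, XMAS) is my addition to show the same matcher covering the "unusual combinations" the engineer mentions.

```python
import re
import struct

# RFC 793 flag bits as they sit in byte 13 of the TCP header (ECN bits ignored).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# Simplified Snort/TRONS rule grammar: we only need msg and flags, so the
# address/port fields are matched but otherwise ignored (assumption: "any").
RULE_RE = re.compile(r'^\s*alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$')


def parse_rule(line: str):
    """Return (msg, flags_spec) from a rule such as the one in the post."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax")
    opts = {}
    for opt in m.group(1).split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return opts["msg"], opts["flags"]


def parse_flags_option(spec: str):
    """Split a 'flags:' value into (modifier, bitmask); '0' means no flags set."""
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    mask = 0
    for ch in spec:
        if ch == "0":
            continue
        mask |= TCP_FLAGS[ch]  # unknown letter raises KeyError on purpose
    return modifier, mask


def flags_match(modifier: str, mask: int, flags: int) -> bool:
    """Assumed Snort semantics: exact match unless a modifier is given."""
    if modifier == "":
        return flags == mask
    if modifier == "+":
        return flags & mask == mask
    if modifier == "*":
        return flags & mask != 0
    if modifier == "!":
        return flags & mask == 0
    raise ValueError(modifier)


def tcp_flags(segment: bytes) -> int:
    """Extract the six classic flag bits from a raw TCP header (no IP header)."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    return segment[13] & 0x3F


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: a 20-byte TCP header with the given flags, checksum zeroed."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)


# The post's rule plus three classic scanner signatures (my additions).
RULE_LINES = [
    'alert tcp any any -> any any (msg:"URG Scan";flags:U;)',
    'alert tcp any any -> any any (msg:"NULL Scan";flags:0;)',
    'alert tcp any any -> any any (msg:"SYN/FIN Scan";flags:SF;)',
    'alert tcp any any -> any any (msg:"XMAS Scan";flags:FPU;)',
]
RULES = [parse_rule(r) for r in RULE_LINES]


def evaluate(segment: bytes, rules=RULES):
    """Return the msg of every rule whose flags option matches this segment."""
    f = tcp_flags(segment)
    return [msg for msg, spec in rules if flags_match(*parse_flags_option(spec), f)]


if __name__ == "__main__":
    samples = {
        "URG only": build_tcp_header(40000, 80, TCP_FLAGS["U"]),
        "plain SYN": build_tcp_header(40000, 80, TCP_FLAGS["S"]),
        "ACK+URG (legit urgent data)": build_tcp_header(40000, 80, TCP_FLAGS["A"] | TCP_FLAGS["U"]),
        "no flags": build_tcp_header(40000, 80, 0),
    }
    for name, seg in samples.items():
        print(f"{name:30s} -> {evaluate(seg)}")
```

The ACK+URG sample is the point of the engineer's false-positive remark: a host sending urgent data on an established connection sets URG together with ACK, so an exact-match `flags:U` rule fires only on the bare-URG packet and stays quiet on normal traffic, whereas `flags:U+` would fire on both.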

