Black Ice 3.6

Discussion in 'other firewalls' started by lynchknot, Mar 17, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Looks like you got someone trying to detect your OS. Interesting..

    I don't expect to see too much coming in here. BlackIce seems pretty thorough though. So that's good. When you think about it, you don't really need to see all the noise that comes in all the time anyway, just the possible threats and more serious stuff. Who cares about the other noise that you typically see in firewall logs. It's always the same.

    I like it a lot. The only thing I might wish for is a little more flexibility in app control. But I think it's pretty much all I need. I tested it with Avast and its proxy stuff last night and they work fine together. For me the two seem to be a pretty good solution.

    One thing I kinda like is the app execution control. I like the idea of knowing if something new is executing.
     
  2. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Whoa! I enabled sound, then opened Outlook Express and heard a bunch of beeps.
    I think yellow alerts are of limited concern. I will try to set for orange and red. :blink:
     

    Last edited: Mar 23, 2005
  3. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I've tried BI with other firewalls, and sometimes BI would disable - it worked fine alone. I could try Outpost with it, though.
     
  4. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    BI wanting UDP now

    I'm curious about this. Is it blocked automatically or do I need to "block for a day/week/etc."?

    hehe, it's "Tigerdirect" - why are they scanning me? 199.181.77.54

     
    Last edited: Mar 23, 2005
  5. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    Click on Tools, Edit BlackIce Settings. Then you can manage the way things are protected. I have mine set at Paranoid: block all unsolicited inbound traffic.
    Also check Enable Auto-Blocking. You're gonna see intruders trying to attack, and what they are looking for and who they are. But believe me, you're protected.

    Hope this helps. Filter by event severity is just a color chart.

    Advanced Firewall Settings allows you to set up your own firewall rules. Some are already set by default.

    Hope I helped you, as I'm a paid subscriber of 3 years of Black Ice.
     
  6. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Thanks for your post. Hasn't someone yet made secure configuration rules for the most widely used apps, so we can just copy them?
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    So far, I've not had to use the firewall rules at all. I disabled the rule that allowed 113 by default. Don't want that inbound. Otherwise, everything seems to work fine without any extraneous rules. If you want to block or allow certain addresses or ports then the rules would come in handy.
     
  8. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Hello Kerodo, do I need to allow NetBIOS for BlackIce in Outpost? I have nothing set for "always trust"; should I for BI? I'm not on a network.
     

  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    No idea lynchknot, however, I would think you can block NetBios without any problems...
     
  10. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I'm not understanding what NetBIOS is and why all those IPs want to connect to that specific port.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I know next to nothing about NetBios, but it could be that your system is using NetBios name lookups for DNS resolution for BI. Possibly?
     
  12. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    It looks like BLACKD.EXE is trying to use Netbios Name Service at those remote addresses to try and identify those IP numbers, no?
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Part of the backtrace utility of BI will resort to a NetBIOS name look-up, not something you probably want unless you do not mind your system directly contacting those remote systems trying to determine their computer name. As a rule you should never allow NetBIOS out to the Internet. One of the hazards of this built-in functionality of some firewalls: so much for stealth if you are doing traceroutes and name look-ups ;) You may want to check your BI settings and see if you can disable those look-ups of systems showing up in the logs.

    Regards,

    CrazyM
     
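    As an added illustration of the point CrazyM makes above (not code from the thread or from BlackIce), the check below reads a few constructed firewall log lines and flags outbound NetBIOS/SMB traffic (UDP 137/138, TCP 139/445) that is headed for an address outside the local private ranges, which is exactly the backtrace behaviour lynchknot later switched off. The log format, the process names and the addresses are all assumptions made up for the example.

    ```python
    import ipaddress
    from dataclasses import dataclass

    # NetBIOS-over-TCP/IP and SMB ports that best practice keeps off the Internet.
    NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

    # Ranges treated as "local"; anything else is considered a public destination.
    LOCAL_NETS = [ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

    @dataclass
    class Event:
        direction: str   # "out" or "in"
        proto: str       # "udp" or "tcp"
        src: str
        dst: str
        dport: int
        process: str

    def parse_line(line: str) -> Event:
        """Parse one constructed log line:
        '<dir> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <process>'."""
        direction, proto, src, _, dst, process = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return Event(direction, proto.lower(), src_ip, dst_ip, int(dport), process)

    def is_local(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in LOCAL_NETS)

    def netbios_leaks(lines):
        """Return events where a local process sends NetBIOS/SMB to a public address."""
        flagged = []
        for line in lines:
            ev = parse_line(line)
            if ev.direction == "out" and (ev.proto, ev.dport) in NETBIOS_PORTS \
                    and not is_local(ev.dst):
                flagged.append(ev)
        return flagged

    # Constructed sample log: one NBNS node-status query to a public host (the
    # backtrace look-up), one NBNS query to a LAN host, one inbound probe, and
    # ordinary web traffic. Only the first line should be flagged.
    SAMPLE_LOG = [
        "out udp 192.168.1.10:137 -> 203.0.113.5:137 BLACKD.EXE",
        "out udp 192.168.1.10:137 -> 192.168.1.20:137 SYSTEM",
        "in tcp 198.51.100.7:4567 -> 192.168.1.10:139 -",
        "out tcp 192.168.1.10:1234 -> 203.0.113.5:80 IEXPLORE.EXE",
    ]

    if __name__ == "__main__":
        for ev in netbios_leaks(SAMPLE_LOG):
            print(f"{ev.process} sent {ev.proto}/{ev.dport} to public host {ev.dst}")
    ```
    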
  14. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Port 137 is blocked by default in BI. I don't understand why/how BI is still trying to connect. Outpost will always deny it anyway.

    **edit - ok, it's on the BackTrace tab - NetBIOS node status - I unchecked it
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Thanks for that bit of info. I've disabled it on mine too.

    Interesting side note.. I installed your Outpost/BI combo today just for fun, and found that all traffic was controlled by Outpost, with nothing getting in to BI at all. It's interesting how things work differently on different systems. I'm on Win2k here, if that makes any difference. BI didn't ask for permission to do anything either. It's as if it didn't exist, with all the action going to Outpost.

    Anyway, I'm back to just pure BI now.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    CrazyM, what is the danger of allowing such Netbios lookups? Is it just that you would lose your stealth status? Or are there further dangers?
     
  17. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It just strikes me as odd, with all the marketing by firewall vendors about how firewall "X" will make you invisible (stealth) to hackers, that at the same time they market included backtrace options like traceroute and, in the case of BI, NetBIOS name look-up, which will have your system probing the systems probing you o_O

    So for the most part it is just a "stealth" thing. As most of these probes are automated scans, worms from compromised systems, etc. looking for vulnerable systems the security risk is probably minimal. In the rare case where someone may be looking at your system/network in particular you have to ask yourself would you want to be showing up in their logs as a result of using these features? There are plenty of online resources for this.

    As for NetBIOS specifically, as I noted above, it is best practice to filter this from leaving/entering your system/network.

    Regards,

    CrazyM
     
  18. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Really - nothing at all? I don't see BI trying NetBIOS anymore, but there is quite a bit of this (I'm going to reset for "partial", seeing that this is all it wants):

    Check the amount of probes here:

    http://i154.exs.cx/img154/7115/bi0ft.jpg

    So I'm wondering - does this pair make a good team or is it just a waste of CPU? Which, I might add, the computer feels no different.
     
    Last edited: Mar 28, 2005
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, good point CrazyM, and thanks.. I notice that BI doesn't seem to care much about stealth to begin with, since it allows my system to respond to pings, although it stealths regular TCP port scans and so on. Interesting philosophy. :) I understand you can change the ping reply in the firewall.ini file also. Haven't tried that though.

    At any rate, I've turned off the Netbios lookup stuff as mentioned above.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Lynchknot, I would probably go with one or the other, and not run both at the same time. I was trying Kerio 2 and CHX-I earlier (last night) and decided against that also. Just seems to be best to stick with one firewall at a time. That's my pref anyway.. :)
     
  21. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Well, it does not seem to make any (negative) difference. I have noticed that sometimes BI catches a port scan and sometimes Outpost does. If it doesn't hurt then I suppose it doesn't matter. I wish there was a safe way to test if BI could actually catch something Outpost is incapable of..
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    My best guess is that both or either of them would catch everything. Outpost will block all incoming packets by default, and BI should too; however, it looks like BI will do more analysis of what's coming in than Outpost. So I suppose it just depends on whether you want to know if a particular threat is occurring or not. Either product should block everything though. Or at least that's my take on things.. BI will scan your browser traffic for threats though, where Outpost will not. So there's one difference..

    I kinda like these firewalls and AVs that scan your web traffic... hopefully catching anything bad before it hits your HD. Or at least that's what I'm hoping they do... :)
     
    Last edited: Mar 28, 2005
  23. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Have you looked at Tiny 6.5 Pro? It has an IDS/IPS and many other nice things. A little hard to decipher at first, but interesting...
     
  25. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I hear it's hard to get to know. If it's anything like snort, forget it. I don't have that much patience and time. Thanks. ;)

    BTW, there is a project that is making a 'user friendly' Snort installation at http://www.engagesecurity.com/products/eaglex/
     