Internet Security Systems has released a new version of the BlackICE firewall. The software is available in a PC edition and a server edition, both carrying the same version number, 3.6.coo. BlackICE is a versatile firewall combined with an intrusion detection system. Both incoming and outgoing network traffic are inspected; when something looks suspicious the administrator is alerted and the connection can be closed. The full release notes can be found on this page; these are the most important changes:

Security Content Updates in 3.6.coo:
- The variable name will now be added to the event details of SIP_Blank_Header_Value when any SIP header is blank.
- A condition under which the intruder and victim addresses would be inverted was removed from HTTP_Lock_Method_DOS, HTTP_IIS_FPSE_Debug_Bo and HTTP_Frontpage_Path.
- A false negative was removed for SSL_SoftEther_Detected - now all ports are inspected for additional cipher specifications.
- A false positive was removed for BGP_Open_Malformed by adding detection of capabilities advertisement.
- The condition has been removed where the first of multiple pam.activex.blacklist tuning parameter values was ignored.
- Detection of a new Slammer worm variant has been added to SQL_SSRP_Stackbo and SQL_SSRP_Slammer_Worm.
- User-defined DNS queries are now detectable on a per-DNS-record-type basis. The following DNS user-defined tuning parameters have been added (or updated, in the case of DNS_Query): pam.userdefined.dns_query. for DNS 'A' record queries, pam.userdefined.dns_mx_query. for DNS 'MX' record queries, pam.userdefined.dns_ns_query. for DNS 'NS' record queries, pam.userdefined.dns_hinfo_query. for DNS 'hinfo' record queries, pam.userdefined.dns_any_query. for DNS 'any' record queries, pam.userdefined.dns_cname_query. for DNS 'cname' record queries, and pam.userdefined.dns_ptr_query. for DNS 'ptr' record queries.
- Logic was added to detect BitTorrent responses on port 80.
- A false positive was removed from HTTP_PhpRocket_Traversal.
- A false positive was removed from MSRPC_RemoteActivate_Bo where a null-terminated "//" would trigger the event incorrectly.
- A false positive in MSRPC_Anon_User_Enumeration was removed. The event could trigger on connections where the security association was already established but had not been observed.
- A false positive was removed from Content_Incorrect_Extension. The event would incorrectly trigger on a file with RIFF content and an "mpe" file extension.
- New fingerprints were added to Suspicious_ActiveX_Installer.
- A false positive was removed from HTTP_EZShopper_Search.
- An exit condition was removed after the reporting of HTTP_Long_Header_Name. This allows subsequent HTTP events in the stream, if any, to be reported as well.
- The priority for Content_RAR_Missing_Extension has been changed from high to low because it is not an inherently exploitable event.
- HTML_IE_ActiveX_Loader_Heap_Corruption CLSIDs can now be whitelisted and blacklisted using the tuning parameters pam.content.clsid.activexloaderbo.whitelist and pam.content.clsid.activexloaderbo.blacklist. If an element appears in both lists, the whitelist will have priority.
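To illustrate the per-record-type user-defined DNS detection described above, here is an added example (not BlackICE code): it parses the question section of a DNS query, maps the QTYPE to the tuning-parameter prefix named in the release notes, and checks the queried name against a user-defined list for that record type only. The value format of the tuning parameters (a list of domain suffixes) and the `build_query` helper are assumptions for the demonstration.

```python
import struct

# Constructed mapping: DNS QTYPE -> tuning-parameter prefix named in the release notes.
QTYPE_TO_PARAM = {
    1: "pam.userdefined.dns_query.",         # A
    2: "pam.userdefined.dns_ns_query.",      # NS
    5: "pam.userdefined.dns_cname_query.",   # CNAME
    12: "pam.userdefined.dns_ptr_query.",    # PTR
    13: "pam.userdefined.dns_hinfo_query.",  # HINFO
    15: "pam.userdefined.dns_mx_query.",     # MX
    255: "pam.userdefined.dns_any_query.",   # ANY
}

def parse_question(packet: bytes):
    """Return (qname, qtype) from the first question of a DNS message; reject malformed input."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] == 0:
        raise ValueError("truncated header or empty question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        if length & 0xC0:  # a question name may not use a compression pointer
            raise ValueError("unexpected compression pointer")
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    return ".".join(labels).lower(), struct.unpack("!H", packet[pos:pos + 2])[0]

def match_user_defined(packet: bytes, rules: dict):
    """rules: tuning-parameter prefix -> list of domain suffixes (assumed value format).
    Returns the prefix whose rule matched this query's name and record type, else None."""
    qname, qtype = parse_question(packet)
    prefix = QTYPE_TO_PARAM.get(qtype)  # None for record types without a parameter
    for suffix in rules.get(prefix, []):
        suffix = suffix.lower().strip(".")
        if qname == suffix or qname.endswith("." + suffix):
            return prefix
    return None

def build_query(name: str, qtype: int) -> bytes:
    """Constructed helper: minimal DNS query packet (one question, IN class) for testing."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

An MX query for a listed domain matches only the dns_mx_query rule set; an A query for the same name is checked against the dns_query rules instead, which is the per-record-type behaviour the note describes.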