Although IBM announced earlier this month that it will stop selling BlackICE, one year after acquiring Internet Security Systems, we can still list a new release in the Meuktracker. The firewall's version number has reached 3.6.cqn, and compared with the previous version it has been extended with 37 events and 4 blocking responses. As usual, the new release comes in two flavours: BlackICE PC Protection and BlackICE Server Protection.
The package is a versatile firewall with full intrusion detection. Both incoming and outgoing network traffic is inspected; when something looks suspicious, the administrator is alerted and the connection can be closed. The list of changes is as follows:
New Security Content:

Check Name                                Event Type                    Risk
Netbios_Flood_DoS                         Denial of Service             Low
HTTP_CGI_CsGuestbook_Code_Execution       Unauthorized Access Attempt   High
HTTP_PHP_CRLF_Injection                   Unauthorized Access Attempt   Medium
Oracle_Listener_Services_DoS              Denial of Service             Low
Helix_Universal_Transport_Overflow        Unauthorized Access Attempt   High
PPTP_PoPToP_Ctrl_Packet_BO                Unauthorized Access Attempt   Low
SMTP_Exchange_Verb_BO                     Unauthorized Access Attempt   High
DCOM_SystemActivation_DoS                 Denial of Service             Low
Subversion_Date_Parsing_BO                Unauthorized Access Attempt   High
UDP_Squid_WCCP_Overflow                   Unauthorized Access Attempt   Low
NDMP_Veritas_BackupExec_ErrorField_BO     Denial of Service             Low
BlackBerry_SRP_DoS                        Denial of Service             Low
HTTP_Authentication_Format_String         Unauthorized Access Attempt   Medium
Informix_Username_Overflow                Unauthorized Access Attempt   High
DHCP_ClientID_DoS                         Denial of Service             Low
Informix_Long_Username_Overflow           Unauthorized Access Attempt   High
JavaScript_OLE_Overflow                   Unauthorized Access Attempt   High
Email_Mailman_Date_DoS                    Denial of Service             Low
SMB_BrightStor_Mailslot_Bo                Unauthorized Access Attempt   High
LDAP_OpenLdap_Bind_Dos                    Denial of Service             Low
MSRPC_ARCserver_TapeEngine_Bo             Unauthorized Access Attempt   High
TSM_Login_Language_Overflow               Unauthorized Access Attempt   High
MSRPC_WksSvc_UserEnum_DoS                 Denial of Service             Low
Helix_DNA_LoadTestPassword_Overflow       Unauthorized Access Attempt   High
Loadrunner_Agent_Field_Overflow           Unauthorized Access Attempt   High
Media_File_BO                             Unauthorized Access Attempt   High
CompoundFile_Ole_LoadPicture_Overflow     Unauthorized Access Attempt   High
IMAP_CramMD5_Long_Username                Unauthorized Access Attempt   High
HTTP_Share_Point_XSS                      Unauthorized Access Attempt   Medium
SSM_List_BO                               Unauthorized Access Attempt   High
JavaScript_XML_CoreSvc_Code_Execution     Unauthorized Access Attempt   High
CSS_String_Heap_Corruption                Unauthorized Access Attempt   High
HTML_IE_TableInfo_Code_Exec               Unauthorized Access Attempt   High
RSS_Vista_Headline_Gadget_Code_Exec       Unauthorized Access Attempt   High
BIFF_Workbook_Index_Mem_Corrupt           Unauthorized Access Attempt   High
MS_WMP_Decompress_Overflow                Unauthorized Access Attempt   High
HTTP_VML_Detected                         Unauthorized Access Attempt   Low
Security Content Improvements:
- Corrected a false negative in the HTTP URL whitelist cache.
- Fixed a false positive in PE_DotNet_Loader_Exec.
- Removed a false positive with HTTP_PHP_Transfer_XSS.
- Updated Event Coalescer to discriminate between IP address tuples with different 802.1Q VLAN IDs. The Event Coalescer intelligently combines events having the same characteristics, such as issueID, victim/intruder IP, and victim/intruder port, into one event.
- Proventia G sensors that support advanced event reporting no longer append the 'vlan' attribute-value pair (AVP), because the field is sent natively to SiteProtector. Advanced event reporting contains an internal VLAN ID field.
- Fixed a false negative in MSRPC_Invalid_Request.
- Updated Event Coalescer to support VLAN ID to discriminate between duplicate IP address tuples.
- Removed a false positive in SSL_Hello_Msg_DoS by completely parsing Server Key Exchanges.
- Fixed a PAM Internal Error which could occur in response to specific malformed FTP server responses.
- Corrected a false positive and a mis-report of the overflow length in Email_VCF_Overflow and Email_VCF_Mozilla_Overflow.
Blocking was added for the following events:
Blocking was removed for the following events:
- SMTP_Exchange_Verb_BO
- Oracle_AuthAlterSession_SqlExec
- IMAP_Mdaemon_Foldername_DoS
- JavaScript_XML_CoreSvc_Code_Execution
- SMTP_Exchange_Verb_DoS
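The Event Coalescer changes listed under Security Content Improvements above (adding the VLAN ID to the grouping key so that duplicate IP address tuples on different 802.1Q VLANs are no longer folded into one event) are illustrated by this added Python example; it is not BlackICE or ISS code, and the Event class, its field names and the constructed sample events are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    """One IDS event; the key fields follow the page's description of the coalescer."""
    issue_id: str                  # check name, e.g. "HTTP_PHP_CRLF_Injection"
    intruder_ip: str
    intruder_port: int
    victim_ip: str
    victim_port: int
    vlan_id: Optional[int] = None  # 802.1Q VLAN ID from the tag; None when untagged

def coalesce_key(ev: Event, vlan_aware: bool) -> Tuple:
    """Grouping key: same issueID and IP/port tuple (plus VLAN ID when vlan_aware)."""
    key = (ev.issue_id, ev.intruder_ip, ev.intruder_port, ev.victim_ip, ev.victim_port)
    return key + (ev.vlan_id,) if vlan_aware else key

def coalesce(events: List[Event], vlan_aware: bool = True) -> List[dict]:
    """Merge events with identical keys into one record carrying a hit count.
    vlan_aware=False reproduces the old behaviour: hosts reusing the same private
    addresses on different VLANs are silently folded into one event."""
    merged: Dict[Tuple, dict] = {}          # dict keeps insertion order (Python 3.7+)
    for ev in events:
        k = coalesce_key(ev, vlan_aware)
        if k in merged:
            merged[k]["count"] += 1
        else:
            merged[k] = {"event": ev, "count": 1}
    return list(merged.values())

# Constructed sample: the tuple 10.0.0.5:40001 -> 10.0.0.9:80 is seen twice in VLAN 10
# and once in VLAN 20 (overlapping RFC 1918 space behind different segments).
SAMPLE = [
    Event("HTTP_PHP_CRLF_Injection", "10.0.0.5", 40001, "10.0.0.9", 80, vlan_id=10),
    Event("HTTP_PHP_CRLF_Injection", "10.0.0.5", 40001, "10.0.0.9", 80, vlan_id=10),
    Event("HTTP_PHP_CRLF_Injection", "10.0.0.5", 40001, "10.0.0.9", 80, vlan_id=20),
    Event("Netbios_Flood_DoS", "10.0.0.7", 137, "10.0.0.9", 137, vlan_id=10),
]

def summarize(vlan_aware: bool) -> List[Tuple[str, Optional[int], int]]:
    """(issueID, VLAN of first merged event, count) per coalesced record for SAMPLE."""
    return [(r["event"].issue_id, r["event"].vlan_id, r["count"])
            for r in coalesce(SAMPLE, vlan_aware)]

if __name__ == "__main__":
    print("legacy:", summarize(vlan_aware=False))  # VLAN 20 hit hidden inside count 3
    print("fixed: ", summarize(vlan_aware=True))   # VLAN 20 reported as its own event
```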