It's not in the Advanced Admin guide because I don't write the guide anymore. :-) (My company did all the tech docs for Network ICE and I was the original author of the BI Advanced Admin Guide. Our doc contract was terminated when ISS took over.)

One of these days, if I ever have time, I'll have to write some "Dummies Guide to BlackICE" that explains how to do all this cool stuff with BlackICE. For example - did you know you can feed Snort signatures into BlackICE? You can. It's easy.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----Original Message-----
From: UOL - IPSYSTEMS [mailto:[EMAIL PROTECTED]
Sent: November 11, 2003 1:37 PM
To: Andrew Plato
Subject: Re: [ISSForum] Add Custom rulez to Auto-Block in Blackice Server

Andrew...THANKS VERY MUCH!

We need to block some file types from download and block who try to.... Works perfectly.

Is there any documentation about this? I have the advanced adm guide for BI but it does not say anything about this... IP|RST for example ... :)

Regards,
Luiz

----- Original Message -----
From: "Andrew Plato" <[EMAIL PROTECTED]>
To: "UOL - IPSYSTEMS" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, November 11, 2003 7:15 PM
Subject: RE: [ISSForum] Add Custom rulez to Auto-Block in Blackice Server

Yes. You can configure BlackICE to block any signature you want.

1. Browse out to the directory where BI is installed. Make a backup copy of the issuelist.csv
2. Open up the issue-list.csv in Excel (or similar spreadsheet program).
3. Locate the signatures you want to block.
4. Change the IMPACT column for that signature to IP|RST
5. Stop the BI engine
6. Save the file (make sure to save it as a CSV file and not Excel)
7. Restart BI.

Whenever the signature(s) you selected are triggered, the agent will block the offending IP. I've used this to stop spammers who routinely cause "Email Error" signatures.

You can also distribute this via ICEcap/SiteProtector by creating your own "versions" of the agent. For example, you could create a special 7.0 ebc build that would have these signature changes in them.
Just go to the Versions directory under desktop controller. Make a copy of the directory for the version you want to customize and rename the directory (I usually name them "7.0 ebc-1" or something like that). Customize the issuelist.csv file stored in that directory. Then use that version in a policy to generate an agent build.

The only catch is that you'll have to propagate such customizations to each new version that comes down from ISS - which can be a pain.

NOTE: None of this is supported by ISS.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----Original Message-----
From: UOL - IPSYSTEMS [mailto:[EMAIL PROTECTED]
Sent: November 11, 2003 9:29 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Add Custom rulez to Auto-Block in Blackice Server
Importance: High

Hi,

I'd customize Blackice.ini with new issues. We'd like that this new "attacks / issues" will be automatically blocked. These issues, for now, are only being logged to BlackIce Gui...

How can I configure Blackice to Auto-Block my customized settings?

Regards,
Luiz
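
Steps 1 to 6 of the procedure in Andrew Plato's message of 7:15 PM (back up the file, set the IMPACT column to IP|RST for chosen signatures, save as CSV), scripted as an added example that is not part of the thread or of any ISS tooling. The header row, the NAME key column, the latin-1 encoding and the sample rows are assumptions; only the IMPACT column, the IP|RST value and the "Email Error" signature name come from the thread.

```python
import csv
import io
import os
import shutil

BLOCK_IMPACT = "IP|RST"  # IMPACT value named in the thread

# Constructed sample: the header layout and ORIGINAL-VALUE are placeholders,
# not the real file's contents. Only "IMPACT" and "Email Error" are from the thread.
SAMPLE = ("ID,NAME,IMPACT\r\n"
          "1001,Email Error,ORIGINAL-VALUE\r\n"
          "1002,Example Signature,ORIGINAL-VALUE\r\n")


def set_block_impact(csv_text, signatures, key_column="NAME"):
    """Return (new_csv_text, changed_names); key_column is an assumed column name."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    fields = reader.fieldnames or []
    for required in (key_column, "IMPACT"):
        if required not in fields:
            raise ValueError(f"column {required!r} missing from header {fields}")
    wanted = {s.strip().lower() for s in signatures}
    rows, changed, seen = [], [], set()
    for row in reader:
        name = (row[key_column] or "").strip()
        seen.add(name.lower())
        if name.lower() in wanted and row["IMPACT"] != BLOCK_IMPACT:
            row["IMPACT"] = BLOCK_IMPACT
            changed.append(name)
        rows.append(row)
    if wanted - seen:  # refuse to write if a requested signature is absent
        raise KeyError(f"not in file: {sorted(wanted - seen)}")
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), changed


def patch_file(path, signatures, key_column="NAME"):
    """Back up, edit and save as CSV (run while the BI engine is stopped)."""
    if not os.path.exists(path + ".bak"):  # keep the first, unmodified backup
        shutil.copy2(path, path + ".bak")  # step 1: backup copy
    with open(path, newline="", encoding="latin-1") as fh:
        text = fh.read()
    new_text, changed = set_block_impact(text, signatures, key_column)
    with open(path, "w", newline="", encoding="latin-1") as fh:
        fh.write(new_text)  # step 6: still plain CSV
    return changed
```

Compare the edited file against the .bak copy before restarting the engine, so that only the intended IMPACT cells differ.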
