Black ICE 2.5 Events, False Positives and Custom Attack Signatures
The major challenge for administrators of Intrusion Detection Systems is distinguishing between events that are genuine malicious activity and those that are false positives. This paper aims to help BlackICE IDS administrators by identifying and classifying some events frequently seen by IDS agents in two common deployments – on a DMZ web server and on systems within an internal (mainly Microsoft) network.
Network ICE does provide BlackICE event (‘intrusion’) descriptions in an online database, but many of these need further research before they can be classified satisfactorily. This paper includes additional research into some common events.
The nature of BlackICE’s detection engine means that certain generic events may be triggered by several different attacks (e.g. the “HTTP field with binary” event). IDS administrators are encouraged to research all reported events thoroughly rather than assume that event X is the result of attack Y.
The last section of the paper covers an unsupported method of creating custom BlackICE attack signatures that may prove useful in certain circumstances. A custom attack signature could be used to detect a new attack in the period between the attack being first identified and the vendor releasing an official attack signature update.
Please note that an in-depth discussion of incident handling and response procedures is not part of this research. Other papers available from SANS address such issues.