ClearICE
Report Utility for BlackICE

If you can't find your answer here, check the ClearICE FAQ.

If you are running ClearICE 3.0, 4.0 or the Network ICE Special Edition, you must purchase and install the latest ClearICE full release. ClearICE is fully compatible with the new BlackICE PC Protection release from Internet Security Systems. The date and time of the CLEARICE.EXE file should match the date and time in the latest update link shown above. If they don't match, you need to download the update.
Cyber Hood Watch is a non-profit organization dedicated to educating the users of Internet technologies regarding their safety and security online. Please take a moment to visit their site for more information. Brady & Associates, LLC is a proud sponsor of Cyber Hood Watch.
Before reporting attacks it is necessary to determine the level of threat the attack poses to your system. The reporting of attacks could have been more automated; the choice not to do so is a very conscious one on my part, for a good common-sense reason: it is imperative that good old human judgment be used in determining which attacks should actually be reported. BlackICE Defender gives us a severity number that is calculated from specific criteria about the attack when it is intercepted. My rule of thumb is to report attacks if they are of a severity of 4 or above. The reason for this is simple. Attacks below 4, in my opinion, are handled adequately by BlackICE in terms of the action it takes against the attack. It also helps the ISPs that receive attack reports not to be overwhelmed by reports of superfluous attacks. Please use good judgment in reporting attacks, ensuring the cooperation of the ISPs in helping to curb the rising incidence of hacking on the Internet.

PRIOR to reporting BlackICE Defender log entries from the Shields Up (www.grc.com) web site, or any other port-scanning web site, it is YOUR RESPONSIBILITY to determine whether these log entries are actual attacks! These log entries may be created as a result of your interaction with the web site. It is possible, however, that a skillful hacker could disguise their activities by masquerading as one of these web sites in order to sneak past your defenses. Be aware of your security testing efforts and the effects they might have on BlackICE Defender or any other firewall or intrusion detection system you may have in place. Check with the Network ICE Knowledge Base and other Internet resources to determine whether the log entries pose any kind of threat to your computer security.

Thank you for using ClearICE!
Using ClearICE - The Quick Start Guide

SETTING THE OPTIONS

Step 1. Click Options

FILE PATH SETTINGS

ClearICE automatically points to the BlackICE Defender log file, attack-list.csv, in the folder where BlackICE is installed on your computer. The default location is the "Program Files\Network ICE\BlackICE" folder. If you have installed BlackICE Defender into a different folder, press the "Open Folder" button next to the BlackICE Attack File Path entry field to browse your hard disk to the folder where BlackICE Defender is installed.

We recommend Smart WhoIs as it seems to be the fastest of the three applications in returning the information regarding the Intruder IP address. If you would like to purchase Smart WhoIs, CLICK HERE. To use Smart WhoIs, point to the special interface file SWLAUNCHER.EXE in the ClearICE folder.

ALARM SETTINGS
Most of these settings are self-explanatory.

Alarm Interval is the period of time that must pass before ClearICE checks for new log entries in the BlackICE Attack-list.CSV file. The default is 60 seconds (6,000 milliseconds). The minimum value is 10 seconds (600 milliseconds).

Alarm Recycle is a multiplier used to control how often the import process runs. It works in conjunction with the Alarm Interval. As an example, the Alarm Interval default is 6000, or 60 seconds, and the Alarm Recycle default is 1. This equates to performing the import once every 60 seconds. If you want to perform the import every minute and a half, set the Alarm Interval to 3000 (30 seconds) and the Alarm Recycle to 3, and ClearICE will check the BlackICE log file every 90 seconds. It must work this way because the Windows timer has a problem with intervals greater than 65 seconds. The Alarm Recycle is very flexible: with the new implementation you can set ClearICE to perform an import at intervals GREATER than the previous maximum of 1 minute. For example, with an Alarm Interval of 6000 and an Alarm Recycle of 1440, ClearICE will check the BlackICE log file and import data once a day.

Primary Sound and Secondary Sound allow you to select the wave file to play when an intrusion is detected. The Secondary Sound will continue to sound each time the Alarm Interval cycles, to remind you to check the database for new entries. You can silence the Secondary Sound by pressing the "Intruder" button on the toolbar of the main ClearICE window.

Alarm Period Enable allows you to set a period of time during which the alarm will sound. The default period, if enabled, is from 7:00 AM to 11:00 PM. ClearICE will not sound any alarms OUTSIDE of this period.
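The Alarm Interval and Alarm Recycle arithmetic above, together with the Alarm Period check, worked through as an added Python example. This is not ClearICE's own code. It assumes, from the page's own figures (6000 = 60 seconds, 600 = 10 seconds), that one interval unit is 10 ms, caps the timer interval at the 1 minute maximum the page mentions, and goes slightly beyond the page by choosing an interval/recycle pair for any desired period and by handling an alarm window that crosses midnight.

```python
"""Added example (not ClearICE's own code): the Alarm Interval / Alarm
Recycle arithmetic from the Alarm Settings, plus the Alarm Period check.
The page's figures (6000 = 60 s, 600 = 10 s) imply one interval unit is
10 ms, which this example assumes."""
import datetime

UNITS_PER_SECOND = 100       # assumed from 6000 units == 60 seconds
MIN_INTERVAL = 600           # 10 seconds, the documented minimum
MAX_INTERVAL = 6000          # 60 seconds; the page says the Windows timer
                             # misbehaves above 65 s, so stay at 1 minute


def import_period_seconds(alarm_interval, alarm_recycle):
    """Seconds between log-file checks: the import runs once every
    alarm_recycle timer ticks, and each tick is alarm_interval units."""
    if alarm_interval < MIN_INTERVAL:
        raise ValueError("Alarm Interval below the 10 second minimum")
    if alarm_recycle < 1:
        raise ValueError("Alarm Recycle must be at least 1")
    return alarm_interval * alarm_recycle / UNITS_PER_SECOND


def choose_timer(period_seconds):
    """Pick (alarm_interval, alarm_recycle) for a desired import period.
    Keeps the interval within [MIN_INTERVAL, MAX_INTERVAL] and uses the
    smallest recycle multiplier that fits, so periods longer than a minute
    are reached by recycling rather than by a long timer interval."""
    units = int(period_seconds * UNITS_PER_SECOND)
    if units < MIN_INTERVAL:
        raise ValueError("period shorter than the 10 second minimum")
    for recycle in range(1, units // MIN_INTERVAL + 1):
        if units % recycle:
            continue
        interval = units // recycle
        if MIN_INTERVAL <= interval <= MAX_INTERVAL:
            return interval, recycle
    raise ValueError("no interval/recycle pair gives %s seconds" % period_seconds)


def alarm_allowed(now, period_enabled=True,
                  start=datetime.time(7, 0), end=datetime.time(23, 0)):
    """True if a sound may play at time `now`. With Alarm Period enabled the
    default window is 7:00 AM to 11:00 PM; outside it ClearICE stays silent.
    A window that crosses midnight (start > end) is also handled, which goes
    beyond the single daytime window the page describes."""
    if not period_enabled:
        return True
    if start <= end:
        return start <= now < end
    return now >= start or now < end


if __name__ == "__main__":
    for interval, recycle in [(6000, 1), (3000, 3), (6000, 1440)]:
        print(interval, recycle, "->", import_period_seconds(interval, recycle), "s")
    for wanted in [60, 90, 86400]:
        print(wanted, "s ->", choose_timer(wanted))
    print("alarm at 23:30 allowed:", alarm_allowed(datetime.time(23, 30)))
```

Note that choose_timer(90) returns (4500, 2) rather than the page's (3000, 3); both give a 90 second period, the function simply prefers the fewest recycles.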
OPERATIONAL SETTINGS

Minimize on Start - allows ClearICE to be minimized to the system tray upon start up.

Empty Import Database - allows you to clear the ClearICE database prior to importing. This is very useful if you want to import a large file. If this checkbox is enabled, Duplicate Filter Enable is turned off. You should not use this setting unless you actually want to delete all of the records in the ClearICE database and import all records in the Attack-list.csv file.

Duplicate Filter Enable - allows you to skip over duplicate records that have already been imported into the ClearICE database, so that only the new attacks are imported. If you turn this checkbox on (this should be the normal setting), the Empty Import Database checkbox is turned off.

Email Attack Popup Disable - disables the message of instructions that normally pops up when you press the Email Attack button.

Auto Import Disable - disables the automatic import feature and requires manual importing of the data.

Attack Count Threshold - used for display purposes. If the number of attacks for an entry exceeds this value, the count is displayed in red.
CUSTOM MESSAGES (suggested verbiage)

Green Alert: (Severity threshold: 2)
Yellow Alert: (Severity threshold: 3)
Red Alert: (Severity threshold: 4)
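The import and display rules described in the Operational Settings and Custom Messages sections, together with the "report at severity 4 or above" rule of thumb from the introduction, as an added Python example. This is not ClearICE's own code: the attack-list.csv column layout, the sample log rows, the duplicate-matching rule (whole row) and the Attack Count Threshold default are all constructed for the example, so check the header of your own attack-list.csv before relying on the field names.

```python
"""Added example (not ClearICE's own code): a small importer that applies
the documented options to a BlackICE attack-list.csv: the Duplicate Filter /
Empty Import Database pair, the Attack Count Threshold, the Custom Messages
severity thresholds, and the 'report at severity 4 or above' rule of thumb.
Column layout and log rows are constructed for this example."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. The fourth row repeats the second, as happens when
# the same file is imported twice without the duplicate filter.
SAMPLE_ATTACK_LIST = """\
severity,time,issueId,issueName,intruderIp,intruderName,victimIp,victimName,parameters,count
1,2002-03-04 10:15:22,9001,TCP port probe,203.0.113.7,,192.0.2.10,MYPC,port=80,1
4,2002-03-04 10:16:01,9002,UDP port scan,203.0.113.7,,192.0.2.10,MYPC,ports=137-139,12
6,2002-03-04 11:02:45,9003,NetBIOS name query,198.51.100.23,,192.0.2.10,MYPC,,3
4,2002-03-04 10:16:01,9002,UDP port scan,203.0.113.7,,192.0.2.10,MYPC,ports=137-139,12
"""


@dataclass
class Options:
    report_threshold: int = 4         # rule of thumb: report severity 4 and above
    green_threshold: int = 2          # Custom Messages suggested thresholds
    yellow_threshold: int = 3
    red_threshold: int = 4
    attack_count_threshold: int = 10  # assumed value; the page gives no default
    duplicate_filter: bool = True     # the normal setting
    empty_import_database: bool = False

    def __post_init__(self):
        # The two checkboxes are mutually exclusive: enabling Empty Import
        # Database turns the Duplicate Filter off.
        if self.empty_import_database:
            self.duplicate_filter = False


def parse_attack_list(text):
    """Parse attack-list.csv text into dicts; severity and count become ints."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["severity"] = int(row["severity"])
        row["count"] = int(row["count"])
        records.append(row)
    return records


def record_key(record):
    """Identity used by the duplicate filter (assumed here: the whole row)."""
    return tuple(sorted(record.items()))


def import_attack_list(text, db, options):
    """Import records into db (a list). Returns (imported, skipped)."""
    if options.empty_import_database:
        db.clear()
    seen = {record_key(r) for r in db}
    imported = skipped = 0
    for rec in parse_attack_list(text):
        key = record_key(rec)
        if options.duplicate_filter and key in seen:
            skipped += 1
            continue
        seen.add(key)
        db.append(rec)
        imported += 1
    return imported, skipped


def alert_level(severity, options):
    """Colour of the custom message for a severity; the highest match wins."""
    if severity >= options.red_threshold:
        return "red"
    if severity >= options.yellow_threshold:
        return "yellow"
    if severity >= options.green_threshold:
        return "green"
    return "none"


def should_report(record, options):
    """Candidates for an Email Attack report; human judgment still decides."""
    return record["severity"] >= options.report_threshold


def attacks_by_intruder(db):
    """Total attack count per intruder IP, like the 'By Intruder Name' view."""
    totals = defaultdict(int)
    for rec in db:
        totals[rec["intruderIp"]] += rec["count"]
    return dict(totals)


def count_is_red(count, options):
    """Attack Count Threshold: counts above it are shown in red."""
    return count > options.attack_count_threshold


if __name__ == "__main__":
    db = []
    opts = Options()
    print("imported/skipped:", import_attack_list(SAMPLE_ATTACK_LIST, db, opts))
    for rec in db:
        print(rec["severity"], alert_level(rec["severity"], opts),
              rec["intruderIp"], rec["issueName"],
              "REPORT" if should_report(rec, opts) else "")
    for ip, total in attacks_by_intruder(db).items():
        print(ip, total, "(red)" if count_is_red(total, opts) else "")
```

Running it with the sample shows three rows imported and the repeated row skipped; importing the same file again adds nothing, which is the "only the new attacks" behaviour the Duplicate Filter setting describes.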
USING CLEARICE

Step 2. Importing the BlackICE Defender Log file

Step 3. Sorting the data
Step 4. Reporting Attacks - Quick Start instructions

When "Email Attack" is clicked, a green dot appears in the second column from the left, indicating that the attack has been "reported". This reminder is retained even if you "Import" again. A message is also displayed as follows:

If multiple attack rows are to be reported, use the "Multi-Record Export Method" detailed below to create a file for attaching to the email. NOTE! Most ISPs WILL NOT ACT upon reports submitted in this fashion. Unless you specifically know that the ISP will accept multiple record reports, DO NOT USE THEM!

3. CREATE THE EMAIL MESSAGE

4. SEND THE EMAIL MESSAGE

For more details regarding reporting attacks click HERE!
BROWSE WINDOW FEATURES

BROWSE | VIEW BLACKICE ATTACK LIST FILE opens a display of the raw data in the log. No data operations are possible.

BROWSE | BROWSE INTRUSIONS opens the primary ClearICE window. The logged records are displayed as rows, with each field in a separate column, and can be Sorted, Tagged and Exported. Initially, all records appear.

The icons on the tool bar below the menu bar are used to navigate through the rows. The function of each will pop up when the mouse is hovered over the icon for a second. "By Intruder Name" displays the rows in Intruder Name order, so all of the attacks from an Intruder Name are displayed together. This allows you to easily see all of the intrusions received from a specific Intruder in order to determine any trends in the attacks. A "Custom View" tab will appear if you create a custom view with the View Wizard. If you want to do some other type of sort that is not provided for by the tabs, you can right click on the column header of any of the columns displayed in the browse and select the type of sort you would like to execute.

USER-DEFINED VIEWS (NEW FEATURE!)
You will notice that at the top of the Browse Intrusions window there are two drop-down list fields: the Queries group and the View group. These fields are used to interact with the ClearICE database: ad-hoc queries reduce the number of records in the list, and customizable user-defined list box views reduce the complexity of the data displayed on the screen. The modules used in the Browse Intrusions procedure (Query Wizard, View Wizard and Spreadsheet Wizard, which is used to export data) provide a consistent interface for working with the ClearICE database. The Report Wizard also provides the ability to produce user-defined reports that may be printed to hard copy or other electronic output. All you have to do is follow the prompts for each of the wizards and make the appropriate decisions to produce the desired results. Any custom view that was in effect when you exited the Browse Intrusions window will be re-established when you open it again. You can return to the Default view by pressing the "Reset View" button or selecting "Default View" from the drop-down list.

TAGGING SUBSETS OF RECORDS FOR PROCESSING
Located at the bottom of the Browse Intrusions window is the ClearICE tagging interface: a series of buttons used to select records from the database for specific handling such as reporting or deletion. Tagging is used in preparation for exporting multiple selected rows as a group to an external file, for attaching to an email or processing in a spreadsheet. Click on the first row to be exported, then click the "Tag" button. A red dot will appear in the row's left column, indicating that the row is Tagged. Now click the tag column of all other rows in the group to be exported. A row's tag can be removed by clicking the tag column again.

Several other buttons are also provided for mass tagging operations:

GRAPHING INTRUSION DATA
Clicking on the Graphs menu on the Menu bar or the Graphs button on the Browse Intrusions window will execute the graphing functions of the data in the ClearICE data file. As shown above, you can graph by Severity, Issue Name (intrusion type) and Date (by Month). Right clicking on any of the graphs will allow you to print the graph or save it to a file. Future enhancements will allow you to embed graphs in the hardcopy reports.
MULTI-RECORD EXPORTING TO EXCEL, HTML, CSV AND DBF

Pressing the Export Data button on the Browse Intrusions window will allow you to customize the creation of an export file in one of several different formats: Excel spreadsheet, CSV, HTML and dBase files. IMPORTANT NOTE! You MUST have MS Office installed for the export to execute successfully.
Your feedback is appreciated! Please click on the email link below and send me your comments.