To understand why this is happening, you need to distinguish between the blocking and
the intrusion detection functions.
First, blocking--specifically IP address blocking--can be done as explained in
knowledge base article q000030.
Blocking makes your computer invisible to the blocked IP address. From
the point of view of that blocked IP address, your computer is no longer on the Internet.
This doesn't mean that the blocked IP address can no longer transmit traffic to
your computer; it can, but it won't see any responses from your computer.
Intrusion detection is different from blocking. Intrusion detection is always active
while the program is installed. It continues to monitor traffic directed to your computer,
including traffic from the blocked IP addresses. Note that even though the traffic from
the blocked IP addresses is being monitored, the firewall component will keep it from reaching
the network applications running on your computer.
This then explains why you continue receiving events from blocked IP addresses.
If you want to actually have our program ignore certain attacks, you can add
the following line to blackice.ini:
trust.pair=IPaddressOfIntruder,IssueCode
Where IPaddressOfIntruder is the IP address of the intruder and IssueCode is the
event code as noted in our intrusions page. For example,
trust.pair = 161.31.3.4,2002004
The code 2002004 above is the issue code for SNMP discovery broadcast.
After you add the line, save, and close blackice.ini, the change takes effect within
a couple of seconds.
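The following Python script is an added example, not part of the original article or of the
product: it lists the trust.pair entries found in the text of a blackice.ini file so you can
review which intruder/issue pairs are being ignored, and it flags malformed entries.
It assumes only the trust.pair=IPaddress,IssueCode form shown above, an IPv4 address and a
numeric issue code; the sample file contents are constructed.

```python
import ipaddress
import re

# Matches the one form shown in the article: trust.pair=IP,IssueCode,
# with optional spaces around "=". Every other line is skipped.
TRUST_PAIR = re.compile(r"^\s*trust\.pair\s*=\s*(.*?)\s*$")


def audit_trust_pairs(ini_text):
    """Return (valid, malformed) trust.pair entries found in ini_text.

    valid:     list of (line_no, ip, issue_code)
    malformed: list of (line_no, raw_value, reason)
    """
    valid, malformed = [], []
    for line_no, line in enumerate(ini_text.splitlines(), start=1):
        m = TRUST_PAIR.match(line)
        if not m:
            continue
        value = m.group(1)
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            malformed.append((line_no, value, "expected IPaddress,IssueCode"))
            continue
        ip, code = parts
        try:
            ipaddress.IPv4Address(ip)  # assumption: entries use IPv4 addresses
        except ValueError:
            malformed.append((line_no, value, "not an IPv4 address"))
            continue
        if not re.fullmatch(r"[0-9]+", code):  # assumption: numeric issue codes
            malformed.append((line_no, value, "issue code is not numeric"))
            continue
        valid.append((line_no, ip, int(code)))
    return valid, malformed


# Constructed sample; only the trust.pair lines follow the article's format.
SAMPLE_INI = """\
some.other.setting=1
trust.pair=161.31.3.4,2002004
trust.pair = 161.31.3.4,2002004
trust.pair=161.31.3.400,2002004
trust.pair=161.31.3.4
trust.pair=161.31.3.4,SNMP
"""

if __name__ == "__main__":
    ok, bad = audit_trust_pairs(SAMPLE_INI)
    for line_no, ip, code in ok:
        print(f"line {line_no}: issue code {code} from {ip} is ignored")
    for line_no, value, reason in bad:
        print(f"line {line_no}: malformed trust.pair '{value}': {reason}")
```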