There is a way to turn off reporting for false positives. It is pretty easy
if you have the ICECap server, but you can manually construct them from the
BlackICE Advance Admin Guide. You simply add entries to the blackice.ini
(or automatically to the icecap.ini file from the ICECap server):

Example: to not report an issue, add

    trust.issue = 2002804   --> trust issue #2002804 (this does not unblock the
                                probe; it simply is not reported by the IDS)

Extracting an issue from the default TCP Port Probe:

    tcpprobe.2003023.22=SSH
    issue.2003023.name=SSH Port Probe

Joe
Other negatives are that you can't turn off any of the sigs (for repeated
false positives).  And some sigs are a little vague in their description, so
it won't tell you the difference between a Code Red or a Nimda scan for
example, but you probably don't need that much granularity for a personal FW
anyway.  At that point you'd probably want a dedicated IDS system.
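As an added example (not part of either message above, and not BlackICE or ICECap code), here is a small Python audit script for the kind of blackice.ini entries the reply describes. It reads `trust.issue`, `tcpprobe.<id>.<port>` and `issue.<id>.name` lines and cross-references them, so an administrator can see which port-probe issues have been silenced and which trust entries point at nothing. The one-directive-per-line `key = value` layout and the `;` comment prefix are assumptions; the sample fragment is constructed from the two entries quoted in the reply.

```python
"""Audit a BlackICE-style ini fragment for suppressed ("trusted") issues.

Added illustration; the exact blackice.ini grammar is an assumption based on
the entries quoted in the mailing-list reply (trust.issue, tcpprobe, issue.*.name).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, not a real blackice.ini. It repeats the reply's two
# entries and adds one more probe definition so the cross-check has something
# to report on both sides.
SAMPLE_INI = """\
; constructed sample fragment
trust.issue = 2002804
trust.issue = 2003023
tcpprobe.2003023.22=SSH
issue.2003023.name=SSH Port Probe
tcpprobe.2003024.23=Telnet
issue.2003024.name=Telnet Port Probe
"""

# Assumed line shapes; whitespace around '=' is tolerated.
TRUST_RE = re.compile(r"^trust\.issue\s*=\s*(\d+)\s*$")
PROBE_RE = re.compile(r"^tcpprobe\.(\d+)\.(\d+)\s*=\s*(.+?)\s*$")
NAME_RE = re.compile(r"^issue\.(\d+)\.name\s*=\s*(.+?)\s*$")


@dataclass
class Audit:
    trusted: set[str] = field(default_factory=set)          # issue IDs never reported
    probes: dict[str, tuple[int, str]] = field(default_factory=dict)  # id -> (port, label)
    names: dict[str, str] = field(default_factory=dict)     # id -> human-readable name

    def suppressed_probes(self) -> list[str]:
        """Port-probe issues that are also trusted, i.e. still blocked but no longer reported."""
        return sorted(i for i in self.probes if i in self.trusted)

    def unknown_trusts(self) -> list[str]:
        """Trusted IDs with no issue.<id>.name line: stale entries or mistyped IDs."""
        return sorted(i for i in self.trusted if i not in self.names)


def parse_ini(text: str) -> Audit:
    """Collect the three directive kinds; unrelated lines are ignored."""
    audit = Audit()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := TRUST_RE.match(line):
            audit.trusted.add(m.group(1))
        elif m := PROBE_RE.match(line):
            audit.probes[m.group(1)] = (int(m.group(2)), m.group(3))
        elif m := NAME_RE.match(line):
            audit.names[m.group(1)] = m.group(2)
    return audit


def report(audit: Audit) -> list[str]:
    """Human-readable summary lines; the reply notes trust only silences reporting."""
    lines = []
    for issue_id in audit.suppressed_probes():
        port, label = audit.probes[issue_id]
        name = audit.names.get(issue_id, "<no issue.*.name line>")
        lines.append(f"{issue_id} ({name}, {label}/tcp port {port}): "
                     "trusted -> still blocked, no longer reported")
    for issue_id in audit.unknown_trusts():
        lines.append(f"{issue_id}: trusted but no issue.{issue_id}.name defined here "
                     "(check the ID against the Advanced Admin Guide)")
    return lines


if __name__ == "__main__":
    for line in report(parse_ini(SAMPLE_INI)):
        print(line)
```

Run it against a real blackice.ini by replacing `SAMPLE_INI` with the file's contents; the two list methods are the useful output, the `report()` text is just a convenience wrapper around them.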