Security Basics mailing list archives
RE: TCP/IP services, Win2k, and Snort.
From: "CHRIS GRABENSTEIN" <LFGRABC () LF VCCS EDU>
Date: Wed, 14 May 2003 13:17:42 -0400
I would recommend building or buying a sniffer cable. Take a look at http://www.geocities.com/samngms/sniffing_cable/ This will allow you to receive traffic while making it impossible to send any yourself.

|-----Original Message-----
|From: dataclaus1 () hushmail com [mailto:dataclaus1 () hushmail com]
|Sent: Tuesday, May 13, 2003 8:10 PM
|To: security-basics () securityfocus com
|Subject: TCP/IP services, Win2k, and Snort.
|
|Hello List,
|
|I have prepped a win2k/snort2.0/mysql/acid standalone box to listen
|outside our firewall.
|
|In order for MySQL to run, TCP/IP has to be installed (but not
|necessarily active) for an interface.
|
|In order for ACID to work with IIS, Client for Microsoft Networks has
|to be installed (but not necessarily active) for an interface.
|
|Thus, with a single ethernet card in the box, Local Area Connection
|properties show both TCP/IP and Client for MS Networks. Both check
|boxes are empty, and I get no ping response from the box anymore, and
|Promiscan promiscuous node sensor does not turn it up (but it
|enumerates by IP address).
|
|I guess my question is--without an IP address, in passive sniffer mode,
|and setting aside any vulnerabilities in snort (recent RPC and stream4
|fr'instance), can its presence be detected (via MAC address?), and if
|so, with TCP/IP turned off for the interface, what kind of exploitation
|could it be vulnerable to? I know there are papers about how to detect
|promiscuous interfaces.
|
|Such as: Having obtained the MAC address on the sniffing interface,
|could pure 802.b packets be sent to try to crack the box?
|
|IIS, PHP, and MySQL should all be relatively safe, should they not,
|because they are being used via localmachine only (assuming correct
|configuration)?
|
|Thanks,
|cm
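One way to check the property the reply is after, that the sensor interface never puts a frame on the wire: capture on the monitored segment from a second host and look for the sensor's MAC as an Ethernet source address. This is an added example, not part of the original thread; the MAC addresses and the two in-memory captures are constructed, and the format assumed is classic libpcap with Ethernet link type.

```python
import struct

SENSOR_MAC = "02:00:00:00:00:01"   # constructed address for the sniffing NIC
OTHER_MAC = "02:00:00:00:00:02"    # constructed address for another host

def _mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def frames_sent_by(pcap_bytes, mac):
    """Return (frame index, EtherType) for each frame whose source MAC is `mac`."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    want, hits, offset, index = _mac(mac), [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record
        # Ethernet II: destination (6 bytes), source (6 bytes), EtherType (2 bytes)
        if len(frame) >= 14 and frame[6:12] == want:
            hits.append((index, struct.unpack("!H", frame[12:14])[0]))
        offset += 16 + incl_len
        index += 1
    return hits

def _capture(frames):
    """Build an in-memory little-endian pcap from raw Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

def _frame(dst, src, ethertype):
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + bytes(46)

# Constructed captures: one where the sensor only receives, one where it answers.
QUIET = _capture([_frame("ff:ff:ff:ff:ff:ff", OTHER_MAC, 0x0806),
                  _frame(SENSOR_MAC, OTHER_MAC, 0x0800)])
LEAKY = _capture([_frame("ff:ff:ff:ff:ff:ff", OTHER_MAC, 0x0806),
                  _frame(SENSOR_MAC, OTHER_MAC, 0x0800),
                  _frame(OTHER_MAC, SENSOR_MAC, 0x0806)])
```

An empty result over a long capture is what a receive-only cable or a fully unbound interface should produce; any hit means the sensor transmitted and the EtherType shows which protocol was involved.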
Current thread:
- TCP/IP services, Win2k, and Snort. dataclaus1 (May 14)
- RE: TCP/IP services, Win2k, and Snort. Mark Ng (May 15)
- <Possible follow-ups>
- RE: TCP/IP services, Win2k, and Snort. CHRIS GRABENSTEIN (May 15)
- RE: TCP/IP services, Win2k, and Snort. Kurt (May 20)