Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snooper watchers

From: bent () snm com (Ben Taylor)
Date: Wed, 22 Feb 1995 17:20:14 -0500 (EST)

On Wed, 22 Feb 1995, Eric Conrad wrote:


I'm doing some work for a client who has had some suggestions that they
run a program to watch the state of ifconfig, and send mail if the
interface ever goes promiscuous.  This works just fine under SunOS 4.x,
however, their concern is that this does not appear to work for Solaris 2.x.


The first thing many crackers do is replace ifconfig with a trojan that 
won't report when an interface is in promiscuous mode.


Right.  Which is one of the reasons I'm asking.  We are currently using
cpm, but as you pointed out, that could be spoofed.



You could look at 'cpm', which will also show when an interface is 
promiscuous.  It's available from ftp.cert.org.  You're still in the same 
boat if someone replaces it with their own, however.


Well, I assume the next version of cpm should actually do some
sort of code like ifconfig, which means you'd have to spoof that code.
If you don't know what to look for, you may not know what you have to
spoof.  If they reach that point, they're probably recorded.



                              ...Eric



Ben Taylor --- Chief Information Officer --- Smoke N' Mirrors, Inc.
-=-=-=-=-=-=-=-  Services for Systems Integration -=-=-=-=-=-=-=-=-
bent () snm com  "Where the impossible jobs get done!"  (703) 318-1440
           580 Herndon Pkwy, Suite 300, Herndon VA, 22070
Previous By Date Next
Previous By Thread Next

Current thread: