Dailydave mailing list archives

Re: Sniffing is not the easy answer, Kate.


From: "Andrew R. Reiter" <arr () watson org>
Date: Tue, 11 Oct 2005 11:40:34 -0400 (EDT)


interesting paper along these lines (from a couple years ago):

http://public.lanl.gov/radiant/pubs/ticket/PAM-2002-TICKET.pdf

Cheers,
Andrew

On Tue, 11 Oct 2005, Dave Aitel wrote:

:I know I sound like Kate Moss here, but: Sniffing is not the easy answer.
:Making sniffing solutions is like betting that over the next decade or so,
:cpu*memory > bandwidth*protocol complexity. I just can't see that happening. It
:used to be plausible because there were a lot of shortcuts you could take -
:signatures, for example - that would help out. These days, everyone knows
:signatures are broken and you have to parse every protocol to do whatever it is
:you are trying to do. Of course it's possible you don't have all the
:information you need to do whatever it is you want to do: deep down, sniffing
:solutions are essentially a tax on network segmentation.
:
:One of the things I think that is going to change the balance of the equation
:is a forced honesty among sniffing solutions vendors. For example, CANVAS 7 is
:a Service Oriented Architecture. What this means to sniffing companies is that
:they never get to see the algorithm that generates our nops. Our shellcode
:polymorphism routines can remain hidden, and evolve over short periods of time,
:and still be used by a wide number of people.
:The internal algorithm that powers an exploit can remain unspoken - you send us
:the binary for su, we return you a root shell. It allows for coordination on a
:mass scale - if I've hacked 2^16 machines (or some smaller number of networks +
:spoofing), I can scan you on each port from a separate IP address.
:
:That's my thought for the day. Now I'm going to go teach class - I'm missing
:fabulous 8-bug Microsoft Christmas! This is the first Microsoft Christmas with
:a public BinNavi to help you produce quick repros
:(http://www.immunitysec.com/products-binnavi.shtml). :>
:
:-dave
:
:
:

--
arr () watson org
