Dailydave mailing list archives
Re: Sniffing is not the easy answer, Kate.
From: "Andrew R. Reiter" <arr () watson org>
Date: Tue, 11 Oct 2005 11:40:34 -0400 (EDT)
interesting paper along these lines (from a couple years ago):

http://public.lanl.gov/radiant/pubs/ticket/PAM-2002-TICKET.pdf

Cheers,
Andrew

On Tue, 11 Oct 2005, Dave Aitel wrote:

:I know I sound like Kate Moss here, but: Sniffing is not the easy answer.
:Making sniffing solutions is like betting that over the next decade or so,
:cpu*memory > bandwidth*protocol complexity. I just can't see that happening. It
:used to be plausible because there were a lot of shortcuts you could take -
:signatures, for example - that would help out. These days, everyone knows
:signatures are broken and you have to parse every protocol to do whatever it is
:you are trying to do. Of course it's possible you don't have all the
:information you need to do whatever it is you want to do: deep down, sniffing
:solutions are essentially a tax on network segmentation.
:
:One of the things I think that is going to change the balance of the equation
:is a forced honesty among sniffing solutions vendors. For example, CANVAS 7 is
:a Service Oriented Architecture. What this means to sniffing companies is that
:they never get to see the algorithm that generates our nops. Our shellcode
:polymorphism routines can remain hidden, and evolve over short periods of time,
:and still be used by a wide number of people.
:The internal algorithm that powers an exploit can remain unspoken - you send us
:the binary for su, we return you a root shell. It allows for coordination on a
:mass scale - if I've hacked 2^16 machines (or some smaller number of networks +
:spoofing), I can scan you on each port from a separate IP address.
:
:That's my thought for the day. Now I'm going to go teach class - I'm missing
:fabulous 8-bug Microsoft Christmas! This is the first Microsoft Christmas with
:a public BinNavi to help you produce quick repros
:(http://www.immunitysec.com/products-binnavi.shtml).
:>
:
:-dave
:
:
:

--
arr () watson org
Current thread:
- Sniffing is not the easy answer, Kate. Dave Aitel (Oct 11)
- Re: Sniffing is not the easy answer, Kate. Ron Gula (Oct 11)
- RE: Sniffing is not the easy answer, Kate. Paul Melson (Oct 11)
- Re: Sniffing is not the easy answer, Kate. byte_jump (Oct 11)
- RE: Sniffing is not the easy answer, Kate. Paul Melson (Oct 11)
- RE: Sniffing is not the easy answer, Kate. Sash (Oct 11)
- Re: Sniffing is not the easy answer, Kate. byte_jump (Oct 11)
- Re: Sniffing is not the easy answer, Kate. Andrew R. Reiter (Oct 11)