Security Basics mailing list archives

TCP/IP services, Win2k, and Snort.


From: <dataclaus1 () hushmail com>
Date: Tue, 13 May 2003 17:09:56 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

I have prepped a win2k/snort2.0/mysql/acid standalone box to listen outside
our firewall.

In order for MySQL to run, TCP/IP has to be installed (but not necessarily
active) for an interface.

In order for ACID to work with IIS, Client for Microsoft Networks has
to be installed (but not necessarily active) for an interface.

Thus, with a single ethernet card in the box, Local Area Connection properties
show both TCP/IP and Client for MS Networks.  Both check boxes are empty,
and I get no ping response from the box anymore, and Promiscan promiscuous
node sensor does not turn it up (but it enumerates by IP address).

I guess my question is--without an IP address, in passive sniffer mode,
and setting aside any vulnerabilities in snort (recent RPC and stream4
fr'instance), can its presence be detected (via MAC address?), and if
so, with TCP/IP turned off for the interface, what kind of exploitation
could it be vulnerable to?  I know there are papers about how to detect
promiscuous interfaces.

Such as:  Having obtained the MAC address on the sniffing interface,
could pure 802.b packets be sent to try to crack the box?

IIS, PHP, and MySQL should all be relatively safe, should they not, because
they are being used via localmachine only (assuming correct configuration)?

Thanks,
cm
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj7BiVQACgkQxfxie4/I/Q8AggCguqTg+tk498jJ6hJwkn/pzcMC9UYA
n35uHneff6sZG9XKswkU3l4bXB28
=FYY8
-----END PGP SIGNATURE-----



