Bugtraq mailing list archives
Re: Antisniff thoughts
From: coolwhipie () EROLS COM (blue0ne)
Date: Mon, 26 Jul 1999 20:01:59 -0400
Another way to provide IDS ability and completely pull the NIC off the network in question (not to mention create lots of interesting possibilities) is to apply the use of a Shomiti Century Tap. It passively recreates both rx on a full duplex link, and funnels them off to two twisted pair cables respectively. Plug these two, or as many as you want really, into a switch that allows port spanning/mirroring, and voila. I've done this in many situations, and it works great.

http://www.shomiti.com

I don't work for them, I just use their stuff.

Blue

-----Original Message-----
From: *Hobbit* <hobbit () AVIAN ORG>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Monday, July 26, 1999 7:09 PM
Subject: Antisniff thoughts
1. For a completely passive box, we set the interface to some bogus IP addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away. Antisniff would never see the machine because the machine would never answer anything unless someone could guess the IP address. Drawback: hard to retrieve logs remotely.

Workaround: one interface as a normal address on a normal reachable net, and a second interface configured as above sniffing a *different* net. Useful setup for remotely-administerable IDS boxes; real address lives on a protected inside net, sniffing interface plugs in to watch the dirty one but is not addressable.

Workaround for a single interface: As the sniffer starts, reset the interface to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old parameters. Or perhaps dynamically flop modes back and forth depending on whether we saw traffic for the machine's real address arrive. A sniffer with an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if there's traffic to its own host, and lay low accordingly.

2. Antisniff evasion possibility: enhancement to detect the first couple of Antisniff probes, and immediately un-promiscuize the card for a while until we think it's safe to peek out again. Possibly in a dynamic mode; see #1.

Just a coupla ideas to kick around..

_H*
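Hobbit's first item above describes a capture-only sensor interface: no usable address, ARP disabled, card in promiscuous mode. The following POSIX shell script is an added example and is not part of this thread or of any tool it mentions; it does the same thing on a modern Linux sensor with the `ip` tool in place of `ifconfig -arp`, and adds the check a practitioner would want afterwards, namely confirming from `ip -o link` and `ip -o addr` output that the interface really is address-less, NOARP and PROMISC. The interface name `eth1`, the `DRY_RUN` variable and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Puts an interface into
# address-less, no-ARP, promiscuous mode for a passive IDS sensor.
# With DRY_RUN=1 the commands are only printed, so the script can be
# reviewed (or tested) without root. Interface name is an assumption.

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        # shellcheck disable=SC2086
        $*
    fi
}

# Configure a capture-only interface: no IPv4 address, IPv6 autoconf off
# (otherwise a link-local address would still answer neighbour discovery),
# ARP off so the host never replies to who-has probes, promiscuous on.
stealth_up() {
    ifname="$1"
    run "ip addr flush dev $ifname"
    run "sysctl -q -w net.ipv6.conf.$ifname.disable_ipv6=1"
    run "ip link set dev $ifname arp off"
    run "ip link set dev $ifname promisc on"
    run "ip link set dev $ifname up"
}

# Verify the result. Arguments are the one-line outputs of
#   ip -o link show dev IFNAME
#   ip -o addr show dev IFNAME
# Returns 0 only if the link flags contain NOARP and PROMISC and no
# "inet" (IPv4) address is configured.
is_stealth() {
    link_line="$1"
    addr_lines="$2"
    case "$link_line" in
        *NOARP*) ;;
        *) return 1 ;;
    esac
    case "$link_line" in
        *PROMISC*) ;;
        *) return 1 ;;
    esac
    case "$addr_lines" in
        *" inet "*) return 1 ;;
    esac
    return 0
}

# Stand-alone use (requires root unless DRY_RUN=1):
#   DRY_RUN=1 sh stealth.sh eth1
if [ -n "$1" ]; then
    stealth_up "$1"
    if is_stealth "$(ip -o link show dev "$1" 2>/dev/null)" \
                  "$(ip -o addr show dev "$1" 2>/dev/null)"; then
        echo "$1: capture-only (NOARP, PROMISC, no IPv4 address)"
    else
        echo "$1: NOT in capture-only mode, check flags" >&2
    fi
fi
```

The check deliberately treats a remaining IPv4 address as a failure even when NOARP and PROMISC are set: an interface that still owns an address can be made to answer, which is exactly what the original message says the sensor must never do. The dual-homed layout from the message is the same script applied to the sniffing interface only, with the management interface left configured normally.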
Current thread:
- Antisniff thoughts *Hobbit* (Jul 25)
- Re: Antisniff thoughts David Dyer-Bennet (Jul 26)
- Re: Antisniff thoughts + AASS Patch Mike Perry (Jul 26)
- Re: Antisniff thoughts Craig H. Rowland (Jul 26)
- <Possible follow-ups>
- Re: Antisniff thoughts blue0ne (Jul 26)
- Re: Antisniff thoughts Wolfram Schmidt (Jul 27)