Dailydave mailing list archives

Sniffing is not the easy answer, Kate.


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 11 Oct 2005 08:04:55 -0400

I know I sound like Kate Moss here, but: Sniffing is not the easy answer. Making sniffing solutions is like betting that over the next decade or so, cpu*memory > bandwidth*protocol complexity. I just can't see that happening. It used to be plausible because there were a lot of shortcuts you could take - signatures, for example - that would help out. These days, everyone knows signatures are broken and you have to parse every protocol to do whatever it is you are trying to do. Of course it's possible you don't have all the information you need to do whatever it is you want to do: deep down, sniffing solutions are essentially a tax on network segmentation.

One of the things I think is going to change the balance of the equation is a forced honesty among sniffing solutions vendors. For example, CANVAS 7 is a Service Oriented Architecture. What this means to sniffing companies is that they never get to see the algorithm that generates our nops. Our shellcode polymorphism routines can remain hidden, and evolve over short periods of time, and still be used by a wide number of people. The internal algorithm that powers an exploit can remain unspoken - you send us the binary for su, we return you a root shell. It allows for coordination on a mass scale - if I've hacked 2^16 machines (or some smaller number of networks + spoofing), I can scan you on each port from a separate IP address.

That's my thought for the day. Now I'm going to go teach class - I'm missing fabulous 8-bug Microsoft Christmas! This is the first Microsoft Christmas with a public BinNavi to help you produce quick repros (http://www.immunitysec.com/products-binnavi.shtml). :>

-dave
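An added illustration of the "signatures are broken, you have to parse every protocol" point in the post above. This is editor-supplied example code, not Dave's or Immunity's, and the HTTP traffic in it is constructed for the demo. A byte-pattern signature for a path traversal is run over the raw wire bytes and over the same request after the sniffer has done the protocol work the server will do (chunked transfer decoding, then percent-decoding). The signature alone misses the evasive request; the parsed version catches it. The request shapes, the signature and the helper names are assumptions made for the example.

```python
"""
Added example (not from the original post): a raw-bytes signature versus a
protocol-aware check on constructed HTTP traffic.  The evasive request hides
"../../etc/passwd" behind percent-encoding and splits it across chunks, so
the bytes the server acts on never appear contiguously on the wire.
"""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical IDS signature: the traversal string as it would reach the server.
SIGNATURE = re.compile(rb"\.\./\.\./etc/passwd")

# Constructed sample traffic (not real captures).
PLAIN_REQUEST = b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n\r\n"

EVASIVE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"6\r\n%2e%2e\r\n"          # "%2e%2e"      -> ".."
    b"b\r\n/%2e%2e/etc\r\n"     # "/%2e%2e/etc" -> "/../etc"
    b"7\r\n/passwd\r\n"         # "/passwd"
    b"0\r\n\r\n"                # last chunk, no trailers
)


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (RFC 7230 section 4.1)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        # Chunk size is hex; anything after ';' is a chunk extension we ignore.
        size = int(body[pos:end].split(b";")[0].decode("ascii"), 16)
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def parse_http(raw: bytes) -> dict:
    """Minimal request parser: request line, headers, decoded body and target."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = decode_chunked(body)
    # Percent-decode the way the server will before it touches the filesystem.
    return {
        "method": method,
        "version": version,
        "headers": headers,
        "target": unquote_to_bytes(target),
        "body": unquote_to_bytes(body),
    }


def signature_hit(raw: bytes) -> bool:
    """Naive sniffer: pattern match over the raw bytes on the wire."""
    return SIGNATURE.search(raw) is not None


def parsed_hit(raw: bytes) -> bool:
    """Protocol-aware sniffer: parse and decode first, then match."""
    req = parse_http(raw)
    return SIGNATURE.search(req["target"] + b"\n" + req["body"]) is not None


if __name__ == "__main__":
    for label, req in (("plain", PLAIN_REQUEST), ("evasive", EVASIVE_REQUEST)):
        print(f"{label:8s} signature={signature_hit(req)!s:5s} parsed={parsed_hit(req)}")
```

The parsing step is exactly the cost the post is talking about: every layer the server decodes (chunking, percent-encoding, and in real traffic compression, Unicode normalisation, TCP reassembly) is work the sniffer has to repeat, per protocol, at line rate, before a signature means anything.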
