Firewall Wizards mailing list archives

RE: tcpdump installation on unix firewall?


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 6 Sep 1999 18:01:46 -0700
> Well tcpdump requires root privilege or needs to be setuid root, or
> run as root, in order to set promisc mode and run correctly.  So
> just having it on the firewall won't do you any harm if you remove
> the setuid bit (probably disabled by default anyways).

Haven't tried the setuid thing with TCPDump.  It's definitely not on by default.
That would be a Bad Thing (tm).

I did try this once with snoop on a Solaris 2.6 box.  It refused to run.
Mixed feelings about that... I can appreciate the reasoning...
but I don't always appreciate tools saving me from myself.

> 3DES encrypting a firewall tools directory might be going a little
> too far.  You should always pay attention to local security.  But
> generally speaking, if someone has access to your machine other than
> the proper authorities - game over, dude.

Indeed.

I attended MJR's talk at Blackhat recently.  I really enjoyed the part
about custom burglar alarms and booby traps.  Anyone considered
leaving TCPDump there on purpose, and running Antisniff on a
neighboring machine?

                              Ryan
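The exchange above turns on one concrete check: a sniffer left in a firewall's tools directory is harmless to local accounts only as long as it is not setuid root. The following POSIX sh script is an added example, not code from the original thread or from any tcpdump release; it audits a directory for setuid binaries, reports the owner of each, and can clear the bit. The path `/opt/fwtools` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a firewall tools
# directory for setuid binaries so that a packet sniffer left on the box
# cannot be run with root privilege by an unprivileged account.

# Print every regular file under DIR that carries the setuid bit (mode 4000).
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if FILE is setuid, 1 otherwise; test -u checks only the mode bit,
# so it reports the bit even on a filesystem mounted nosuid.
is_setuid() {
    [ -u "$1" ]
}

# Clear the setuid bit on FILE; returns chmod's status.
drop_setuid() {
    chmod u-s "$1"
}

# Report each setuid file under DIR with its numeric owner uid (0 is root,
# the case that matters for a sniffer).  Returns 1 if any setuid file was
# found, so the function can drive a cron job or a login-time check.
audit_tools_dir() {
    n=$(find_setuid "$1" | wc -l | tr -d ' ')
    find_setuid "$1" | while read -r f; do
        printf 'setuid: %s (owner uid %s)\n' "$f" "$(ls -ln "$f" | awk '{print $3}')"
    done
    [ "$n" -eq 0 ]
}

# Usage: sh audit_setuid.sh /opt/fwtools   (placeholder path, assumed here)
if [ "$#" -gt 0 ]; then
    audit_tools_dir "$1"
fi
```

Run it against the tools directory from cron and alert on a non-zero exit; `find -perm -4000` walks the whole tree, so it also catches a copy of the binary someone stashed in a subdirectory.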