Honeypots mailing list archives

RE: Honeynet Alliance Charter Question


From: Croad Christopher D Contr AFRL/IFOSS <Christopher.Croad () rl af mil>
Date: Wed, 16 Mar 2005 15:49:06 -0000

I read it like this...

There are two types of sniffing, active and passive.

Passive sniffing is when you just listen to data coming across the wire.  If
it hits your system, and you have done nothing "shifty" to make it hit your
system, then the sniffing is passive.  Passive to me simply means I hook into
the wire and listen.


If you are doing something to force or help the data to come to your system
(i.e. ARP spoofing, MAC flooding, system probing) then the sniffing is
active.  You have coerced the data to arrive at you in some way.

Chris
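
A toy model of the distinction drawn above, added here as an illustration; it is not part of the original thread, the charter, or any Honeynet Alliance tooling.  It simulates a learning switch with three ports: alice and bob talk, and a third station ("mon") tries to capture their traffic either passively (tcpdump style: no IP address, never transmits) or actively (an ARP-spoofing relay that poisons alice's cache so her frames for bob are switched to mon's port, then forwards them on).  The MACs, IPs, payload strings and the naive "accept any ARP reply" behaviour are constructed for the example; the check it demonstrates is the one the charter wording suggests: count the frames the capture station itself puts on the wire.  Zero means passive; anything more means the data was coerced to arrive.

```python
"""Constructed model of a switched segment: passive vs active capture."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str  # "ARP-REQUEST <ip>", "ARP-REPLY <ip> <mac>" or "DATA <text>"


class Host:
    """Plain end station with a stateless ARP cache (caches unsolicited replies)."""

    def __init__(self, name, mac, ip=None):
        self.name, self.mac, self.ip = name, mac, ip
        self.arp_cache = {}
        self.seen = []   # every frame the switch delivered to this port
        self.sent = []   # every frame this host transmitted
        self.switch = self.port = None

    def send(self, dst, payload):
        frame = Frame(self.mac, dst, payload)
        self.sent.append(frame)
        self.switch.forward(self.port, frame)

    def handle(self, frame):
        self.seen.append(frame)
        kind, *args = frame.payload.split()
        if kind == "ARP-REQUEST" and args[0] == self.ip:
            self.send(frame.src, f"ARP-REPLY {self.ip} {self.mac}")
        elif kind == "ARP-REPLY":
            self.arp_cache[args[0]] = args[1]   # no check that a request was pending

    def send_to_ip(self, ip, data):
        if ip not in self.arp_cache:
            self.send(BROADCAST, f"ARP-REQUEST {ip}")   # owner replies synchronously
        self.send(self.arp_cache[ip], f"DATA {data}")


class Spoofer(Host):
    """Active capture: poison the victim's ARP cache, then relay to the real owner."""

    def __init__(self, name, mac, victim_mac, target_ip, target_mac):
        super().__init__(name, mac)
        self.victim_mac, self.target_ip, self.target_mac = victim_mac, target_ip, target_mac

    def poison(self):
        # Unsolicited reply straight to the victim: "target_ip is at MY mac".
        self.send(self.victim_mac, f"ARP-REPLY {self.target_ip} {self.mac}")

    def handle(self, frame):
        self.seen.append(frame)
        if frame.payload.startswith("DATA"):
            self.send(self.target_mac, frame.payload)   # relay so nobody notices


class Switch:
    """Learning switch: unicast to a known MAC goes out one port, else flood."""

    def __init__(self):
        self.ports, self.cam = {}, {}

    def attach(self, port, host):
        self.ports[port] = host
        host.switch, host.port = self, port

    def forward(self, in_port, frame):
        self.cam[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            out = [p for p in self.ports if p != in_port]
        else:
            out = [self.cam[frame.dst]]
        for p in out:
            self.ports[p].handle(frame)


def run(active):
    """Return what the monitor station emitted and what it captured."""
    sw = Switch()
    alice = Host("alice", "02:00:00:00:00:0a", "10.0.0.10")
    bob = Host("bob", "02:00:00:00:00:0b", "10.0.0.11")
    if active:
        mon = Spoofer("mon", "02:00:00:00:00:ee", alice.mac, bob.ip, bob.mac)
    else:
        mon = Host("mon", "02:00:00:00:00:ee")   # no IP, never transmits
    for port, h in enumerate((alice, bob, mon), start=1):
        sw.attach(port, h)
    for h in (alice, bob):
        h.send(BROADCAST, f"ARP-REQUEST {h.ip}")   # gratuitous ARP at boot
    if active:
        mon.poison()
    alice.send_to_ip(bob.ip, "secret-42")
    return {
        "frames_emitted_by_monitor": len(mon.sent),
        "data_captured": [f.payload for f in mon.seen if f.payload.startswith("DATA")],
        "bob_received_data": [f.payload for f in bob.seen if f.payload.startswith("DATA")],
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("active" if mode else "passive", run(mode))
```

In the passive run the monitor sees the two broadcast gratuitous ARPs and nothing else, because the switch delivers alice's unicast only to bob's port; it transmitted nothing.  In the active run it transmitted two frames (the poison and the relay) and captured the data, and bob still received it.  The same test applies to a real deployment: a capture interface that is truly passive has no address configured and emits no frames of its own, which is also why monitoring ports are normally brought up without an IP stack that would answer ARP or ICMP.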
-----Original Message-----
From: Adam Carlson [mailto:ajcarlson () ucdavis edu] 
Sent: Tuesday, March 15, 2005 3:43 PM
To: honeypots () securityfocus com
Subject: Honeynet Alliance Charter Question

Greetings all,
    I was wondering if someone could explain to me the meaning and purpose
of the honeynet alliance requirement 4.8 involving data capture.

 From this page:

http://www.honeynet.org/alliance/charter.txt

"4.8  Organizations that deploy honeynets and related technologies for
     data capture must use passive means.  No active means of data
     capture are acceptable under the Alliance.  "

What types of activity would be considered "passive" data capture as opposed
to "active"?  I see how tcpdump would be considered passive, while something
like nmap would be considered active, but is there a more formal
definition/description that could be used to help classify data capture
methods when they aren't so obvious?  Having a better understanding of the
intent of this requirement might help me understand how to interpret it as
well.  Please let me know any thoughts you might have.
Thank you for any assistance, -Adam


--
Clatto Verata Nicto