Penetration Testing mailing list archives
Re: Spyware assessment techniques - hub?
From: Packet Man <packetman () altsec info>
Date: Sun, 12 Feb 2006 13:11:30 -0600
Petr.Kazil () eap nl wrote:
> > If you are doing a host:
> > - interrupt the host's uplink with a hub and plug your snort box in. You could have this all set up on a laptop.
>
> I have tried this but run into problems:
> - Real hubs are (almost?) impossible to get nowadays. Even the cheapest "hub" is really a switch. If you know where I can find a hub-like network component, then I'll order it right away.
> - I was able to buy the last real hub from a PC-shop, but it was only 10Mbps and it refused to work with my 100Mb cards and switches.

If you can't do port mirroring on the switch itself, you could build a passive network tap for under US$30.00, or so. Or, the alternative is a commercial network tap for around US$1,000.00. I've been building and using them for several years now, but only recently have started documenting their finer points (NIC selection is critical).

For more info on building and using a passive network tap, see my paper at:
http://www.altsec.info/passive-network-tap.html

I'm working on an updated paper right now regarding the error rates. I've been testing with combinations of NICs that produce ZERO errors on 100Mb connections. I expect to update the paper with the suggestions within the next week.

BTW... a must read for such things is "The TAO of Network Security Monitoring" by Richard Bejtlich. Check out his site at:
http://www.taosecurity.com/books.html

BTW... since the technique really belongs in the IDS list, I cross-posted this message there.

Good luck.

--
Excellence in InfoSec and Linux
http://www.altsec.info