[11137] in bugtraq


Re: (How) Does AntiSniff do what is claimed?

daemon@ATHENA.MIT.EDU (der Mouse)
Tue Jul 27 00:33:42 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id:  <199907261347.JAA02458@Twig.Rodents.Montreal.QC.CA>
Date:         Mon, 26 Jul 1999 09:47:55 -0400
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

> The L0pht people have my admiration for fully documenting (and
> crediting) their approach, but I think they over-hype this tool by
> saying that it will detect sniffing -- a green light from their
> product does NOT mean you're not being sniffed.

Very true.

Last time I wanted to set up a sniffer, I ended up adding a BPFONLY
interface flag to the kernel, which completely disables the interface
for incoming packets except for BPF access (the raw-packet interface on
the OS in question was BPF).  This would defeat all of AntiSniff's
checks (with the possible exception of the response-time check, which
would be possible if the machine had another interface that *could*
receive packets).

And all of the checks assume the machine has an IP address.  For its
apparently-intended purpose (helping admins tell when their net has
been remotely compromised), this is not a problem, since such an
intrusion will be little use to an attacker without leaving IP up on
the machine...but I *would* have preferred to see this explicitly
stated in their doco.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
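A host-side check that covers the blind spot described above, as an added example that is not from der Mouse or the AntiSniff project: it parses the output of `ip -o link show` and `ip -o -4 addr show` and reports promiscuous interfaces, marking the ones with no IPv4 address, which no network-side probe can reach. Both output samples are constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Set

# Constructed sample output of `ip -o link show` (not captured from a real host).
# eth1 is in promiscuous mode and, per the address sample below, carries no IP.
LINKS_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample output of `ip -o -4 addr show`: only lo and eth0 have addresses.
ADDRS_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

# "3: eth1: <FLAGS,...>"  (the @peer suffix of veth-style names is ignored)
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>", re.M)
# "2: eth0    inet 192.0.2.10/24 ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<addr>\S+)", re.M)

def parse_links(text: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of link flags, e.g. {'UP', 'PROMISC', ...}."""
    return {m["name"]: set(m["flags"].split(",")) for m in LINK_RE.finditer(text)}

def parse_addrs(text: str) -> Dict[str, List[str]]:
    """Map interface name -> list of IPv4 addresses (CIDR) configured on it."""
    out: Dict[str, List[str]] = {}
    for m in ADDR_RE.finditer(text):
        out.setdefault(m["name"], []).append(m["addr"])
    return out

def promisc_findings(links: Dict[str, Set[str]], addrs: Dict[str, List[str]]) -> List[dict]:
    """List every promiscuous interface; 'no_ip' marks those that a remote,
    network-side sniffer detector cannot reach because they have no address."""
    findings = []
    for name, flags in sorted(links.items()):
        if "PROMISC" in flags:
            findings.append({"iface": name, "no_ip": name not in addrs})
    return findings

if __name__ == "__main__":
    for f in promisc_findings(parse_links(LINKS_SAMPLE), parse_addrs(ADDRS_SAMPLE)):
        print(f)
```

On a live host, feed the check with `subprocess.run(["ip", "-o", "link", "show"], ...)` output in place of the constructed samples.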
