[11160] in bugtraq
Re: Antisniff thoughts
daemon@ATHENA.MIT.EDU (blue0ne)
Wed Jul 28 02:33:55 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <002701bed7c3$401c65b0$0e07090a@cobalt>
Date:         Mon, 26 Jul 1999 20:01:59 -0400
Reply-To: blue0ne <coolwhipie@EROLS.COM>
From: blue0ne <coolwhipie@EROLS.COM>
X-To:         *Hobbit* <hobbit@AVIAN.ORG>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Another way to provide IDS ability and completely pull the NIC off the
network in question (not to mention create lots of interesting
possibilities) is to apply the use of a Shomiti Century Tap.  It passively
recreates both rx on a full duplex link, and funnels them off to two twisted
pair cables respectively.  Plug these two, or as many as you want really,
into a switch that allows port spanning/mirroring, and voila.  I've done
this in many situations, and it works great.
http://www.shomiti.com
I don't work for them, I just use their stuff.
Blue
-----Original Message-----
From: *Hobbit* <hobbit@AVIAN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
Date: Monday, July 26, 1999 7:09 PM
Subject: Antisniff thoughts
>1. For a completely passive box, we set the interface to some bogus IP addr,
>or 0.0.0.0 if that works, ifconfig -arp, and hoover away.  Antisniff would
>never see the machine because the machine would never answer anything unless
>someone could guess the IP address.  Drawback: hard to retrieve logs remotely.
>
>Workaround: one interface as a normal address on a normal reachable net, and a
>second interface configured as above sniffing a *different* net.  Useful
>setup for remotely-administerable IDS boxes; real address lives on a protected
>inside net, sniffing interface plugs in to watch the dirty one but is not
>addressable.
>
>Workaround for a single interface:  As the sniffer starts, reset the interface
>to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
>parameters.  Or perhaps dynamically flop modes back and forth depending on
>whether we saw traffic for the machine's real address arrive.  A sniffer with
>an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
>there's traffic to its own host, and lay low accordingly.
>
>2. Antisniff evasion possibility: enhancement to detect the first couple of
>Antisniff probes, and immediately un-promiscuize the card for a while until
>we think it's safe to peek out again.  Possibly in a dynamic mode; see #1.
>
>Just a coupla ideas to kick around..
>
>_H*
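The unaddressable sniffing interface Hobbit describes in point 1 (no usable IP, ARP disabled, card in promiscuous mode) is still how a dedicated IDS sensor port is usually set up. The script below is an added example and is not part of either message on this page; it assumes a Linux host with iproute2, where `ip link set ... arp off` plays the role of the 1999-era `ifconfig -arp`, and it reads the kernel's interface flags from `/sys/class/net/<if>/flags` to confirm the sensor really is in the intended state. The `*_up`/`*_down` helpers need root; the flag check is pure shell arithmetic and the interface name `eth1` in the usage line is a placeholder.

```shell
# Added example (not from the original post): bring a Linux interface up as a
# passive, unaddressable IDS sensor in the spirit of Hobbit's point 1, then
# verify the kernel flags. Assumes iproute2 and root for the *_up/*_down helpers.

IFF_NOARP=0x80      # bit values from linux/if.h
IFF_PROMISC=0x100

# Return 0 when a flags value (as found in /sys/class/net/<if>/flags,
# e.g. "0x1183") has both NOARP and PROMISC set, i.e. the card listens
# to everything but will never answer an ARP request for itself.
flags_are_stealth() {
    flags=$1
    [ $(( flags & IFF_NOARP )) -ne 0 ] && [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# Read the live flags of an existing interface and check them.
iface_is_stealth() {
    iface=$1
    flags_are_stealth "$(cat "/sys/class/net/$iface/flags")"
}

# Strip every address, stop answering ARP, enable promiscuous mode, bring it up.
# With no address and no ARP the host never replies on this wire, so logs must
# be pulled over a separate management interface (Hobbit's two-interface setup).
stealth_iface_up() {
    iface=$1
    ip addr flush dev "$iface"
    ip link set dev "$iface" arp off
    ip link set dev "$iface" promisc on
    ip link set dev "$iface" up
}

# Restore ARP and drop promiscuous mode once the sensor is stopped.
stealth_iface_down() {
    iface=$1
    ip link set dev "$iface" promisc off
    ip link set dev "$iface" arp on
}

# Usage as root (eth1 is a placeholder interface name):
#   stealth_iface_up eth1 && iface_is_stealth eth1 && tcpdump -ni eth1
```

Checking the flags after configuration matters because a NIC driver or a network manager daemon may silently reset promiscuous mode or re-enable ARP; a sensor that answers ARP is both visible on the wire and no longer a purely passive tap.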