[30] in Intrusion Detection Systems


Watcher: A "Smart" & Nasty Sniffer

daemon@ATHENA.MIT.EDU (Vin McLellan)
Fri Mar 31 02:32:34 1995

Date: Wed, 29 Mar 1995 12:35:26 -0500
To: ids@uow.edu.au
From: vin@shore.net (Vin McLellan)
Reply-To: ids@uow.edu.au

This is obviously "tease 'em in-the-shadow-of-Satan" marketing, but it is
in the nature of things that a few hundred clever kids will sit down to
write comparable software after they read this announcement.  Now consider,
what percentage of real threats come over the Net, and what percentage are
homegrown <behind the firewall> among disgruntled employees?

Suerte,
        Vin
>------ ------fwd from Bugtraq -------  -------   ---------
>
>From: Mike Neuman <mcn@EnGarde.com>
>Date: Wed, 29 Mar 1995 15:54:17 -0600
>Subject: Network Monitoring and Control (announcement)
>
>  Hello,
>
>  I'm going to send this message to bugtraq, comp.security.*, and alt.security,
>so I apologize if you see it more than once. Bugtraq WAS first on my list,
>so I deserve some credit for that. :-)
>
>  My company has written a program called "Watcher" which allows a system
>administrator to monitor all login and mail connections on his network, in
>real-time. The administrator can log data to either a text file or a raw
>packet file which can later be replayed through Watcher. Most importantly,
>Watcher allows the admin to CONTROL network users by instantly terminating
>any connection, setting up makeshift firewalls, or even TAKING OVER
>(hijacking) any connection.
>
>  Watcher has a graphical (and text) interface which displays a list of
>every network login session. The admin can select from this list which brings
>up a terminal emulator window. The admin then sees EXACTLY what the user is
>seeing, and what the user is typing. On this window there're also controls
>to log the connection, as well as to use the active countermeasures as
>described above.
>
>  Watcher is an extremely valuable tool for monitoring network activity
>in real-time. Aside from the obvious security applications, Watcher could also
>be used to debug network problems, or even to assist users of machines who
>need help.
>
>  As with any security program, Watcher can be seriously abused to the point
>of rendering firewalls, and all one-time authentication systems worthless
>(including smartcards, challenge/response schemes, pre-arranged password
>sequences, default unencrypted kerberos, etc).
>
>  For a description of Watcher, as well as a screenshot and a discussion of
>the features (both defensive and offensive) Watcher offers, take a look at:
>
>http://www.c3.lanl.gov/~mcn/watcher.html
>
>  NOTE: Watcher has NOTHING to do with LANL.GOV! If you have questions or
>complaints, come to me and my company.
>
>  Watcher is not yet available commercially. We haven't decided what to do
>with it yet (commercial or free?). Until now, we've been using it primarily
>for our penetration testing and network security consulting for our clients.
>I'm only making this announcement because the existence and availability of
>such technology needs to be considered. In addition, since I put up the page
>yesterday (and made NO announcements), over 60 people have accessed it (out of
>the usual 2 or 3 who access my home page daily). In order to prevent
>confusion, I thought I would announce this publicly.
>
>  A paper on the Watcher is being submitted to the Computer Security
>Applications Conference (CFP is due in 2 days). I will be putting a copy of
>this paper up as soon as possible (assuming CSAC has no objections).
>
>  Feel free to contact us if you have any questions or comments.
>
>- -Mike
>- --
>Mike Neuman (mcn@EnGarde.com) - EN GARDE SYSTEMS - Computer Security Consulting
>http://www.c3.lanl.gov/~mcn   - http://www.cec.wustl.edu/~dmm2/egs/egs.html
>===============================================================================
>"Most of these should be 'void', but the people who defined the STREAMS
> data structures for S[ystem] 5 didn't understand data types." - Solaris source
>

--
Vin McLellan +The Privacy Guild+ <vin@shore.net> USA
Tel. (617) 884-5546 Mail: 53 Nichols St., Chelsea, Ma. 02150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'''''''


