mailing list archives
From: hobbit () AVIAN ORG (*Hobbit*)
Date: Sun, 25 Jul 1999 22:00:01 -0400
1. For a completely passive box, we set the interface to some bogus IP addr,
or 0.0.0.0 if that works, ifconfig -arp, and hoover away. Antisniff would
never see the machine because the machine would never answer anything unless
someone could guess the IP address. Drawback: hard to retrieve logs remotely.
Workaround: one interface as a normal address on a normal reachable net, and a
second interface configured as above sniffing a *different* net. Useful
setup for remotely-administerable IDS boxes; real address lives on a protected
inside net, sniffing interface plugs in to watch the dirty one but is not
Workaround for a single interface: As the sniffer starts, reset the interface
to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
parameters. Or perhaps dynamically flop modes back and forth depending on
whether we saw traffic for the machine's real address arrive. A sniffer with
an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
there's traffic to its own host, and lay low accordingly.
2. Antisniff evasion possibility: enhancement to detect the first couple of
Antisniff probes, and immediately un-promiscuize the card for a while until
we think it's safe to peek out again. Possibly in a dynamic mode; see #1.
Just a coupla ideas to kick around..
- Antisniff thoughts *Hobbit* (Jul 26)