mailing list archives
Re: Antisniff thoughts
From: coolwhipie () EROLS COM (blue0ne)
Date: Mon, 26 Jul 1999 20:01:59 -0400
Another way to provide IDS ability and completely pull the NIC off the
network in question, (not to mention create lots of interesting
possibilities), is to apply the use of a Shomiti Century Tap. Passively
recreates both rx on a full duplex link, and funnels them off to two twisted
pair cables respectively. Plug these two, or as many as you want really,
into a switch that allows port spanning/mirroring, and voila. I've done
this in many situations, and it works great.
I don't work for them, I just use their stuff.
From: *Hobbit* <hobbit () AVIAN ORG>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Monday, July 26, 1999 7:09 PM
Subject: Antisniff thoughts
1. For a completely passive box, we set the interface to some bogus IP
or 0.0.0.0 if that works, ifconfig -arp, and hoover away. Antisniff would
never see the machine because the machine would never answer anything
someone could guess the IP address. Drawback: hard to retrieve logs
Workaround: one interface as a normal address on a normal reachable net,
second interface configured as above sniffing a *different* net. Useful
setup for remotely-administerable IDS boxes; real address lives on an
inside net, sniffing interface plugs in to watch the dirty one but is not
Workaround for a single interface: As the sniffer starts, reset the
to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
parameters. Or perhaps dynamically flop modes back and forth depending on
whether we saw traffic for the machine's real address arrive. A sniffer
an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
there's traffic to its own host, and lay low accordingly.
2. Antisniff evasion possibility: enhancement to detect the first couple of
Antisniff probes, and immediately un-promiscuize the card for a while until
we think it's safe to peek out again. Possibly in a dynamic mode; see #1.
Just a coupla ideas to kick around..
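The passive-sensor interface setup from Hobbit's point 1 (no IP address, ARP off, promiscuous, on a second NIC dedicated to the watched net) is the standard way to deploy an IDS sniffing port on Linux. The script below is an added example written for this archive page, not code from either poster: it generates the `ip` commands for such an interface and, separately, checks captured `ip -o link show` / `ip -o -4 addr show` output to confirm the interface really has no address and carries the NOARP and PROMISC flags. The interface name `eth1` and the sample `ip` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): turn a Linux NIC into a passive
# IDS sensor port, as described in point 1 above, and verify the result.
# Interface name and the sample 'ip' output below are constructed.

# Print the commands that put IFACE into passive-sensor mode:
# no IPv4/IPv6 address, ARP disabled, promiscuous, link up.
# Apply them as root with:  sensor_commands eth1 | sh
sensor_commands() {
    iface=$1
    printf 'ip addr flush dev %s\n' "$iface"
    printf 'ip link set dev %s arp off\n' "$iface"
    printf 'ip link set dev %s promisc on up\n' "$iface"
}

# Inspect one line of 'ip -o link show dev IFACE' output.
# Returns 0 only when the <...> flag list contains both NOARP and PROMISC,
# i.e. the card will answer no ARP and is capturing all frames.
check_link_flags() {
    line=$1
    flags=${line#*<}
    flags=${flags%%>*}
    case ",$flags," in
        *,NOARP,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 'ip -o -4 addr show dev IFACE' prints nothing when no IPv4 address is
# bound; an empty string therefore means the sensor port is addressless.
check_no_addr() {
    [ -z "$1" ]
}

# Constructed samples: a correctly configured sensor port and an ordinary
# host interface that would still answer ARP and be visible on the net.
SAMPLE_GOOD='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_BAD='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# Live verification on a real box (as root), after applying the commands:
#   check_link_flags "$(ip -o link show dev eth1)" \
#     && check_no_addr "$(ip -o -4 addr show dev eth1)" \
#     && echo "eth1 is a passive sensor port"
```

The two checks are deliberately separate from the configuration step so they can be run from a monitoring job on the reachable management interface: if a later reconfiguration puts an address back on the sensor NIC or turns ARP on, the sensor becomes an ordinary, discoverable host again, which is exactly the condition point 1 is trying to avoid.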