Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Antisniff thoughts
From: coolwhipie () EROLS COM (blue0ne)
Date: Mon, 26 Jul 1999 20:01:59 -0400


Another way to provide IDS ability and completely pull the NIC of the
network in question, (not to mention create lots of interesting
possibilities), is to apply the use of a Shomiti Century Tap.  passively
recreates both rx on a full duplex link, and funnels them off to two twisted
pair cables respectively.  PLug these two, or as many as you want really,
into a switch that allows port spanning/mirroring, and voila.  I've done
this in many situations, and it works great.

http://www.shomiti.com

I dont work for them, I just use their stuff.

Blue
-----Original Message-----
From: *Hobbit* <hobbit () AVIAN ORG>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Monday, July 26, 1999 7:09 PM
Subject: Antisniff thoughts

1. For a completely passive box, we set the interface to some bogus IP
addr,
or 0.0.0.0 if that works, ifconfig -arp, and hoover away.  Antisniff would
never see the machine because the machine would never answer anything
unless
someone could guess the IP address.  Drawback: hard to retrieve logs
remotely.

Workaround: one interface as a normal address on a normal reachable net,
and a
second interface configured as above sniffing a *different* net.  Useful
setup for remotely-administerable IDS boxes; real address lives on a
protected
inside net, sniffing interface plugs in to watch the dirty one but is not
addressable.

Workaround for a single interface:  As the sniffer starts, reset the
interface
to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
parameters.  Or perhaps dynamically flop modes back and forth depending on
whether we saw traffic for the machine's real address arrive.  A sniffer
with
an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
there's traffic to its own host, and lay low accordingly.

2. Antisniff evasion possibility: enhancement to detect the first couple of
Antisniff probes, and immediately un-promiscuize the card for a while until
we think it's safe to peek out again.  Possibly in a dynamic mode; see #1.

Just a coupla ideas to kick around..

_H*


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault