Honeypots: RE: undetectable NIC in promiscuous mode

[Jose_Maria_Gonzalez () dell com]

Yes indeed Daniel. In fact I have set-up something similar to what you just described below. 

Curt Purdy has pointed something out  very interesting. The best way to make sure that our IDS in undetectable is to 
cut the TX pair.. Thanks Purdy again

Rgds,
Jose


> -----Original Message-----
> From: Daniel F. Chief Security Engineer -
> [mailto:danielf () supportteam net]
> Sent: 05 March 2004 18:28
> To: Gonzalez, Jose_Maria
> Subject: Re: undetectable NIC in promiscuous mode
>
>
> If it's plugged into a cisco or similar switch that you can 
> get snmp stats 
> from you will see only inbound traffic on that switch port, 
> and no output. 
>
> Otherwise, no it is not detectable by any means that Im aware of.  
>
> Also if you have Cisco or mangable switches you can use 
> spanning tree to dump 
> all traffic for the switch or just the switches uplink to 
> that port and have 
> a most excellent IDS sensor that is undetectable. I do this 
> myself. I also 
> have a second NIC in the IDS sensor on a private network 
> (both physical and 
> IP) on which I do all my logging and reporting through. 
>
> hope this helps. 
>
> On Friday 05 March 2004 03:40, Jose_Maria_Gonzalez () dell com wrote:
> > Hi There,
> >
> > Correct me if I am wrong but would a host with a NIC in 
> promiscuous mode
> > with no IP set-up be detectable?
> >
> > Thanking you in advance,
> >
> > Rgds,
> > Jose Gonzalez
> -- 
> _,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,
> .-:*"``'*:-.,_
> Daniel Fairchild - Chief Security Officer | danielf () supportteam net
> The distance between nothing and infinity is always the same 
> no matter how 
> close you get to nothing.