Antisniff thoughts

From: *Hobbit* (hobbitat_private)
Date: Sun Jul 25 1999 - 19:00:01 PDT

1. For a completely passive box, we set the interface to some bogus IP addr,
or 0.0.0.0 if that works, ifconfig -arp, and hoover away.  Antisniff would
never see the machine because the machine would never answer anything unless
someone could guess the IP address.  Drawback: hard to retrieve logs remotely.

Workaround: one interface as a normal address on a normal reachable net, and a
second interface configured as above sniffing a *different* net.  Useful
setup for remotely-administrable IDS boxes; real address lives on a protected
inside net, sniffing interface plugs in to watch the dirty one but is not
addressable.

Workaround for a single interface: As the sniffer starts, reset the interface
to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
parameters.  Or perhaps dynamically flop modes back and forth depending on
whether we saw traffic for the machine's real address arrive.  A sniffer with
an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
there's traffic to its own host, and lay low accordingly.

2. Antisniff evasion possibility: enhancement to detect the first couple of
Antisniff probes, and immediately un-promiscuize the card for a while until
we think it's safe to peek out again.  Possibly in a dynamic mode; see #1.

Just a coupla ideas to kick around..

_H*
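
Added example (not from Hobbit's post): the unaddressable sensor-interface setup and the single-interface "go dark, capture, restore" window from #1, written for iproute2 rather than ifconfig -arp. IFACE, STATE_FILE, the state-file format from `ip -o addr show` and the tcpdump command line are assumptions; DRY_RUN=1 (the default) only prints the privileged commands.

```shell
#!/bin/sh
# Passive sensor interface: no address, ARP off, promiscuous on; capture for a
# window, then restore. IFACE, STATE_FILE and the tcpdump line are assumptions.
# DRY_RUN=1 (default) prints the privileged commands instead of running them.
set -eu

IFACE="${IFACE:-eth1}"
DRY_RUN="${DRY_RUN:-1}"
STATE_FILE="${STATE_FILE:-/tmp/passive-sniff.$IFACE.state}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Enter the unaddressable mode from the post: save the current addresses,
# flush them, disable ARP so the host answers nothing, enable promiscuous mode.
passive_mode() {
    iface="$1"
    [ "$DRY_RUN" = 1 ] || ip -o addr show dev "$iface" > "$STATE_FILE"
    run ip addr flush dev "$iface"
    run ip link set dev "$iface" arp off
    run ip link set dev "$iface" promisc on
    run ip link set dev "$iface" up
}

# Undo passive_mode: ARP and the saved addresses come back from the state file,
# whose lines look like "2: eth1  inet 10.0.0.5/24 brd ... scope global eth1".
restore_mode() {
    iface="$1"
    run ip link set dev "$iface" promisc off
    run ip link set dev "$iface" arp on
    [ -r "$STATE_FILE" ] || return 0
    while read -r _idx _dev fam addr _rest; do
        case "$fam" in inet|inet6) run ip addr add "$addr" dev "$iface" ;; esac
    done < "$STATE_FILE"
}

# Single-interface workaround: go dark, capture for N seconds, come back.
sniff_window() {
    iface="$1"; seconds="$2"; outfile="$3"
    passive_mode "$iface"
    run timeout "$seconds" tcpdump -i "$iface" -n -w "$outfile"
    restore_mode "$iface"
}

if [ "${1:-}" = window ]; then
    sniff_window "$IFACE" "${2:-300}" "${3:-/tmp/$IFACE.pcap}"
fi
```

Run as `DRY_RUN=1 sh passive-sniff.sh window 300` to review the command sequence, then with DRY_RUN=0 as root on the sensor to apply it.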

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:31 PDT