> The L0pht people have my admiration for fully documenting (and
> crediting) their approach, but I think they over-hype this tool by
> saying that it will detect sniffing -- a green light from their
> product does NOT mean you're not being sniffed.

Very true.  Last time I wanted to set up a sniffer, I ended up adding a
BPFONLY interface flag to the kernel, which completely disables the
interface for incoming packets except for BPF access (the raw-packet
interface on the OS in question was BPF).  This would defeat all of
AntiSniff's checks (with the possible exception of the response-time
check, which would be possible if the machine had another interface
that *could* receive packets).

And all of the checks assume the machine has an IP address.  For its
apparently-intended purpose (helping admins tell when their net has
been remotely compromised), this is not a problem, since such an
intrusion will be little use to an attacker without leaving IP up on
the machine...but I *would* have preferred to see this explicitly
stated in their doco.

					der Mouse

			       mouseat_private
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
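An added illustration of the point made in the message above; this is not code from der Mouse's post nor from L0pht's AntiSniff. It models a response-time check of the kind the post refers to (ping a host on a quiet segment, then again while the segment is flooded, and compare) and writes the verdict so that a host that never answers comes back as "no-data" rather than "clean". The threshold, sample counts, function names and all RTT figures are assumptions constructed for the example, not measurements or AntiSniff's actual parameters.

```python
"""Model of a latency-based sniffer check with a three-way verdict.

Added example, not AntiSniff's code.  Threshold and sample data are
constructed assumptions.
"""
import statistics
from typing import Dict, Optional, Sequence, Tuple

# Assumed threshold for this example (not AntiSniff's value): a host that
# is in promiscuous mode must process every frame on a saturated segment,
# so its ping replies are expected to slow down noticeably under load.
SLOWDOWN_RATIO = 1.5
MIN_SAMPLES = 5

Rtts = Sequence[Optional[float]]  # None marks a probe that got no reply


def verdict(quiet_rtts: Rtts, loaded_rtts: Rtts) -> str:
    """Classify one host from ping RTTs (ms) on a quiet segment and again
    while the segment is flooded.

    Returns "suspect", "clean" or "no-data".  "no-data" is deliberately
    kept distinct from "clean": a host that never answers (no IP address,
    or an interface that passes frames only to BPF and drops the rest)
    cannot be measured, and a missing measurement is not evidence that
    the host is not sniffing.
    """
    quiet = [r for r in quiet_rtts if r is not None]
    loaded = [r for r in loaded_rtts if r is not None]
    if len(quiet) < MIN_SAMPLES or len(loaded) < MIN_SAMPLES:
        return "no-data"
    # Medians rather than means, so a few lost or delayed probes under
    # load do not by themselves manufacture a "suspect" verdict.
    base = statistics.median(quiet)
    under_load = statistics.median(loaded)
    if base <= 0:
        return "no-data"
    return "suspect" if under_load / base >= SLOWDOWN_RATIO else "clean"


# Constructed sample data (hypothetical hosts, not real measurements).
HOSTS: Dict[str, Tuple[Rtts, Rtts]] = {
    # Answers promptly both ways: nothing to see.
    "quiet-host": ([0.41, 0.39, 0.42, 0.40, 0.43, 0.38],
                   [0.45, 0.44, 0.47, 0.43, 0.46, 0.44]),
    # Answers, but far more slowly under load: consistent with a kernel
    # that is busy handing every frame on the wire to a sniffer.
    "promisc-host": ([0.40, 0.42, 0.39, 0.41, 0.40, 0.43],
                     [1.30, 1.45, 1.20, 1.60, 1.35, 1.50]),
    # Never answers: no IP address, or a BPF-only interface.  This is the
    # case the post is about, and it must not be reported as "clean".
    "bpf-only-host": ([None] * 6, [None] * 6),
}


def scan(hosts: Dict[str, Tuple[Rtts, Rtts]] = HOSTS) -> Dict[str, str]:
    """Run the verdict over every host and return name -> verdict."""
    return {name: verdict(q, l) for name, (q, l) in hosts.items()}


if __name__ == "__main__":
    for name, v in scan().items():
        print(f"{name:15s} {v}")
```

The design point is the third outcome: a tool that reports only green or red collapses "no reply at all" into green, which is exactly the gap the post describes. A host that takes the wire in promiscuous mode through BPF alone, with no IP stack answering, produces no data for this check and should be reported as unmeasured, not as clean.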
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:35 PDT