On Jul 27, 1:15, *Hobbit* wrote:
> Subject: Antisniff thoughts
> 1. For a completely passive box, we set the interface to some bogus IP
> addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away.
> Antisniff would never see the machine because the machine would never
> answer anything unless someone could guess the IP address. Drawback:
> hard to retrieve logs remotely.

On Solaris you can "snoop" an interface which is down:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet <censored> netmask <censored> broadcast <censored>
        ether <censored>
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether <censored>
# snoop -d le0
Using device /dev/le (promiscuous mode)
  202.99.168.11 -> <censored>           HTTP (body)
195.101.197.218 -> www.pilotschool.net  HTTP C port=37004
     <censored> -> 202.99.168.11        HTTP C port=53889
  202.99.168.11 -> <censored>           HTTP (body)
              ? -> *                    ETHER Type=9000 (Loopback), size = 60 bytes
^C
#

-Wolfram

--
Email: Wolfram.Schmidtat_private
Voice: +49 711 970 2431    Fax: +49 711 970 2401
Office: Fraunhofer IAO, Holzgartenstr. 17, 70174 Stuttgart, Germany
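The point of both messages is that a capture interface only stays invisible to an active detector like Antisniff if it can never be provoked into transmitting: no routable IP address, no ARP, or simply not UP. The script below is an added example, not code from the thread or from Antisniff; it shows the Solaris-style setup commands Hobbit describes and a small check, run against ifconfig -a output, that confirms the chosen interface is actually in that silent state before you start snoop. The sample ifconfig listing is constructed (addresses from the 192.0.2.0/24 documentation range, invented MACs), modelled on Wolfram's output. The function names and the capture file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check that a sniffing
# interface is configured so it will never answer on the wire.

# Constructed ifconfig -a output, modelled on the listing in the thread.
# Addresses and MACs are invented for this example.
SAMPLE_IFCONFIG='lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
        ether 8:0:20:aa:bb:cc
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether 8:0:20:dd:ee:ff'

# stealth_setup_cmds IFACE: print the Solaris commands that put IFACE into
# the state Hobbit describes (address 0.0.0.0, ARP disabled) and start a
# capture to a file. Printed rather than executed so the example is safe to
# run anywhere; pipe into sh on the sniffer box itself.
# /var/tmp/capture.snoop is an assumed path.
stealth_setup_cmds() {
    printf 'ifconfig %s 0.0.0.0 -arp\n' "$1"
    printf 'snoop -d %s -o /var/tmp/capture.snoop\n' "$1"
}

# iface_block OUTPUT IFACE: print only the lines of ifconfig -a output that
# belong to IFACE (the header line plus its indented continuation lines).
iface_block() {
    printf '%s\n' "$1" | awk -v want="$2:" '
        $1 ~ /^[a-z0-9]+:$/ { cur = $1 }
        cur == want { print }'
}

# iface_is_silent OUTPUT IFACE: return 0 when IFACE cannot be provoked into
# answering, i.e. it has no usable IP address (0.0.0.0 or none) AND it is
# either not UP (Wolfram's case: snoop on a down interface) or has NOARP
# set (Hobbit's "ifconfig -arp"). Returns 1 for anything else, including
# an interface that is not present in the output at all.
iface_is_silent() {
    blk=$(iface_block "$1" "$2")
    [ -n "$blk" ] || return 1
    flags=$(printf '%s\n' "$blk" | sed -n '1s/.*flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p')
    addr=$(printf '%s\n' "$blk" | sed -n 's/^[[:space:]]*inet \([^ ]*\).*/\1/p')
    # Any real address means the box will answer to someone who guesses it.
    case "$addr" in
        ''|0.0.0.0) ;;
        *) return 1 ;;
    esac
    # If the interface is UP it must also have NOARP; a down interface is fine.
    case ",$flags," in
        *,UP,*)
            case ",$flags," in
                *,NOARP,*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Stand-alone usage: check the sample listing, then show the setup commands.
for i in lo0 hme0 le0; do
    if iface_is_silent "$SAMPLE_IFCONFIG" "$i"; then
        echo "$i: silent, safe to snoop on"
    else
        echo "$i: would answer on the wire, do not use for passive capture"
    fi
done
stealth_setup_cmds le0
```

On a live box replace SAMPLE_IFCONFIG with "$(ifconfig -a)". The check is deliberately conservative: Hobbit's alternative of a bogus but non-zero address is rejected, because whether that address is "bogus" depends on the network and the script cannot know.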
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:41 PDT