Re: Antisniff thoughts

From: Wolfram Schmidt (Wolfram.Schmidtat_private)
Date: Tue Jul 27 1999 - 11:35:30 PDT


    On Jul 27,  1:15, *Hobbit* wrote:
    > Subject: Antisniff thoughts
    > 1. For a completely passive box, we set the interface to some bogus IP
    > addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away.
    >  Antisniff would never see the machine because the machine would never
    > answer anything unless someone could guess the IP address. Drawback:
    > hard to retrieve logs remotely.
    
    On Solaris you can "snoop" an interface which is down:
    
    # ifconfig -a
    lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
            inet 127.0.0.1 netmask ff000000
    hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
            inet <censored> netmask <censored> broadcast <censored>
            ether <censored>
    le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 0.0.0.0 netmask 0
            ether <censored>
    # snoop -d le0
    Using device /dev/le (promiscuous mode)
    202.99.168.11 -> <censored>     HTTP (body)
    195.101.197.218 -> www.pilotschool.net HTTP C port=37004
        <censored> -> 202.99.168.11 HTTP C port=53889
    202.99.168.11 -> <censored>     HTTP (body)
               ? -> *            ETHER Type=9000 (Loopback), size = 60 bytes
    ^C
    #
    
    -Wolfram
    
    
    --
    Email: Wolfram.Schmidtat_private
    Voice: +49 711 970 2431
    Fax: +49 711 970 2401
    Office: Fraunhofer IAO, Holzgartenstr. 17, 70174 Stuttgart, Germany
    
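A host-side check for the condition Wolfram shows above, added here as an example and not part of the thread: it parses `ifconfig -a` output in the Solaris layout of his transcript and reports interfaces that are RUNNING without being UP, or RUNNING with no address configured, which from the host's own vantage point is the footprint of a "down" device that something like snoop has opened. The sample text and its addresses are constructed placeholders in the page's layout, and the function is a local audit only; a network-based tool such as AntiSniff cannot observe this state, which is the point of the thread.

```python
import re

# Constructed sample in the Solaris "ifconfig -a" layout shown in the post;
# addresses are placeholders, not values from the page.
SAMPLE_IFCONFIG = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
        ether 8:0:20:aa:bb:cc
le0: flags=842<BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0
        ether 8:0:20:dd:ee:ff
"""

HEADER = re.compile(r"^(\w+): flags=[0-9a-fA-F]+<([^>]*)>")
INET = re.compile(r"^\s+inet (\S+)")


def parse_ifconfig(text):
    """Return {ifname: {"flags": set, "inet": str or None}} from ifconfig -a text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            flags = set(f for f in m.group(2).split(",") if f)
            ifaces[current] = {"flags": flags, "inet": None}
            continue
        m = INET.match(line)
        if m and current:
            ifaces[current]["inet"] = m.group(1)
    return ifaces


def audit_ifconfig(text):
    """Flag non-loopback interfaces that are open for capture but not configured:
    RUNNING without UP (a 'down' device someone has opened), or RUNNING with
    the unconfigured address 0.0.0.0 / no inet line at all."""
    findings = []
    for name, info in parse_ifconfig(text).items():
        flags = info["flags"]
        if "LOOPBACK" in flags or "RUNNING" not in flags:
            continue
        reasons = []
        if "UP" not in flags:
            reasons.append("RUNNING but not UP")
        if info["inet"] in (None, "0.0.0.0"):
            reasons.append("no IP address configured")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_ifconfig(SAMPLE_IFCONFIG):
        print(f"{name}: {'; '.join(reasons)}")
```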



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:41 PDT