Re: Antisniff thoughts

From: blue0ne (coolwhipieat_private)
Date: Mon Jul 26 1999 - 17:01:59 PDT


    Another way to provide IDS ability and completely pull the NIC off the
    network in question (not to mention create lots of interesting
    possibilities) is to apply the use of a Shomiti Century Tap.  It passively
    recreates both rx on a full duplex link, and funnels them off to two twisted
    pair cables respectively.  Plug these two, or as many as you want really,
    into a switch that allows port spanning/mirroring, and voila.  I've done
    this in many situations, and it works great.
    
    http://www.shomiti.com
    
    I don't work for them, I just use their stuff.
    
    Blue
    -----Original Message-----
    From: *Hobbit* <hobbitat_private>
    To: BUGTRAQat_private <BUGTRAQat_private>
    Date: Monday, July 26, 1999 7:09 PM
    Subject: Antisniff thoughts
    
    >1. For a completely passive box, we set the interface to some bogus IP addr,
    >or 0.0.0.0 if that works, ifconfig -arp, and hoover away.  Antisniff would
    >never see the machine because the machine would never answer anything unless
    >someone could guess the IP address.  Drawback: hard to retrieve logs remotely.
    >
    >Workaround: one interface as a normal address on a normal reachable net, and a
    >second interface configured as above sniffing a *different* net.  Useful
    >setup for remotely-administerable IDS boxes; real address lives on a protected
    >inside net, sniffing interface plugs in to watch the dirty one but is not
    >addressable.
    >
    >Workaround for a single interface:  As the sniffer starts, reset the interface
    >to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
    >parameters.  Or perhaps dynamically flop modes back and forth depending on
    >whether we saw traffic for the machine's real address arrive.  A sniffer with
    >an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
    >there's traffic to its own host, and lay low accordingly.
    >
    >2. Antisniff evasion possibility: enhancement to detect the first couple of
    >Antisniff probes, and immediately un-promiscuize the card for a while until
    >we think it's safe to peek out again.  Possibly in a dynamic mode; see #1.
    >
    >Just a coupla ideas to kick around..
    >
    >_H*
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:52 PDT