Another way to provide IDS ability and completely pull the NIC off the network in question (not to mention create lots of interesting possibilities) is to apply the use of a Shomiti Century Tap. It passively recreates both rx on a full duplex link, and funnels them off to two twisted pair cables respectively. Plug these two, or as many as you want really, into a switch that allows port spanning/mirroring, and voila. I've done this in many situations, and it works great.

http://www.shomiti.com

I don't work for them, I just use their stuff.

Blue

-----Original Message-----
From: *Hobbit* <hobbitat_private>
To: BUGTRAQat_private <BUGTRAQat_private>
Date: Monday, July 26, 1999 7:09 PM
Subject: Antisniff thoughts

>1. For a completely passive box, we set the interface to some bogus IP addr,
>or 0.0.0.0 if that works, ifconfig -arp, and hoover away. Antisniff would
>never see the machine because the machine would never answer anything unless
>someone could guess the IP address. Drawback: hard to retrieve logs remotely.
>
>Workaround: one interface as a normal address on a normal reachable net, and a
>second interface configured as above sniffing a *different* net. Useful
>setup for remotely-administerable IDS boxes; real address lives on a protected
>inside net, sniffing interface plugs in to watch the dirty one but is not
>addressable.
>
>Workaround for a single interface: As the sniffer starts, reset the interface
>to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
>parameters. Or perhaps dynamically flop modes back and forth depending on
>whether we saw traffic for the machine's real address arrive. A sniffer with
>an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
>there's traffic to its own host, and lay low accordingly.
>
>2. Antisniff evasion possibility: enhancement to detect the first couple of
>Antisniff probes, and immediately un-promiscuize the card for a while until
>we think it's safe to peek out again. Possibly in a dynamic mode; see #1.
>
>Just a coupla ideas to kick around..
>
>_H*
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:52 PDT