Re: Interface promiscuity obscurity in Linux

From: Jim Mellander (jmellanderat_private)
Date: Thu Jul 25 2002 - 14:58:57 PDT


    My sniffer detector, update, which (unfortunately) is only a binary
    release at this moment pending legalities, uses the following technique
    for Solaris:
    
    For all possible interfaces (le, hme, etc), find head of stream linked
    list for that interface by examining kernel symbols:  for hme, for
    instance, the kernel symbol is 'hmestrup'
    
    This points to a linked list of open streams for that interface (the
    structure of which is in the header file hme.h, etc).
    
    Walk the list looking at the flag for that stream, until you reach a
    null pointer, which is the end of the stream list.
    
    Then check the next possible interface.
    
    Some trickiness in supporting 32-bit & 64-bit kernels in the same
    binary.  Unfortunately, it hasn't been updated for sunblade yet.
    
    
    For Solaris x86, a similar approach is used, except there is only one
    linked list, but it links back to the beginning.
    
    For Linux 2.2, it actually steps through the linked list of devices,
    ignoring the first one, which is the loopback, then reads the flags from
    kernel memory.
    
    
    Here's a non-error-checking code snippet for Solaris hme (details of
    32/64 bit stuff omitted):
    
    #include <sys/types.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdint.h>
    #include <nlist.h>
    #include <sys/hme.h>     /* struct hmestr, HMESALLPHYS (driver header hme.h) */
    
    /* Count open hme streams with the all-physical (promiscuous) flag set.
       No error checking; 32/64-bit kernel handling omitted. */
    int
    count_hme_promisc(void)
    {
        struct nlist nl[] = {
            { "hmestrup"    },      /* head of the hme stream list */
            { 0             }
        };
        struct hmestr hmestr;
        uintptr_t hmeaddr;
        int memfd;
        int retval = 0;
    
        /* Open the kernel memory file; read-only is all this walk needs */
        memfd = open("/dev/kmem", O_RDONLY);
    
        /* Get the namelist entry for the interface */
        nlist("/dev/ksyms", nl);
    
        /* Walk the stream list until the null pointer that ends it */
        hmeaddr = (uintptr_t) nl[0].n_value;
        while (hmeaddr != 0) {
            lseek(memfd, (off_t) hmeaddr, SEEK_SET);
            read(memfd, (void *) &hmestr, sizeof(struct hmestr));
    
            if (hmestr.sb_flags & HMESALLPHYS)
                retval++;
    
            hmeaddr = (uintptr_t) hmestr.sb_nextp;
        }
    
        close(memfd);
        return retval;
    }
    
    
    update is available at ftp://lassie.lbl.gov
    
    
    Casper Dik wrote:
    > 
    > >The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode sets by
    > >ioctl(SIOCSIFFLAGS).
    > 
    > This is the same reason why Promiscuous mode is never reported by
    > "ifconfig" in Solaris 2.0 and later.
    > 
    > In Solaris, ifconfig primarily (or perhaps only) deals with the
    > "IP (or other network stack) plumbing" on devices; in that context
    > the "promiscuous" flag has no meaning either.
    > 
    > A number of Solaris device drivers export the fact whether they're
    > promiscuous using the "kstat" (kernel statistics) interface; unfortunately
    > not all devices support that yet.
    > 
    > $ kstat -p :::promisc
    > elxl:0:elxl0:promisc    off
    > 
    > We need to fix this for most SPARC hardware still.
    > 
    > Casper
    
    -- 
    Jim Mellander
    Incident Response Manager
    Computer Protection Program
    Lawrence Berkeley National Laboratory
    (510) 486-7204
    
    Your fortune for today is:
    
    One Bell System - it works.
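Added example, not from Jim's post and not code from update: the kernel-memory list walk described above, generalized to handle both the null-terminated stream list described for SPARC and the circular list described for Solaris x86, with the bounds check and cycle guard the posted snippet leaves out. The record layout (struct stream_rec), the flag value STREAM_PROMISC, the MAX_STREAMS cap and the 64-byte memory image are constructed stand-ins for the driver structures and /dev/kmem; they are not the real hme definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a driver's per-stream record: a link to the next
 * record (an offset into the image; 0 ends the list) followed by a flags
 * word.  The real Solaris struct hmestr layout comes from the driver header
 * and is deliberately not reproduced here. */
struct stream_rec {
    uint32_t next;
    uint32_t flags;
};

#define STREAM_PROMISC 0x1u   /* stand-in for a flag such as HMESALLPHYS */
#define MAX_STREAMS    1024   /* walks longer than this are treated as corrupt */

/* Bounds-checked read of one record from the image: the equivalent of
 * lseek()+read() on /dev/kmem, but refusing addresses outside the image. */
static int read_rec(const uint8_t *img, size_t len, uint32_t addr,
                    struct stream_rec *out)
{
    if (addr > len || len - addr < sizeof *out)
        return -1;
    memcpy(out, img + addr, sizeof *out);
    return 0;
}

/* Walk the list from 'head' and count records carrying STREAM_PROMISC.
 * Stops on a null link (the SPARC-style list) or when a link returns to
 * head (the circular x86-style list).  Returns -1 if a link points outside
 * the image or the walk exceeds MAX_STREAMS records, which catches a cycle
 * that bypasses head or a corrupt pointer instead of spinning forever. */
int count_promisc_streams(const uint8_t *img, size_t len, uint32_t head)
{
    struct stream_rec rec;
    uint32_t addr = head;
    int count = 0, steps = 0;

    while (addr != 0) {
        if (read_rec(img, len, addr, &rec) < 0)
            return -1;
        if (++steps > MAX_STREAMS)
            return -1;
        if (rec.flags & STREAM_PROMISC)
            count++;
        addr = rec.next;
        if (addr == head)            /* circular list: back at the start */
            break;
    }
    return count;
}

/* Place one record into a constructed image at 'addr'. */
static void put_rec(uint8_t *img, uint32_t addr, uint32_t next, uint32_t flags)
{
    struct stream_rec rec;
    rec.next = next;
    rec.flags = flags;
    memcpy(img + addr, &rec, sizeof rec);
}

/* Build a 64-byte constructed image holding three records at offsets 8, 16
 * and 24 (two of them promiscuous), with the last record's link set to
 * 'last_link', and walk it from offset 8.  last_link selects the shape:
 * 0 = null-terminated, 8 = circular back to head, anything else = bad. */
int run_case(uint32_t last_link)
{
    uint8_t img[64];

    memset(img, 0, sizeof img);
    put_rec(img, 8,  16,        STREAM_PROMISC);
    put_rec(img, 16, 24,        0);
    put_rec(img, 24, last_link, STREAM_PROMISC);
    return count_promisc_streams(img, sizeof img, 8);
}

int main(void)
{
    printf("null-terminated list: %d\n", run_case(0));     /* 2 */
    printf("circular list:        %d\n", run_case(8));     /* 2 */
    printf("cycle bypassing head: %d\n", run_case(16));    /* -1 */
    printf("link outside image:   %d\n", run_case(4000));  /* -1 */
    return 0;
}
```

The two failure cases are the ones a tool reading kernel memory actually meets: a pointer that has been overwritten or belongs to a different kernel build, and a list whose shape differs from the one the tool was written for (the x86 list that links back to the start). The posted snippet would read garbage for the first and never return for the second; the step cap and the head check turn both into an error the caller can report.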
    



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 15:11:11 PDT