hi,
I had some experiences running some anti-sniffer warfare but I didn't
succeed at all. Some tricks with the promisc flag couldn't detect an
IFF_PROMISC set. Well, I set the promisc flag down by using ifconfig's
"-promisc" flag and I still had some experiences sniffing my own
computer and, what is not good, with no detection.
condor@uground.org
Sysadm - http://www.uground.org
Brazil
On Fri, 30 Jan 1998, Icore, Joshua wrote:
> A more direct approach would be to run something like cpm from CERT. cpm can
> be run out of cron on unix boxes and checks to see which if any devices are in
> promiscuous mode by checking the devices status via ioctl's. It would be
> trivial to add the requisite functionality to change this to a daemon on unix,
> though I think it is better if used from cron. It should be possible to have
> this program run on an NT/95 box as well, though the 95 box would be harder to
> validate due to lack of user security.
>
> For the really paranoid, with source access, one can always wrap/trap the
> SIOCSIFFLAGS operation and check to see if IFF_PROMISC is being set, and issue
> a warning. Since IFF_PROMISC is already restricted on *nix systems to euid 0,
> add code to write to a log, or send mail if the IFF_PROMISC flag is set.
>
> I have found cpm to be a useful *nix tool, but YMMV.
>
> Respectfully,
> Joshua R. Icore
>
> ---
> Joshua R. Icore
>
> Network Security Engineer
> Decision-Science Applications, Inc.
> 1110 N. Glebe Rd., Suite 400
> Arlington, VA 22201
>
> PGP Key fingerprint = BB E5 D6 01 D7 9A 29 CE 6A 30 8D 99 82 79 11 D6
> jicore@dsava.com
> pager: 1.800.800.7759 (jicore-pager@dsava.com)
> voice: 703.243.2500
> fax: 703.875.9231
>