> A more direct approach would be to run something like cpm from CERT. cpm can
> be run out of cron on unix boxes and checks to see which if any devices are in
> promiscuous mode by checking the devices status via ioctl's.
If an attacker finds this program he'll modify it so it won't report
anything. This is almost trivial.
A better approach for an attacker would be to load a kernel module (if
supported by the operating system) which prevents the PROMISC flag of the
ethernet card from being shown.
> For the really paranoid, with source access, one can always wrap/trap the
> SIOCSIFFLAGS operation and check to see if IFF_PROMISC is being set, and issue
> a warning.
This would be a good solution. Someone would need to patch the system to
get around this, and detecting this and removing the protection is hard
work, too much for most of the script kiddies.
BTW, Linux reports a "kernel: eth0: Promiscuous mode enabled" ...
> Since IFF_PROMISC is already restricted on *nix systems to euid 0, add code
> to write to a log, or send mail if the IFF_PROMISC flag is set.
Well, what's the use? If an attacker has got root to run a sniffer, he can
modify the logs too. Solution: send a log message to another host.
Kind regards,
This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.
Type Bits/KeyID Date User ID
pub 2048/DB5C03C5 1997/09/23 Marc Heuse <marc .