Hi,
> A more direct approach would be to run something like cpm from CERT. cpm can
> be run out of cron on unix boxes and checks to see which, if any, devices are in
> promiscuous mode by checking the devices' status via ioctls.
If an attacker finds this program he'll modify it so it won't report
anything. This is almost trivial.
A better approach for an attacker would be to load a kernel module (if
supported by the operating system) which prevents the PROMISC flag of the
ethernet card from being shown.
> For the really paranoid, with source access, one can always wrap/trap the
> SIOCSIFFLAGS operation and check to see if IFF_PROMISC is being set, and issue
> a warning.
This would be a good solution. Someone would need to patch the system to
get around this, and to detect this and remove the protection is hard
work, too much for most of the script kiddies.
BTW, Linux reports a "kernel: eth0: Promiscuous mode enabled" ...
> Since IFF_PROMISC is already restricted on *nix systems to euid 0, add code
> to write to a log, or send mail if the IFF_PROMISC flag is set.
Well, what's the use? If an attacker has got root to run a sniffer, he can
modify the logs too. Solution: send a log message to another host.
With kind regards,
Marc Heuse
This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.
Type Bits/KeyID Date User ID
pub 2048/DB5C03C5 1997/09/23 Marc Heuse <marc.heuse@mail.deuba.com>