> Hi,
>
>> A more direct approach would be to run something like cpm from CERT. cpm
>> can be run out of cron on unix boxes and checks to see which if any devices
>> are in promiscuous mode by checking the device's status via ioctl's.
>
> If an attacker finds this program he'll modify it so it won't report
> anything. This is almost trivial.
This is true of any host-based software of course, but it is one step...
> A better approach for an attacker would be to load a kernel module (if supported
> by the operating system) which does prevent showing the
> PROMISC flag from the ethernet card.
Agreed, also, the attacker would want to load a module to prevent the ethernet
card from responding to frames that are not sent to its MAC address to prevent
active detection by a remote host....
>> For the really paranoid, with source access, one can always wrap/trap the
>> SIOCSIFFLAGS operation and check to see if IFF_PROMISC is being set, and
>> issue a warning.
>
> this would be a good solution. Someone would need to patch the system to get
> around this, and to detect this and remove the protection is
> hard work, too much for most of the script kiddies. btw. linux reports a
> "kernel: eth0: Promiscuous mode enabled" ...
As do {Free,Net,Open}BSD
>> Since IFF_PROMISC is already restricted on *nix systems to euid 0, add code
>> to write to a log, or send mail if the IFF_PROMISC flag is set.
>
> well - what's the use? If an attacker has got root to run a sniffer, he can
> modify the logs too. Solution: send a log message to another host.
> Marc Heuse
True, but the attacker can also disable syslog, add a static route and ARP
entry (if needed) for the log host to the localhost... The possibilities are
endless...
Respectfully,
Joshua R. Icore
---
Joshua R. Icore
Network Security Engineer
Decision-Science Applications, Inc.
1110 N. Glebe Rd., Suite 400
Arlington, VA 22201
PGP Key fingerprint = BB E5 D6 01 D7 9A 29 CE 6A 30 8D 99 82 79 11 D6
jicore @ dsava . com
pager: 1.800.800.7759 (jicore-pager @ dsava . com)
voice: 703.243.2500
fax: 703.875.9231