Bugtraq mailing list archives

snooper detection


From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 10 May 1995 11:26:54 -0400 (EDT)


> Are you able to detect someone running snoop on a machine with for instance
> tripwire? (Solaris Case study). With an out of the box Solaris machine
> what you are stating in your mail is false.

        If you are saying that Solaris does not provide proper OS
protection for the ethernet interface, this is a major hole.  For
example, if that device is a DMA device, it could be exploited to
overwrite OS memory, etc.  Otherwise, I don't see how you can use
Solaris as a sniffer without getting root access first.  This then is
not a sniffer problem but another security hole.

> Or doing a modload onto a SunOS 4.x machine where the module would produce a
> device with the proper major and minor numbers of /dev/nit? Would you be able
> to detect this? Same could be done on a SunOS 5.x machine...
> (modload is NEEDED for instance to be able to have printing services running).

There is no reason you could not detect this and there are several
substantial journal articles addressing these issues in a great deal
of detail (see Computers and Security for the last 5 years).

> For both case studies the prerequisite "be root" has been skipped for more or
> less obvious reasons...

To reliably detect if root has made a modification, you need to do a
more complex set of checks using hard-to-forge cryptographic checksums
and a system of defense-in-depth.  Again, these have been extensively
addressed in journal articles and in a book titled: "A Short Course on
Computer Viruses - 2nd edition" available through John Wiley and Sons. 

As far as I am aware, current sniffers do not necessitate this level
of protection, and since bugtraq is not interested in theoretical
issues, further discussion of this issue should be taken off-line.

-- 
-----------------
\Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \        /\/   | Check out info-security heaven and test your system
  \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
     \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
-----------------
   ASIS "Security Management" Articles and Information On-Line
   Read "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
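The two detection points raised in this exchange, a signed (hard-to-forge) integrity baseline and a check for a freshly created device node that reuses a watched sniffing device's major/minor numbers, as an added example that is not part of the original thread and not tripwire's code. `BASELINE_KEY` and the `(99, 0)` major/minor pair are constructed placeholders, not real Solaris or SunOS values.

```python
import hashlib
import hmac
import json
import os
import stat

# Constructed demo key. Root can re-hash files, so the baseline is MACed with a
# key that must live off the monitored host (read-only media, another machine).
BASELINE_KEY = b"constructed-demo-key"

# Placeholder major/minor of a sniffing device to watch for (not the real /dev/nit
# numbers); a new node with this pair is suspicious whatever it is named.
WATCHED_DEVICES = {(99, 0): "nit-like sniffing device (placeholder)"}


def describe(path: str) -> dict:
    """Attributes an integrity checker records for one path (reads the host)."""
    st = os.lstat(path)
    entry = {"path": path, "mode": stat.S_IFMT(st.st_mode), "uid": st.st_uid}
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        entry["dev"] = [os.major(st.st_rdev), os.minor(st.st_rdev)]
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return entry


def sign_baseline(entries: list) -> dict:
    """Serialise entries canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(sorted(entries, key=lambda e: e["path"]), sort_keys=True)
    tag = hmac.new(BASELINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_baseline(baseline: dict) -> list:
    """Reject a baseline whose body was edited after signing, else decode it."""
    expected = hmac.new(BASELINE_KEY, baseline["body"].encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), baseline["tag"]):
        raise ValueError("baseline tag mismatch: stored baseline was altered")
    return json.loads(baseline["body"])


def compare(baseline_entries: list, current_entries: list) -> list:
    """Return (kind, path) alerts: added/removed/changed plus watched devices."""
    old = {e["path"]: e for e in baseline_entries}
    new = {e["path"]: e for e in current_entries}
    alerts = []
    for p in sorted(set(old) | set(new)):
        if p not in old:
            alerts.append(("added", p))
            if tuple(new[p].get("dev", ())) in WATCHED_DEVICES:
                alerts.append(("sniffer-device", p))
        elif p not in new:
            alerts.append(("removed", p))
        elif old[p] != new[p]:
            alerts.append(("changed", p))
    return alerts
```

`describe` scans real paths; the comparison logic itself works on the recorded entries, so a baseline can be verified on a clean host.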