Bugtraq mailing list archives
snooper detection
From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 10 May 1995 11:26:54 -0400 (EDT)
Are you able to detect someone running snoop on a machine with for instance tripwire? (Solaris Case study). With an out of the box Solaris machine what you are stating in your mail is false.
If you are saying that Solaris does not provide proper OS protection for the ethernet interface, this is a major hole. For example, if that device is a DMA device, it could be exploited to overwrite OS memory, etc. Otherwise, I don't see how you can use Solaris as a sniffer without getting root access first. This then is not a sniffer problem but another security hole.
Or doing a modload onto a SunOS 4.x machine where the module would produce a device with the proper major and minor numbers of /dev/nit? Would you be able to detect this? Same could be done on a SunOS 5.x machine... (modload is NEEDED for instance to be able to have printing services running).
There is no reason you could not detect this and there are several substantial journal articles addressing these issues in a great deal of detail (see Computers and Security for the last 5 years).
For both case studies the pre-requisite: be root has been skipped for more or less obvious reasons...
To reliably detect if root has made a modification, you need to do a more complex set of checks using hard-to-forge cryptographic checksums and a system of defense-in-depth. Again, these have been extensively addressed in journal articles and in a book titled: "A Short Course on Computer Viruses - 2nd edition" available through John Wiley and Sons. As far as I am aware, current sniffers do not necessitate this level of protection, and since bugtraq is not interested in theoretical issues, further discussion of this issue should be taken off-line.

--
Management Analytics | 216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known vulnerabilities (1st time for free) at URL: http://all.net:8080 (scans deeper than SATAN or ISS)
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway" John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
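A tripwire-style baseline built from keyed (HMAC) checksums of the kind the reply alludes to, written as an added example that is not part of the original message or of any tool it names. It assumes the secret key is kept off the monitored host (so a root compromise of the host cannot recompute the checksums) and runs against constructed sample files; device nodes are covered by recording their major/minor numbers, which is what would expose a freshly created /dev/nit-style node.

```python
import hashlib, hmac, os, stat, tempfile
from pathlib import Path

# Constructed key (assumption): in practice it lives off-host, e.g. on read-only media,
# so an attacker with root on the monitored machine cannot forge matching checksums.
KEY = b"example-baseline-key-kept-off-host"

def entry_digest(path: Path, key: bytes = KEY) -> str:
    """Keyed digest over file type, permission bits, device numbers and (for regular files) contents."""
    st = path.lstat()
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(f"{stat.S_IFMT(st.st_mode):o}:{stat.S_IMODE(st.st_mode):o}:".encode())
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        # A new or altered device node (e.g. one with /dev/nit's major number) changes this digest.
        mac.update(f"{os.major(st.st_rdev)}:{os.minor(st.st_rdev)}".encode())
    elif stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                mac.update(chunk)
    return mac.hexdigest()

def baseline(root: Path, key: bytes = KEY) -> dict:
    """Map of relative path -> keyed digest for every non-directory entry under root."""
    return {p.relative_to(root).as_posix(): entry_digest(p, key)
            for p in sorted(root.rglob("*")) if not p.is_dir()}

def verify(root: Path, base: dict, key: bytes = KEY) -> dict:
    """Compare the current tree against a stored baseline; report added, removed and changed entries."""
    now = baseline(root, key)
    return {
        "added": sorted(set(now) - set(base)),
        "removed": sorted(set(base) - set(now)),
        "changed": sorted(k for k in base.keys() & now.keys()
                          if not hmac.compare_digest(base[k], now[k])),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then alter a binary and add a file, and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbin").mkdir(); (root / "etc").mkdir()
        (root / "sbin" / "lpd").write_bytes(b"original printing daemon\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/:/bin/sh\n")
        base = baseline(root)
        (root / "sbin" / "lpd").write_bytes(b"replaced lpd\n")          # modified binary
        (root / "etc" / "nit-like-node").write_bytes(b"")               # stand-in for a new node (mknod needs root)
        return verify(root, base)
```

The caveat from the message still applies: a kernel module loaded by root can lie to the checker about what it reads, which is why the reply pairs checksums with defense-in-depth rather than relying on them alone.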