Bugtraq mailing list archives

Re: (How) Does AntiSniff do what is claimed?


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Mon, 26 Jul 1999 09:47:55 -0400


The L0pht people have my admiration for fully documenting (and
crediting) their approach, but I think they over-hype this tool by
saying that it will detect sniffing -- a green light from their
product does NOT mean you're not being sniffed.

Very true.

Last time I wanted to set up a sniffer, I ended up adding a BPFONLY
interface flag to the kernel, which completely disables the interface
for incoming packets except for BPF access (the raw-packet interface on
the OS in question was BPF).  This would defeat all of AntiSniff's
checks (with the possible exception of the response-time check, which
would be possible if the machine had another interface that *could*
receive packets).

And all of the checks assume the machine has an IP address.  For its
apparently-intended purpose (helping admins tell when their net has
been remotely compromised), this is not a problem, since such an
intrusion will be little use to an attacker without leaving IP up on
the machine...but I *would* have preferred to see this explicitly
stated in their doco.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
