IDS mailing list archives

Re: Counter detect Network Sniffer

From: Tod Beardsley <todb () planb-security net>
Date: Mon, 1 Mar 2004 23:19:21 -0600

Curt Purdy wrote:

> However, I will contend with your statement
> as much network traffic is non-ip dependent i.e. dhcp, arp, etc.  The
> only way you can absolutely guarantee non-detection of a network box
> is to do as I suggested.

Well, iptables rules on your OUTPUT chain and ifconfig -arp should do 
the same trick, but without having to snip a wire (and thus, remotely 
settable). Right?

Snipping wires will be more reliable, and probably the only way to do it 
on Windows, but it's kind of a one-way operation, unless you've trained 
your Asimo how to crimp.

FWIW, uses for a non-promisc sniffer:

Troubleshooting (tcpdump is a hammer, all net OS problems are nails)
Rootkit (or other application) control without binding a TCP/UDP port
Self-training on How Nmap/Nessus Does Its Thing

...that's all I can think of.

-- 
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
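The two controls named in the reply above (an iptables OUTPUT drop on the sniffing interface plus `ifconfig -arp`) can be audited from a sensor's saved state. This is an added example, not code from the thread or its authors; it assumes `eth1` is the capture interface and parses constructed `iptables-save` and `ip link show` text.

```python
"""Audit a passive sensor NIC for silence (added example, not from the thread):
iptables OUTPUT dropping IPv4 on the sniffing interface, plus the NOARP flag
that 'ifconfig <if> -arp' sets. Input: 'iptables-save' / 'ip link show' text."""
import re

# Constructed sample output; eth1 is the assumed sniffing interface.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth1 -j DROP
COMMIT
"""
IP_LINK_SHOW = """\
2: eth1: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""

def output_dropped(iptables_save, iface):
    """True if IPv4 egress on iface is dropped: the first OUTPUT rule keyed
    only on the interface decides, otherwise the chain's default policy."""
    policy = None
    for raw in iptables_save.splitlines():
        line = raw.strip()
        m = re.fullmatch(r":OUTPUT (\w+) \[\d+:\d+\]", line)
        if m:
            policy = m.group(1)
            continue
        m = re.fullmatch(rf"-A OUTPUT -o {re.escape(iface)} -j (\w+)", line)
        if m:
            return m.group(1) in ("DROP", "REJECT")
    return policy == "DROP"

def arp_disabled(ip_link_show, iface):
    """True if iface carries NOARP. ARP is not IP, so iptables never sees it;
    that is why the message pairs the OUTPUT rules with 'ifconfig -arp'."""
    for line in ip_link_show.splitlines():
        m = re.match(r"\d+: (\S+): <([^>]*)>", line)
        if m and m.group(1) == iface:
            return "NOARP" in m.group(2).split(",")
    return False

def sensor_silent(iptables_save, ip_link_show, iface):
    """Both controls must hold; either one alone still leaks frames."""
    ipv4 = output_dropped(iptables_save, iface)
    arp = arp_disabled(ip_link_show, iface)
    return {"ipv4_egress_dropped": ipv4, "arp_disabled": arp, "silent": ipv4 and arp}
```

The check covers only what the message covers: IPv4 via iptables and ARP via the interface flag; any other non-IP protocol the box speaks would need its own check.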

