Vulnerability Development mailing list archives
RE: Firewall and IDS, (the second way).
From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Sat, 16 Mar 2002 00:01:05 -0500
I'm sorry, but your description of promiscuous mode detection is a little off. For latency-based testing you do not need to know what the "normal" ping response of a host is. What you need is to test on the local LAN itself. At that point you begin pinging the machine you are testing, note the response time, and then flood the network with traffic destined for an invalid ethernet address. If the machine (or one of the multiple machines) you are pinging exhibits markedly increased ping response times after the flood is introduced, it is likely in promiscuous mode.

I don't remember the details of Mudge's talk on the matter, but this method has been around for quite a while--albeit it wasn't highly publicized until the l0pht developed Anti-Sniff. IIRC, Anti-Sniff had a few other methods for testing--including OS-specific "fingerprinting" for promiscuous-mode behavior, and monitoring the network for odd DNS requests that a compromised host might be originating in an attempt to resolve IPs of sniffed traffic.

IMHO these other two methods are window dressing. The latency testing is the only method that is likely to work, and is usable against virtually every OS/platform--regardless of version.

Cheers,
Benjamin P. Grubin, CISSP, GIAC
-----Original Message-----
From: Zow Terry Brugger [mailto:zow () llnl gov]
Sent: Friday, March 15, 2002 9:27 PM
To: sekure () hadrion com br
Cc: vuln-dev () securityfocus com
Subject: Re: Firewall and IDS, (the second way).

Hi,

> Hello! I'm "walking" by the internet finding about papers/techniques that can be used to detect systems with IDS installed. Try to detect snort/snort+aide/quinds/.../ Does somebody know of something like it?

I recall Mudge giving a talk at BlackHat Las Vegas in 2000 about something they were doing at @stake/l0pht for detecting sniffers. The idea was to allow sysadmins to detect if one of their machines had been hacked and was acting as a sniffer. The idea was that by putting the interface into promiscuous mode, the machine would take longer to respond to ping packets because there was more traffic for the kernel's IP stack to analyze (whereas usually it'll be filtered out by the NIC).

The same should hold true for NIDS, with a couple of caveats:

1. You'd need to know what ping time to expect if the NIC wasn't running in promiscuous mode in order to calculate a delta.

2. A popular technique to secure NIDS is to not allow them to respond to traffic on the network that they're listening to (that is, bring up, but don't configure, the interface). Doing so will pretty much eliminate the ability to use this technique.

In other words, I wouldn't go around trying to use such a technique to detect NIDS - it'll probably have just the opposite effect of allowing them to detect you.

-"Zow"

from StandardDisclaimer import *
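The decision step of the latency test both posters describe, written as an added example for this archive page; it is not code from the thread, from l0pht's Anti-Sniff, or from either author. It assumes an administrator checking hosts on their own LAN has already gathered two sets of ICMP echo round-trip times per host (quiet baseline, then while the segment carries frames for an invalid MAC) and compares them here; the sample collection itself is left out, the RTT values below are constructed, and every function and parameter name is this example's own. It also covers Zow's second caveat: a host whose sniffing interface never answers yields no samples, and the check says so rather than guessing.

```python
"""Latency-based promiscuous-mode check: comparing baseline and flood RTTs.

Added example, not code from the thread or from Anti-Sniff. Inputs are
round-trip times in milliseconds; None marks a probe that timed out.
"""
from statistics import median
from typing import Optional, Sequence


def _mad(samples: Sequence[float], center: float) -> float:
    """Median absolute deviation: a spread estimate that a few slow
    outliers (an ARP retry, a momentarily busy switch) do not dominate."""
    return median(abs(x - center) for x in samples)


def promisc_verdict(baseline_rtts_ms: Sequence[Optional[float]],
                    flood_rtts_ms: Sequence[Optional[float]],
                    min_ratio: float = 1.5,
                    min_mads: float = 3.0,
                    min_samples: int = 5) -> str:
    """Decide whether the flood noticeably slowed a host's ping replies.

    Returns one of:
      'no-response'  - the host never answers (e.g. an up-but-unconfigured
                       NIDS interface); the technique cannot be applied
      'insufficient' - too few answered probes to judge either phase
      'elevated'     - flood RTT is at least min_ratio x baseline AND more
                       than min_mads MADs above it: consistent with the
                       kernel, not the NIC, filtering the bogus frames
      'normal'       - no meaningful change in response time
    Both the ratio and the MAD test must pass, so a tiny but very steady
    drift (hardware-filtered host) is not reported as elevated.
    """
    base = [x for x in baseline_rtts_ms if x is not None]
    flood = [x for x in flood_rtts_ms if x is not None]
    if not base and not flood:
        return "no-response"
    if len(base) < min_samples or len(flood) < min_samples:
        return "insufficient"
    base_med = median(base)
    flood_med = median(flood)
    # Floor the spread so a perfectly steady baseline still has a scale.
    spread = _mad(base, base_med) or 0.05
    ratio = flood_med / base_med if base_med > 0 else float("inf")
    mads_above = (flood_med - base_med) / spread
    if ratio >= min_ratio and mads_above >= min_mads:
        return "elevated"
    return "normal"


# Constructed samples (ms), not measurements from any real network.
# Host A: every flood frame reaches the kernel, so replies slow down.
HOST_A_BASE = [0.31, 0.29, 0.33, 0.30, 0.32, 0.35, 0.30, 0.31]
HOST_A_FLOOD = [1.9, 2.4, 2.1, 8.7, 2.0, 1.8, 2.2, 2.3]  # one outlier
# Host B: the NIC drops bogus-MAC frames in hardware; RTT barely moves.
HOST_B_BASE = [0.40, 0.42, 0.39, 0.41, 0.40, 0.43, 0.41, 0.40]
HOST_B_FLOOD = [0.44, 0.41, 0.47, 0.43, 0.45, 0.42, 0.46, 0.44]
# Host C: a sniffing interface that is up but unconfigured never answers.
HOST_C_BASE = [None] * 8
HOST_C_FLOOD = [None] * 8


def run_demo() -> dict:
    """Verdict for each constructed host, keyed by a label."""
    return {
        "host-a": promisc_verdict(HOST_A_BASE, HOST_A_FLOOD),
        "host-b": promisc_verdict(HOST_B_BASE, HOST_B_FLOOD),
        "host-c": promisc_verdict(HOST_C_BASE, HOST_C_FLOOD),
    }


if __name__ == "__main__":
    for host, verdict in run_demo().items():
        print(f"{host}: {verdict}")
```

The medians and MAD are deliberately preferred over means and standard deviation: on a real segment a handful of probes will always be delayed by unrelated events, and a mean-based delta would flag hosts that merely had one bad sample. Tune `min_ratio` to the segment's normal jitter before trusting a verdict across many hosts.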
Current thread:
- Firewall and IDS, (the second way). sekure (Mar 15)
- Re: Firewall and IDS, (the second way). Zow (Mar 15)
- RE: Firewall and IDS, (the second way). Benjamin P. Grubin (Mar 16)
- Re: Firewall and IDS, (the second way). Bryan Burns (Mar 16)
- RE: Firewall and IDS, (the second way). Dom De Vitto (Mar 16)
- Re: Firewall and IDS, (the second way). Michel Arboi (Mar 16)
- Re: Firewall and IDS, (the second way). Timothy J. Miller (Mar 19)
- Re: Firewall and IDS, (the second way). Anthony Stevens (Mar 20)
- <Possible follow-ups>
- Re: Firewall and IDS, (the second way). Marco Ivaldi (Mar 18)
- RE: Firewall and IDS, (the second way). PJD (Mar 19)
- Re: Firewall and IDS, (the second way). Zow (Mar 20)
- RE: Firewall and IDS, (the second way). Pedro Quintanilha (Mar 19)
- RE: Firewall and IDS, (the second way). Bojan Zdrnja (Mar 20)