Vulnerability Development mailing list archives

RE: Firewall and IDS, (the second way).


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sat, 16 Mar 2002 09:17:15 -0000

http://www.securityfriday.com/promiscuous_detection_01.pdf

is an excellent paper that details much safer, better ways.

Basically, my IP and MAC are, e.g.:
 217.169.21.113        00-e0-29-29-04-2d     dynamic
And so my NIC picks up the frame and passes it to the OS, which checks it's
destined for me, and the OS responds accordingly.

But if I put in a local arp entry of
 217.169.21.113        ff-ff-ff-ff-ff-ff
that's the bcast, so the NIC still picks up the frame and the OS sees
it's a bcast and responds accordingly.

But oddly, all OSes match "looser" than the NIC, and some match a lot
"looser". E.g. an arp entry of
 217.169.21.113        ff-ff-ff-ff-ff-fe
will allow peers to ping my box, if it's Linux or MS and in PROMISCUOUS
MODE.

In fact, from the one table they present you can send just THREE frames,
and detect if the host NIC is in prom. mode and also say if it's 9x, NT
or Linux.
(tests for Solaris, BSDs etc were not done)

Great paper, much better than flooding the network with crap in the hope
the NIC/OS can't cope (and many now *can* cope, easily).

Of course the best thing is that you can probably just send directed
RARPs, which (I'd imagine) most IDSs don't have rules to spot...

;-)

Dom
 |-----Original Message-----
 |From: Zow Terry Brugger [mailto:zow () llnl gov]
 |Sent: Saturday, March 16, 2002 2:27 AM
 |To: sekure () hadrion com br
 |Cc: vuln-dev () securityfocus com
 |Subject: Re: Firewall and IDS, (the second way).
 |
 |> Hi,
 |
 |Hello!
 |
 |> I'm "walking" by the internet finding about paper/techniques that can
 |> be used to detect system with IDS installed. Try to detect
 |> snort/snort+aide/quinds/.../ somebody know something like it ??
 |
 |I recall Munge giving a talk at BlackHat Las Vegas in 2000 about something
 |they were doing at @stake/l0ft for detecting sniffers. The idea was to allow
 |sysadmins to detect if one of their machines had been hacked and was acting as
 |a sniffer. The idea was that by putting the interface into promiscuous mode,
 |the machine would take longer to respond to ping packets because there was
 |more traffic for the kernel's IP stack to analyze (whereas usually it'll be
 |filtered out by the NIC). The same should hold true for NIDS, with a couple
 |caveats:
 |
 |1. You'd need to know what ping time to expect if the NIC wasn't running in
 |promiscuous mode in order to calculate a delta,
 |
 |2. A popular technique to secure NIDS is to not allow them to respond to
 |traffic on the network that they're listening to (that is, bring up, but don't
 |configure) the interface. Doing so will pretty much eliminate the ability to
 |use this technique.
 |
 |In other words, I wouldn't go around trying to use such a technique to detect
 |NIDS - it'll probably have just the opposite effect of allowing them to detect
 |you.
 |
 |-"Zow"
 |
 |from StandardDisclaimer import *
 |
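The ARP-based sniffer check discussed in this thread (a who-has frame addressed to the one-bit-off "fake broadcast" ff-ff-ff-ff-ff-fe, which a NIC in normal mode drops but a promiscuous host with a loose OS address check still answers), written out as an added example for a sysadmin auditing their own segment; this is not code from the thread or from the securityfriday paper. The target IP and MAC are the ones quoted in the message, the prober's IP 217.169.21.1 is a constructed sample, and `probe()` assumes a Linux raw socket run as root.

```python
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
# Fake broadcast from the thread: the NIC filter drops it, a loose OS check does not.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")

def mac(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(op, dst_mac, src_mac, src_ip, tgt_mac, tgt_ip):
    """Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw Ethernet, proto IPv4, lengths 6/4
    return eth + arp + src_mac + ip4(src_ip) + tgt_mac + ip4(tgt_ip)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an ARP reply, None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def classify(probe_dst, reply):
    """Interpret one probe's outcome: only a reply to a filtered frame is suspicious."""
    if reply is None:
        return "no answer"
    if probe_dst == BROADCAST:
        return "answered real broadcast (expected of any host)"
    return "answered a frame its NIC should have filtered: likely promiscuous"

def probe(iface, probe_dst, src_mac, src_ip, tgt_ip, timeout=1.0):
    """Send one who-has probe and wait for a reply (Linux raw socket, needs root)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(build_arp(1, probe_dst, src_mac, src_ip, b"\x00" * 6, tgt_ip))
        try:
            while True:
                reply = parse_arp_reply(s.recv(2048))
                if reply and reply[1] == tgt_ip:
                    return classify(probe_dst, reply)
        except socket.timeout:
            return classify(probe_dst, None)
```

Run the real-broadcast probe first as a control: a host that answers ff-ff-ff-ff-ff-ff but not ff-ff-ff-ff-ff-fe is behaving normally, and only the second result is worth investigating.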