> The L0pht people have my admiration for fully documenting (and
> crediting) their approach, but I think they over-hype this tool by
> saying that it will detect sniffing -- a green light from their
> product does NOT mean you're not being sniffed.

Very true.

Last time I wanted to set up a sniffer, I ended up adding a BPFONLY
interface flag to the kernel, which completely disables the interface
for incoming packets except for BPF access (the raw-packet interface on
the OS in question was BPF).  This would defeat all of AntiSniff's
checks (with the possible exception of the response-time check, which
would be possible if the machine had another interface that *could*
receive packets).

And all of the checks assume the machine has an IP address.  For its
apparently-intended purpose (helping admins tell when their net has
been remotely compromised), this is not a problem, since such an
intrusion will be little use to an attacker without leaving IP up on
the machine...but I *would* have preferred to see this explicitly
stated in their doco.

                                        der Mouse

                               [EMAIL PROTECTED]
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
