Another way to provide IDS ability and completely pull the NIC off the
network in question (not to mention create lots of interesting
possibilities) is to apply the use of a Shomiti Century Tap.  It passively
recreates both rx on a full duplex link, and funnels them off to two twisted
pair cables respectively.  Plug these two, or as many as you want really,
into a switch that allows port spanning/mirroring, and voila.  I've done
this in many situations, and it works great.

http://www.shomiti.com

I don't work for them, I just use their stuff.

Blue
-----Original Message-----
From: *Hobbit* <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, July 26, 1999 7:09 PM
Subject: Antisniff thoughts


>1. For a completely passive box, we set the interface to some bogus IP addr,
>or 0.0.0.0 if that works, ifconfig -arp, and hoover away.  Antisniff would
>never see the machine because the machine would never answer anything unless
>someone could guess the IP address.  Drawback: hard to retrieve logs remotely.
>
>Workaround: one interface as a normal address on a normal reachable net, and a
>second interface configured as above sniffing a *different* net.  Useful
>setup for remotely-administerable IDS boxes; real address lives on a protected
>inside net, sniffing interface plugs in to watch the dirty one but is not
>addressable.
>
>Workaround for a single interface:  As the sniffer starts, reset the interface
>to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old
>parameters.  Or perhaps dynamically flop modes back and forth depending on
>whether we saw traffic for the machine's real address arrive.  A sniffer with
>an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if
>there's traffic to its own host, and lay low accordingly.
>
>2. Antisniff evasion possibility: enhancement to detect the first couple of
>Antisniff probes, and immediately un-promiscuize the card for a while until
>we think it's safe to peek out again.  Possibly in a dynamic mode; see #1.
>
>Just a coupla ideas to kick around..
>
>_H*

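As an added example (not code from Hobbit's or Blue's mail), here is the "bogus IP / ifconfig -arp" passive IDS interface from point 1 of the quoted message written for a modern Linux box with iproute2, plus a check that the kernel really ended up in that state. It removes every address instead of assigning a bogus one, turns ARP and multicast off, and disables IPv6 on the interface so the kernel does not hand it a link-local address and start answering neighbour discovery on the dirty net (a detail the 1999 thread predates). The interface name, the STEALTH_APPLY and STEALTH_IFACE variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Passive IDS capture interface: no IP, no ARP, no IPv6, promiscuous.
# Added example; assumes Linux with iproute2 and procps sysctl. The
# interface name is supplied by the caller (assumption: something like eth1).

# Print the commands that turn IFACE into an addressless, non-ARPing
# capture port. Nothing is executed here, so the output can be reviewed
# first and then piped into sh.
stealth_commands() {
    iface="$1"
    printf '%s\n' \
        "ip addr flush dev $iface" \
        "sysctl -q -w net.ipv6.conf.$iface.disable_ipv6=1" \
        "ip link set dev $iface arp off" \
        "ip link set dev $iface multicast off" \
        "ip link set dev $iface promisc on" \
        "ip link set dev $iface up"
}

# Given the <...> flag list from `ip link show dev IFACE`, return 0 only when
# the interface is up, promiscuous and not answering ARP. The UP patterns are
# written so that LOWER_UP does not satisfy the UP check.
stealth_flags_ok() {
    flags="$1"
    case "$flags" in *PROMISC*) ;; *) return 1 ;; esac
    case "$flags" in *NOARP*)   ;; *) return 1 ;; esac
    case "$flags" in *,UP,*|*\<UP,*|*,UP\>*) ;; *) return 1 ;; esac
    return 0
}

# Given the output of `ip -4 -o addr show dev IFACE`, return 0 only when no
# IPv4 address is assigned; an assigned address is exactly what would let
# the sensor answer a probe and give itself away.
stealth_no_ipv4() {
    case "$1" in *inet\ *) return 1 ;; esac
    return 0
}

# Live verification against the real kernel state for IFACE.
stealth_verify() {
    iface="$1"
    flags=$(ip -o link show dev "$iface" | sed -n 's/^[0-9]*: [^:]*: \(<[^>]*>\).*/\1/p')
    stealth_flags_ok "$flags" || { echo "$iface: flags not stealthy: $flags" >&2; return 1; }
    stealth_no_ipv4 "$(ip -4 -o addr show dev "$iface")" || { echo "$iface: still has IPv4" >&2; return 1; }
    echo "$iface: addressless, NOARP, PROMISC"
}

# Apply only when explicitly asked: needs root and a real interface.
# Usage: STEALTH_APPLY=1 STEALTH_IFACE=eth1 sh stealth-if.sh
if [ "${STEALTH_APPLY:-}" = "1" ] && [ -n "${STEALTH_IFACE:-}" ]; then
    stealth_commands "$STEALTH_IFACE" | sh -e
    stealth_verify "$STEALTH_IFACE"
fi
```

Without STEALTH_APPLY=1 the script only defines the functions, so `stealth_commands eth1` can be used as a dry run to see what would be changed. The two-interface layout from Hobbit's first workaround is then just this script applied to the sniffing interface while the management interface keeps its normal address on the protected net.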