From: *Hobbit* [hobbit@AVIAN.ORG]
Sent: Sunday, July 25, 1999 10:00 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Antisniff thoughts

1. For a completely passive box, we set the interface to some bogus IP addr, or 0.0.0.0 if that works, ifconfig -arp, and hoover away. Antisniff would never see the machine because the machine would never answer anything unless someone could guess the IP address.

Drawback: hard to retrieve logs remotely.

Workaround: one interface as a normal address on a normal reachable net, and a second interface configured as above sniffing a *different* net. Useful setup for remotely-administerable IDS boxes; real address lives on a protected inside net, sniffing interface plugs in to watch the dirty one but is not addressable.

Workaround for a single interface: As the sniffer starts, reset the interface to bogus-IP/noarp, sniff for a while, quit sniffing, reset to the old parameters. Or perhaps dynamically flop modes back and forth depending on whether we saw traffic for the machine's real address arrive. A sniffer with an open nit/dlpi/bpf should be able to go *non*promiscuous and still see if there's traffic to its own host, and lay low accordingly.

2. Antisniff evasion possibility: enhancement to detect the first couple of Antisniff probes, and immediately un-promiscuize the card for a while until we think it's safe to peek out again. Possibly in a dynamic mode; see #1.

Just a coupla ideas to kick around..

_H*
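The two-interface IDS sensor layout from point 1 (management address on the inside net, an unaddressable sniffing interface on the dirty net), written up as an added example rather than anything from the original post. It uses the modern Linux `ip`/`sysctl` equivalents of `ifconfig -arp`, and adds the one step the 1999 text could not know about: disabling IPv6 on the tap, since an autoconfigured link-local address would otherwise answer neighbour discovery and make the "silent" box addressable. The interface name is an assumption; the script only prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original post): configure a dedicated
# sniffing interface the way point 1 describes -- no IP address, ARP off,
# promiscuous -- while the sensor's real address stays on a separate
# management interface. Interface names are assumptions.
# Commands are printed unless APPLY=1 is set, so it can be reviewed first.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Emit (or execute) the configuration for one passive tap interface.
stealth_iface() {
    iface="$1"
    run ip link set dev "$iface" down
    # No IPv4 address at all: the "bogus IP / 0.0.0.0" trick, done properly.
    run ip addr flush dev "$iface"
    # Without this the kernel assigns a fe80:: link-local address and the
    # box replies to neighbour discovery, defeating the whole point.
    run sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1"
    # Equivalent of the post's "ifconfig -arp": never answer ARP requests.
    run ip link set dev "$iface" arp off
    run ip link set dev "$iface" promisc on
    run ip link set dev "$iface" up
}

# Verify afterwards that the tap carries no IPv4 or IPv6 address.
is_addressless() {
    ! ip -o addr show dev "$1" 2>/dev/null | grep -q 'inet'
}

# Usage: APPLY=1 ./tap.sh   (run as root; dry run without APPLY=1)
if [ "${APPLY:-0}" = "1" ]; then
    stealth_iface eth1 && is_addressless eth1 && echo "eth1 is a silent tap"
fi
```

The management interface (eth0 in this layout) is left untouched and keeps its normal address on the protected inside net, so logs can still be pulled remotely.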