From: Trevor Schroeder [tschroed@ACM.ORG]
Sent: Sunday, July 25, 1999 6:31 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: (How) Does AntiSniff do what is claimed?

On Sun, 25 Jul 1999, Nick Lamb wrote:

> If AntiSniff becomes popular, I'd estimate only a few months grace
> before Black Hats have made a reduced-functionality sniffer which slips
> under AntiSniff's radar. I don't have any use for such a tool, but if
> I did I doubt I'd need more than a week or two to get it right.

At the risk of harping on the AntiSniff topic, the previous thread on an
Rx-only NIC provides an excellent example.  Go to
http://www.zweknu.org/tech.php3 for a guide to creating a totally passive
NIC complete with diagrams.

In the event that you can't do that, a fairly fascist set of firewall rules
on the sniffing host SHOULD keep your host from responding to any of the
L0pht probes.

What AntiSniff will do is protect you against newbies who don't think to
cover themselves or system crackers who might otherwise use a legitimate
host to illegitimately sniff traffic on a privileged net.  The latter case
is the real value, IMHO.  They can't disable the host's network interface
for normal use and thus it certainly SHOULD be detectable.
.......................................................................
: "Welcome to NSA's Web Server!"                   : Trevor Schroeder :
:                     -- National Security Agency  : tschroed@acm.org :
:........... http://www.zweknu.org/ for PGP key and more .............: