Results 1 to 10 of 14

Thread: Article: Stealthful Sniffing, Intrusion Detection and Logging

Hybrid View

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Article: Stealthful Sniffing, Intrusion Detection and Logging

    Stealth is a subject I do like and this article opened the eyes for me in many ways. Stealth is a fashinating subject and its now soon time for me to go home from work and play with my new toy, stealth IDS .

    ~micael

    Source: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging

    Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.

    In a column about syslog I mentioned ``stealth logging''--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection systems (NIDSes) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
    This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.

    Read the full article here.

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Sceptre, this thread is >3 years old...

    It was funny, I read what I wrote, and was confused: "I didn't post to this thread... oh, 2002..."
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Junior Member
    Join Date
    Jan 2007
    Posts
    2
    HA, lol...

    I used to be a member on here back then and when I found the article on askApache and did a google about it, this thread popped up.. so I thought, I definately need to rejoin.

    You know snort still uses this exact method to capture packets.. its still a very effective method for sniffing.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The title of this thread dates it. The focus on packet sniffing and such has long since passed, being replaced with nice things like regulatory compliance and botnets.

    Slarty's responses are all accurate though.

    AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.
    I can confirm this in case no one else did.

    Also, switches aren't going to cache MAC addresses from a stealth unit simply because it won't be aware of an IP and or ARP response/request from said device.

    Old skool stuff is fun to read from time to time.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member Godsrock37's Avatar
    Join Date
    Jan 2005
    Location
    PA
    Posts
    121
    thats really cool, and convenient. thats what im working on in my server at school, an IDS box with snort on it. My CS prof. has no idea whats going on with his network and he asked me if i could do any sniffing for him, rather than just sniff whenever im in there i decided to set up a snort box for him on FC5. I have two interfaces running, one to log and one to be an interface to monitor. ill definitely have to consider taking off the ip of the monitoring NIC and stealthing it. cool article and thread
    if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
    Godsrock37
    my home my forum

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •