September 23rd, 2002 08:05 AM
Article: Stealthful Sniffing, Intrusion Detection and Logging
Stealth is a subject I do like and this article opened the eyes for me in many ways. Stealth is a fascinating subject and it's now soon time for me to go home from work and play with my new toy, stealth IDS.
Source: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging
Attackers can't rewrite your log files if they can't connect to the log server. Learn the ways of stealth.
In a column about syslog I mentioned "stealth logging"--by running your central log server without an IP address, you can hide your central log server from intruders. But log servers aren't the only type of system that can benefit from a little stealth. Network sniffers and network intrusion detection system (NIDS) probes can also function perfectly well without IP addresses, making them less vulnerable to network attacks than the systems they protect.
This month I demonstrate three ways to use the versatile and powerful Snort--as a stealth sniffer, a stealth NIDS probe and a stealth logger--on a network interface with no IP address. If you're already familiar with Snort, I hope you'll see how easily it can be used stealthfully. If you're new to Snort, this article may be a useful crash course for you. All Snort commands and configurations in this article work equally well on interfaces with and without IP addresses.
Read the full article here.
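As an added example (not code from the article, from Snort, or from anyone in this thread), here is how the "interface with no IP address" setup the article describes can be scripted and checked on a modern Linux box. It assumes iproute2, sysctl and Snort are installed; the interface name eth1, the Snort config path and the log directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or thread. Put a monitoring NIC into a
# "stealth" state for a Snort probe: no IPv4 or IPv6 address, ARP off,
# promiscuous on; then verify nothing is assigned before starting Snort.
# Assumes Linux with iproute2, sysctl and Snort. MON_IF, SNORT_CONF and
# SNORT_LOG are placeholders to adjust for your system.
MON_IF="${MON_IF:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"

# Returns 0 when the supplied `ip -o addr show dev <if>` output carries no
# inet or inet6 line, i.e. the interface has no address of either family.
has_no_address() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

stealth_iface_up() {
    # Disable IPv6 first: otherwise the kernel auto-assigns a link-local
    # fe80:: address as soon as the link comes up and answers Neighbor
    # Discovery for it, which would make the probe reachable again.
    sysctl -w "net.ipv6.conf.${MON_IF}.disable_ipv6=1"
    ip addr flush dev "$MON_IF"
    # arp off: never answer ARP; promisc on: hand every frame to Snort.
    ip link set dev "$MON_IF" arp off promisc on up
}

verify_stealth() {
    if has_no_address "$(ip -o addr show dev "$MON_IF")"; then
        echo "$MON_IF: no IP address assigned, ok"
    else
        echo "$MON_IF: still has an address, refusing to start Snort" >&2
        return 1
    fi
}

# Snort in NIDS mode on the address-less interface (sniffer mode would be -v).
run_snort() {
    snort -i "$MON_IF" -c "$SNORT_CONF" -l "$SNORT_LOG"
}

if [ "${1:-}" = "apply" ]; then
    stealth_iface_up && verify_stealth && run_snort
fi
```

Run it as root with the argument `apply`; without the argument it only defines the functions, so `has_no_address` can be checked against saved `ip -o addr` output.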
January 9th, 2007 06:04 PM
Sceptre, this thread is >3 years old...
It was funny, I read what I wrote, and was confused: "I didn't post to this thread... oh, 2002..."
[HvC]Terr: L33T Technical Proficiency
January 9th, 2007 07:38 PM
I used to be a member on here back then and when I found the article on askApache and did a google about it, this thread popped up... so I thought, I definitely need to rejoin.
You know snort still uses this exact method to capture packets... it's still a very effective method for sniffing.
January 10th, 2007 09:40 PM
The title of this thread dates it. The focus on packet sniffing and such has long since passed, being replaced with nice things like regulatory compliance and botnets.
Slarty's responses are all accurate though.
I can confirm this in case no one else did.
AFAIK, promiscuous mode checkers only work with machines whose IP addresses are known, or which can be reached by broadcast. A stealthed machine has NO IP address and does not respond to ANY packet.
Also, switches aren't going to cache MAC addresses from a stealth unit simply because it won't be aware of an IP and or ARP response/request from said device.
Old skool stuff is fun to read from time to time.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
January 10th, 2007 10:59 PM
That's really cool, and convenient. That's what I'm working on in my server at school, an IDS box with snort on it. My CS prof. has no idea what's going on with his network and he asked me if I could do any sniffing for him; rather than just sniff whenever I'm in there I decided to set up a snort box for him on FC5. I have two interfaces running, one to log and one to be an interface to monitor. I'll definitely have to consider taking off the IP of the monitoring NIC and stealthing it. Cool article and thread.
if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
my home my forum