Re: snooper watchers

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Dave Schweisguth: "Re: CERT Advisory CA-95:05.sendmail.vulnerabilities (fwd)"
• Previous message: Casper Dik: "Re: snooper watchers"
• In reply to: Ben Taylor: "snooper watchers"
• Next in thread: Ben Taylor: "Re: snooper watchers"

> I'm doing some work for a client who has had some suggestions that they
> run a program to watch the state of ifconfig, and send mail if the
> interface ever goes promiscuous.  This works just fine under SunOS 4.x,
> however, their concern is that this does not appear to work for Solaris 2.x.

The first thing many crackers do is replace ifconfig with a trojan that 
won't report when an interface is in promiscuous mode.

You could look at 'cpm', which will also show when an interface is 
promiscuous.  It's available from ftp.cert.org.  You're still in the same 
boat if someone replaces it with their own, however.

                              ...Eric

• Next message: Dave Schweisguth: "Re: CERT Advisory CA-95:05.sendmail.vulnerabilities (fwd)"
• Previous message: Casper Dik: "Re: snooper watchers"
• In reply to: Ben Taylor: "snooper watchers"
• Next in thread: Ben Taylor: "Re: snooper watchers"