> Are you able to detect someone running snoop on a machine with for instance
> tripwire? (Solaris Case study). With an out of the box Solaris machine
> what you are stating in your mail is false.

If you are saying that Solaris does not provide proper OS protection for the ethernet interface, this is a major hole. For example, if that device is a DMA device, it could be exploited to overwrite OS memory, etc. Otherwise, I don't see how you can use Solaris as a sniffer without getting root access first. This then is not a sniffer problem but another security hole.

> Or doing a modload onto a SunOS 4.x machine where the module would produce a
> device with the proper major and minor numbers of /dev/nit? Would you be able
> to detect this? Same could be done on a SunOS 5.x machine...
> (modload is NEEDED for instance to be able to have printing services running).

There is no reason you could not detect this and there are several substantial journal articles addressing these issues in a great deal of detail (see Computers and Security for the last 5 years).

> For both case studies the pre-requisite: be root has been skipped for more or
> less obvious reasons...

To reliably detect if root has made a modification, you need to do a more complex set of checks using hard-to-forge cryptographic checksums and a system of defense-in-depth. Again, these have been extensively addressed in journal articles and in a book titled: "A Short Course on Computer Viruses - 2nd edition" available through John Wiley and Sons. As far as I am aware, current sniffers do not necessitate this level of protection, and since bugtraq is not interested in theoretical issues, further discussion of this issue should be taken off-line.
--
-----------------
\Management /\/|  216-686-0090 - PO Box 1480, Hudson, OH 44236
 \ /\/ |          Check out info-security heaven and test your system
  \/\ /\/ |       for known vulnerabilities (1st time for free) at URL:
   \/Analytics|   (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
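The reply above says that catching a root-level modification (a swapped binary, a setuid bit, a new device node carrying another device's major/minor numbers) needs hard-to-forge cryptographic checksums rather than plain file attributes. The following is an added example, not code from the poster or from any tool named in the thread, of what such a tripwire-style checker looks like: it records mode, ownership, content hash, symlink target and device major/minor for every path under a set of roots, then protects the baseline itself with an HMAC under a key that is assumed to be kept off the monitored host. The key name and the temp-directory scenario in demo() are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Assumed key: in real use it lives on read-only or offline media, never on the
# monitored host, so an intruder with root cannot simply re-sign a doctored baseline.
DEMO_KEY = b"constructed-demo-key-keep-offline"


def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    """Attributes worth tracking for one path; lstat so symlinks are not followed."""
    st = os.lstat(path)
    entry = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        entry["size"] = st.st_size
        entry["sha256"] = _hash_file(path)
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    elif stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        # For a device node the major/minor pair is what it really "is", so a node
        # with a known device's numbers under a different name is caught here.
        entry["major"] = os.major(st.st_rdev)
        entry["minor"] = os.minor(st.st_rdev)
    return entry


def collect(roots):
    """Every path below the roots (directories, files, links, device nodes)."""
    paths = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            paths.append(dirpath)
            paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    return sorted(set(paths))


def build_baseline(roots, key):
    entries = {p: describe(p) for p in collect(roots)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(baseline, roots, key):
    """Return a list of findings; empty means nothing changed since the baseline."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, baseline["mac"]):
        return ["baseline: MAC mismatch, baseline itself was altered"]
    findings = []
    known = baseline["entries"]
    for path in collect(roots):
        if path not in known:
            findings.append(f"{path}: new")
    for path, old in known.items():
        if not os.path.lexists(path):
            findings.append(f"{path}: missing")
            continue
        new = describe(path)
        for k in sorted(set(old) | set(new)):
            if old.get(k) != new.get(k):
                findings.append(f"{path}: {k} {old.get(k)!r} -> {new.get(k)!r}")
    return findings


def demo():
    """Constructed scenario: clean check, then tampering, then a forged baseline."""
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "snoop")
        os.makedirs(os.path.join(root, "dev"))
        with open(binary, "wb") as f:
            f.write(b"original program text\n")
        os.symlink("snoop", os.path.join(root, "snoop.link"))
        baseline = build_baseline([root], DEMO_KEY)
        clean = verify(baseline, [root], DEMO_KEY)

        # Tampering: new contents, setuid bit, and a new node appearing under dev/
        with open(binary, "wb") as f:
            f.write(b"trojaned program text!\n")
        os.chmod(binary, 0o4755)
        with open(os.path.join(root, "dev", "nit"), "wb"):
            pass
        after = verify(baseline, [root], DEMO_KEY)

        # An intruder edits the stored baseline to match the new hash, but cannot
        # recompute the MAC without the offline key.
        forged = json.loads(json.dumps(baseline))
        forged["entries"][binary]["sha256"] = describe(binary)["sha256"]
        forged_result = verify(forged, [root], DEMO_KEY)
    return {"clean": clean, "after": after, "forged": forged_result}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The "new" check is what answers the modload question in the thread: a freshly created node under a monitored directory is reported regardless of its name, and if an existing node's major/minor pair is changed that shows up as an attribute diff. The HMAC is the "hard-to-forge" part; it only holds if the key really is unavailable to root on the checked machine, which is why the checker is meant to be run from trusted media.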