On Mon, 27 Sep 1999, Ryan Russell wrote:
> >I am trying to determine how I can tell if my 2.5.1, 2.6, and 2.7
> >solaris boxs are in promiscious mode. Any ideas?
>
> I'm assuming you mean determining remotely? If you're on
> the box, I think there is a command to see it. Of course, those
> commands are sometimes modified to hide the fact.
Actually I just started at a company that has HORRIBLE security
and I want to make sure my dmz is clean and free of sniffers
and crackers before I start locking it down. So I do want
to find out on each machine locally.. not remotely.
> Take a good look at the documentation for Antisniff from the
> L0pht. Most of the known techniques for finding promiscuous
> boxes are outlined there.
It would be possible to use this tool but there is already a
sniffer out there that can avoid this detection I believe.
> >Is there a way I can modify my solaris
> >boxes so they cant go into promiscious mode?
>
> You could try some kernel mods, but this wouldn't stop some
> attackers who break root... they can put it back. You typically
> need root to go promiscuous anyway, so i don't know that it would
> be worth the effort.
Yes but anything I can throw in front of a cracker is a bonus:)
(firm believer in security in layers).
> >I assume this would
> >break arp?
>
> No, ARP relies on layer 2 broadcasts, so all machines will get the packets
> without that.
Thanks..
Mike
Wake up Mike..
The Matrix has you.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
