Re: Spyware assessment techniques - hub?

From: Packet Man (packetman@altsec.info)
Date: Sun Feb 12 2006 - 14:11:30 EST


Petr.Kazil@eap.nl wrote:
>>If you are doing a host:
>>- interrupt the hosts uplink with a hub and plug your snort box in.
>>You could have this all setup on a laptop.
>
>
> I have tried this but run into problems:
>
> - Real hubs are (almost?) impossible to get nowadays. Even the cheapest
> "hub" is really a switch. If you know where I can find a hub-like network
> component, then I'll order it right away.
> - I was able to buy the last real hub from a PC-shop, but it was only
> 10Mbps and it refused to work with my 100Mb cards and switches.

If you can't do port mirroring on the switch itself, you
could build a passive network tap for under US$30.00,
or so. Or, the alternative is a commercial network tap
for around US$1,000.00.

I've been building and using them for several years
now, but only recently have started documenting their
finer points (NIC selection is critical). For more
info on building and using a passive network tap, see
my paper at: http://www.altsec.info/passive-network-tap.html

I'm working on an updated paper right now regarding the
error rates. I've been testing with combinations of NICs
that produce ZERO errors on 100Mb connections. I expect to
update the paper with the suggestions within the next week.

BTW... a must read for such things is "The TAO of Network
Security Monitoring" by Richard Bejtlich. Check out his
site at: http://www.taosecurity.com/books.html

BTW... since the technique really belongs in the IDS
list, I cross-posted this message there.

Good luck.

-- 
Excellence in InfoSec and Linux
http://www.altsec.info
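As an added example (not code from the post or from altsec.info), a Python check for a Linux sniffing box behind a passive tap: it confirms that each tap leg's NIC is promiscuous and measures the receive error rate the author is testing NIC combinations for. The sysfs layout, the 0x100 promiscuous flag bit, the eth1/eth2 names and the 0.1% error budget are assumptions.

```python
import time
from pathlib import Path

# Constructed example for a Linux sniffing box behind a passive tap (not code
# from the post or from altsec.info). Assumptions: standard sysfs statistics
# layout, IFF_PROMISC == 0x100, and a 0.1% error budget.
SYSFS = Path("/sys/class/net")
COUNTERS = ("rx_packets", "rx_errors", "rx_dropped", "rx_crc_errors", "rx_frame_errors")
IFF_PROMISC = 0x100
MAX_ERROR_RATE = 0.001


def read_counters(iface, root=SYSFS):
    """Snapshot the receive counters of one interface from sysfs."""
    stats = root / iface / "statistics"
    return {name: int((stats / name).read_text()) for name in COUNTERS}


def is_promisc(iface, root=SYSFS):
    """A tap receive NIC must be promiscuous or it drops frames not addressed to it."""
    return bool(int((root / iface / "flags").read_text(), 16) & IFF_PROMISC)


def tap_error_rate(before, after, counter_bits=64, max_rate=MAX_ERROR_RATE):
    """Fraction of bad frames between two snapshots; tolerates one counter wrap."""
    wrap = 1 << counter_bits
    delta = {k: (after[k] - before[k]) % wrap for k in COUNTERS}
    # rx_errors already aggregates CRC/frame errors; dropped frames are counted separately.
    bad = delta["rx_errors"] + delta["rx_dropped"]
    rate = bad / delta["rx_packets"] if delta["rx_packets"] else 0.0
    return {"packets": delta["rx_packets"], "bad": bad,
            "crc": delta["rx_crc_errors"], "frame": delta["rx_frame_errors"],
            "rate": rate, "ok": rate <= max_rate}


def assess_tap(ifaces, seconds=10, root=SYSFS):
    """Sample every tap leg (one NIC per traffic direction) over an interval."""
    before = {i: read_counters(i, root) for i in ifaces}
    time.sleep(seconds)
    after = {i: read_counters(i, root) for i in ifaces}
    return {i: dict(tap_error_rate(before[i], after[i]), promisc=is_promisc(i, root))
            for i in ifaces}


if __name__ == "__main__":
    import sys
    # Default leg names are an assumption; pass the real ones on the command line.
    for name, result in assess_tap(sys.argv[1:] or ["eth1", "eth2"]).items():
        print(name, result)
```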


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT