From: Matt Priestley (mpriestMICROSOFT.COM)
Date: Fri Apr 27 2001 - 17:16:52 CDT

    If you do choose to launch a sniffer service upon detection of certain
    circumstances, you should be aware that you might be making yourself
    vulnerable to bugs in the sniffer itself, like MS00-083
    (http://microsoft.com/technet/security/bulletin/MS00-083.asp).
     
    For example, if I were an attacker and knew or suspected that your
    sniffer contained a buffer overrun, I might trip your detection system
    and then start firing away on the network with attacks against the
    sniffer itself. With an automated system like yours, this would lead to
    a compromise.
     
    -matthew Priestley
    mpriestmicrosoft.com

            -----Original Message-----
            From: Bill Fitzpatrick
            Sent: Fri 4/27/2001 1:03 PM
            To: FOCUS-MSSECURITYFOCUS.COM
            Cc:
            Subject: Re: Batch Netmon?
            
            

            Hi,
            
            You can do this with netmon, as it actually does support several
            different command line options at launch.
            
            Check out KB Article Q158744 or the Network Monitor help files
            that come with Systems Management Server. (The netmon help files
            don't seem to document this feature.)
            
            -Bill
            
            
            -----Original Message-----
            From: H C [mailto:keydet89YAHOO.COM]
            Sent: Friday, April 27, 2001 7:43 AM
            To: FOCUS-MSSECURITYFOCUS.COM
            Subject: Re: Batch Netmon?
            
            
            Here's what I would recommend. Install snort, and
            then the Resource Kit utility 'soon.exe' (is there a
            'now.exe'?). When you suspect something is going on,
            you can submit an AT command to the system to run a
            batch file for snort w/ the correct command line
            switches (so you won't have to memorize them).
            
            Carv
            
            
            --- "Wangler, Dan" <dwanglerTI.COM> wrote:
    > Listeners
    >
    > I am trying to find a way to turn packet sniffing on
    > from an NT and/or W2K
    > Server whenever I think something suspicious may be
    > happening, be it
    > intruder or misuse. I have a service running that
    > monitors certain
    > activity. Since netmon is distributed with NT and
    > W2K servers, is there a
    > way to turn on netmon and direct the output to a
    > file without bringing up
    > the GUI? I do not want to have to install another
    > package if it is not
    > necessary.
    >
    > Thanks
    >
    > Dan Wangler
    > Security Engineering and Development
    > IT Security Team
    > Texas Instruments, Inc.
    >
            
            