From: Lars Borland (lborland_at_TriadAssoc.com)
Date: Fri Jan 31 2003 - 15:42:16 CST


    There is software like WildPacket's EtherPeek that is able to detect
    "error packets". I imagine a failing NIC would generate lots and
    therefore give itself away. I understand what Eli is saying regarding
    this but, depending on the errors, I'd think some of them would make it
    to the IP layer.

    I also just read this off the WildPackets/EtherPeek site and I think I
    may be wasting my time with this... "Error Packet Capture: EtherPeek
    has the ability to capture error packets on the network. These errors
    include: Runt, Oversize, Frame Alignment, and CRC. Most adapters on the
    market discard error packets automatically. To capture errors, you must
    use one of the supported error capture cards with a special WildPackets
    driver installed." If most modern NICs discard error packets then
    there's neither any harm done nor will any error packets be seen by
    Snort prior to being discarded (without the spiffy/castrated NIC and
    WildPackets Drivers(TM) that is). Thanks for bearing with me regarding
    this.

    Talk to you all later, Lars.

    -----Original Message-----
    From: twig les [mailto:twigles@yahoo.com]
    Sent: Friday, January 31, 2003 11:50 AM
    To: Lars Borland; Morgan R. Elmore; snort-users@lists.sourceforge.net
    Subject: RE: [Snort-users] A Couple of Questions

    I have caught an errant NIC before (bad driver) using
    the eval of sniffer pro. All I noticed was that one workstation was
    blabbing ten times more than the others and the lady sitting at the
    station was in finance and had no idea what a driver was.

    As for Snort detecting this, the NIC would have to
    break a rule and send bad packets like same
    source/dest or something. I have seen our glorious
    firewall vendor do this many times, and when
    tcpdumping the packets to see wth is going on the
    packets had bad checksums and were being dropped at
    the switch interface.

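The thread makes two points worth seeing in code: malformed frames (runt, oversize, bad CRC) are normally dropped by the receiving NIC or switch port before anything like Snort can look at them, while a misbehaving NIC still gives itself away through signals that do survive, namely a source that is far chattier than its peers and IP headers whose checksum does not verify. The script below is an added example, not code from this thread, from Snort, or from WildPackets; it works on constructed in-memory frames (all MAC and IP addresses are made up), flags runt and oversize frames by length, verifies the IPv4 header checksum, and reports any source emitting more than ten times the median frame count, the ratio twig les observed. The threshold, the frame-size limits (taken without the 4-byte FCS, as most capture drivers deliver frames) and the sample traffic mix are assumptions for the demonstration.

```python
"""
Added example (not from the snort-users thread): offline triage of
Ethernet II / IPv4 frames for the signals a sniffer can actually see
from a faulty NIC. All frames are constructed sample data.
"""
import struct
from collections import Counter
from statistics import median

ETH_MIN = 60    # minimum frame length without FCS; anything shorter is a runt
ETH_MAX = 1514  # maximum untagged frame length without FCS; longer is oversize


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Over a header that already carries a valid checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, corrupt=False):
    """Construct an Ethernet II + IPv4 frame (no FCS). MACs are 12 hex chars.
    corrupt=True plants a wrong IP checksum, as a flaky NIC or driver might."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    csum = ip_checksum(ip)
    if corrupt:
        csum ^= 0x00FF  # flip bits so the header no longer verifies
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    return eth + ip + payload


def classify(frame: bytes) -> str:
    """Return the first problem found in a captured frame, or 'ok'."""
    if len(frame) < ETH_MIN:
        return "runt"
    if len(frame) > ETH_MAX:
        return "oversize"
    if frame[12:14] != b"\x08\x00":
        return "non-ip"
    ihl = (frame[14] & 0x0F) * 4
    if ip_checksum(frame[14:14 + ihl]) != 0:
        return "bad-ip-checksum"
    return "ok"


def chatty_hosts(frames, factor=10):
    """Source MACs that emitted more than `factor` times the median count."""
    counts = Counter(frame[6:12].hex() for frame in frames)
    baseline = median(counts.values())
    return {mac for mac, n in counts.items() if n > factor * baseline}


def triage(frames, factor=10):
    """Tally frame verdicts and name the abnormally talkative sources."""
    return Counter(classify(f) for f in frames), chatty_hosts(frames, factor)


def sample_capture():
    """Constructed sample: three quiet hosts (5 frames each) and one NIC
    spewing 60 frames, a third of them runts and every fifth with a bad
    checksum. Addresses are made up."""
    frames = []
    for i, mac in enumerate(["00aa00000001", "00aa00000002", "00aa00000003"]):
        for _ in range(5):
            frames.append(build_frame(mac, "ffffffffffff", f"10.0.0.{i + 1}",
                                      "10.0.0.255", b"A" * 30))
    for n in range(60):
        frames.append(build_frame("00aa0000beef", "ffffffffffff", "10.0.0.99",
                                  "10.0.0.255", b"B" * (10 if n % 3 == 0 else 30),
                                  corrupt=(n % 5 == 0)))
    return frames


if __name__ == "__main__":
    verdicts, chatty = triage(sample_capture())
    print(dict(verdicts))
    print("chatty sources:", chatty)
```

On a real capture the runt and oversize branches will almost never fire, for exactly the reason quoted from the EtherPeek documentation: a standard adapter discards those frames before the capture driver sees them. The volume and checksum checks are the ones that remain useful with ordinary hardware.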