The Goal and Purpose of AntiSniff
As with all tools there is no “one size fits all”. The industry clambers for the silver bullet tool. A tool that comes directly off the shelf, needs no configuration or modifications, has one hundred percent accuracy, and is completely foolproof. Such a tool does not exist in the security world.
AntiSniff raises the bar. It is, in lieu of better terminology, the start of an arms-race. Previously there existed no commercial tool to do what AntiSniff does. It has been run in large scale organizations with great results and accuracy. So what does it do and what does it not do?
Detect machines on an Ethernet/IP network segment that are promiscuously monitoring traffic not destined to them. The first release is designed to work on flat non-switched environments.
When an intruder obtains elevated privileges on a remote system a few things can usually be expected. The machine is placed in promiscuous mode to monitor traffic on the network. This often times rewards the intruder with usernames, accounts, passwords, community strings, e-mail, and usage statistics to name just a few. Knowing which machines on the network are in promiscuous mode often points to machines that are already compromised. Once a machine is compromised it is not uncommon for the holes that were exploited to be fixed and backdoors to be installed allowing future remote access. A machine in this state might very well pass network security scanning software checks with flying colors. A tool was needed to detect this situation.
What it will not detect:
If a machine on the network has no IP address, no IP stack associated with any of its interfaces, or has no ability to be communicated with over the network then AntiSniff will not detect it.
This is perfectly acceptable, as such a machine would not be compromised over the network in the first place. If the machine were compromised over the network and the network interface was removed this should be noticeable many other ways (i.e. shouts down the hallway of “hey Joe! The R&D server stopped working!” are a dead giveaway to a problem of some sort). If the device in question is a physical machine that must be monitored or controlled in person, such as a dedicated hardware sniffer, then physical access to the network in question has been obtained. This is a completely different problem. In addition, such physical network tap devices are usually quite good at monitoring for runt frames, duplicate IP addresses, etc. but are usually quite poor at correlating data inside the packets for malicious purposes.
There will be other situations that arise with similar nuances. However, these will be the minority and often legitimate systems as opposed to compromised multi-user machines.
The Arms Race:
Can AntiSniff be defeated? Yes – anything can be defeated. Does this matter? Not nearly as much as one might think. Currently, the methods of evading AntiSniff deal with either making an interface non-addresable or adding in logic to the promiscuous network monitoring program to stop monitoring the network when it sees tell tale signs of AntiSniff running.
The former is not an issue, the reasoning already having been discussed above. The latter, while a fun exercise, is less of an issue than one might expect. First, if the monitoring agent turns itself off when it believes AntiSniff to be running then it defeats, or severely impacts, the purpose of it being on the system in the first place. Second, the signature of AntiSniff can be modified by the user. With modifiable signatures the task of determining what is and what is not AntiSniff running on the network should be much less accurate.
It is not our goal to fix the security posture of the world with a single product. Merely to improve the current status and sufficiently raise the bar that attacks intrusions are measured against.