
Thread: Security risk associated with a NIC's promiscuous mode?

2005-10-07 15:03:13
John Conover wrote:
[ ... ]
>> A mild one.  For example, I believe there was recently a security bug in
>> tcpdump's string handling which could be exploited by tcpdump seeing a
>> maliciously-crafted packet.  Running the NIC in promisc mode means that packet
>> just has to go by, rather than being sent specifically to the machine running the
>> sniffer...
>>
>> In other words, it's not a great idea to run a sniffer on your most important
>> fileserver or whatever, rather than an isolated laptop or other test system.
>
> Thanks, Chuck; That's the kind of stuff I was concerned about.

Sure, you're welcome.  The issue is much like building out (or writing code
for) a firewall or router or IDS.

Anything which gets exposed to untrusted traffic ought to be considered "at
risk", and the software ought to be written with extreme care to not trust the
data-- don't trust an IP packet to really tell you what size it is (you may not
have sniffed all of that data, depending on how you configured PCAP or BPF),
don't trust Content-length headers in email or HTTP traffic to be valid without
double-checking (trying to memcpy -1 bytes makes programs unhappy [1]), don't
trust headers to be of reasonable size, etc.

If at all possible, anything running a sniffer ought to be dedicated for the
purpose, or only used for brief periods by a human sysadmin (ie, not running
forever under the incurious gaze of a daemon).  If possible and convenient, the
rest of your network should not trust or depend on your sniffer box at all.

-- 
-Chuck

[1]: On the other hand, being able to drop -1 gold pieces in Hack could be
considered a feature, at least to most people.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
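
An added example, not part of the original message or of tcpdump's code: the two length checks the reply describes, validating an IPv4 header against the bytes actually captured and a Content-Length value against the bytes in hand. The function names and sample packets are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed samples: a header claiming 1500 bytes with only 24 captured,
 * and a header whose IHL (60 bytes) runs past the 24 captured bytes. */
static const uint8_t sample_pkt[24]     = { 0x45, 0x00, 0x05, 0xdc };
static const uint8_t sample_bad_ihl[24] = { 0x4f, 0x00, 0x00, 0x18 };

/* Payload bytes really present in the capture, or -1 if the header is
 * malformed. caplen = bytes captured, which may be less than claimed. */
long ipv4_payload_avail(const uint8_t *pkt, size_t caplen)
{
    if (pkt == NULL || caplen < 20) return -1;      /* minimum IPv4 header */
    if ((pkt[0] >> 4) != 4) return -1;              /* version field */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length in bytes */
    if (ihl < 20 || ihl > caplen) return -1;        /* options past capture */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* claimed total length */
    if (total < ihl) return -1;                     /* smaller than its header */
    size_t end = total < caplen ? total : caplen;   /* never read past caplen */
    return (long)(end - ihl);
}

/* Length that is safe to copy, or -1 for negative, non-numeric, overflowing
 * or too-large values, so (size_t)-1 never reaches memcpy. */
long checked_content_length(const char *value, size_t body_avail)
{
    if (value == NULL) return -1;
    while (*value == ' ' || *value == '\t') value++;
    if (!isdigit((unsigned char)*value)) return -1; /* rejects "-1", "+5", "" */
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;                    /* trailing garbage */
    if (n > body_avail || n > (unsigned long long)LONG_MAX) return -1;
    return (long)n;
}

int main(void)
{
    printf("payload available: %ld\n", ipv4_payload_avail(sample_pkt, 24));
    printf("Content-Length -1: %ld\n", checked_content_length("-1", 100));
    return 0;
}
```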