List:       sentry
Subject:    Re: [Abacus] Stealth / Advanced Stealth modes on other platforms ?
From:       "Craig H. Rowland" <crowland () nemesis ! psionic ! com>
Date:       2000-01-10 16:39:13

> Hi again, 
> 
> I'm not much of a tcp/ip programmer myself, but I would *really* like to
> have the Stealth/Advanced Stealth features ported to my OS of choice, IRIX.
> Do you know what it would take to make the port? Are there any known
> difficulties here?

The issue is more legacy than anything else. The problem is how most UNIX
systems handle raw sockets for TCP/UDP protocols. Specifically, most all
of them allow a raw socket to be used for ICMP traffic
reading/writing. However, for TCP and UDP the sockets cannot be used for
reading. For this situation you actually have to open the network
interface into promiscuous mode to read packets. This is fine of course,
but it leads to compatibility problems between systems and may lead to
heavy system overhead if you do a lot of packet processing off the
interface directly.

Of course some systems make this task really easy. Linux for example
allows one to simply open a raw socket for reading and writing with no
questions asked. This is the way it should be IMHO, but I'm not an OS
designer so there may be some good reasons why the other major Unix
versions don't do this (anyone with a good answer please let me know
because I've not been able to come up with one). I know some of the BSD
versions have facilities to do something similar, but I haven't had time
to investigate it too closely.

So you ask why not put it in using something like libpcap which is a
portable packet capturing interface? Well this is a possibility, but it
is counter to some of my design goals:

1) Work on many platforms without porting.
2) Be as simple as possible.
3) Don't cause heavy system overhead.

Of course libpcap fulfills number (1) but fails on numbers (2) and
(3). Not to say I won't do it in the future, but I need to address a few
issues. Namely, the PortSentry code needs to be re-architected to
handle things a little better. The stealth modes for Linux were an add-on
and the tool was not designed initially to have stealth support. I would
like to re-work major areas before I add in a complicated piece of code
like libpcap. Additionally, I need to audit libpcap to make sure it
doesn't introduce any vulnerabilities. I haven't looked at it yet, but it
is a big piece of software and there are lots of areas for people to play
games with packets so I want to make sure there aren't any
problems. I'm just paranoid that way.

So the short answer is: Yes all platforms will have the support. I just
need to take care of some issues first. Since the year has begun I've been
able to get some more time to work on things. Hopefully I can have a
solution for you soon.

-- Craig
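The Linux raw-socket approach Craig describes, as an added example that is not PortSentry's own code: the watcher opens a raw TCP socket (no bind, no promiscuous mode), parses each delivered frame itself, and flags bare SYNs aimed at ports on a constructed watch list. The socket call assumes Linux and root or CAP_NET_RAW; `parse_syn`, `is_watched` and the port list are this example's own names, not the tool's.

```c
/* Added example, not PortSentry's code: a Linux raw IPPROTO_TCP socket delivers
 * every TCP packet with its IP header, so SYNs to unused ports can be flagged. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
struct syn_event {
    uint32_t src_ip;   /* network byte order, as on the wire */
    uint16_t dst_port; /* host byte order */
};
/* Parse an IPv4+TCP frame as the raw socket hands it over. Returns 1 and fills
 * *ev for a bare SYN (SYN set, ACK clear); every offset is bounds-checked first. */
int parse_syn(const uint8_t *pkt, size_t len, struct syn_event *ev)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;            /* not IPv4 */
    size_t ihl = (pkt[0] & 0x0f) * 4;                        /* IP header length */
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return 0; /* short, or not TCP */
    const uint8_t *tcp = pkt + ihl;
    if (!(tcp[13] & 0x02) || (tcp[13] & 0x10)) return 0;     /* want SYN without ACK */
    memcpy(&ev->src_ip, pkt + 12, 4);
    ev->dst_port = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return 1;
}
/* Constructed watch list: ports this host is known not to serve. */
static const uint16_t watched[] = {1, 11, 15, 111, 540, 32771};
int is_watched(uint16_t port)
{
    for (size_t i = 0; i < sizeof watched / sizeof *watched; i++)
        if (watched[i] == port) return 1;
    return 0;
}
int main(void)
{
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); /* no bind, no promiscuous mode */
    if (s < 0) { perror("socket (root/CAP_NET_RAW needed)"); return 1; }
    uint8_t buf[65535]; struct syn_event ev;
    for (;;) {
        ssize_t n = recv(s, buf, sizeof buf, 0);
        if (n > 0 && parse_syn(buf, (size_t)n, &ev) && is_watched(ev.dst_port)) {
            char ip[INET_ADDRSTRLEN];
            inet_ntop(AF_INET, &ev.src_ip, ip, sizeof ip);
            printf("probe from %s to tcp/%u\n", ip, ev.dst_port);
        }
    }
}
```

On the other systems the mail mentions, the same parser works unchanged; only the capture side (the socket call) would have to come from a promiscuous-mode interface or libpcap.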
