IDS Evasion / Detecting a Passive Sniffer

  • #1

    I'm looking for techniques or tools that can detect if there is a passive sniffer on the line. Other than finding a management port, how can I find a system that is in a passive mode?

  • #2
    Originally posted by baysick2k
    I'm looking for techniques or tools that can detect if there is a passive sniffer on the line. Other than finding a management port, how can I find a system that is in a passive mode?
    Not to be oblique, but there are a few points I'd like to raise here before replies start launching in.

    1) Sniffers != IDS.

    2) Define 'passive mode'.

    3) Each IDS has its own methodology of detection, and thus its own methodology of evasion. Also, see 1) above. I could be wrong, but I think there may be a terminology issue here.

    4) The l0pht released a tool a few years back to attempt to detect a NIC in promiscuous mode (which is what I think you may be referring to by 'passive' mode). Its name escapes me right now, though, unfortunately. Hopefully someone can fill this blank in for me.



  • #3
    Originally posted by skroo
    Not to be oblique, but there are a few points I'd like to raise here before replies start launching in.

    1) Sniffers != IDS.

    2) Define 'passive mode'.

    3) Each IDS has its own methodology of detection, and thus its own methodology of evasion. Also, see 1) above. I could be wrong, but I think there may be a terminology issue here.

    4) The l0pht released a tool a few years back to attempt to detect a NIC in promiscuous mode (which is what I think you may be referring to by 'passive' mode). Its name escapes me right now, though, unfortunately. Hopefully someone can fill this blank in for me.

    It's called "Anti-Sniff"

    http://binaries.it-faq.pl/windows/se...tech-paper.htm


  • #4
    Another excellent overview:

    http://www.securityfriday.com/promis...tection_01.pdf

    I've used Packet Excalibur and Ethereal to do exactly what you asked about.
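The tools named in #3 and #4 try to infer a promiscuous-mode NIC from across the network. On a host you administer, the same condition can be read directly: Linux sets the IFF_PROMISC bit in the interface flags and logs every transition to the kernel log. The example below is added here and is not a tool from this thread; the syslog lines are constructed, not captured.

```python
"""Host-side audit for network interfaces in promiscuous mode (added example)."""
import glob
import os
import re

# IFF_PROMISC from the Linux if.h flag set; /sys/class/net/<if>/flags exposes dev->flags as hex.
IFF_PROMISC = 0x100


def promisc_from_flags(flags_hex: str) -> bool:
    """Decode one sysfs flags value, e.g. "0x1103", and report whether PROMISC is set."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Return the names of local interfaces currently in promiscuous mode."""
    found = []
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        with open(path) as fh:
            if promisc_from_flags(fh.read().strip()):
                found.append(os.path.basename(os.path.dirname(path)))
    return sorted(found)


# The kernel prints "device <if> entered promiscuous mode" / "... left promiscuous mode".
_KMSG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_state_from_log(lines) -> list:
    """Replay kernel/syslog lines; return interfaces still promiscuous at the end."""
    state = {}
    for line in lines:
        m = _KMSG.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return sorted(name for name, on in state.items() if on)


# Constructed sample syslog lines, not from a real host.
SAMPLE_LOG = [
    "Mar  3 10:01:02 host kernel: device eth0 entered promiscuous mode",
    "Mar  3 10:01:09 host kernel: device eth1 entered promiscuous mode",
    "Mar  3 10:05:44 host kernel: device eth1 left promiscuous mode",
    "Mar  3 10:06:00 host sshd[812]: Accepted publickey for ops from 10.0.0.5",
]

if __name__ == "__main__":
    print("promiscuous per sysfs:", promisc_interfaces())
    print("promiscuous per log:  ", promisc_state_from_log(SAMPLE_LOG))
```

The log replay catches a sniffer that was started and stopped between audits, which a one-shot flags check misses. Shipping the kernel log off-host is what makes the record trustworthy once the box itself is suspect.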


  • #5
    Question Refined

    Originally posted by skroo
    Not to be oblique, but there are a few points I'd like to raise here before replies start launching in.

    1) Sniffers != IDS.

    2) Define 'passive mode'.

    3) Each IDS has its own methodology of detection, and thus its own methodology of evasion. Also, see 1) above. I could be wrong, but I think there may be a terminology issue here.

    4) The l0pht released a tool a few years back to attempt to detect a NIC in promiscuous mode (which is what I think you may be referring to by 'passive' mode). Its name escapes me right now, though, unfortunately. Hopefully someone can fill this blank in for me.
    *******************************************
    You're right, I'm a bit vague...

    Scenario:
    If I have compromised a box, and I want to move about the network undetected or as stealthy as possible, how can I detect if there is any sort of listening device on the same network as my jump-off? And what would I need to do to obfuscate or blend into normal traffic?

    When I say 'passive' I mean the driver firmware on the IDS/Sniffer interface has been modified so no bits go on the wire... It's completely invisible... a Hybrid IDS ;)
    Yeah, I may have the terminology wrong. Here's a good IDS dictionary: http://www.securityfocus.com/infocus/1728 (Part 1 of 2)
    I actually found Anti-Sniff and played with it a bit (you usually find what you are looking for after you post). Nonetheless, are there any other tools that work in a *NIX environment? I'm really interested in how DNS traffic and ICMP traffic would fare against a "Hybrid IDS." Thanks


  • #6
    Originally posted by baysick2k
    If I have compromised a box, and I want to move about the network undetected or as stealthy as possible, how can I detect if there is any sort of listening device on the same network as my jump-off? And what would I need to do to obfuscate or blend into normal traffic?

    When I say 'passive' I mean the driver firmware on the IDS/Sniffer interface has been modified so no bits go on the wire... It's completely invisible... a Hybrid IDS ;)
    IF one had access to a box (compromised or not), and, for whatever reason, one wanted to initiate network traffic to or from said box and not be noticed, one would be well advised to remember a few things: IDS devices can run as an agent on the box itself, and the IDS may not be in the same LAN broadcast domain as said box.

    That said, I find it difficult to believe that an IDS would be set up in the fashion you describe. They generally have to transfer log data and alarms to other machines, so unless it has two interfaces the above scenario is unlikely. And if it has an interface that isn't "passive"....


  • #7
    Originally posted by yankee
    IF one had access to a box (compromised or not), and, for whatever reason, one wanted to initiate network traffic to or from said box and not be noticed, one would be well advised to remember a few things: IDS devices can run as an agent on the box itself, and the IDS may not be in the same LAN broadcast domain as said box.
    Entirely possible. Also, if you want to log your IDS' activity without pointing fingers at it, there are plenty of non-IP options for doing so. Logging via serial, for example, or USB or FireWire if you generate tons of data. The data never touches Ethernet, so you never see it. No modification is required; virtually every IDS on the market supports an option like this.