
			Echelon for Dummies
	  A pattern matching high-stealth sniffing network
			Dec 1999 by Mixter

Contents:
- Features
- Deeper meaning
- Installation for dummies

Hi!
Echelon 4 Dummies is a 'distributed' sniffer which I coded/ripped in 30 minutes
from the TFN2 sources. Like my Phantom Sniffer, and Super Sniffer by
ajax@mobis.com, E4D consists of sniffing 'Agents', servers that can be installed
on any number of hosts, and will then sniff traffic and forward the results
via the TFN2 method (random protocol/strong encryption) to a central logging
daemon that handles messages from all the remote hosts.

Features: e4d sniffing agents will monitor all traffic to the local host at
SOCK_RAW level (this does not catch all ethernet traffic, only packets addressed
to the host itself, but since it never sets PROMISC the agent doesn't show up
to the usual promiscuous-mode checks, making it a bitch to detect), and perform
pattern matching against a user-defined list of keywords and patterns,
scanning all UDP/TCP/ICMP packets. It only does simple token matching; adding
Echelon-like intelligent context matching is left as an exercise to the reader
;P... erm well, and then it sends packets with matching content via the sneaky
methods mentioned above to the central logging server ("mwh"). Note that this
works on all the nice OS's TFN2 compiles on, and is quite portable because it
sniffs at SOCK_RAW level...

Deeper meaning: while this is not the most effective ethernet sniffer, it is
IMNSHO a good proof that remote eavesdropping networks are actually very easily
developed and deployed, and it helps in understanding how "echelon" could
actually be designed (especially because it also operates over an IP network).
PS: if you're one of the NIDS lovers, note that E4D can also be used as a
robust NIDS (well ok, the pattern matching sucks, as I mentioned), because it
can match any number of ascii and binary patterns (I recommend you convert the
binary ones to hex), and is quite effective for sweeping through large amounts
of traffic.
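Added example, not E4D's or TFN2's code: a stripped-down echelond in C that
shows the two mechanisms from the Features and NIDS paragraphs above, sniffing
at SOCK_RAW level without PROMISC and doing E4D-style token matching against a
keyword list of ascii tokens and hex-encoded binary patterns. The keyword list,
the labels and the two sample packets are constructed for this example (the
real list lives in echelond.c), and the raw-socket behaviour is Linux: an
AF_INET raw socket only ever sees packets addressed to the host it runs on, so
as a NIDS it covers that host and not the segment, and on the BSDs the kernel
does not hand TCP or UDP segments to raw sockets at all.

```c
/* Added example, not E4D's own code: an echelond-style agent in miniature. On
 * Linux an AF_INET SOCK_RAW socket delivers copies of incoming packets of its
 * protocol addressed to this host, IP header included, without touching the
 * interface's PROMISC flag. main() needs root; the other functions do not. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
struct pattern { const char *label; unsigned char bytes[32]; size_t len; };
/* Constructed keyword list standing in for echelond.c's: "a" = ascii token, "x" = hex-encoded binary. */
static const char *KEYWORDS[][3] = {
    { "ftp-pass",  "a", "PASS " },
    { "user-cmd",  "a", "USER " },
    { "smb-magic", "x", "ff534d42" },                 /* "\xffSMB" header */
};
static struct pattern PATS[16]; static size_t NPATS;

/* Decode "ff534d42" into bytes; -1 on odd length, overflow or a bad digit. */
int hex_decode(const char *hex, unsigned char *out, size_t outlen)
{
    static const char DIGITS[] = "0123456789abcdef";
    size_t n = strlen(hex), i;
    if (n % 2 || n / 2 > outlen) return -1;
    for (i = 0; i < n; i++) {
        const char *d = strchr(DIGITS, tolower((unsigned char)hex[i]));
        if (!d || !*d) return -1;
        out[i / 2] = (unsigned char)(i % 2 ? (out[i / 2] << 4) | (d - DIGITS) : d - DIGITS);
    }
    return (int)(n / 2);
}

/* Fill PATS from KEYWORDS, skipping malformed entries; returns the count. */
size_t load_patterns(void)
{
    size_t i;
    for (NPATS = 0, i = 0; i < sizeof KEYWORDS / sizeof KEYWORDS[0] && NPATS < 16; i++) {
        struct pattern *p = &PATS[NPATS];
        int hex = KEYWORDS[i][1][0] == 'x', len = (int)strlen(KEYWORDS[i][2]);
        if (hex) len = hex_decode(KEYWORDS[i][2], p->bytes, sizeof p->bytes);
        else if (len <= (int)sizeof p->bytes) memcpy(p->bytes, KEYWORDS[i][2], (size_t)len);
        else len = -1;
        if (len <= 0) continue;
        p->label = KEYWORDS[i][0]; p->len = (size_t)len; NPATS++;
    }
    return NPATS;
}

/* Walk the IPv4 and transport headers of one raw-socket read; returns the
 * payload offset, or -1 for non-IPv4, truncated or unsupported packets. */
int payload_offset(const unsigned char *pkt, size_t len)
{
    size_t ihl = len ? (size_t)(pkt[0] & 0x0f) * 4 : 0, off;
    if (len < 20 || (pkt[0] >> 4) != 4 || ihl < 20 || len < ihl) return -1;
    switch (pkt[9]) {
    case IPPROTO_TCP:
        if (len < ihl + 20) return -1;
        off = ihl + (size_t)(pkt[ihl + 12] >> 4) * 4;   /* honour the data offset */
        if (off < ihl + 20) return -1;
        break;
    case IPPROTO_UDP: case IPPROTO_ICMP: off = ihl + 8; break;   /* fixed 8-byte headers */
    default: return -1;
    }
    return off > len ? -1 : (int)off;
}

/* E4D-style matching: plain substring search, binary-safe (memcmp, not strstr);
 * the first pattern found anywhere in the payload wins. */
const char *scan_packet(const unsigned char *pkt, size_t len)
{
    int off = payload_offset(pkt, len);
    size_t i, j;
    if (off < 0) return NULL;
    for (i = 0; i < NPATS; i++)
        for (j = (size_t)off; j + PATS[i].len <= len; j++)
            if (memcmp(pkt + j, PATS[i].bytes, PATS[i].len) == 0)
                return PATS[i].label;
    return NULL;
}

/* Constructed samples, checksums left at zero (nothing above verifies them):
 * IPv4/TCP 10.0.0.1:1234 -> 10.0.0.2:21 carrying "PASS hunter2\r\n", and
 * IPv4/UDP 10.0.0.1:138 -> 10.0.0.2:138 carrying "\0\0\0\4\xffSMB". */
const unsigned char SAMPLE_TCP[] = {
    0x45,0x00,0x00,0x36, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x15, 0,0,0,0, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0,
    'P','A','S','S',' ','h','u','n','t','e','r','2','\r','\n' };
const unsigned char SAMPLE_UDP[] = {
    0x45,0x00,0x00,0x24, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x8a,0x00,0x8a, 0x00,0x10,0x00,0x00, 0x00,0x00,0x00,0x04, 0xff,'S','M','B' };

/* A real agent opens one such socket per protocol (ICMP, TCP, UDP) and
 * multiplexes them with select(); TCP alone keeps this loop short. */
int main(void)
{
    static unsigned char buf[65536];
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    ssize_t n;
    if (s < 0) { perror("socket (needs root)"); return 1; }
    load_patterns();
    while ((n = recv(s, buf, sizeof buf, 0)) > 0) {    /* whole IP packet per read */
        const char *hit = scan_packet(buf, (size_t)n);
        struct in_addr src;
        memcpy(&src, buf + 12, 4);                      /* IPv4 source address */
        if (hit)                     /* echelond would forward the packet to mwh here */
            printf("%s: %zd bytes from %s\n", hit, n, inet_ntoa(src));
    }
    return 0;
}
```

Build with cc and run as root; each hit prints the label, the packet size and
the source address, which is the point where E4D proper hands the packet to the
TFN2 channel towards mwh instead of printing it.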

Installation for dummies: Before compiling, you can edit the logfile name and
the process name the sniffers will use by editing e4d.h. Make sure to edit the
pattern/keyword list in echelond.c! During compilation, you will be asked for
the MWH host, where all sniffing servers (echelond) will send the matching
traffic to, and for a password (you don't need to remember it in this
program :). Uh yeah, don't forget to actually run mwh on the log host ;P

- Mixter
<mixter@newyorkoffice.com>
