I don’t get why he uses docker to capture all the traffic from the host. Why not use tcpdump directly?
docker is the new background job, apparently. Maybe he doesn’t know about nohup.
Maybe systemd doesn’t know about nohup. :(
So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.
I just don’t know what to say about that… guess I’m not a self-respecting security professional! :(
well, he’s not running systemd-docker (yes really) in the shell script so presumably it’ll get terminated in the same way anyway. What a time to be alive!
I’m not saying it’s a useful consideration for anyone’s threat model, but process isolation is the likeliest answer. If the tcpdump docker image drops privileges and has a small userland it could be difficult to escalate from there.
tcpdump itself can drop privileges:
This behavior reminds me of how chrome attempts to detect DNS poisoning attacks, e.g. if aslkdjakrgjalekrgjadlkjg resolves to something, then there is likely an attack underway. Maybe this is how they detect malware that tries to provide bogus certs to chrome? it would be easy to evade if so.