Home page logo

basics logo Security Basics mailing list archives

Re: AW: How to stop Admins from sniffing ?
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Fri, 28 Jul 2006 08:32:21 -0600 (MDT)

Hey List

I work in a small organisation and the system and network administrators
here are constantly monitoring all data in the network. I have seen them
running Etherreal on their systems and from their talks i am sure that
they know who is doing what. I m using windows XP and i have a personal

I think some folks are forgetting that there are non-security reasons to
sniff traffic as a Sys Admin.  The foremost reason is troubleshooting. 
Sometimes, the only way to figure out what is really going on is to see
what the client and server are "saying" to each other.  I've used that
method myself many times to fix problems that had the vendor scratching
their head.

That said, if the IDS picked up some suspicious behavior or someone is
performing a simple network IP usage audit (ping-sweep), than port scans
have their usage in determining if you have a false positive or if an IP
is in use and by whom.

From a "watch everything perspective" -- it's simply not feasible in most
shops in terms of man hours.  Most of us have to let the automated tools,
such as Snort, distill the volume of traffic down and alert us to the
suspicious issues.  Then, we are obligated to check each and every one of
those distilled issues out.  And it's even easier to prevent people from
getting to sites than punishing them afterwards.

Do you have Sys Admins abusing Ethereal?  Hard to say...you sound like a
junior level IT guy without a lot of priveleges.  I'm not knocking you,
but pointing out how you sound in the email.

If you're going to forbidden sites, even if the payload is encrypted via
SSL or SSH, you are going to get caught.  Those packets do contain
information about your source/destination traffic that Ethereal and IDS or
PRoxy solutions will spot.

What little you described doesn't disturb me.  There's simply not enough


Bryan S. Sampsel

This list is sponsored by: Norwich University

The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]