mailing list archives
detecting sniffers is downright easy
From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 10 May 1995 05:19:13 -0400 (EDT)
Since so many bugtraq people have pointed out that this is a practical
list where the distinction between possible and feasible is not
important and we are only concerned with real-world issues, I thought I
would mention that detecting sniffers from a real-world point of view is
downright easy in almost all cases.
The vast majority of real-world sniffers reported to date are software
sniffers of one of two varieties:
1 - DOS programs using the network interface in promiscuous mode.
2 - Unix programs modifying OS software to observe packets.
The total number of (1) programs in widespread use comes to only 10-20
and is certainly under 100. Current virus scanning technology makes
detection of these cases trivial by simply adding patterns for them into
your existing virus scanning software. HOWEVER - since bugtraq is ONLY
concerned with Unix security holes, this is not relevant to this list
and should be taken elsewhere.
All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique. This has been widely published for
over 5 years.
Thus, not only is detection of all Unix-based real-world sniffers not
impossible or infeasible, it is downright easy and simple.
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
\ /\/ | Check out info-security heaven and test your system
\/\ /\/ | for known vulnerabilities (1st time for free) at URL:
\/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95