Home page logo

bugtraq logo Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 10 May 1995 10:54:19 -0400 (EDT)

This is quite strange!  I've never heard of a trojan horse or virus-like
sniffer!  People just run the sniffer software.

Not under Unix they don't.  The physical interface is not available, and thus
they must modify the OS in some way in order to do the sniffing.

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.  This has been widely published for
over 5 years.

Again, sniffer programs on unix don't modify system software, they just
run.  I think you're confused here.

By definition, a program run as root is system software.  I don't think I am

Thus, not only is detection of all Unix-based real-world sniffers not
impossible or infeasible, it is downright easy and simple. 

It can be, but not the way you're talking about.  And the original poster
of the thread asked how you can tell if a sniffer is running on your
network, not how to tell if your system software has been modified.

But of course the former question is not relevant to bugtraq (per the
widely hailed charter) while the latter both answers the question and is
relevant to bugtraq.  But I am glad to hear that someone on bugtraq
finally agrees that detecting a sniffer is not impossible.

This is quite out there for one of your posts, you usually have
better knowledge of the field.  Makes me wonder if someone didn't 
forge mail from you, but looking at the headers everything seems ok.

Indeed - forging email in Unix is quite easy with most smtp programs I
have seen in the past, however, I doubt if this particular posting was

Methinks you should just drop this thread, the longer it goes the 
stranger you look.

\Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \        /\/   | Check out info-security heaven and test your system
  \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
     \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
   ASIS "Security Management" Articles and Information On-Line
   Read "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]