Home page logo

bugtraq logo Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: holland () Telchar Jpl Nasa Gov (Ronald Holland)
Date: Wed, 10 May 1995 08:40:28 -0700 (PDT)

On Wed, 10 May 1995, Dr. Frederick B. Cohen wrote:

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.  This has been widely published for
over 5 years.

Thus, not only is detection of all Unix-based real-world sniffers not
impossible or infeasible, it is downright easy and simple. 

Correct me if I am wrong,  but the sniffers we have seen here do not 
modify any OS programs.  The OS program may have been trojaned as a 
separate attack to provide entry points,  but the sniffer itself does not 
modify anything (Other than putting /dev/nit into promiscuos mode on 

Assuming that you are correct,  all I have to do is get our 10,000 
machines to run tripwire and the 400 part-time system administrators to 
be observant...

easy.... simple.... I don't think so, Fred...

Ron Holland                holland () telchar jpl nasa gov
Communications, Computer & Network Services
JPL / NASA - Pasadena, CA

Visualize Whirled Peas... Ummmm.. Make that World Peace!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]