Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 10 May 1995 11:35:49 -0400 (EDT)




Dr. Frederick B. Cohen says:
I thought I would mention that detecting sniffers from a real-world
point of view is downright easy in almost all cases.

The vast majority of real-world sniffers reported to date are software
sniffers of one of two varieties:

    1 - DOS programs using the network interface in promiscuous mode.
    2 - Unix programs modifying OS software to observe packets.

The total number of (1) programs in widespread use comes to only 10-20
and is certainly under 100.  Current virus scanning technology makes
detection of these cases trivial by simply adding patterns for them into
your existing virus scanning software.

What if it isn't your machine? What if the sniffer is running on a tap
on your network? This is by far the case that my clients have to worry
about the most.

This is not a subject for bugtraq, which is only related to Unix security.

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.

Again, what if it isn't your machine?

This is not a subject for bugtraq, which is only related to Unix security.


As I've said, repeatedly, if you have three or four thousand machines
in a dozen cities on three continents (a common enough situation)
there are literally tens of thousands of miles of cabling that you do
not control and have no way to physically secure. Cryptography is, in
the real world, the only practical method to secure your lines -- you
can't guarantee that the physical lines are secure in the real world.

This is not a subject for bugtraq, which is only related to Unix security.


Therefore, your initial comment:
I thought I would mention that detecting sniffers from a real-world
point of view is downright easy in almost all cases.
is as bogus as everything else you say.

Well, of course there a lot of other ways to detect sniffers that are
both inexpensive and highly effective in the environment you describe,
but this is not a subject for bugtraq, which is only related to Unix
security.  So perhaps you should take this discussion elsewhere.

-- 
-----------------
\Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \        /\/   | Check out info-security heaven and test your system
  \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
     \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
-----------------
   ASIS "Security Management" Articles and Information On-Line
   Read "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault