Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: detecting sniffers is downright easy
From: perry () imsi com (Perry E. Metzger)
Date: Wed, 10 May 1995 11:34:29 -0400


Dr. Frederick B. Cohen says:
I thought I would mention that detecting sniffers from a real-world
point of view is downright easy in almost all cases.

The vast majority of real-world sniffers reported to date are software
sniffers of one of two varieties:

      1 - DOS programs using the network interface in promiscuous mode.
      2 - Unix programs modifying OS software to observe packets.

The total number of (1) programs in widespread use comes to only 10-20
and is certainly under 100.  Current virus scanning technology makes
detection of these cases trivial by simply adding patterns for them into
your existing virus scanning software.

What if it isn't your machine? What if the sniffer is running on a tap
on your network? This is by far the case that my clients have to worry
about the most.

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.

Again, what if it isn't your machine?

As I've said, repeatedly, if you have three or four thousand machines
in a dozen cities on three continents (a common enough situation)
there are literally tens of thousands of miles of cabling that you do
not control and have no way to physically secure. Cryptography is, in
the real world, the only practical method to secure your lines -- you
can't guarantee that the physical lines are secure in the real world.

Therefore, your initial comment:
I thought I would mention that detecting sniffers from a real-world
point of view is downright easy in almost all cases.
is as bogus as everything else you say.

Perry



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault