Intrusion Detection Systems mailing list archives
Re: detecting a sniffer remotely
From: seregon () midsouth rr com (seregon)
Date: Fri, 01 Oct 1999 17:04:28 -0500
Bill Royds wrote:
The L0pht AntiSniff program works by sending packets to all IP numbers and MAC addresses on a segment. When a device is in promiscuous mode, the timing of ping replies and other packet messages will be different than when it is not in this mode. By looking at time delays and other signatures, a probability of sniffing can be created for each IP. This is not guaranteed to work and won't work for all sniffers. But it will help to find anything attached to an IP-enabled device which is more likely to be the intruder sniffing for passwords.
May not be all that helpful for systems where things like ping responses can be assigned a priority (I think that Tandems allow this).

Regards,
seregon
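
The timing comparison described in the quoted text, and the blind spot raised in the reply, as an added example that is not part of either post and is not AntiSniff's code. The addresses, round-trip times, thresholds and the scoring method (pairwise effect size plus median slowdown) are all assumptions constructed for illustration.

```python
import statistics

# Constructed round-trip times in ms (not real measurements). "quiet" = idle
# segment; "loaded" = the same pings while the segment carries a burst of
# frames addressed to a MAC that no host owns (assumed load method).
SAMPLES = {
    # ordinary host: the NIC filters the burst, reply times do not move
    "192.0.2.11": ([0.41, 0.39, 0.43, 0.40, 0.42, 0.38],
                   [0.40, 0.42, 0.39, 0.44, 0.41, 0.38]),
    # promiscuous host: every frame reaches its stack, replies slow down
    "192.0.2.12": ([0.40, 0.44, 0.39, 0.42, 0.41, 0.43],
                   [2.9, 3.6, 3.1, 4.2, 2.7, 3.3]),
    # promiscuous host that answers ping at a fixed priority (the reply's case)
    "192.0.2.13": ([0.30, 0.31, 0.30, 0.29, 0.30, 0.31],
                   [0.30, 0.30, 0.31, 0.29, 0.31, 0.30]),
}

MIN_EFFECT = 0.9    # assumed: at least 90% of pairs slower under load
MIN_SLOWDOWN = 2.0  # assumed: median reply at least twice as slow


def effect_size(quiet, loaded):
    """Fraction of (quiet, loaded) pairs where the loaded reply was slower.

    Ties count half, so 0.5 means no shift and 1.0 means every loaded
    reply was slower than every quiet one.
    """
    wins = sum(1.0 if l > q else 0.5 if l == q else 0.0
               for q in quiet for l in loaded)
    return wins / (len(quiet) * len(loaded))


def score_host(quiet, loaded):
    """Score one host; 'suspect' needs both a consistent and a large shift."""
    effect = effect_size(quiet, loaded)
    slowdown = statistics.median(loaded) / statistics.median(quiet)
    suspect = effect >= MIN_EFFECT and slowdown >= MIN_SLOWDOWN
    return {"effect": effect, "slowdown": slowdown, "suspect": suspect}


def report(samples=SAMPLES):
    """Return {host: score} for every host in the sample set."""
    return {host: score_host(q, l) for host, (q, l) in samples.items()}


if __name__ == "__main__":
    for host, r in report().items():
        print(f"{host}  effect={r['effect']:.2f}  "
              f"slowdown={r['slowdown']:.1f}x  suspect={r['suspect']}")
```

Only the second host is flagged; the third is a false negative because its ping timing never moves, so a timing score alone cannot clear a host.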
