RE: Counter detect Network Sniffer

From: Fergus Brooks (fergusb_at_evolve-online.com)
Date: 02/25/04

  • Next message: Michael Stone: "Re: Is IDS/IPS worthless?" 
    To: <focus-ids@securityfocus.com>
Date: Wed, 25 Feb 2004 09:14:46 +0800

    Great method, I hadn't thought of that - will get most but will only get
    interfaces that aren't in stealth mode, interfaces without an IP address on
    their sniffing interfaces will not respond to these requests.

    Also if you are looking for sniffers on your network that may have been
    placed there by slightly (or very) bent internal or external
    network/security staff then go no further than checking for ports that are
    configured as mirror/spanning ports on your switches that shouldn't be.

    There has been some discussion on this thread about how switches suck for
    sniffing, especially if they are unconfigurable. Do remember though that
    locked down switches and no hubs is only part of it. Someone could run a
    sniffer on one of your servers and get a lot of information regardless of
    the way that machine connects to the network. I guess this is where HIDS can
    help.

    Rgds..

     

     

    -----Original Message-----
    From: M. Dodge Mumford [mailto:dodge@nfr.net]
    Sent: Tuesday, 24 February 2004 11:05 PM
    To: ald2003@users.sourceforge.net
    Cc: Bill Mok; focus-ids@securityfocus.com
    Subject: Re: Counter detect Network Sniffer

    Aditya, ALD [Aditya Lalit Deshmukh] said:
    > M. Dodge Mumford
    > > - Send packets from bizarre network addresses, and look for DNS PTR
    > > requests.
    >
    > how does this work ? guess i will have to look & search with google ...

    Pretty simply, really. If you run tcpdump without the -n option, it attempts
    to resolve IP addresses into domain names. If you inject traffic from (say)
    127.1.2.3 (or any other address you should _never_ see on a live network),
    and then if you see a DNS PTR request for it, you know the host that sent
    the PTR is sniffing traffic. 

    -- 
Dodge
--
This message has been scanned by AVMail
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Michael Stone: "Re: Is IDS/IPS worthless?"

    Relevant Pages

    • Re: A Solution for sniffing
      ... I've only heard/read of ways to protect against attacks on switches ... If you're a sniffer, your machine should be as discreet as you want it to be ... >Subject: Re: A Solution for sniffing ... >causing more problems associated with flooding a network. ...
      (Security-Basics)
    • Re: Solaris 10 - Bridging Network Interfaces?
      ... If you used separate switches, ... brochure on using internet protocol network multipathing... ... bandwidth using multiple ethernet interfaces, ... IPMP is good for failover. ...
      (comp.unix.solaris)
    • Re: Solaris 10 - Bridging Network Interfaces?
      ... I am in the process of configuring SUN Trunking 3.1 on an E2900 (using two CE interfaces). ... What the network people tell me is that they cannot enable this if we connect to two switches, but only if they are connected to one switch. ... Prior to moving ahead with SUN Trunking 3.1, I was approached with a brochure on using internet protocol network multipathing... ...
      (comp.unix.solaris)
    • Re: Solaris 10 - Bridging Network Interfaces?
      ... brochure on using internet protocol network multipathing... ... wondering if the multipathing would let me use redundant switches. ... bandwidth using multiple ethernet interfaces, ... Link Aggregation do this, ...
      (comp.unix.solaris)
    • Re: Monitoring Network activity
      ... > monitor the network activity. ... Note that it is not a true sniffer, ... Note that if you have switches on your network, ...
      (microsoft.public.windowsxp.security_admin)