RE: Detecting Network Sniffers ???

From: Amin Tora (atora_at_EPLUS.com)
Date: 05/29/04

  • Next message: Greg: "Attacks against Spamkiller?"
    Date: Sat, 29 May 2004 11:02:30 -0400
    To: <security-basics@securityfocus.com>

    >> Can somebody guide me on detecting a sniffer on my network. Can I
    >> still detect a sniffer even if the computer running the sniffer has
    >> disabled the TCP/IP stack?

    > Just out of curiosity, how would someone be able to sniff if they
    > disabled the TCP/IP stack?
    > Are you saying that they'd capture all ethernet frames, and then parse
    > those apart? If the IP stack is disabled (and not replaced), then how
    > would the IP packets be parsed, or passed up to the application layer?

    Quick Comment on this:

    There are IDS systems that allow for this {i.e. ISS, Snort, etc.} and
    there are also freeware kernel level drivers that replace the binding
    and requirement for the OS TCP/IP and handle packets in raw format and
    convert to readable data for the intended use...

    The reason this works is that it doesn't rely on the TCP/IP stack;
    rather, the whole TCP/IP stack is 'replaced' for this purpose by its own
    "stack" that binds to the NIC.

    See:

    "3.1 How do I setup snort on a 'stealth' interface?" at
    http://www.snort.org/docs/FAQ.txt
    This shows how to configure a stealth interface on {BSD,LINUX,WINx} for
    SNORT.

    "Network Sensor Stealth Configuration", on pg. 157 at
    http://documents.iss.net/literature/RealSecure/RS_NetSensor_IG_7.0.pdf
    This shows how to configure ISS RealSecure in Stealth mode where the
    listening interface has no protocol stack bound to it.

    Amin Tora, CISSP, CHSP
    Security Consultant
    ePlus Technology Inc.
    13595 Dulles Technology Drive
    Herndon, VA 20171
    office: 703-793-1330
    cell: 703-675-0738
    web: http://www.eplustechnology.com
    email: atora-at-eplus.com

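The point made above is that a sniffer only needs raw Ethernet frames from the NIC; decoding Ethernet, IP and TCP headers is done in the capturing program, not by the host's bound TCP/IP stack. The following added example (not code from the original post, Snort or ISS) shows what that decoding step looks like on a constructed frame: a pure-Python parser for an Ethernet II frame carrying IPv4/TCP, with no sockets and no OS stack involved. The sample frame, MAC and IP addresses are constructed for illustration, and checksums are not verified.

```python
"""Decode a raw Ethernet II frame (IPv4/TCP) without using the OS IP stack.

This is illustration code added to the archive page, not from Snort or
ISS RealSecure. A stealth sensor reads frames like this straight from the
NIC and parses them itself; the host needs no IP address on that interface.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Split the 14-byte Ethernet II header from its payload."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet):
    """Parse the fixed IPv4 header; honour IHL so options are skipped."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < total_len or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
            "ttl": ttl, "protocol": proto, "payload": packet[ihl:total_len]}


def parse_tcp(segment):
    """Parse the TCP header; data offset gives the start of the payload."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("malformed TCP header")
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[data_off:]}


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP; raises ValueError on malformed input."""
    result = {"eth": parse_ethernet(frame)}
    if result["eth"]["ethertype"] == ETHERTYPE_IPV4:
        result["ip"] = parse_ipv4(result["eth"]["payload"])
        if result["ip"]["protocol"] == IP_PROTO_TCP:
            result["tcp"] = parse_tcp(result["ip"]["payload"])
    return result


def try_decode(frame):
    """Same as decode_frame but returns None instead of raising."""
    try:
        return decode_frame(frame)
    except ValueError:
        return None


def summarize(decoded):
    """One readable line per frame, as a sensor's console output might show."""
    ip, tcp = decoded.get("ip"), decoded.get("tcp")
    if ip is None or tcp is None:
        return f"non-TCP/IP frame, ethertype 0x{decoded['eth']['ethertype']:04x}"
    return (f"{ip['src_ip']}:{tcp['src_port']} -> {ip['dst_ip']}:{tcp['dst_port']} "
            f"[{','.join(tcp['flags'])}] {len(tcp['payload'])} bytes")


def build_sample_frame():
    """Constructed test frame: 192.168.1.10:40000 -> 192.168.1.20:80, PSH+ACK."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IP_PROTO_TCP, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


if __name__ == "__main__":
    print(summarize(decode_frame(build_sample_frame())))
```

Nothing here touches a socket: the same functions would run over bytes handed up by a raw-frame capture driver on an interface with no address bound, which is exactly why removing the IP stack from the sniffing host does not stop it from reading traffic.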
