Bugtraq mailing list archives
Re: detecting sniffers is downright easy
From: patrick () oes amdahl com (Patrick Horgan)
Date: Wed, 10 May 1995 07:48:35 +0800
> The vast majority of real-world sniffers reported to date are software sniffers of one of two varieties:
> 1 - DOS programs using the network interface in promiscuous mode.
> 2 - Unix programs modifying OS software to observe packets.
> The total number of (1) programs in widespread use comes to only 10-20 and is certainly under 100. Current virus scanning technology makes detection of these cases trivial by simply adding patterns for them into
This is quite strange! I've never heard of a trojan horse or virus-like sniffer! People just run the sniffer software.
> your existing virus scanning software. HOWEVER - since bugtraq is ONLY concerned with Unix security holes, this is not relevant to this list and should be taken elsewhere. All current (2) programs can be detected by comparing the OS programs with their original distribution versions using MD5 or a similar cryptographic checksum technique. This has been widely published for over 5 years.
Again, sniffer programs on unix don't modify system software, they just run. I think you're confused here.
> Thus, not only is detection of all Unix-based real-world sniffers not impossible or infeasible, it is downright easy and simple.
It can be, but not the way you're talking about. And the original poster of the thread asked how you can tell if a sniffer is running on your network, not how to tell if your system software has been modified. This is quite out there for one of your posts, you usually have better knowledge of the field. Makes me wonder if someone didn't forge mail from you, but looking at the headers everything seems ok. Methinks you should just drop this thread, the longer it goes the stranger you look.

Patrick
 _______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;).   \
|                                                                   (\  |
| Patrick J. Horgan      Amdahl Corporation               \\    Have    |
| patrick () amdahl com  1250 East Arques Avenue           \\  _ Sword  |
| Phone : (408)992-2779  P.O. Box 3470 M/S 316              \\/   Will  |
| FAX   : (408)773-0833  Sunnyvale, CA 94088-3470          _/\\  Travel |
\___________________________O16-2294________________________\)__________/
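
Added example (not part of the original message or of either poster's own code): a sketch of the checksum comparison the quoted text describes, run against the two cases argued over in this exchange. It uses SHA-256 in place of MD5; the function names, file names and both directory trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Diff two manifests into modified, missing and unexpected files."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "unexpected": sorted(f for f in current if f not in baseline),
    }


def demo():
    """Constructed trees: 'dist' is the distribution copy, 'live' the host."""
    with tempfile.TemporaryDirectory() as tmp:
        dist, live = Path(tmp, "dist"), Path(tmp, "live")
        for tree in (dist, live):
            (tree / "bin").mkdir(parents=True)
            (tree / "bin" / "login").write_bytes(b"login v1")
            (tree / "bin" / "ps").write_bytes(b"ps v1")
        baseline = manifest(dist)  # assumed to come from trusted media
        clean = compare(baseline, manifest(live))
        # Case 1: a system program is replaced; its digest no longer matches.
        (live / "bin" / "ps").write_bytes(b"ps v1 patched")
        replaced = compare(baseline, manifest(live))
        # Case 2: system programs are untouched and a separate program is
        # simply added and run; no baseline digest changes at all.
        (live / "bin" / "ps").write_bytes(b"ps v1")
        (live / "bin" / "capture").write_bytes(b"standalone tool")
        dropped = compare(baseline, manifest(live))
        return clean, replaced, dropped


if __name__ == "__main__":
    for label, result in zip(("clean", "replaced", "dropped"), demo()):
        print(label, result)
```

In the second case the comparison reports no modified file; the extra program appears only because the example also lists files absent from the baseline, and only within the directories that were scanned.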