Bugtraq mailing list archives
Re: detecting sniffers is downright easy
From: cds () SSDS com (Chris Swanson)
Date: Thu, 11 May 1995 14:50:10 -0700 (PDT)
Greetings,

I think you underestimate the problem. Actually, most Unix sniffers do not "modify the kernel" as you state. Most Unixes have a promiscuous mode interface built-in (w/o it you can not do ARP/RARP, etc); /dev/nit in BSD based systems is a good example. The only way the kernel checksum that you recommended would work would be if the promiscuous mode interface were configured out of the kernel. While this is desirable, in certain cases it can not be done.

Also, the software scan will only work on machines that you know about and control. If someone gains physical access to your net (trivial in most real-world situations), they can plug an "enabled" system in and sniff.

In reality, detecting sniffers is quite difficult. You must control all of the systems on the net, they must be secure, and the net must have physical security (where most organizations REALLY fall down).

Regards,
-+Chris

Chris Swanson, Engineer
SSDS, Inc., Minneapolis Operations
8841 Nicollet Ave S., Bloomington, MN 55420
Tel: (612)/888-4045  FAX: (612)/888-4066
Email: cds () ssds com
** The Intelligent Network Computing Company **

On Wed, 10 May 1995, Dr. Frederick B. Cohen wrote:
Date: Wed, 10 May 1995 05:19:13 -0400 (EDT)
From: Dr. Frederick B. Cohen <fc () all net>
To: bugtraq () fc net
Subject: detecting sniffers is downright easy

Since so many bugtraq people have pointed out that this is a practical list where the distinction between possible and feasible is not important and we are only concerned with real-world issues, I thought I would mention that detecting sniffers from a real-world point of view is downright easy in almost all cases.

The vast majority of real-world sniffers reported to date are software sniffers of one of two varieties:

1 - DOS programs using the network interface in promiscuous mode.
2 - Unix programs modifying OS software to observe packets.

The total number of (1) programs in widespread use comes to only 10-20 and is certainly under 100. Current virus scanning technology makes detection of these cases trivial by simply adding patterns for them into your existing virus scanning software. HOWEVER - since bugtraq is ONLY concerned with Unix security holes, this is not relevant to this list and should be taken elsewhere.

All current (2) programs can be detected by comparing the OS programs with their original distribution versions using MD5 or a similar cryptographic checksum technique. This has been widely published for over 5 years.

Thus, not only is detection of all Unix-based real-world sniffers not impossible or infeasible, it is downright easy and simple.

-- 
Management Analytics, 216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known vulnerabilities (1st time for free) at URL: http://all.net:8080 (scans deeper than SATAN or ISS)
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway", John Wiley and Sons, 1995, ISBN 0-471-11389-1, 320 pp, $24.95
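The two messages above describe two different host-side checks: Cohen's, which re-hashes OS programs against a known-good baseline and so only catches sniffers that replaced binaries, and the condition Swanson points at, a sniffer that uses the kernel's own promiscuous-mode interface and changes no binary at all, which leaves a trace only in the interface flags. The script below is an added example, not code from either poster or from the list; it assumes a Linux host with the sysfs layout /sys/class/net/<iface>/flags and the IFF_PROMISC bit value from <linux/if.h>, and it uses MD5 because that is the algorithm named in the thread (any hashlib algorithm can be substituted). The baseline must be produced from trusted media and stored off-host or signed; a baseline the attacker can rewrite proves nothing.

```python
# Added example (not from either poster). Two host-side sniffer checks:
#   check_baseline()        - Cohen's "compare OS programs with the original
#                             distribution using MD5" approach
#   promiscuous_interfaces()- reads the kernel's interface flags, which is
#                             what a sniffer using the built-in promiscuous
#                             mode leaves behind without touching any binary
# Assumptions: Linux sysfs layout /sys/class/net/<iface>/flags, and the
# IFF_PROMISC value from <linux/if.h>.
import hashlib
import os
from pathlib import Path

IFF_PROMISC = 0x100  # Linux <linux/if.h>; bit 8 of the interface flags


def file_digest(path, algo="md5"):
    """Hex digest of a file, read in chunks so large binaries are cheap."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="md5"):
    """Map each path to its digest. Build this from trusted distribution
    media and keep it off-host or signed."""
    return {str(p): file_digest(p, algo) for p in paths}


def check_baseline(baseline, algo="md5"):
    """Re-hash every path in the baseline.
    Returns {"changed": [paths whose digest differs], "missing": [paths gone]}."""
    result = {"changed": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result["missing"].append(path)
        elif file_digest(path, algo) != expected:
            result["changed"].append(path)
    return result


def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags,
    a hex string such as '0x1103' (UP|BROADCAST|PROMISC|MULTICAST)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_class_net="/sys/class/net"):
    """Names of interfaces whose kernel flags include IFF_PROMISC.
    sys_class_net is parameterised so the check can run against a copy."""
    found = []
    root = Path(sys_class_net)
    if not root.is_dir():
        return found
    for iface in sorted(root.iterdir()):
        flags_file = iface / "flags"
        if flags_file.is_file() and is_promiscuous(flags_file.read_text()):
            found.append(iface.name)
    return found


if __name__ == "__main__":
    # Hypothetical target list; any binaries a sniffer might replace.
    targets = [p for p in ("/sbin/ifconfig", "/usr/sbin/tcpdump", "/bin/ls")
               if os.path.exists(p)]
    baseline = build_baseline(targets)
    print("baseline:", baseline)
    print("baseline check:", check_baseline(baseline))
    print("promiscuous interfaces:", promiscuous_interfaces())
```

Both checks trust the kernel that answers them: a sniffer that lives in the kernel, or an attacker's own machine plugged into the segment, is invisible to either, which is the substance of Swanson's reply.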
Current thread:
- SECURITY META HOTLIST, (continued)
- SECURITY META HOTLIST Alberto Verga (May 09)
- Re: SECURITY META HOTLIST Charles R. Hoynowski (May 10)
- detecting sniffers is downright easy Dr. Frederick B. Cohen (May 10)
- Re: detecting sniffers is downright easy Kenneth R. van Wyk (May 10)
- snooper detection Dr. Frederick B. Cohen (May 10)
- Re: detecting sniffers is downright easy Perry E. Metzger (May 10)
- Re: detecting sniffers is downright easy Dr. Frederick B. Cohen (May 10)
- Re: detecting sniffers is downright easy Ronald Holland (May 10)
- Re: detecting sniffers is downright easy Christopher Klaus (May 10)
- imp vs. imp. END !! MIGUEL ESTEVES (May 10)
- Re: detecting sniffers is downright easy Chris Swanson (May 11)
- Re: Anon site needed for FIP Pub 190 Paul C Leyland (May 10)
- Re: Anon site needed for FIP Pub 190 Mark Joseph Crosbie (May 10)