IDS mailing list archives

Re: sniffer detection on switched based networks


From: Brett Harris <bsdbrett () yahoo com au>
Date: Thu, 6 Feb 2003 12:00:23 +1100 (EST)

Hi Sangram,

arpwatch [ http://online.securityfocus.com/tools/142 ]
keeps a database of IP/ARP pairings and generates logs
or emails reporting any changes. That way if a machine
running arpwatch is spoofed, the logs know about it.

Since arpwatch is completely passive (only inspecting
packets, not transmitting any), it won't clog your
network up with any extra packets.

Many operating systems can be told to ignore changes
to their ARP cache, so attempting to spoof that
machine fails, because it won't accept the new MAC
address. 

ettercap [ http://ettercap.sourceforge.net/ ] is a
program that makes ARP spoofing mindlessly simple. It's
worth checking out, just to see what would-be bad guys
can use. Ettercap has forums on their page which
sometimes deal with topics of detection/prevention
etc.

I'm not aware of much else that can be done to detect
such attacks, particularly passively.

Hope this was some help

regards

Brett
bmh.youth-it.com

As we know, sniffing on switch based networks is not
easy (ignoring the monitor port of the switch). Usually
an ARP spoof, DNS spoof or other such attack has to be
launched. There are tools like Dsniff which can
accomplish this task quite easily.

Now what I would like to know is: is there any method /
tool or Snort IDS rule set which can detect such
sniffers on systems, esp. on switch based networks?
And here I am talking of large corporate ethernet
networks. The considerations are that I don't want to
overload the network by probing each w/s individually.
And if the process is automated it would be all the
better.

Regards

Sangram Gayal
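Added example, not code from either poster nor from arpwatch itself: a
minimal passive ARP monitor of the kind Brett describes, which parses
ARP frames, keeps an IP-to-MAC table and reports when a pairing changes.
The report names ("new station", "changed ethernet address", "flip flop",
"ethernet mismatch") are borrowed loosely from arpwatch's own log messages;
the frames, MAC and IP addresses below are constructed for the demo and
stand in for what a sniffer on the segment would capture. In the sample,
an attacker-style host (as a Dsniff arpspoof run would do) answers for the
gateway's IP with its own MAC, and the monitor flags it.

```python
"""Passive ARP monitor (added example, loosely modelled on arpwatch)."""
import struct
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac, opcode) for an Ethernet II ARP frame,
    or None if the frame is not IPv4-over-Ethernet ARP.  Both requests and
    replies carry the sender's IP/MAC, so both are useful for learning."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ip_str(frame[28:32]), mac_str(frame[22:28]), op


@dataclass
class ArpDb:
    """IP -> current MAC, plus every MAC ever seen for that IP."""
    pairings: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)

    def observe(self, ip: str, mac: str):
        events = []
        old = self.pairings.get(ip)
        if old is None:
            events.append(("new station", ip, mac, None))
        elif old != mac:
            # A return to a previously seen MAC is a "flip flop"; a MAC never
            # seen for this IP before is a plain change.  Either one on a
            # gateway address during working hours deserves a look.
            kind = "flip flop" if mac in self.history.get(ip, set()) else "changed ethernet address"
            events.append((kind, ip, mac, old))
        self.pairings[ip] = mac
        self.history.setdefault(ip, set()).add(mac)
        return events


def monitor(frames):
    """Run every frame through the database; return the list of reports."""
    db = ArpDb()
    events = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        ip, mac, _op = parsed
        eth_src = mac_str(frame[6:12])
        if eth_src != mac:
            # ARP sender hardware address disagrees with the Ethernet source.
            events.append(("ethernet mismatch", ip, mac, eth_src))
        events.extend(db.observe(ip, mac))
    return events


def build_arp(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a 42-byte Ethernet II + ARP frame (test helper, constructed data)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


# Constructed addresses: a gateway, a workstation and a spoofing host.
GW_MAC, GW_IP = "00:00:0c:11:11:11", "192.168.1.1"
WS_MAC, WS_IP = "00:11:22:33:44:55", "192.168.1.50"
ATK_MAC = "00:de:ad:be:ef:01"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    build_arp(GW_MAC, BCAST, ARP_REQUEST, GW_MAC, GW_IP, ZERO, WS_IP),   # gateway asks for ws
    build_arp(WS_MAC, GW_MAC, ARP_REPLY, WS_MAC, WS_IP, GW_MAC, GW_IP),  # ws answers
    build_arp(ATK_MAC, WS_MAC, ARP_REPLY, ATK_MAC, GW_IP, WS_MAC, WS_IP),  # spoofed: "gateway is at ATK_MAC"
    build_arp(GW_MAC, BCAST, ARP_REQUEST, GW_MAC, GW_IP, ZERO, WS_IP),   # real gateway speaks again
    build_arp(ATK_MAC, WS_MAC, ARP_REPLY, ATK_MAC, GW_IP, WS_MAC, WS_IP),  # attacker re-poisons
]


def run_sample():
    return monitor(SAMPLE_FRAMES)


if __name__ == "__main__":
    for kind, ip, mac, prev in run_sample():
        print(f"{kind:26} {ip:15} {mac}" + (f"  (was {prev})" if prev else ""))
```

On a real segment the frames would come from a promiscuous capture on a
SPAN/monitor port or from the host's own interface; because the monitor
only reads, it adds no traffic of its own, which is the property Sangram
asked for. A database that persists across restarts, and whitelisting of
known DHCP churn, are the two things you would add next.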

