IDS mailing list archives

RE: [inbox] Re: Counter detect Network Sniffer


From: "Rob Shein" <shoten () starpower net>
Date: Mon, 1 Mar 2004 14:19:43 -0500

Actually, this isn't true.  There are a number of things that can be done to
avoid detection, like using an IP address that isn't on the correct subnet;
all the methods I've seen for promiscuous-mode detection require the ability
to communicate with the sniffing system. Ultimately, if the person sniffing
is somewhat clever (and/or paranoid), it'll be trivial for them to evade
detection as long as they don't want to make use of their system for normal
usage at the same time.

-----Original Message-----
From: Curt Purdy [mailto:purdy () tecman com] 
Sent: Monday, March 01, 2004 1:51 PM
To: 'Vel'; 'Rob Shein'; 'gatekeeper'; focus-ids () securityfocus com
Subject: RE: [inbox] Re: Counter detect Network Sniffer


Vel wrote:

How can a sniffer be run in non-promiscuous mode ?

<snip>

It may also not work if the sniffer was run non-promiscuously (i.e. 
snoop -P)? Is there a way to detect such sniffers? Thanks.

You can run in promiscuous mode without fear of detection by 
cutting the TX wires 1&2 leaving only your RX wires.  This is 
actually my preferred method of running an IDS to evade detection.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be 
hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
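The exchange above turns on one point: the usual promiscuous-mode checks (the ARP probe to a bogus destination MAC is the classic one) only work when the suspect host can and will answer, so a receive-only cable or an address outside the probed subnet leaves the check blind. The following is an added illustration, not code from the list or from any tool named in the thread; it models that check and its blind spots on a constructed segment, and every host, MAC and IP in it is made up.

```python
# Added example: a model of the ARP-probe test for promiscuous hosts and of
# why the evasions in the thread defeat it.  All addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Destination MAC owned by no NIC.  A NIC in normal mode drops the frame in
# its hardware filter; a NIC in promiscuous mode passes it up, and the IP
# stack answers an ARP request for its own address regardless of the MAC.
BOGUS_MAC = "ff:ff:ff:ff:ff:fe"


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False
    tx_wired: bool = True  # False models a receive-only cable (TX pairs cut)

    def nic_accepts(self, frame: ArpFrame) -> bool:
        """Hardware filter: own MAC or broadcast only, unless promiscuous."""
        return self.promiscuous or frame.dst_mac in (self.mac, BROADCAST)

    def arp_reply(self, frame: ArpFrame) -> Optional[ArpFrame]:
        """What, if anything, leaves this host's NIC in response."""
        if not self.nic_accepts(frame) or frame.target_ip != self.ip:
            return None
        if not self.tx_wired:  # reply is built but can never reach the wire
            return None
        return ArpFrame(frame.src_mac, self.mac, self.ip, frame.sender_ip)


def probe(hosts: List[Host], target_ip: str, dst_mac: str,
          prober_mac: str = "00:00:5e:00:00:01",
          prober_ip: str = "10.0.0.1") -> bool:
    """Put one ARP request on the segment; True if any host answers it."""
    req = ArpFrame(dst_mac, prober_mac, prober_ip, target_ip)
    return any(h.arp_reply(req) is not None for h in hosts)


def classify(hosts: List[Host], target_ip: str) -> str:
    """
    Two probes per address: the bogus-MAC probe is the promiscuity test, the
    broadcast probe is a liveness check.  Only a reply is conclusive; a silent
    address may be down, receive-only, or not on this subnet at all, and the
    probe cannot tell those apart, so it is reported as 'undetermined'.
    """
    if probe(hosts, target_ip, BOGUS_MAC):
        return "promiscuous"
    if probe(hosts, target_ip, BROADCAST):
        return "normal"
    return "undetermined"


def scan(hosts: List[Host], local_ips: List[str]) -> Dict[str, str]:
    """Classify every address the prober knows about on its own subnet."""
    return {ip: classify(hosts, ip) for ip in local_ips}


# Constructed segment: one ordinary host and three sniffers, two of which use
# the evasions described in the thread.
SEGMENT = [
    Host("workstation", "00:11:22:33:44:01", "10.0.0.10"),
    Host("naive-sniffer", "00:11:22:33:44:02", "10.0.0.20", promiscuous=True),
    Host("rx-only-ids", "00:11:22:33:44:03", "10.0.0.30",
         promiscuous=True, tx_wired=False),
    Host("off-subnet-sniffer", "00:11:22:33:44:04", "192.168.7.5",
         promiscuous=True),
]
LOCAL_SUBNET = ["10.0.0.10", "10.0.0.20", "10.0.0.30"]  # 192.168.7.5 never probed

if __name__ == "__main__":
    for ip, verdict in scan(SEGMENT, LOCAL_SUBNET).items():
        print(f"{ip:<12} {verdict}")
```

The point for a defender is the third verdict: the receive-only IDS and the off-subnet sniffer both come back silent, so a clean ARP-probe sweep is evidence only about hosts that answered, and a quiet switch port still deserves a look at the port's link state and traffic counters rather than a pass.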
