Re: sniffer detection on switched based networks

[Rob McMillen <rvmcmil () cablespeed com>]

Take a look at snort's arpspoof preprocessor plugin.

On Wed, 5 Feb 2003, Sangram wrote:

> Hi,
>
> As we know sniffing on swithch based networks is not easy (ignoring the
> monitor port of the switch). Usually a arp spoof, DNS spoof or other such
> attacks have to be launched. There are tools like Dsniff which can
> accomplish this task quite easily.
> Now what I would like to know is there any method / tool or snort ids rule
> set which can detect such sniffers on systems esp on switch based networks.
> And here I am talking of large corporate ethernet networks. The
> considerations are that I dont want to over load the network by probing each
> w/s indivisually. And if the process is automated it would be all the more
> better.
>
> Regards
>
> Sangram Gayal
> Associate Consultant
> Enterprise Security Consulting Group
> Mahindra - British Telecom Ltd.
>
> *********************************************************
> Disclaimer
>
> This message (including any attachments) contains 
> confidential information intended for a specific 
> individual and purpose, and is protected by law. 
> If you are not the intended recipient, you should 
> delete this message and are hereby notified that 
> any disclosure, copying, or distribution of this
> message, or the taking of any action based on it, 
> is strictly prohibited.
>
> *********************************************************
> Visit us at http://www.mahindrabt.com