IDS mailing list archives

RE: sniffer detection on switched based networks


From: "Angel Rivera" <arivera () mitre org>
Date: Thu, 6 Feb 2003 09:26:58 -0500

Adding to Mr. Gayal's request, I would also be interested in ways to prevent
this type of attack. I apologize for it being slightly off the IDS subject,
but this is one finding that keeps coming up in vulnerability assessments,
and the solutions I know about (switch ACLs restricting individual MAC
addresses, which require you to inventory each network card's MAC address) are
really not practical at all.

-----Original Message-----
From: Sangram [mailto:sangram () mahindrabt com]
Sent: Wednesday, February 05, 2003 12:00 AM
To: focus-ids () securityfocus com
Subject: sniffer detection on switched based networks


Hi,

As we know, sniffing on switch-based networks is not easy (ignoring the
monitor port of the switch). Usually an ARP spoof, DNS spoof or other such
attack has to be launched. There are tools like Dsniff which can
accomplish this task quite easily.
Now what I would like to know is whether there is any method / tool or Snort IDS rule
set which can detect such sniffers on systems, esp. on switch-based networks.
And here I am talking of large corporate Ethernet networks. The
considerations are that I don't want to overload the network by probing each
w/s individually. And if the process is automated, it would be all the
better.

Regards

Sangram Gayal
Associate Consultant
Enterprise Security Consulting Group
Mahindra - British Telecom Ltd.

Visit us at http://www.mahindrabt.com
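
Added example, not part of the original messages: one passive way to watch for the ARP spoofing the thread describes is to track IP-to-MAC bindings in observed ARP traffic and alert when a binding changes, which needs no per-workstation probing. It assumes a sensor that already receives raw Ethernet frames; the class and function names, MAC addresses and 192.0.2.x addresses are constructed for illustration.

```python
import struct

def parse_arp(frame):
    """Return (sender_mac, sender_ip, eth_src) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":       # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return frame[22:28].hex(":"), sender_ip, frame[6:12].hex(":")

class ArpWatch:
    """Passively track IP-to-MAC bindings and report changes."""
    def __init__(self):
        self.ip_to_mac = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        sha, spa, eth_src = parsed
        alerts = []
        if sha != eth_src:  # ARP payload disagrees with the Ethernet header
            alerts.append(f"MISMATCH {spa}: ARP sender {sha}, Ethernet source {eth_src}")
        known = self.ip_to_mac.setdefault(spa, sha)
        if known != sha:    # an IP already seen is now claimed by a different MAC
            alerts.append(f"REBIND {spa}: {known} -> {sha}")
            self.ip_to_mac[spa] = sha
        return alerts

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build a constructed ARP frame for the demo (not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    header = mac("ff:ff:ff:ff:ff:ff") + mac(eth_src or sha) + b"\x08\x06"
    return (header + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def demo():
    gw, host, other = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"
    frames = [
        build_arp(2, gw, "192.0.2.1", host, "192.0.2.10"),     # gateway announces itself
        build_arp(1, host, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp(2, other, "192.0.2.1", host, "192.0.2.10"),  # gateway IP claimed by a new MAC
    ]
    watch = ArpWatch()
    return [alert for f in frames for alert in watch.observe(f)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Legitimate changes such as a replaced network card or a reassigned DHCP lease also produce REBIND alerts, so the output is a lead to investigate rather than proof of spoofing.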





