IDS mailing list archives
RE: Counter detect Network Sniffer
From: "Micheal Thompson" <MThompson () brinkster com>
Date: Sun, 22 Feb 2004 16:09:01 -0500
In a switched environment, the sniffer has to be on a port that is a destination for a SPAN or have poisoned the ARP tables. On a Cisco device the command for a SPAN destination is like "monitor session 1 destination fa0/1".

If a sniffer is in promiscuous mode it will not be detected, because it is listening only to the traffic on the wire and it will not ARP for IPs, so there is no ARP entry. If it is a client computer on the network then it will be even harder to catch because of the normal traffic that is generated.

But what I would do is, on Windows systems, prevent DLLs like WinPcap or libnetnt.dll from being installed. Linux-wise, check for snort and other stuff you are aware of.

The best defense for preventing sniffing on a network is to make sure every port on the network is connected to a switch, not a hub. If it is a managed switch, enforce port security (a lot of extra work). Limit access to the management interface and, if supported, enable ARP snooping. Otherwise, hope the people you are supporting are in the 99.5% range and don't have a clue what a sniffer is.

Micheal Thompson, CISSP

Technology is like being blind, going into a room and memorizing where everything is. Then the next day some sick bastard changes it all.

-----Original Message-----
From: Bill Mok [mailto:billmok2002 () yahoo com hk]
Sent: Wednesday, February 18, 2004 10:50 PM
To: focus-ids () securityfocus com
Subject: Counter detect Network Sniffer

Is there any method to detect one using a sniffer, say Ethereal, in the same network?
Current thread:
- Re: Counter detect Network Sniffer, (continued)
- Message not available
- Re: Counter detect Network Sniffer M. Dodge Mumford (Feb 24)
- RE: Counter detect Network Sniffer Fergus Brooks (Feb 25)
- Reply: Counter detect Network Sniffer Peng Xuena (Feb 25)
- Re: Counter detect Network Sniffer gatekeeper (Feb 24)