IDS mailing list archives
RE: Counter detect Network Sniffer
From: "Fergus Brooks" <fergusb () evolve-online com>
Date: Wed, 25 Feb 2004 09:14:46 +0800
Great method, I hadn't thought of that - will get most but will only get interfaces that aren't in stealth mode, interfaces without an IP address on their sniffing interfaces will not respond to these requests.

Also if you are looking for sniffers on your network that may have been placed there by slightly (or very) bent internal or external network/security staff then go no further than checking for ports that are configured as mirror/spanning ports on your switches that shouldn't be.

There has been some discussion on this thread about how switches suck for sniffing, especially if they are unconfigurable. Do remember though that locked down switches and no hubs is only part of it. Someone could run a sniffer on one of your servers and get a lot of information regardless of the way that machine connects to the network. I guess this is where HIDS can help.

Rgds..

-----Original Message-----
From: M. Dodge Mumford [mailto:dodge () nfr net]
Sent: Tuesday, 24 February 2004 11:05 PM
To: ald2003 () users sourceforge net
Cc: Bill Mok; focus-ids () securityfocus com
Subject: Re: Counter detect Network Sniffer

Aditya,

ALD [Aditya Lalit Deshmukh] said:
> M. Dodge Mumford- Send packets from bizarre network addresses, and look for DNS PTR requests.
>
> how does this work ? guess i will have to look & search with google ...
Pretty simply, really. If you run tcpdump without the -n option, it attempts to resolve IP addresses into domain names. If you inject traffic from (say) 127.1.2.3 (or any other address you should _never_ see on a live network), and then if you see a DNS PTR request for it, you know the host that sent the PTR is sniffing traffic.

--
Dodge
Current thread:
- Counter detect Network Sniffer Bill Mok (Feb 20)
- Re: Counter detect Network Sniffer Jochen Bartl (Feb 23)
- Re: Counter detect Network Sniffer M. Dodge Mumford (Feb 23)
- Message not available
- Re: Counter detect Network Sniffer M. Dodge Mumford (Feb 24)
- RE: Counter detect Network Sniffer Fergus Brooks (Feb 25)
- Message not available
- Re: Counter detect Network Sniffer Raistlin (Feb 23)
- RE: Counter detect Network Sniffer Poulsennet Securityfocus (Feb 23)
- Reply: Counter detect Network Sniffer Peng Xuena (Feb 25)
- Re: Counter detect Network Sniffer Mike Hoskins (Feb 23)
- Re: Counter detect Network Sniffer Chris Caydes (Feb 23)
- Re: Counter detect Network Sniffer gatekeeper (Feb 24)
- Re: Counter detect Network Sniffer Pablo Scherer (Feb 24)
- <Possible follow-ups>
- Re: Counter detect Network Sniffer Tace (Feb 23)
- RE: Counter detect Network Sniffer Micheal Thompson (Feb 24)