IDS mailing list archives
RE: [inbox] Re: Counter detect Network Sniffer
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 1 Mar 2004 16:21:25 -0500
Well, I'd consider it a foregone conclusion that if you're going to deliberately not participate in a network actively, you're not going to configure things so that you're making use of those sorts of protocols. It's a safe bet that "not having a valid local IP" also means not running DHCP, for example :)
-----Original Message-----
From: Curt Purdy [mailto:purdy () tecman com]
Sent: Monday, March 01, 2004 3:59 PM
To: 'Rob Shein'; 'Vel'; 'gatekeeper'; focus-ids () securityfocus com
Subject: RE: [inbox] Re: Counter detect Network Sniffer

> Rob Shein wrote:
> Actually, this isn't true. There are a number of things that can be done to avoid detection, like using an IP address that isn't on the correct subnet;
<snip>
> Vel wrote:
> How can a sniffer be run in non-promiscuous mode ?
<snip>
> It may also not work if sniffer was run non-promiscuously (i.e. snoop -P)? Is there a way to detect such sniffers? Thanks.

> You can run in promiscuous mode without fear of detection by cutting the TX wires 1&2 leaving only your RX wires. This is actually my preferred method of running an IDS to evade detection.

I am not sure what you are saying of the above (last paragraph) is not true because it is. However, I will contend with your statement as much network traffic is non-IP dependent, i.e. DHCP, ARP, etc. The only way you can absolutely guarantee non-detection of a network box is to do as I suggested.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
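The thread's point is that a sniffer with no IP address, or one behind a receive-only cable, cannot be found from the wire, so the remaining defender check is a host-side audit of interface flags on machines you administer. The script below is an added example, not code from the thread or its participants; it reads the Linux sysfs `flags` word (assumed path `/sys/class/net/<if>/flags`) and reports interfaces with IFF_PROMISC set, with a constructed sample table so it also runs offline.

```python
import os

# Interface flag bits from <linux/if.h>
IFF_UP = 0x1
IFF_PROMISC = 0x100

SYSFS_NET = "/sys/class/net"  # assumed sysfs location on Linux


def parse_flags(text: str) -> int:
    """Parse the hex flags word as stored in /sys/class/net/<if>/flags (e.g. '0x1103\\n')."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True when the interface has IFF_PROMISC set (sniffer in promiscuous mode)."""
    return bool(flags & IFF_PROMISC)


def audit_interfaces(flag_table: dict) -> list:
    """Return the sorted names of interfaces whose flags word has IFF_PROMISC set.

    flag_table maps interface name -> raw contents of its sysfs flags file.
    """
    return sorted(name for name, raw in flag_table.items()
                  if is_promiscuous(parse_flags(raw)))


def read_sysfs_flags(root: str = SYSFS_NET) -> dict:
    """Collect the raw flags file of every interface; empty dict when sysfs is absent."""
    table = {}
    if not os.path.isdir(root):
        return table
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                table[name] = fh.read()
        except OSError:
            continue  # virtual entries without a flags file
    return table


# Constructed sample: lo = UP|LOOPBACK (0x9); eth0 = 0x1003 plus IFF_PROMISC (0x1103); eth1 = 0x1003
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}

if __name__ == "__main__":
    live = read_sysfs_flags()
    table = live if live else SAMPLE_FLAGS
    print("promiscuous interfaces:", audit_interfaces(table) or "none")
```

A non-promiscuous capture such as `snoop -P` from the thread leaves this bit clear, so the check only finds the promiscuous case the thread distinguishes it from.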