IDS mailing list archives

RE: [inbox] Re: Counter detect Network Sniffer


From: "Curt Purdy" <purdy () tecman com>
Date: Mon, 1 Mar 2004 14:58:32 -0600

Rob Shein wrote:
Actually, this isn't true.  There are a number of things that can be done to
avoid detection, like using an IP address that isn't on the correct subnet;
<snip>

Vel wrote:

How can a sniffer be run in non-promiscuous mode?

<snip>

It may also not work if the sniffer was run non-promiscuously (i.e.
snoop -P)? Is there a way to detect such sniffers? Thanks.

You can run in promiscuous mode without fear of detection by
cutting the TX wires 1&2, leaving only your RX wires.  This is
actually my preferred method of running an IDS to evade detection.

I am not sure why you say the above (last paragraph) is not true,
because it is.  However, I will contend with your statement, as much network
traffic is non-IP dependent, i.e. DHCP, ARP, etc.  The only way you can
absolutely guarantee non-detection of a network box is to do as I suggested.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
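Added example, not part of the thread: a small audit script for the software approximation of Curt's cut-TX-wire cable. It assumes a Linux sensor with sysfs and iproute2, and checks that a capture interface (assumed name eth1) has no IPv4/IPv6 address, ARP disabled and IPv6 off, so the kernel never emits the ARP, DHCP or neighbour-discovery traffic that would give the box away. It does not replace the physical cable; a NIC with link-up still talks to the switch at layer 1.

```python
# Added example, not from the thread. Checks a Linux capture interface for the settings
# that keep the sensor silent: promiscuous, NOARP, no addresses, IPv6 disabled.
import subprocess
from typing import List

# Flag bits from <linux/if.h>; /sys/class/net/<iface>/flags reports the word in hex.
IFF_UP = 0x1
IFF_NOARP = 0x80
IFF_PROMISC = 0x100

def audit_flags(flags: int) -> List[str]:
    """Return human-readable findings for an interface flag word (empty list = clean)."""
    findings = []
    if not flags & IFF_UP:
        findings.append("interface is down, nothing will be captured")
    if not flags & IFF_PROMISC:
        findings.append("promiscuous mode is off, only unicast to this MAC will be seen")
    if not flags & IFF_NOARP:
        findings.append("NOARP not set, the kernel may still emit or answer ARP")
    return findings

def addresses_in_ip_output(text: str) -> List[str]:
    """Parse `ip -o addr show dev <iface>` output; any inet/inet6 address is a finding,
    including a link-local fe80:: address, which triggers IPv6 neighbour discovery."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in ("inet", "inet6") and i + 1 < len(tokens):
                found.append(tokens[i + 1])
    return found

def audit_interface(iface: str) -> List[str]:
    """Run the live checks on a real interface (requires Linux sysfs and iproute2)."""
    with open(f"/sys/class/net/{iface}/flags") as f:
        findings = audit_flags(int(f.read().strip(), 16))
    out = subprocess.run(["ip", "-o", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    findings += [f"address configured: {a}" for a in addresses_in_ip_output(out)]
    with open(f"/proc/sys/net/ipv6/conf/{iface}/disable_ipv6") as f:
        if f.read().strip() != "1":
            findings.append("IPv6 enabled, kernel will send MLD/ND on link-up")
    return findings

if __name__ == "__main__":
    import sys  # interface name is an assumption; pass your sensor NIC as argv[1]
    for problem in audit_interface(sys.argv[1] if len(sys.argv) > 1 else "eth1"):
        print("WARN:", problem)
```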

