Re: sniffer/promisc detector

["Alexei Roudnev" <alex () relcom net>]

The best anty-sniffer is HoneyPot (it is a method, not a tool). Create so
many false information (and track it's usage) that hackers will be catched
before they do something really wrong.

Who do not know - look onto the standard, cage like, mouse - trap with a
piece of cheese inside. -:)

----- Original Message ----- 
From: "Rubens Kuhl Jr." <rubens () email com>
To: <nanog () merit edu>
Sent: Friday, January 16, 2004 3:18 PM
Subject: Re: sniffer/promisc detector


> That is a battle that was lost at its beginning: the Ethernet 802.1d
> paradigm of "don't know where to send the packet, send it to all ports,
> forget where to send packets every minute" is the weak point.
> There are some common mistakes that sniffing kits do, that can be used to
> detect them (I think antisniff implements them all), but a better approach
> is to make to promisc mode of no gain unless the attacker compromises the
> switch also. In Cisco-world, the solution is called Private VLANs.
> Nortel/Bay used to have ports that could belong to more than one VLAN,
> probably every other swith vendor has its own non-IEEE 802 compliant way
of
> making a switched network more
> secure.
>
>
> Rubens
>
>
> ----- Original Message ----- 
> From: "Gerald" <gcoon () inch com>
> To: <nanog () merit edu>
> Sent: Friday, January 16, 2004 8:35 PM
> Subject: sniffer/promisc detector
>
>
> > Subject says it all. Someone asked the other day here for sniffers. Any
> > progress or suggestions for programs that detect cards in promisc mode
or
> > sniffing traffic?
> >
> > Gerald