Bugtraq mailing list archives
Re: detecting sniffers is downright easy
From: fc () all net (Dr. Frederick B. Cohen)
Date: Wed, 10 May 1995 11:35:49 -0400 (EDT)
> Dr. Frederick B. Cohen says:
> > I thought I would mention that detecting sniffers from a real-world point of view is downright easy in almost all cases.
> >
> > The vast majority of real-world sniffers reported to date are software sniffers of one of two varieties:
> >
> > 1 - DOS programs using the network interface in promiscuous mode.
> > 2 - Unix programs modifying OS software to observe packets.
> >
> > The total number of (1) programs in widespread use comes to only 10-20 and is certainly under 100. Current virus scanning technology makes detection of these cases trivial by simply adding patterns for them into your existing virus scanning software.
>
> What if it isn't your machine? What if the sniffer is running on a tap on your network? This is by far the case that my clients have to worry about the most.

This is not a subject for bugtraq, which is only related to Unix security.

> > All current (2) programs can be detected by comparing the OS programs with their original distribution versions using MD5 or a similar cryptographic checksum technique.
>
> Again, what if it isn't your machine?

This is not a subject for bugtraq, which is only related to Unix security.

> As I've said, repeatedly, if you have three or four thousand machines in a dozen cities on three continents (a common enough situation) there are literally tens of thousands of miles of cabling that you do not control and have no way to physically secure. Cryptography is, in the real world, the only practical method to secure your lines -- you can't guarantee that the physical lines are secure in the real world.

This is not a subject for bugtraq, which is only related to Unix security.

> Therefore, your initial comment:
> > I thought I would mention that detecting sniffers from a real-world point of view is downright easy in almost all cases.
> is as bogus as everything else you say.

Well, of course there are a lot of other ways to detect sniffers that are both inexpensive and highly effective in the environment you describe, but this is not a subject for bugtraq, which is only related to Unix security. So perhaps you should take this discussion elsewhere.

-- 
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \ /\/      | Check out info-security heaven and test your system
  \/\ /\/   | for known vulnerabilities (1st time for free) at URL:
   \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
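The second detection method quoted in the message above (comparing installed OS programs against known-good distribution copies with a cryptographic checksum), worked through as an added example. This is not code from the original post or from any tool it mentions. It assumes Python 3, uses SHA-256 in place of the MD5 of the 1995 text (MD5 is no longer collision-resistant, and the post itself allows "a similar cryptographic checksum technique"), and builds its sample "binaries" in a temporary directory; the program names in.telnetd, login and ifconfig are hypothetical stand-ins.

```python
"""Baseline-and-verify integrity check for system programs.

Added example (not from the original post). Records a digest of each
trusted program, then re-hashes the installed copies and reports any
that were modified or removed, which is how a sniffer that patches OS
software to observe packets would show up. SHA-256 replaces MD5.
"""
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, names):
    """Map program name -> digest. Take this from trusted distribution media,
    never from a host that may already be compromised."""
    return {name: file_digest(os.path.join(root, name)) for name in names}


def verify(root, baseline):
    """Compare installed programs with the baseline.

    Returns name -> 'ok' | 'modified' | 'missing'.
    """
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif file_digest(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario: baseline three stand-in programs, then tamper
    with one and delete another, as a trojaned install might."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed file contents; these are not real ELF images.
        programs = {
            "in.telnetd": b"\x7fELF original telnetd image (constructed)",
            "login": b"\x7fELF original login image (constructed)",
            "ifconfig": b"\x7fELF original ifconfig image (constructed)",
        }
        for name, data in programs.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        baseline = build_baseline(root, programs)

        # Simulate a patched login that now records credentials.
        with open(os.path.join(root, "login"), "ab") as f:
            f.write(b" + appended credential-logging stub")
        # Simulate a removed tool (e.g. replaced by one that hides PROMISC).
        os.remove(os.path.join(root, "ifconfig"))

        return verify(root, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:12s} {status}")
```

Two practical caveats apply. The baseline, and the hashing program that checks it, must come from read-only or offline media the monitored host cannot rewrite; a host whose OS has already been modified can otherwise report whatever it likes. And the check only covers hosts you administer: a passive tap on the cable leaves nothing on any of your disks to compare against, which is the case the other side of this thread is raising.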