IDS mailing list archives
Re: sniffer detection on switched based networks
From: Brett Harris <bsdbrett () yahoo com au>
Date: Thu, 6 Feb 2003 12:00:23 +1100 (EST)
Hi Sangram,

arpwatch [ http://online.securityfocus.com/tools/142 ] keeps a database of IP/ARP pairings and generates logs or emails reporting any changes. That way, if a machine running arpwatch is spoofed, the logs know about it. Since arpwatch is completely passive (only inspecting packets, not transmitting any), it won't clog your network up with any extra packets.

Many operating systems can be told to ignore changes to their ARP cache, so attempting to spoof that machine fails, because it won't accept the new MAC address.

ettercap [ http://ettercap.sourceforge.net/ ] is a program that makes ARP spoofing mindlessly simple. It's worth checking out, just to see what would-be bad guys can use. Ettercap has forums on their page which sometimes deal with topics of detection/prevention etc.

I'm not aware of much else that can be done to detect such attacks, particularly passively.

Hope this was some help.

Regards,
Brett
bmh.youth-it.com
As we know, sniffing on switch-based networks is not easy (ignoring the monitor port of the switch). Usually an ARP spoof, DNS spoof or other such attacks have to be launched. There are tools like Dsniff which can accomplish this task quite easily. Now what I would like to know is: is there any method / tool or Snort IDS rule set which can detect such sniffers on systems, esp. on switch-based networks? And here I am talking of large corporate Ethernet networks. The considerations are that I don't want to overload the network by probing each w/s individually. And if the process is automated it would be all the better.

Regards,
Sangram Gayal
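The passive detection Brett describes (keep an IP-to-MAC table, report every change, transmit nothing) is small enough to show in full. The block below is an added example written for this archive page; it is not arpwatch's code and not part of the thread. It parses raw Ethernet/ARP frames, keeps an arpwatch-style table, and reports "new station", "changed ethernet address" and "flip flop" events, plus one extra check arpwatch's default reports do not make: an ARP sender address that disagrees with the frame's own Ethernet source MAC. The hosts, MACs and the poisoning reply are constructed sample traffic, and the function and class names are this example's own.

```python
"""Passive, arpwatch-style ARP monitor over raw Ethernet frames (added example, not arpwatch)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # source MAC from the Ethernet header
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(src), op, _mac(sha), _ip(spa), _ip(tpa))


class ArpWatcher:
    """Keeps an IP -> MAC table and reports every change. Only reads frames, never sends."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}       # current binding per IP
        self.seen: Dict[str, Set[str]] = {}   # every MAC ever claimed for an IP
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> List[str]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        found: List[str] = []
        # A sender hardware address that differs from the frame's source MAC was hand-crafted.
        if arp.sender_mac != arp.eth_src:
            found.append(f"sender mismatch {arp.sender_ip}: frame {arp.eth_src}, arp {arp.sender_mac}")
        known = self.table.get(arp.sender_ip)
        if known is None:
            found.append(f"new station {arp.sender_ip} {arp.sender_mac}")
        elif known != arp.sender_mac:
            # A return to a MAC seen before is a "flip flop": a spoofer and the real host fighting over the IP.
            if arp.sender_mac in self.seen.get(arp.sender_ip, set()):
                found.append(f"flip flop {arp.sender_ip} {arp.sender_mac} (was {known})")
            else:
                found.append(f"changed ethernet address {arp.sender_ip} {arp.sender_mac} (was {known})")
        self.table[arp.sender_ip] = arp.sender_mac
        self.seen.setdefault(arp.sender_ip, set()).add(arp.sender_mac)
        self.alerts.extend(found)
        return found


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None) -> bytes:
    """Assemble a 42-byte ARP frame. Used only to construct the sample traffic below."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    return (mac(eth_dst) + mac(eth_src or sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


# Constructed sample traffic (hypothetical addresses): normal resolution, an ettercap-style
# poisoning reply claiming the gateway's IP, then the real gateway speaking again.
GATEWAY_MAC, HOST_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:05", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, GATEWAY_MAC, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.5"),
    build_arp(ARP_REPLY, HOST_MAC, "10.0.0.5", GATEWAY_MAC, "10.0.0.1"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", HOST_MAC, "10.0.0.5"),
    build_arp(ARP_REQUEST, GATEWAY_MAC, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.7"),
]


def run_sample() -> List[str]:
    watcher = ArpWatcher()
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On a real segment the frames would come from a raw socket bound to the monitor port (on Linux, `socket.AF_PACKET` with `ETH_P_ALL`), so the monitor adds no traffic of its own, which was Sangram's constraint. The "new station" lines are noise on a large network until the table has been learned; "changed ethernet address" and especially "flip flop" on the gateway's IP are the events worth paging on. Note that a legitimate NIC replacement or a failover pair sharing an IP also produces a change, so the table needs a way to accept known-good updates, much as arpwatch keeps its database file.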
Current thread:
- sniffer detection on switched based networks Sangram (Feb 05)
- Re: sniffer detection on switched based networks Rob McMillen (Feb 06)
- Re: sniffer detection on switched based networks Brett Harris (Feb 06)
- RE: sniffer detection on switched based networks Angel Rivera (Feb 06)