[638] in Intrusion Detection Systems
Sniffer Detection
daemon@ATHENA.MIT.EDU (Nathan Gentry)
Sun Feb 25 19:45:11 1996
From: Nathan Gentry <ngentry@ibl.bm>
To: "'ids@uow.edu.au'" <ids@uow.edu.au>
Date: Sat, 24 Feb 1996 14:17:03 -0500
Reply-To: ids@uow.edu.au
Chris Steel wrote:
>> What about sniffing inside a firewall. Is there any way yet of possibly detecting a sniffer?
I participated in a study of this sometime back. Summary, not very likely.
A sniffer opens a network adapter in promiscuous mode (all packets accepted regardless of destination address). On Ethernet detection was almost impossible. A 10BaseT port that is open but has not seen any packets transmitted was a trait of the commercial sniffers.
On Token Ring, the sniffer would have to participate in the Ring Poll. You can scan DLC addresses for manufacturer prefixes of known sniffer makers. Also in an IBM environment, most commercial sniffers will respond to Lan Network Manager polls with an "IBMNM Trace Tool Present" broadcast.
Using sniffer software on a general purpose workstation seemed to be undetectable on both topologies.
FWIW,
Nathan
~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~
Nathan Gentry
VP Network Services
Spectrum Technologies, Bermuda
Internetworking and Security Consultants
(441) 296-2578 Tel ngentry@ibl.bm
(441) 296-2581 Fax spectrum@ibl.bm
~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~~~~~~~~~@~~~~~~~~~~
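Since the post concludes that a promiscuous adapter is nearly invisible from the wire, the practical defensive counterpart is a check on the host itself. The following is an added example, not code from Nathan's post or the ids list: it reads each interface's flag word from Linux sysfs and tests the IFF_PROMISC bit; the interface names and values in SAMPLE are constructed.

```python
"""Host-side check for network adapters left in promiscuous mode.

A sniffer puts the adapter into promiscuous mode (it accepts every frame
regardless of destination address). On Linux the kernel exposes each
interface's flag word in /sys/class/net/<iface>/flags as a hex string, so
a local audit can test that word for IFF_PROMISC. Assumes a Linux host.
"""
import os

IFF_PROMISC = 0x100  # bit value from <linux/if.h>


def parse_flags(text: str) -> int:
    """sysfs prints the flag word as hex with a trailing newline, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Return the sorted names of interfaces whose flag word has IFF_PROMISC set.

    Input maps interface name -> raw contents of its sysfs 'flags' file.
    """
    return sorted(
        name for name, raw in flags_by_iface.items()
        if parse_flags(raw) & IFF_PROMISC
    )


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Collect the raw 'flags' file for every interface under root."""
    result = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # entries without a readable flags file
    return result


# Constructed sample mirroring real sysfs output:
# lo = UP|LOOPBACK, eth0 = UP|BROADCAST|MULTICAST, eth1 = eth0's flags plus IFF_PROMISC.
SAMPLE = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    live = read_sysfs_flags() if os.path.isdir("/sys/class/net") else SAMPLE
    for iface in promiscuous_interfaces(live):
        print(f"{iface}: promiscuous mode enabled")
```

Capture tools that raise promiscuity through a packet socket rather than SIOCSIFFLAGS may not show up in this flag word on newer kernels, so treat the kernel log line "entered promiscuous mode" as the complementary signal.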