[654] in Intrusion Detection Systems
Re: Sniffer Detection
daemon@ATHENA.MIT.EDU (Michel Lavondes)
Sun Mar 3 11:09:34 1996
To: ids@uow.edu.au
In-Reply-To: Your message of "Mon, 26 Feb 1996 07:52:40 CST."
<199602261352.HAA09836@shiva.ee.siue.edu>
Date: Thu, 29 Feb 1996 10:52:44 +0000
From: Michel Lavondes <lavondes@tidtest.total.fr>
Reply-To: ids@uow.edu.au
In message <199602261352.HAA09836@shiva.ee.siue.edu>, Arve Kjoelen writes:
> > >>What about sniffing inside a firewall. Is there any way yet of possibly
> > >>detecting a sniffer?
> >
> > I participated in a study of this sometime back. Summary, not very likely.
> <snip>
>
> Unless, of course, the network admin has access to all machines within the
> firewall and (s)he can get the NIC to report that it is in promiscuous
> mode.
>
> -Arve.
>
> akjoele@ee.siue.edu
This may have been suggested before, but what about tricking the
machine into answering a packet it would receive only if in
promiscuous mode? For instance, send it a packet with its own
IP address as destination, but with the wrong MAC address? AFAIR,
most implementations don't bother to check for inconsistencies.
Am I missing something?
Michel Lavondes (lavondes@tidtest.total.fr)
#include <disclaimer.h>
** CDA warning : don't read this if you're under 18 **
Don't whistle while you piss
Hagbard Celine
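
The check proposed in the message above, as an added example that is not part of the original post: it builds an ICMP echo request addressed to the suspect host's IP but framed to a MAC address the host does not own, and decides whether a captured frame is that host's answer. The choice of ICMP echo, the function names, and all addresses are assumptions made for illustration; the reply is simulated so the sketch runs offline.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (0 when run over data with a valid checksum)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_probe(src_mac, src_ip, dst_ip, bogus_mac, ident=0x1996, seq=1):
    """ICMP echo request to the suspect's real IP, framed to a MAC it does not own."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac(bogus_mac) + mac(src_mac) + b"\x08\x00" + ip + icmp

def is_reply_to_probe(frame, suspect_ip, ident=0x1996, seq=1):
    """True if frame is an echo reply from suspect_ip matching our probe."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return False
    if frame[26:30] != socket.inet_aton(suspect_ip):
        return False
    icmp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(icmp) < 8:
        return False
    typ, _, _, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return typ == 0 and (rid, rseq) == (ident, seq) and checksum(icmp) == 0

def simulate_reply(probe, real_mac):
    """Constructed stand-in for the answer a promiscuous, non-checking host sends."""
    icmp = b"\x00\x00\x00\x00" + probe[38:]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = probe[14:24] + b"\x00\x00" + probe[30:34] + probe[26:30]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return probe[6:12] + mac(real_mac) + b"\x08\x00" + ip + icmp

# Constructed sample values: locally administered MACs, RFC 5737 addresses.
PROBE = build_probe("02:00:00:00:00:01", "192.0.2.10", "192.0.2.20", "02:00:00:de:ad:01")
REPLY = simulate_reply(PROBE, "02:00:00:00:00:02")
print("suspect answered mis-addressed probe:", is_reply_to_probe(REPLY, "192.0.2.20"))
```

A host that stays silent here but answers the same request framed to its real MAC is filtering on the hardware address; silence to both says nothing either way.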