Re: detecting sniffers is downright easy
Perry E. Metzger (perry@imsi.com)
Wed, 10 May 1995 11:34:29 -0400
- Next message: MIGUEL ESTEVES: "imp vs. imp. END !!"
- Previous message: Dr. Frederick B. Cohen: "Re: detecting sniffers is downright easy"
- In reply to: Dr. Frederick B. Cohen: "detecting sniffers is downright easy"
- Next in thread: Dr. Frederick B. Cohen: "Re: detecting sniffers is downright easy"
Dr. Frederick B. Cohen says:
> I thought I would mention that detecting sniffers from a real-world
> point of view is downright easy in almost all cases.
> The vast majority of real-world sniffers reported to date are software
> sniffers of one of two varieties:
>
> 1 - DOS programs using the network interface in promiscuous mode.
> 2 - Unix programs modifying OS software to observe packets.
>
> The total number of (1) programs in widespread use comes to only 10-20
> and is certainly under 100. Current virus scanning technology makes
> detection of these cases trivial by simply adding patterns for them into
> your existing virus scanning software.

What if it isn't your machine? What if the sniffer is running on a tap
on your network? This is by far the case that my clients have to worry
about the most.

> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique.

Again, what if it isn't your machine?

As I've said, repeatedly, if you have three or four thousand machines
in a dozen cities on three continents (a common enough situation)
there are literally tens of thousands of miles of cabling that you do
not control and have no way to physically secure. Cryptography is, in
the real world, the only practical method to secure your lines -- you
can't guarantee that the physical lines are secure in the real world.

Therefore, your initial comment:

> I thought I would mention that detecting sniffers from a real-world
> point of view is downright easy in almost all cases.

is as bogus as everything else you say.

Perry