Re: IDS: RE: detecting a sniffer remotely
Robert Graham (robert_david_graham@yahoo.com)
Thu, 14 Oct 1999 06:34:39 -0700 (PDT)
- Next message: Dug Song: "Re: IDS: Fragmentation Question"
- Previous message: Robert Graham: "Re: IDS: Does anyone have the NAI advisory IDS product vulnerabilities paper?"
- Maybe in reply to: Conacher, Christopher J: "IDS: Does anyone have the NAI advisory IDS product vulnerabilities paper?"
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
--- "Hunt, Charles" <chuntikon.com> wrote:
> have you tried l0pht's antisniff product?
> ---
> Hi there,
>
> I've tried to detect a sniffer (ethernet card in PROMISCUOUS)
> remotely without result.
>
> Does anyone know if it's possible to detect remotely a sniffing host
> (especially without knowing its IP or MAC address)?
AntiSniff has a small bag of tricks, but they are not very reliable -- it isn't supposed to be. In the range of technologies, something like a packet filtering firewall is absolutely reliable, intrusion detection technology is somewhat reliable, but detecting sniffers is very hit or miss. If it doesn't work, there are a huge number of variables that would affect why.

Yes, it is possible to detect a remotely sniffing host with knowing its IP address or MAC address. Send out a ping to an IP address, then sniff yourself to see if anybody does a reverse lookup on it. That is one of the many tricks in AntiSniff's bag-o-tricks, but of course lots of sniffers don't do reverse-DNS lookups; some wait until a user actually does a protocol decode on the contents, which may be months later.
You might consider the little "sniffer detection guide" at: http://www.robertgraham.com/pubs/sniffing-faq.html#detect
=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming dates with 2-digits again."

__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com
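The reverse-lookup trick Robert describes above (ping an otherwise unused bait address, then watch for anyone issuing a PTR query for it) boils down to matching DNS queries against one reverse name. The script below is an added example, not code from the post or from AntiSniff: it builds the in-addr.arpa name for a bait address with Python's ipaddress module, parses a constructed DNS query log in a made-up "<timestamp> client <ip> query <qname> <qtype>" format (assumed, not any resolver's real format), and reports the clients that reverse-resolved the bait. The bait address 10.0.0.250, the client addresses and the resolver 10.0.0.53 are all constructed sample values.

```python
"""Flag hosts that reverse-resolve a bait address (added example, hypothetical log format)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Constructed sample of a DNS query log. The format is an assumption for this
# example: "<timestamp> client <ip> query <qname> <qtype>".
SAMPLE_LOG = """\
1999-10-14T06:30:01 client 10.0.0.17 query 250.0.0.10.in-addr.arpa PTR
1999-10-14T06:30:02 client 10.0.0.42 query www.example.com A
1999-10-14T06:30:03 client 10.0.0.42 query 1.0.0.10.in-addr.arpa PTR
1999-10-14T06:30:04 client 10.0.0.53 query 250.0.0.10.in-addr.arpa. PTR
this line is not in the expected format and is skipped
"""


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    client: str
    qname: str   # normalised: lower-case, no trailing dot
    qtype: str   # normalised: upper-case


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4 or IPv6 address, without trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_query_log(text: str) -> List[DnsQuery]:
    """Parse the constructed log format; lines that do not match are ignored."""
    queries: List[DnsQuery] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != "client" or parts[3] != "query":
            continue
        queries.append(DnsQuery(
            ts=parts[0],
            client=parts[2],
            qname=parts[4].rstrip(".").lower(),
            qtype=parts[5].upper(),
        ))
    return queries


def find_reverse_lookups(queries: Iterable[DnsQuery], bait_ip: str,
                         known_resolvers: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the sorted list of clients that asked for the bait's PTR record.

    known_resolvers lets you exclude your own recursive resolvers, which will
    forward the query upstream and would otherwise show up as suspects.
    """
    target = ptr_name(bait_ip)
    suspects = {
        q.client for q in queries
        if q.qtype == "PTR" and q.qname == target and q.client not in known_resolvers
    }
    return sorted(suspects)


if __name__ == "__main__":
    hits = find_reverse_lookups(parse_query_log(SAMPLE_LOG), "10.0.0.250",
                                known_resolvers=frozenset({"10.0.0.53"}))
    for client in hits:
        print(f"{client} reverse-resolved bait address 10.0.0.250")
```

The bait must be an address nothing legitimately talks to, otherwise ordinary hosts will resolve it too; and, as the post says, a sniffer that never resolves names (or only resolves them when someone decodes the capture later) produces no hit at all, so an empty result is not evidence that the segment is clean.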
This archive was generated by hypermail 2.0b3 on Thu Oct 14 1999 - 19:03:19 CDT