
Re: IDS: building an IDS



FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

--- laurent van-cauwelaert <Laurent.Van-Cauwelaert@epita.fr> wrote:

> i've never even used a computer.

Please use capitalization. All lower-case hurts the eyes.


> question of the day:
> how do i detect a sniffer?
> 
> first i wanted to send a packet to every possible address on my
> network and look whether the promiscuous bit was set, but with 48-bit
> MAC addresses, i think i can suppose that it's quite inefficient and stupid,
> but it works, so i'm waiting for some better solution

There is no "promiscuous bit". There is no guaranteed method that works.

The most effective way is to send ARP packets for every IP address on your
segment (usually less than 255 addresses) to a non-broadcast MAC address. Only
machines in promiscuous mode will see those ARP packets and respond. I.e. if
you send ARP:

Ethernet header:   destination MAC address = 00 11 22 33 44 55
ARP header:        IP address = 192.168.10.123

and machine 192.168.10.123 responds, then you know that it is running in
promiscuous mode.

This technique sometimes works on switched networks, because of the way they
flood unknown MAC addresses.

For detecting sniffers on remote segments, you can try loose source routing in
IP packets in order to force pings to pass by each of the target machines. Look
at the TTL field to discriminate between normal responses and ones that came
back due to the source routing. This technique doesn't work on the Internet in
general because a lot of core routers don't forward source routed packets.

Rob.
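The ARP probe Rob describes, as an added example that is not part of the list post: it builds the request for 192.168.10.123 inside an Ethernet frame addressed to the non-broadcast MAC 00:11:22:33:44:55, parses raw ARP frames, and picks the promiscuous hosts out of a captured set of replies. Actually transmitting and capturing frames needs a raw socket (root), which is left out here; the probing host's MAC and IP, the sample reply and the noise frame are constructed.

```python
import struct

ETH_P_ARP = 0x0806                     # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BOGUS_DST_MAC = "00:11:22:33:44:55"    # unicast MAC owned by no host (from the post)

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def fmt_ip(b): return ".".join(str(x) for x in b)

def arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Raw Ethernet II frame carrying one ARP packet (42 bytes, unpadded)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6- and 4-byte addresses
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def build_probe(my_mac, my_ip, target_ip):
    """ARP request for target_ip whose Ethernet destination is the bogus unicast MAC.
    A NIC in normal mode drops it (not its own MAC, not broadcast); only a host whose
    NIC is in promiscuous mode passes it to the ARP stack, which then replies."""
    return arp_frame(BOGUS_DST_MAC, my_mac, ARP_REQUEST,
                     my_mac, my_ip, "00:00:00:00:00:00", target_ip)

def parse_arp(frame):
    """ARP fields of a raw frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28], "spa": fmt_ip(frame[28:32]),
            "tha": frame[32:38], "tpa": fmt_ip(frame[38:42])}

def promiscuous_responders(captured_frames, probed_ips):
    """IPs that answered a probe no normal-mode NIC should have accepted.
    A heuristic, as the post says: a host that stays silent is not proven clean."""
    hits = set()
    for frame in captured_frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["spa"] in probed_ips:
            hits.add(arp["spa"])
    return sorted(hits)

# Constructed sample capture: only 192.168.10.123 answers, so it is sniffing.
MY_MAC, MY_IP = "00:0c:29:aa:bb:cc", "192.168.10.1"
REPLY_FROM_123 = arp_frame(MY_MAC, "00:50:56:12:34:56", ARP_REPLY,
                           "00:50:56:12:34:56", "192.168.10.123", MY_MAC, MY_IP)
NOISE = b"\x00" * 60   # unrelated non-ARP frame that must be ignored
```

To use it on a real segment, send `build_probe(...)` for each address with a raw socket and feed the frames captured afterwards to `promiscuous_responders`.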
