Re: IDS: building an IDS

[Ace24 <ace24@gmx.net>]

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Wednesday, 19 May 1999, laurent wrote:

> HI there,

> i m specially looking for information on : everything
Check out http://www.nfr.net for an IDS (research version is
free/includes source code)

> how do i detect sniffer?

> first i ve wanted to send a packet to every possible adress on my
> network and looking if the promiscious bit was set, but with 48 bits
> MAC adress, i think i can suppose that it's quite ineficient and stupid,
> but it works, so i m waiting for some better solution

Well only way to really test is on the machine itself, but a good way
is to check through hacked arp packets (as noted by Robert Graham).
Check out neped, it does exactly that: http://www.apostols.org/projectz/neped
There is a complete explanation on how it works. Sadly its in
spanish, but if you go to the bottom of the page, there is a link to
the latest version of the program.

> laurent van cauwelaert (shredder for my friends)
> van-ca_l@epita.fr

Sorry for the delay in replying, i've been way too busy :/


- Ace24 (ace24@gmx.net)
Senior Admin at morrilton.net
PGP key available, mail ace24@gmx.net with "PGP KEY REQUEST" in the subject line.