The best anty-sniffer is HoneyPot (it is a method, not a tool). Create so many false information (and track it's usage) that hackers will be catched before they do something really wrong. Who do not know - look onto the standard, cage like, mouse - trap with a piece of cheese inside. -:) ----- Original Message ----- From: "Rubens Kuhl Jr." <rubens@email.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 3:18 PM Subject: Re: sniffer/promisc detector
That is a battle that was lost at its beginning: the Ethernet 802.1d paradigm of "don't know where to send the packet, send it to all ports, forget where to send packets every minute" is the weak point. There are some common mistakes that sniffing kits do, that can be used to detect them (I think antisniff implements them all), but a better approach is to make to promisc mode of no gain unless the attacker compromises the switch also. In Cisco-world, the solution is called Private VLANs. Nortel/Bay used to have ports that could belong to more than one VLAN, probably every other swith vendor has its own non-IEEE 802 compliant way
of
making a switched network more secure.
Rubens
----- Original Message ----- From: "Gerald" <gcoon@inch.com> To: <nanog@merit.edu> Sent: Friday, January 16, 2004 8:35 PM Subject: sniffer/promisc detector
Subject says it all. Someone asked the other day here for sniffers. Any progress or suggestions for programs that detect cards in promisc mode
or
sniffing traffic?
Gerald