> > > Dr. Frederick B. Cohen says:
> > I thought I would mention that detecting sniffers from a real-world
> > point of view is downright easy in almost all cases.
> >
> > The vast majority of real-world sniffers reported to date are software
> > sniffers of one of two varieties:
> >
> > 1 - DOS programs using the network interface in promiscuous mode.
> > 2 - Unix programs modifying OS software to observe packets.
> >
> > The total number of (1) programs in widespread use comes to only 10-20
> > and is certainly under 100. Current virus scanning technology makes
> > detection of these cases trivial by simply adding patterns for them into
> > your existing virus scanning software.
>
> What if it isn't your machine? What if the sniffer is running on a tap
> on your network? This is by far the case that my clients have to worry
> about the most.

This is not a subject for bugtraq, which is only related to Unix security.

> > All current (2) programs can be detected by comparing the OS programs
> > with their original distribution versions using MD5 or a similar
> > cryptographic checksum technique.
>
> Again, what if it isn't your machine?

This is not a subject for bugtraq, which is only related to Unix security.

> As I've said, repeatedly, if you have three or four thousand machines
> in a dozen cities on three continents (a common enough situation)
> there are literally tens of thousands of miles of cabling that you do
> not control and have no way to physically secure. Cryptography is, in
> the real world, the only practical method to secure your lines -- you
> can't guarantee that the physical lines are secure in the real world.

This is not a subject for bugtraq, which is only related to Unix security.

> Therefore, your initial comment:
> > I thought I would mention that detecting sniffers from a real-world
> > point of view is downright easy in almost all cases.
> is as bogus as everything else you say.
Well, of course there are a lot of other ways to detect sniffers that are both inexpensive and highly effective in the environment you describe, but this is not a subject for bugtraq, which is only related to Unix security. So perhaps you should take this discussion elsewhere.

--
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Check out info-security heaven and test your system for known
vulnerabilities (1st time for free) at URL: http://all.net:8080
(scans deeper than SATAN or ISS)
ASIS "Security Management" Articles and Information On-Line
Read "Protection and Security on the Information Superhighway"
John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
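The quoted point about catching case (2) sniffers by comparing OS programs against their original distribution versions with a cryptographic checksum, as an added example that is not part of this thread: a baseline manifest is built from a pristine tree, a later state is hashed the same way, and any modified, missing or unexpected file is reported. It uses SHA-256 in place of the MD5 the post mentions (MD5 is no longer collision-resistant); the directory layout and file contents are constructed for the demo.

```python
"""Baseline integrity check: hash every file under a tree, then compare a
later state of that tree against the stored manifest."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Map each regular file (POSIX-style relative path) under root to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Classify differences between the trusted baseline and the current state.
    The baseline must come from distribution media or another trusted store;
    a manifest kept on the host being checked can be edited along with the binaries."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    missing = sorted(f for f in baseline if f not in current)
    added = sorted(f for f in current if f not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: a pristine 'distribution' tree, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "bin").mkdir()
        (tree / "bin" / "login").write_bytes(b"original login binary")
        (tree / "bin" / "ls").write_bytes(b"original ls binary")
        baseline = build_manifest(tree)  # what a trusted distribution would provide
        # Simulated tampering: a replaced login, a deleted tool, an unexpected binary.
        (tree / "bin" / "login").write_bytes(b"replaced login binary")
        (tree / "bin" / "ls").unlink()
        (tree / "bin" / "extra").write_bytes(b"unexpected binary")
        return compare_manifests(baseline, build_manifest(tree))


if __name__ == "__main__":
    print(demo())
```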