
RE: sniffer detection on switched based networks

From: Angel Rivera <arivera(at)mitre.org>
Date: Thu Feb 06 2003 - 09:26:58 EST


Adding to Mr. Gayal's request, I would also be interested in ways to prevent this type of attack. I apologize for it being slightly off the IDS subject, but this is one finding that keeps coming up in vulnerability assessments, and the solutions I know about (switch ACLs restricting individual MAC addresses, which requires you to inventory each network card's MAC address) are really not practical at all.

-----Original Message-----
From: Sangram [mailto:sangram@mahindrabt.com]
Sent: Wednesday, February 05, 2003 12:00 AM
To: focus-ids@securityfocus.com
Subject: sniffer detection on switched based networks

Hi,

As we know, sniffing on switch-based networks is not easy (ignoring the monitor port of the switch). Usually an ARP spoof, DNS spoof or other such attack has to be launched. There are tools like Dsniff which can accomplish this task quite easily.
Now what I would like to know is whether there is any method / tool or Snort IDS rule set which can detect such sniffers on systems, esp. on switch-based networks. And here I am talking of large corporate Ethernet networks. The considerations are that I don't want to overload the network by probing each w/s individually. And if the process is automated it would be all the better.

Regards

Sangram Gayal
Associate Consultant
Enterprise Security Consulting Group
Mahindra - British Telecom Ltd.



Disclaimer

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.



Visit us at http://www.mahindrabt.com

Received on Thu Feb 6 13:33:20 2003
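
Added example, not part of the original thread or of any tool named in it: a passive monitor that flags changed IP-to-MAC bindings in observed ARP traffic, so ARP spoofing can be detected automatically without probing each workstation. It assumes the sensor is handed raw ARP payloads (for example from the switch's monitor port); parse_arp, ArpMonitor, make_arp and all addresses are hypothetical names and constructed sample data.

```python
import struct
from collections import namedtuple

Alert = namedtuple("Alert", "kind ip old_mac new_mac")

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload to (op, sender_mac, sender_ip), else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack("!6s4s", payload[8:18])
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

class ArpMonitor:
    """Passively tracks the IP-to-MAC bindings claimed in observed ARP traffic."""
    def __init__(self):
        self.ip_to_mac, self.mac_to_ips = {}, {}

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None or parsed[2] == "0.0.0.0":  # malformed, or an ARP probe
            return []
        _, mac, ip = parsed
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(Alert("binding-changed", ip, old, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips.setdefault(mac, set()).add(ip)
        if len(self.mac_to_ips[mac]) > 1:  # heuristic only: routers and proxy ARP do this too
            alerts.append(Alert("mac-claims-multiple-ips", ip, None, mac))
        return alerts

def make_arp(op, mac, ip):
    """Build a constructed ARP payload for the demo (not captured traffic)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, bytes(6), bytes(4))

def demo():
    mon = ArpMonitor()
    frames = [  # constructed: gateway and host announce, then one MAC claims both IPs
        make_arp(2, "00:11:22:33:44:01", "192.0.2.1"),
        make_arp(2, "00:11:22:33:44:10", "192.0.2.10"),
        make_arp(2, "00:11:22:33:44:66", "192.0.2.1"),
        make_arp(2, "00:11:22:33:44:66", "192.0.2.10"),
    ]
    return [a for f in frames for a in mon.observe(f)]
```

On a switched network a sensor on an ordinary port sees only broadcast ARP, so unicast replies aimed at a single host are missed unless that traffic is mirrored to the sensor.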

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:09 EDT
