Great Circle Associates Firewalls
(August 1994)

Subject: Re: prevalence of sniffing ?
From: Steven McElwee <steven@mozart.acpub.duke.edu>
Date: Mon, 01 Aug 1994 20:28:06 -0400
Cc: firewalls@greatcircle.com
In-reply-to: Your message of "Mon, 01 Aug 1994 13:15:31 +0300." <9408011015.AA20816@libra.math.tau.ac.il>
Reply-to: steven@acpub.duke.edu

> > How can you determine if a given machine is running a sniffer?  Check
> > to see if the Ethernet chip on the machine is in "promiscuous" mode.
> > On many machines, "ifconfig" will tell you this; for instance, on my
> > Sun:
> 
> There is a chance, though, that someone not interested in collecting
> sites like baseball cards or just attacking an Internet provider will
> run a sniffer without putting the interface into promiscuous mode.
> That will just get them traffic to and from the machine, but then again,
> that might be just what they want.

Of course, you also need to watch out for a trojaned or altered version of
ifconfig which has been doctored to not print out the word "promiscuous".
Chances are that other binaries such as ps and ls will also be altered to
prevent detection of the sniffer and its associated log files. My current
understanding is that one also needs to watch out for trojaned login and
telnetd programs which allow backdoor access to the sniffer logs. I for one
plan to always keep a known good copy of these programs on a read-only
3.5" floppy disk in the floppy drive of my DECstation. In the next few
days, I expect that the new version of TripWire (expected any day now from
Purdue, thanks to Gene Spafford) with its MD5 signatures will be one of my
"best" friends.

			--Steven McElwee
 --
 ---------------------------------------------------------------------------
 Steven McElwee         |         Email -->      | steven@acpub.duke.edu
 Academic Computing     |   <-- US Snail Mail    |
 Duke University        |------------------------|-------------------------
 401 North Building     |  (919) 660-6914 (Work) | (919) 684-8651 (Fax)
 Durham, NC 27706       |                        | (919) 612-1955 (Cellular)
 ---------------------------------------------------------------------------

 -- original message follows --

> From:  adam@math.tau.ac.il
> To:  firewalls@GreatCircle.COM
> Subject:  Re: prevalence of sniffing ?
> Date:  Mon, 1 Aug 1994 13:15:31 +0300 (GMT+0300)

> 
> > How can you determine if a given machine is running a sniffer?  Check
> > to see if the Ethernet chip on the machine is in "promiscuous" mode.
> > On many machines, "ifconfig" will tell you this; for instance, on my
> > Sun:
> 
> There is a chance, though, that someone not interested in collecting
> sites like baseball cards or just attacking an Internet provider will
> run a sniffer without putting the interface into promiscuous mode.
> That will just get them traffic to and from the machine, but then again,
> that might be just what they want.
>  
> 
> -- 
> 
>         ... adam
> 
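The two checks this thread talks about, as an added Python example that is not code from either poster: scanning ifconfig output for the PROMISC flag (the ifconfig text is constructed, in both the SunOS-style and old Linux-style layouts), and a small Tripwire-style baseline of file digests that flags a replaced ifconfig. File names and the temporary directory are constructed for the demo; SHA-256 is used where the 1994 tool used MD5.

```python
import hashlib
import os
import re
import tempfile

# Constructed ifconfig output: SunOS-style flag list (le0) and old Linux style (eth0).
SAMPLE_IFCONFIG = """le0: flags=163<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC>
        inet 10.0.0.5 netmask ffffff00 broadcast 10.0.0.255
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

def promiscuous_interfaces(ifconfig_output):
    """Names of interfaces whose ifconfig block carries the PROMISC flag."""
    found, current = [], None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():          # unindented line starts a new block
            m = re.match(r"^(\S+?):?\s", line)
            current = m.group(1) if m else None
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found

def _digest(path):
    """SHA-256 of a file, or None if it is gone (a missing binary also counts as a change)."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None

def baseline(paths):
    """Trusted digests; in practice kept on read-only media, like the floppy in the post."""
    return {p: _digest(p) for p in paths}

def verify(baseline_db):
    """Paths whose current digest differs from the trusted one (or that vanished)."""
    return [p for p, h in baseline_db.items() if _digest(p) != h]

def demo():
    """Constructed scenario: stand-in binaries in a temp dir, then ifconfig is replaced."""
    d = tempfile.mkdtemp()
    names = ["ifconfig", "ps", "ls", "login", "telnetd"]
    for n in names:
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"genuine " + n.encode())
    db = baseline([os.path.join(d, n) for n in names])
    with open(os.path.join(d, "ifconfig"), "wb") as f:
        f.write(b"doctored copy that never prints the word promiscuous")
    return [os.path.basename(p) for p in verify(db)]   # returns ['ifconfig']
```

The digest check only helps if the baseline and the checker itself come from media the intruder cannot write to, which is the point of the read-only floppy.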


