Snort, IDS detection

Thread: Snort, IDS detection

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    137

    Snort, IDS detection

    Hi, does anyone know if there are ways to detect if a network has a snort machine running on the subnet?

  2. #2
    Banned
    Join Date
    Nov 2003
    Posts
    1,161

    Re: Snort, IDS detection

    Card in promiscuous mode? i dont use napstar i use winnuke


    JeffK

  3. #3
    Member
    Join Date
    Aug 2004
    Posts
    95
    Searching for cards in promiscuous mode will tell you of the existence of a sniffer?
    How do you determine that it is Snort?

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    If a network tap is used, there is no way to tell.

  5. #5
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    You might want to try sentinel or sniffdet. These programs are meant to detect any promiscuous cards on a network.

    Good luck
    The command completed successfully.


    "They drew first blood not me."

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    As others have noted, you can only detect if a NIC is in promiscuous mode... But you cannot tell if that machine is running Snort or not... Unless you can log in and do a ps...

    So to answer your question, no, you cannot tell if Snort is running on that subnet...

    There were some vulnerabilities in older versions of Snort though... But that would mean sending some bad packets and hoping Snort dies... No way to know for sure...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324

    Re: Snort, IDS detection

    Originally posted here by rowdy_yates
    Hi, does anyone know if there are ways to detect if a network has a snort machine running on the subnet?
    Yes... just start running port scans and vuln scans against the network. The snort admin (wearing his "SNORT SAVED MY BACON!" t-shirt) will come and find you. That would be a pretty good indication to me that snort is running on their network.

    Or, try to place a sniffer at the gateway. If you see traffic going to snort related sites... (rules updates, etc.) Then you'd also have a pretty good indication that snort is running.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    thanks.

    I was just reading this article on IDS vs NADS and it got me thinking -- is there a signature for the signature analysis machines?

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    This is a new area for me. Can someone briefly explain how you detect cards in promiscuous mode? Not necessarily the software one uses, although that would be helpful...what the software is actually DOING.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    Originally posted here by zencoder
    This is a new area for me. Can someone briefly explain how you detect cards in promiscuous mode? Not necessarily the software one uses, although that would be helpful...what the software is actually DOING.


    proDETECT: "proDETECT is an open source promiscuous mode scanner with a GUI. It uses ARP packet analyzing technique to detect adapters in promiscuous mode. This tool can be used by security administrators to detect sniffers in a LAN. It can be scheduled for regular scanning over periods. It also has some advanced reporting capabilities such as SMTP reporting. Full source code is included."
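
The ARP trick that posts #5 and #10 refer to (sentinel, sniffdet, proDETECT), worked through as an added example; this is not code from any of those projects. A NIC that is not in promiscuous mode only hands the kernel frames whose Ethernet destination is its own MAC, the broadcast address, or a multicast group it has joined, while a promiscuous NIC hands up everything. The kernel's ARP responder looks only at the ARP payload, so a "who-has <target IP>" request wrapped in a frame addressed to a bogus MAC is answered only by a promiscuous host. The `SimulatedHost` class, the MAC and IP addresses, and the probe labels are constructed for the example so it runs offline; `send_probe_linux()` shows the same frame going on a real wire (Linux raw socket, root required) and is not exercised here.

```python
"""Promiscuous-mode detection with ARP probes (added example, not project code)."""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")  # not broadcast to a hardware filter
MULTICAST_ZERO = bytes.fromhex("010000000000")  # group bit set, no host joins it


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return socket.inet_aton(text)


def build_arp(dst_mac, src_mac, src_ip, tgt_mac, tgt_ip, op):
    """Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + src_mac + src_ip + tgt_mac + tgt_ip
    return eth + arp


def parse_arp(frame):
    """Return the Ethernet and ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"dst": frame[:6], "src": frame[6:12],
            "op": struct.unpack("!H", frame[20:22])[0],
            "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}


class SimulatedHost:
    """Constructed model: NIC address filter plus a minimal kernel ARP responder."""

    def __init__(self, mac_text, ip_text, promiscuous=False, groups=()):
        self.mac, self.ip = mac(mac_text), ip4(ip_text)
        self.promiscuous, self.groups = promiscuous, set(groups)

    def nic_accepts(self, dst):
        if self.promiscuous:
            return True  # promiscuous: every frame reaches the kernel
        return dst == self.mac or dst == BROADCAST or dst in self.groups

    def receive(self, frame):
        p = parse_arp(frame)
        if p is None or not self.nic_accepts(p["dst"]):
            return None
        if p["op"] == 1 and p["tpa"] == self.ip:  # ARP never checks the Ethernet dst
            return build_arp(p["sha"], self.mac, self.ip, p["sha"], p["spa"], 2)
        return None


PROBES = (("broadcast", BROADCAST), ("fake_broadcast", FAKE_BROADCAST),
          ("multicast_zero", MULTICAST_ZERO))


def probe(host, prober_mac, prober_ip, target_ip):
    """Send each probe; a reply to a bogus Ethernet destination means promiscuous."""
    answered = {}
    for label, dst in PROBES:
        frame = build_arp(dst, mac(prober_mac), ip4(prober_ip), bytes(6), ip4(target_ip), 1)
        reply = host.receive(frame)
        answered[label] = reply is not None and parse_arp(reply)["op"] == 2
    if not answered["broadcast"]:
        answered["verdict"] = "down or filtered"  # no baseline reply, cannot judge
    elif answered["fake_broadcast"] or answered["multicast_zero"]:
        answered["verdict"] = "promiscuous"
    else:
        answered["verdict"] = "normal"
    return answered


def send_probe_linux(iface, prober_mac, prober_ip, target_ip, dst=FAKE_BROADCAST, timeout=1.0):
    """Same probe on a real interface (Linux AF_PACKET, needs root). Not run in this example."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.settimeout(timeout)
    s.send(build_arp(dst, mac(prober_mac), ip4(prober_ip), bytes(6), ip4(target_ip), 1))
    try:
        while True:
            p = parse_arp(s.recv(65535))
            if p and p["op"] == 2 and p["spa"] == ip4(target_ip):
                return True
    except socket.timeout:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    for name, h in (("normal", SimulatedHost("00:11:22:33:44:55", "10.0.0.5")),
                    ("sniffer", SimulatedHost("00:11:22:33:44:66", "10.0.0.6", promiscuous=True))):
        print(name, probe(h, "00:aa:bb:cc:dd:ee", "10.0.0.1", socket.inet_ntoa(h.ip)))
```

Two caveats a practitioner should keep in mind. Which bogus destinations a real stack answers depends on the target OS's ARP implementation, so always compare against the plain broadcast baseline and send more than one probe before calling a host promiscuous. And, as posts #4 and #6 say, this only proves a NIC is promiscuous: a sensor fed by a passive tap never sends a frame and is invisible to it, and a positive hit tells you nothing about whether the sniffer is Snort.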
