-
September 14th, 2005, 03:21 AM
#1
Snort, IDS detection
Hi, does anyone know if there are ways to detect if a network has a snort machine running on the subnet?
-
September 14th, 2005, 03:37 AM
#2
Re: Snort, IDS detection
Card in promiscuous mode? i dont use napstar i use winnuke
JeffK
-
September 14th, 2005, 04:44 AM
#3
Member
Searching for cards in promiscuous mode will tell you the existence of a sniffer?
How do you determine that is a Snort?
-
September 14th, 2005, 01:44 PM
#4
If a network tap is used, there is no way to tell.
-
September 14th, 2005, 02:48 PM
#5
You might want to try sentinel or sniffdet. These programs are meant to detect any promiscuous cards on a network.
Good luck
The command completed successfully.
"They drew first blood not me."
-
September 14th, 2005, 04:04 PM
#6
As others have noted, you can only detect if a NIC is in promiscuous mode... But you cannot tell if that machine is running snort or not.. Unless you can log in and do a ps..
So to answer your question, no, you cannot tell if snort is running on that subnet..
There were some vulnerabilities in older versions of snort though.. But that would mean sending some bad packets and hoping snort dies.. No way to know for sure..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
September 14th, 2005, 04:13 PM
#7
Re: Snort, IDS detection
Originally posted here by rowdy_yates
Hi, does anyone know if there are ways to detect if a network has a snort machine running on the subnet?
Yes... just start running port scans and vuln scans against the network. The snort admin (wearing his "SNORT SAVED MY BACON!" t-shirt) will come and find you. That would be a pretty good indication to me that snort is running on their network.
Or, try to place a sniffer at the gateway. If you see traffic going to snort related sites... (rules updates, etc.) Then you'd also have a pretty good indication that snort is running.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
September 14th, 2005, 05:28 PM
#8
thanks.
I just was reading this article of IDS vs NADS and it got me thinking -- is there a signature for the signature analysis machines?
-
September 14th, 2005, 08:31 PM
#9
This is a new area for me. Can someone briefly explain how you detect cards in promiscuous mode? Not necessarily the software one uses, although that would be helpful...what the software is actually DOING.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
September 14th, 2005, 08:53 PM
#10
Originally posted here by zencoder
This is a new area for me. Can someone briefly explain how you detect cards in promiscuous mode? Not necessarily the software one uses, although that would be helpful...what the software is actually DOING.
proDETECT "proDETECT is an open source promiscuous mode scanner with a GUI. It uses ARP packet analyzing technique to detect adapters in promiscuous mode. This tool can be used by security administrators to detect sniffers in a LAN. It can be scheduled for regular scanning over periods. It also has some advanced reporting capabilities such as SMTP reporting. Full source code is included."
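Added example, not part of the thread and not proDETECT's code: a sketch of one well-known form of the ARP-based test, for an administrator auditing their own LAN. It builds and parses frames offline and sends nothing; the test address ff:ff:ff:ff:ff:fe and all MAC/IP values are assumptions constructed for the illustration.

```python
import struct

# Assumption: ff:ff:ff:ff:ff:fe as the "almost broadcast" test address; the thread names none.
BROADCAST, FAKE_BCAST = bytes.fromhex("ffffffffffff"), bytes.fromhex("fffffffffffe")

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def arp_frame(eth_dst, op, sha, spa, tha, tpa):
    """Ethernet II + ARP (IPv4 over Ethernet); op 1 = request, 2 = reply."""
    eth = eth_dst + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for a well-formed ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return frame[22:28], frame[28:32]

def classify(target_ip, replies_to_control, replies_to_test):
    """Control probe went to real broadcast, test probe to FAKE_BCAST."""
    def answered(frames):
        for f in frames:
            r = parse_arp_reply(f)
            if r and r[1] == target_ip:
                return True
        return False
    if not answered(replies_to_control):
        return "no-answer"  # down, filtered, or a passive tap with no IP stack
    # A NIC in normal mode drops FAKE_BCAST in hardware, so a reply means the
    # frame reached the OS: the card is accepting traffic not addressed to it.
    return "suspect-promiscuous" if answered(replies_to_test) else "normal"

# Constructed sample data: scanner 192.0.2.10, hosts .20 (normal) and .30 (sniffing).
ME_MAC, ME_IP = mac("02:00:00:00:00:10"), ip("192.0.2.10")
def reply_from(m, a):
    return arp_frame(ME_MAC, 2, mac(m), ip(a), ME_MAC, ME_IP)

def demo():
    control = [reply_from("02:00:00:00:00:20", "192.0.2.20"),
               reply_from("02:00:00:00:00:30", "192.0.2.30")]
    test = [reply_from("02:00:00:00:00:30", "192.0.2.30")]
    return {h: classify(ip(h), control, test)
            for h in ("192.0.2.20", "192.0.2.30", "192.0.2.40")}

if __name__ == "__main__":
    probe = arp_frame(FAKE_BCAST, 1, ME_MAC, ME_IP, bytes(6), ip("192.0.2.30"))
    print(probe.hex(), demo())
```

A "suspect-promiscuous" result is a hint about the card's mode rather than proof, and it says nothing about which program is listening.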