Hi, does anyone know if there are ways to detect if a network has a snort machine running on the subnet?
Card in promiscuous mode? i dont use napstar i use winnuke ;)
JeffK
Searching for cards in promiscuous mode will tell you the existence of a sniffer?
How do you determine that is a Snort?
If a network tap is used, there is no way to tell.
You might want to try sentinel or sniffdet. These programs are meant to detect any promiscuous cards on a network.
Good luck
As others have noted, you can only detect if a NIC is in promiscuous mode... But you cannot tell if that machine is running snort or not.. Unless you can log in and do a ps..
So to answer your question, no, you cannot tell if snort is running on that subnet..
There were some vulnerabilities in older versions of snort though.. But that would mean sending some bad packets and hoping snort dies.. No way to know for sure..
Yes... just start running port scans and vuln scans against the network. The snort admin (wearing his "SNORT SAVED MY BACON!" t-shirt) will come and find you. That would be a pretty good indication to me that snort is running on their network. ;)
Quote:
Originally posted here by rowdy_yates
Hi, does anyone know if there are ways to detect if a network has a snort machine running on the subnet?
Or, try to place a sniffer at the gateway. If you see traffic going to snort related sites... (rules updates, etc.) Then you'd also have a pretty good indication that snort is running.
thanks.
I was just reading this article of IDS vs NADS and it got me thinking -- is there a signature for the signature analysis machines?
This is a new area for me. Can someone briefly explain how you detect cards in promiscuous mode? Not necessarily the software one uses, although that would be helpful...what the software is actually DOING.
Quote:
Originally posted here by zencoder
This is a new area for me. Can someone briefly explain how you detect cards in promiscuous mode? Not necessarily the software one uses, although that would be helpful...what the software is actually DOING.
proDETECT "proDETECT is an open source promiscuous mode scanner with a GUI. It uses ARP packet analyzing technique to detect adapters in promiscuous mode. This tool can be used by security administrators to detect sniffers in a LAN. It can be scheduled for regular scanning over periods. It also has some advanced reporting capabilities such as SMTP reporting. Full source code is included." read more...
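What a scanner using the ARP technique named in the proDETECT description is doing, as an added example that is not part of the thread and not proDETECT's code. The fake-broadcast address, the simplified OS filter and the three hosts are constructed assumptions; the model also shows why a passive tap with no IP stack never answers.

```python
import socket
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
# Assumed probe destination: not the real broadcast address, so a NIC in
# normal mode drops it in hardware, yet it still looks like broadcast to a
# loose software check in the OS network stack.
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")

def build_arp_probe(src_mac, src_ip, target_ip, dst_mac=FAKE_BROADCAST):
    """Ethernet II header + ARP who-has request for target_ip (42 bytes)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)   # EtherType = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # Ethernet/IPv4, op = request
    arp += src_mac + src_ip + b"\x00" * 6 + target_ip     # sender, empty target MAC, target IP
    return eth + arp

def nic_accepts(frame, own_mac, promiscuous):
    """Hardware filter: own unicast or true broadcast, unless promiscuous."""
    return promiscuous or frame[:6] in (own_mac, BROADCAST)

def stack_replies(frame, own_ip):
    """Simplified OS model (assumption): dst counts as broadcast if octet 0 is 0xff."""
    ethertype, = struct.unpack("!H", frame[12:14])
    oper, = struct.unpack("!H", frame[20:22])
    return (own_ip is not None and ethertype == 0x0806 and oper == 1
            and frame[0] == 0xFF and frame[38:42] == own_ip)

def scan(target_ips, hosts, scanner_mac, scanner_ip, dst_mac=FAKE_BROADCAST):
    """Return the target IPs that answered the probe sent to dst_mac."""
    answered = []
    for ip in target_ips:
        probe = build_arp_probe(scanner_mac, scanner_ip, ip, dst_mac)
        if any(nic_accepts(probe, h["mac"], h["promisc"]) and
               stack_replies(probe, h["ip"]) for h in hosts):
            answered.append(ip)
    return answered

# Constructed sample LAN (documentation addresses, locally administered MACs).
HOSTS = [
    {"name": "workstation", "mac": bytes.fromhex("020000000010"),
     "ip": socket.inet_aton("192.0.2.10"), "promisc": False},
    {"name": "sensor", "mac": bytes.fromhex("020000000020"),
     "ip": socket.inet_aton("192.0.2.20"), "promisc": True},
    {"name": "passive-tap", "mac": bytes.fromhex("020000000030"),
     "ip": None, "promisc": True},                         # no IP stack, never replies
]
SCANNER_MAC = bytes.fromhex("020000000001")
SCANNER_IP = socket.inet_aton("192.0.2.1")
TARGETS = [socket.inet_aton("192.0.2.%d" % n) for n in (10, 20, 30)]

if __name__ == "__main__":
    for ip in scan(TARGETS, HOSTS, SCANNER_MAC, SCANNER_IP):
        print("answered fake-broadcast ARP:", socket.inet_ntoa(ip))
```

A reply to the fake-broadcast probe only says the NIC is promiscuous; as noted earlier in the thread, it does not say which software is listening.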