SUMMARY: Anti-sniffer on Solaris 2.5.1 and 2.6

From: Jerry Lu (oxygen@helix.nih.gov)
Date: Tue Dec 08 1998 - 17:17:00 CST


Thanks to:

Craig Raskin
Shriman Gurung
Raul Garcia
George Gorshkov
And people in news group "comp.security.unix" who tried to help me.

Here's my original question:

===============================================================================
For security reasons, I'd like to install an anti-sniffer software on
Sparc and Ultra machines running Solaris 2.5.1 and 2.6. Does anyone know
any (freeware or commercial) good one other than "check promiscuous
mode" (cpm)? Your suggestions are welcome.
 
BTW, I tried to install the program "check promiscuous mode" on a Sparc 5
running Solaris 2.5.1. I downloaded the source code from
"ftp.cert.org/pub/tools/cpm", which is version 1.2. However, I failed to
compile the C program, and got the following error:
 
=======================================================
% cc -Bstatic -o cpm cpm.c
"cpm.c", line 17: cannot find include file: <sys/mbuf.h>
"cpm.c", line 38: undefined symbol: SIOCGIFCONF
"cpm.c", line 48: undefined symbol: SIOCGIFFLAGS
cc: acomp failed for cpm.c
=======================================================
 
Has anyone ever successfully compiled this program on Solaris 2.5.1 (or
2.6)? If yes, could you please give me some hints on how to do it? I am
guessing that I either need the file "/usr/include/sys/mbuf.h" for my
OS, or to modify the source code. But I am not sure where/how to find/do it.
===============================================================================

Summary:
========

Craig Raskin pointed out that there are two issues here:
1. Sniffers running in promiscuous mode.
2. Sniffers that do NOT run in promiscuous mode.

Sniffers running in promiscuous mode can be found by programs that check
promiscuous status. But a knowledgeable hacker or a well-written sniffer
can sniff stealthily (not running in promiscuous mode), which will not be
detected by any "promiscuous checking program". So, there's really no
program, at least none that I know of at this moment, that can do 100%
"anti-sniffing".

However, if you still think you need a "promiscuous mode checker", use
"ifstatus" (which can be found at
http://www.ciac.org/ciac/ToolsUnixSysMon.html) instead of "cpm" on
Solaris, because Solaris doesn't reflect the promiscuous status back to the
upper level. I compiled it on Solaris 2.5.1 without any difficulty and
it works properly. (I also compiled "cpm" on SunOS 4.1.3 successfully.)

In fact, even looking at the driver-level flags (like ifstatus does) is
known to be unreliable (particularly on the hme interface). To reliably get
the promiscuous status, the program needs to read the per-stream flags for
each possible interface. Unfortunately, this information is very poorly
documented in the header files. Jim Mellander from the newsgroup pointed
out that if you're a good programmer and willing to spend time on this
issue, you could go on a hunt with adb & the /usr/include/sys header files as
a guide.

-------------------------------------------------------------
From: Craig Raskin <raskin@compusec.org>

There are two main issues here. The first would be sniffers running
in promiscuous mode. These are not that common anymore since they
can easily be detected. There are a number of packages out there to
check for this. Once you get one compiled and running, make sure you
check it out to make sure it is working. Put the interface into
promiscuous mode and make sure it will pick it up.
 
The second type of sniffer does NOT run in promiscuous mode. This
will not be picked up by this type of software so it is much harder
to detect. To detect a sniffer running in this fashion, the best
thing would be to periodically run lsof on the machine and check
which software has open network connections.
 
A good way to detect if a scanner is running is to look for large
files on the filesystem and/or attempts to make hidden directories.
Sniffers will quickly generate very large log files.
 
Good luck and hope this helps point you in the right direction.
----------------------------------------------------------------------
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:53 CDT