[Snort-devel] Promiscious detection

Johan Samuelson adamant at ...272...
Tue Feb 13 13:23:10 EST 2001


Hello all, and thanks for all the interesting postings.

A question concerning the -e commandline switch. Is it
possible to have this affect ARP parsing too, so that
one could detect attempts to discover if a interface
is operating in promiscious mode (a la Sentinel,
http://www.packetfactory.net/Projects/Sentinel/)?

A quote from it's homepage describing the technique:

"This method involves sending out an ARP request to
our target with all valid information except a bogus destination
hardware address.  A machine that is not in promiscuous mode
would never see the packet, since it wasn't destined to them, therefore
it wouldn't reply. If a machine is in promiscuous mode,  the ARP request
would be seen and the kernel  would process it and  reply.  By the machine
replying, we know it is in promiscuous mode."

Because it's not possible to create a rule for detecting
this, I've changed the PrintArpHeader() function in log.c
to check if the -e switch is active and accordingly call
Print2ndHeader(). Perhaps this could be of interest to
others?

Regards,
 Johan Samuelson (adamant at ...272...)






More information about the Snort-devel mailing list