[Snort-devel] Promiscuous detection

Eugene Tsyrklevich eugene at ...223...
Tue Feb 13 21:43:30 EST 2001


On Tue, Feb 13, 2001 at 07:23:10PM +0100, Johan Samuelson wrote:
> Hello all, and thanks for all the interesting postings.
> 
> A question concerning the -e commandline switch. Is it
> possible to have this affect ARP parsing too, so that
> one could detect attempts to discover if an interface
> is operating in promiscuous mode (a la Sentinel,
> http://www.packetfactory.net/Projects/Sentinel/)?
> 
> A quote from its homepage describing the technique:
> 
> "This method involves sending out an ARP request to
> our target with all valid information except a bogus destination
> hardware address. A machine that is not in promiscuous mode
> would never see the packet, since it wasn't destined to them, therefore
> it wouldn't reply. If a machine is in promiscuous mode, the ARP request
> would be seen and the kernel would process it and reply. By the machine
> replying, we know it is in promiscuous mode."


As far as I remember, this was only supposed to work on old Linux kernels which
had a bug related to promisc. mode,
but when bind did more testing he found that newer Linux kernels and some
other operating systems were still misbehaving in regards to promisc mode.
So you might wanna test that ARP test on your machine before drawing any
conclusions.

cheers,
eugene
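One way a sensor could flag the probe the quoted Sentinel text describes, as an added example that is not part of this thread, of Snort or of Sentinel: it parses Ethernet/ARP frames and flags ARP requests whose Ethernet destination is neither broadcast nor the MAC of a known host on the segment. The known-host table, MACs and IPs are all constructed; unicast requests to a known MAC are left alone because stacks send those as legitimate cache refreshes.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def build_arp_request(eth_dst, sha, spa, tpa):
    """Ethernet II frame carrying an ARP who-has request (constructed test data)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST) + sha + spa + b"\x00" * 6 + tpa
    return eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Return the fields a detector needs, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": frame[22:28], "spa": frame[28:32], "tpa": frame[38:42]}

def is_promisc_probe(frame, known_macs):
    """Flag a Sentinel-style probe: an ARP request whose Ethernet destination is
    neither broadcast nor the MAC of a host on this segment. A non-promiscuous
    NIC drops such a frame before the kernel sees it, so only a promiscuous host
    would answer. Unicast requests to a known MAC are normal cache refreshes."""
    arp = parse_arp(frame)
    if arp is None or arp["oper"] != ARP_REQUEST:
        return False
    if arp["eth_dst"] == BROADCAST or arp["eth_dst"] in known_macs:
        return False
    return True

# Constructed segment inventory and sample frames (all addresses made up).
KNOWN_MACS = {mac("00:aa:bb:cc:dd:ee"), mac("00:aa:bb:cc:dd:ef")}
SENDER_MAC, SENDER_IP = mac("00:11:22:33:44:55"), bytes([192, 168, 1, 5])
TARGET_IP = bytes([192, 168, 1, 10])
NORMAL = build_arp_request(BROADCAST, SENDER_MAC, SENDER_IP, TARGET_IP)
REFRESH = build_arp_request(mac("00:aa:bb:cc:dd:ee"), SENDER_MAC, SENDER_IP, TARGET_IP)
PROBE = build_arp_request(mac("ff:ff:ff:ff:ff:fe"), SENDER_MAC, SENDER_IP, TARGET_IP)
```

Of the three sample frames only PROBE is flagged; a real sensor would populate the known-MAC set from its own view of the segment rather than a hard-coded table.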
