In-Reply-To: <[EMAIL PROTECTED]>


> I was just wondering if there is any tool that detects snort
> running in a remote machine. Could it be possible? Does snort have
> information leaks that could lead to its detection from an external
> machine? If such a tool exists, has anyone any info?

Well, rather than thinking about information or
memory leaks, perhaps you could look at what
really goes on when snort (or any sniffer) is running.

Since you didn't mention any particular target
platform, perhaps the way to start is to look at
promiscuous mode detection.  SecurityFriday has a
tool at:

http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html

Of course, there is also @Stake's AntiSniff.

Now, if you're on an NT/2K network, there are
other things you can do.  As an admin, you can
connect remotely and get a process listing using
SysInternal's pslist.exe.  Yes, the snort
executable can be renamed.

Another method of detecting sniffers on NT/2K can
be found in a tool called 'sniffer.pl' at
http://patriot.net/~carvdawg/perl.html.  This
tool works by detecting the winpcap packet device
driver running on the system.  This device driver
is used by snort, Ethereal, and even L0phtcrack3.
And yes, many folks have said, "but the name of
the driver can be changed", and this is true...but
unless the user completely recompiles not only the
tool itself, but the DLL used by the device
driver, as well, everything will break and no
longer work.

Hope this helps...
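The driver-based check described above, as an added example that is not the sniffer.pl tool from the message: it enumerates the kernel drivers on a remote Windows host over CIM and flags the WinPcap or Npcap packet capture driver. It assumes admin rights on the target, WinRM/CIM reachability, and the usual driver service names (NPF for WinPcap, npcap for Npcap).

```powershell
# Added example, not the perl tool from the message. Looks for the
# WinPcap/Npcap packet capture driver on a remote Windows host via CIM.
# Assumes admin rights on the target and that WinRM/CIM is reachable.
# WinPcap registers the driver service 'NPF' (npf.sys); Npcap registers
# 'npcap' (npcap.sys). Matching on both the service name and the file name
# still catches the common case where only the capture tool's .exe was renamed.
function Find-PacketCaptureDriver {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [string[]] $DriverNames = @('NPF', 'npcap'),
        [string[]] $DriverFiles = @('npf.sys', 'npcap.sys')
    )

    # Win32_SystemDriver lists kernel-mode driver services, running or not.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -ComputerName $ComputerName

    foreach ($d in $drivers) {
        # PathName can be empty for some drivers; guard before taking the leaf.
        $file = if ($d.PathName) { Split-Path -Leaf $d.PathName } else { '' }

        # -contains is case-insensitive in PowerShell, so 'npf' matches 'NPF'.
        if ($DriverNames -contains $d.Name -or $DriverFiles -contains $file) {
            [pscustomobject]@{
                Computer = $ComputerName
                Driver   = $d.Name
                File     = $file
                State    = $d.State      # 'Running' means the driver is loaded
                Started  = $d.Started
            }
        }
    }
}

# Usage (hostname is a placeholder): a result with State 'Running' means a
# capture driver is loaded, whatever the sniffer process calls itself.
Find-PacketCaptureDriver -ComputerName 'HOST01' | Format-Table -AutoSize
```

No output means no driver under those names was found; as the message notes, a renamed driver would need a different indicator, such as the capture DLLs on disk.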
