Well, all you said was correct, but maybe I explained badly. I was talking 
about remote detection. Normally, tools such as antisniff use specially crafted 
ethernet frames to detect promiscuous NICs. The problem appears when you 
are not on the same segment as your target, or even if you aren't on the same 
network.

You could not detect snort with those tools if you aren't on the same 
network segment.
I don't know if sniffer.pl is capable of detecting that library over IP?
This method is an approximation, but you still have some error margin because 
you could have false alarms.
Any ideas?

>Well, rather than thinking about information or
>memory leaks, perhaps you could look at what
>really goes on when snort (or any sniffer) is running.
>
>Since you didn't mention any particular target
>platform, perhaps the way to start is to look at
>promiscuous mode detection.  SecurityFriday has a
>tool at:
>
>http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html
>
>Of course, there is also @Stake's AntiSniff.
>
>Now, if you're on an NT/2K network, there are
>other things you can do.  As an admin, you can
>connect remotely and get a process listing using
>Sysinternals' pslist.exe.  Yes, the snort
>executable can be renamed.
>
>Another method of detecting sniffers on NT/2K can
>be found in a tool called 'sniffer.pl' at
>http://patriot.net/~carvdawg/perl.html.  This
>tool works by detecting the winpcap packet device
>driver running on the system.  This device driver
>is used by snort, Ethereal, and even L0phtcrack3.
>And yes, many folks have said, "but the name of
>the driver can be changed", and this is true...but
>unless the user completely recompiles not only the
>tool itself, but the DLL used by the device
>driver, as well, everything will break and no
>longer work.
>
>Hope this helps...

mailto:[EMAIL PROTECTED]
http://www.podergeek.com
http://www.citfi.org

**************************************************
"The further backward you look, the further forward you can see"   Winston 
Churchill
"To win, some people have to lose"
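To make concrete what both posters are describing (crafted-frame probes that catch a promiscuous NIC, and why the method has an error margin), here is an added example that is not code from this thread, from AntiSniff or from PromiScan. It is an in-memory model: the fake destination MACs are the ones described in Daiji Sanai's SecurityFriday paper "Detection of Promiscuous Nodes Using ARP Packets", while the NIC and IP-stack behaviour, the 192.0.2.x addresses and the MACs are simplified assumptions constructed for the example. No frames are sent; because the probes are Ethernet frames, the technique is inherently limited to the local segment, which is the remote-detection gap the reply above points out.

```python
"""Model of the crafted-frame ARP probe used to detect promiscuous NICs.

Added example (not from the thread or from any named tool).  Host behaviour
is a simplified model, not any particular driver or operating system.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_HOSTS_MCAST = "01:00:5e:00:00:01"  # IPv4 all-hosts group, joined by every IPv4 host

# Probe destination MACs (fake addresses from Sanai's paper plus a true broadcast
# as control).  A NIC in normal mode should drop every fake address; one in
# promiscuous mode passes them all to the IP stack, which may answer the ARP.
PROBES = {
    "broadcast":   BROADCAST,            # control: every live host answers this
    "broadcast31": "ff:ff:ff:ff:ff:fe",  # one bit off broadcast
    "broadcast16": "ff:ff:00:00:00:00",
    "broadcast8":  "ff:00:00:00:00:00",
    "group":       "01:00:00:00:00:00",  # group bit set, but no such multicast group
}


def is_group_address(mac: str) -> bool:
    """Ethernet group (multicast/broadcast) addresses have the low bit of octet 0 set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Host:
    """A simulated host: hardware address filter plus IP-stack ARP handling."""
    mac: str
    ip: str
    promiscuous: bool = False
    # driver accepts every group address instead of an exact list (assumed
    # behaviour of some drivers): the classic source of a false alarm
    all_multicast: bool = False
    # IP stack re-checks the Ethernet destination before answering ARP
    # (assumed behaviour): the classic source of a missed sniffer
    strict_sw_filter: bool = False
    mcast_groups: set = field(default_factory=lambda: {ALL_HOSTS_MCAST})

    def _is_mine(self, dst: str) -> bool:
        return dst == self.mac or dst == BROADCAST or dst in self.mcast_groups

    def hw_accepts(self, dst: str) -> bool:
        """Would the NIC hand a frame with this destination MAC to the OS?"""
        if self.promiscuous:
            return True
        if self._is_mine(dst):
            return True
        return self.all_multicast and is_group_address(dst)

    def sw_accepts(self, dst: str, target_ip: str) -> bool:
        """Would the IP stack answer an ARP request for target_ip in this frame?"""
        if target_ip != self.ip:
            return False
        return self._is_mine(dst) if self.strict_sw_filter else True

    def answers_arp(self, dst: str, target_ip: str) -> bool:
        return self.hw_accepts(dst) and self.sw_accepts(dst, target_ip)


def probe_host(host: Host) -> dict:
    """'Send' each probe frame asking for the host's IP; record which drew a reply."""
    return {name: host.answers_arp(dst, host.ip) for name, dst in PROBES.items()}


def classify(replies: dict) -> str:
    """Flag the host if it answered any frame a normal NIC should have dropped."""
    if not replies["broadcast"]:
        return "no-reply"  # host down or unreachable: inconclusive, not 'normal'
    hits = [name for name, got in replies.items() if got and name != "broadcast"]
    return "promiscuous" if hits else "normal"


def demo() -> dict:
    """Four constructed hosts: a true positive, a true negative, a miss and a false alarm."""
    hosts = [
        Host("00:11:22:33:44:55", "192.0.2.10"),                                   # ordinary host
        Host("00:11:22:33:44:66", "192.0.2.11", promiscuous=True),                 # sniffer
        Host("00:11:22:33:44:77", "192.0.2.12", promiscuous=True, strict_sw_filter=True),  # missed
        Host("00:11:22:33:44:88", "192.0.2.13", all_multicast=True),               # false alarm
    ]
    return {h.ip: classify(probe_host(h)) for h in hosts}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip}: {verdict}")
```

The two "wrong" verdicts in `demo()` are the point: a sniffing host whose stack re-checks the destination MAC is reported as normal, and an innocent host whose driver accepts all group addresses is reported as promiscuous. That is the error margin the reply refers to, and it is why these tools send several probe kinds and why a hit should be confirmed on the host itself (process list, capture driver present) rather than acted on alone.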
