>I am trying to locate software or some means to detect when an interface is
>in promiscuous mode. We want to use it as a warning system to try and catch
>people that happen to get in and try to "snoop/sniff" the local network.
I've received a lot of requests for information I gathered on this and
decided to post what I've gotten so far. Although the current information
has not solved my problem, it might solve other admins' problems.
Two programs called CPM and IFSTATUS
Get CPM from ftp://ftp.cert.org/pub/tools/cpm
Get IFSTATUS from ftp://ftp.cert.org/pub/tools/ifstatus/
These two programs might work on systems older than Solaris 2.5 but I do
not have the means to test it. On a Solaris 2.5.1 system with the ISS 1.0
patches neither program will work on HME (100baseT) devices. I'd also go so
far as to say FDDI interfaces. CPM was completely dysfunctional on my system
(even on standard le interfaces, 10baseT). IFSTATUS worked on my system only
on the 10BaseT/le interfaces.
The solution for my setup would be to write in the hme support to the
IFSTATUS code. I've begun doing this but do not have that much low level
interface experience. I've heard that on the older SunOS machines both
programs work great.
Another suggestion was to use the ifconfig -a command and grep for PROMISC
which should be in the interface flags. On my system (and probably all 2.X
systems) this option is NOT listed.
I tested these suggestions by running "snoop tcp /dev/le" and "snoop tcp
/dev/hme".
I am lastly attaching a long message that explains some of the issues that
the Solaris 2.X admins will have with these programs (which I am trying to
correct at my site).
>this was posted by Mark Graff (Mark.Graff@Eng.Sun.COM), who
>was Sun's security coordinator at the time:
|This has been discussed several times here, but it's been a while.
|Here is my current understanding of the situation.
|
|First, this problem is completely solved for SunOS 4.1.x. I am aware
|of two main approaches. Let me know privately if you want details.
|
|The situation is much more complicated for Solaris 2.x.
|
|1. The PROMISC feature in the Solaris 2.x ifconfig is broken. The ifconfig
|program will not report the controller to be in promiscuous mode, even if
|it is. (This feature works fine in 4.1.x.)
|
|2. No generally available public domain software does the job either. I
|have seen some promising starts toward a promiscuous-mode detection
|scheme for Solaris 2.x, and I believe it is possible, and even feasible.
|But nothing is available today so far as I know.
|
|3. Since the problem was pointed out last year Sun has taken a careful
|look at the problem. The technical difficulty--and now we approach the
|edge of my expertise--is that the DLPI interface between the kernel and
|the device drivers does not provide for transport of the needed data.
|That is, the protocol does not provide for a general
|(device-independent) way for the kernel to find out from the ethernet
|controller the state of the "promiscuous mode" flag.
|
|4. I have seen some code--not from Sun--which comes very close to
|solving the problem by checking the status flags on each interface
|card. Unfortunately the only way to do this seems to be to read
|directly through the kvm interface. This means (as I understand it)
|that a program that ran on all configurations would require specific
|code for each supported ethernet interface card. That might seem like a
|small set; but when you consider that Solaris 2.4 now runs on x86 as
|a coequal platform, this is a real complication.
|
|5. The code I refer to above will not run successfully on at least one
|of our major hardware platforms. I am not sure why but know that
|that is being looked at now, today. It may be a bug on our side;
|and I can't think of any reason we wouldn't fix it, if it is.
|My understanding is that Sun has no current plans to either (1) develop
|our own general solution or (2) release and/or support a public domain
|program to do the job. If, however, I personally become aware of a
|solution to the problem which is reliable and generally useful, I will
|make that information known here.
|
|This is the situation as I understand it today. Please contact me
|personally for any followup. I am not trying to give an official
|position statement here--just fill some folks in on what I know of
|the issues.
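As an added example (not code from the original post, from CERT's CPM/IFSTATUS, or from Sun), here is the "ifconfig -a | grep PROMISC" warning system the poster asked about, written as a cron-able POSIX sh script. It parses any listing that prints interface flags as <UP,...,PROMISC,...> (SunOS/BSD-style `ifconfig -a` and Linux `ip -o link`), keeps a baseline file so it only warns when an interface has newly gone promiscuous, and ships with a constructed sample listing so it runs offline. The baseline path /var/tmp/promisc.baseline and the sample interface names are assumptions for the example. The caveat from the thread still applies: Solaris 2.x ifconfig does not report PROMISC even when the driver is in promiscuous mode, so on those hosts this check cannot see a running snoop, and an intruder with root can hide the flag anywhere.

```shell
#!/bin/sh
# Added example (not from the original post, CERT or Sun): a PROMISC check of
# the "ifconfig -a | grep PROMISC" kind with a baseline, so it warns only on
# interfaces that are newly promiscuous. Handles listings that print flags as
# <UP,...,PROMISC,...>: SunOS/BSD-style `ifconfig -a` and Linux `ip -o link`.
# Caveat from the thread: Solaris 2.x ifconfig never shows PROMISC, so this
# check is blind there.

# promisc_ifaces: read an interface listing on stdin, print the names of
# interfaces whose flag list contains PROMISC, one per line, sorted.
promisc_ifaces() {
    awk '
        # Header lines start in column 1 and carry a <FLAG,FLAG,...> list;
        # indented lines (inet, options=...<...> on BSD) are skipped.
        /^[^ \t].*<[A-Z0-9_,-]*>/ {
            name = $1
            sub(/:$/, "", name)                # "le0:" -> "le0"
            if (name ~ /^[0-9]+$/) {           # "2: eth0: <...>" from ip -o link
                name = $2; sub(/:$/, "", name)
            }
            sub(/@.*/, "", name)               # "veth1@if5" -> "veth1"
            flags = $0
            sub(/^[^<]*</, "", flags)          # keep only the text inside <...>
            sub(/>.*/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == "PROMISC") print name
        }' | sort -u
}

# report_new_promisc BASELINE: compare the listing on stdin with the set of
# interfaces recorded in BASELINE, warn about any interface that has newly
# gone promiscuous, rewrite BASELINE, and return 1 if there was a warning.
report_new_promisc() {
    baseline=$1
    current=$(promisc_ifaces)
    [ -f "$baseline" ] || : > "$baseline"
    # comm needs sorted input; promisc_ifaces output and the baseline are both sorted.
    new=$(printf '%s\n' "$current" | sed '/^$/d' | comm -23 - "$baseline")
    printf '%s\n' "$current" | sed '/^$/d' > "$baseline"
    if [ -z "$new" ]; then
        return 0
    fi
    for i in $new; do
        printf 'WARNING: interface %s is now in promiscuous mode\n' "$i"
    done
    return 1
}

# Constructed sample listing (not captured from a real host) mixing the
# formats above; le0 and eth0 are in promiscuous mode, the others are not.
SAMPLE_LISTING='lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
le0: flags=163<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC> mtu 1500
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq
3: veth1@if5: <NO-CARRIER,BROADCAST,UP> mtu 1500'

case "${1:-}" in
    --live)
        # Real check for cron: prefer ifconfig -a, fall back to iproute2.
        # Baseline path is an assumption; pass your own as the 2nd argument.
        { ifconfig -a 2>/dev/null || ip -o link 2>/dev/null; } \
            | report_new_promisc "${2:-/var/tmp/promisc.baseline}"
        ;;
    "")
        # No arguments: show what the parser finds in the constructed sample.
        printf '%s\n' "$SAMPLE_LISTING" | promisc_ifaces
        ;;
esac
```

Run it from cron as `promisc-check.sh --live` and let cron mail the WARNING lines; the non-zero exit status also makes it usable from a monitoring wrapper. The first run seeds the baseline and will warn about anything already promiscuous, which is the moment to verify that list by hand. On a host where ifconfig does report the flag, a positive means only that the kernel's flag is set; it does not identify the process, so follow up with `snoop`-style process hunting (ps, lsof on the network device) before acting.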
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:55 CDT