Hello Everyone,

Thanks for your replies. Pretty educative, though they don't exactly solve the 
problems. Let me clarify a little bit further.

1. Tod, your suggestion though ideal, cannot be implemented. All developers need to be 
given the root account. 

2. Daniel and others who suggested I watch the MAC-->IP mappings... the problem is as 
follows:

     Machine A --> Spoofs MAC address of gateway --> Just poisons the cache of the CEO's machine

If it were to poison the entire network, it is possible for me to detect it from my 
machine. But if the spoofing were to poison just a specific machine, would it be 
possible to detect that? I really don't want to run arpwatch on just about every 
machine in my network, quite a few of which are Windows machines. (A short-term 
solution would be to fix the ARP address of the gateway in /etc/ethers so that no one 
can spoof the gateway? I haven't tried it yet, but would like to know your views on 
that idea.) 

In such a specific scenario where just a single machine of a user might be targeted, 
most of the options suggested (tcpdump, ettercap, snort) would probably not yield 
results (?). Am I right there? Though I did notice ettercap detects suspicious ARP 
activity if the entire network is flooded with fake ARP replies by the sniffer. 

Also, a few of the methods mentioned in the Robert Graham FAQ don't work
any longer. It is always possible to manually slog it out to detect if a
machine is in promiscuous mode. What I would ideally like to do is to
have some kind of program which lets a network admin know that a
machine is going into promiscuous mode. 

I too will keep looking and will let you people know if I find anything. 

With regards,
Dhar

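Added example (my own code, not from anyone in this thread): a host-side check for the targeted case above, where the poisoning never reaches the admin's sniffer. It pins the gateway's MAC on the monitored host, parses that host's own ARP table, and alerts when the gateway IP is re-mapped or when one MAC claims both the gateway and another host. The table text, addresses and MAC are constructed; on a Linux host you would feed it open('/proc/net/arp').read() from a periodic job.

```python
import re
from typing import Dict, List

# Constructed samples in Linux /proc/net/arp layout: before and after a poisoning event.
ARP_TABLE_CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.42     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""
ARP_TABLE_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.42     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC for completed entries (flag 0x2 = ATF_COM); skip header and incomplete rows."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if not (int(flags, 16) & 0x2) or not MAC_RE.match(mac):
            continue
        mapping[ip] = mac
    return mapping

def check_gateway(mapping: Dict[str, str], gateway_ip: str, pinned_mac: str) -> List[str]:
    """Alert if the gateway IP resolves to anything but the pinned MAC, or if the
    gateway's current MAC is also claimed by another host (a man-in-the-middle symptom)."""
    alerts: List[str] = []
    current = mapping.get(gateway_ip)
    if current is None:
        return alerts  # nothing cached yet; not evidence either way
    if current != pinned_mac.lower():
        alerts.append(f"gateway {gateway_ip} now maps to {current}, expected {pinned_mac.lower()}")
    others = [ip for ip, mac in mapping.items() if mac == current and ip != gateway_ip]
    if others:
        alerts.append(f"MAC {current} claimed by gateway and {', '.join(others)}")
    return alerts

if __name__ == "__main__":
    for label, table in (("clean", ARP_TABLE_CLEAN), ("poisoned", ARP_TABLE_POISONED)):
        print(label, check_gateway(parse_arp_table(table), "192.168.1.1", "00:11:22:33:44:55"))
```

Because the check runs on the potential victim rather than on a sniffer elsewhere, it sees unicast poisoning that tcpdump or ettercap on another segment would miss; the same pinned MAC is what a static /etc/ethers entry would enforce.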
