03-16-2014 11:49 PM - edited 03-10-2019 06:10 AM
Hi Cisco Expert,
Is there a signature that can detect sniffing of clear text data like passwords?
E.g. sniffing on HTTP and FTP applications.
Regards,
Jhun
03-19-2014 03:05 AM
As per my knowledge, the password would not be shared with the server, but a hash value of the user ID and password, since MD5 would be implemented!
03-19-2014 03:18 AM
You are right that these passwords are cleartext by default (not always with HTTP, but also hashed passwords should be protected).
What can you do on the IPS:
To sniff traffic the attacker has to insert itself as a man-in-the-middle. There are many possible ways to do that, but most of them are not possible to defeat with standard signatures.
The better way:
Implement a baseline switch-security. That is the right port-settings (access, port-security) for user-ports, DHCP-snooping, ARP-inspection and eventually Source-Guard. If you want to go even further you can think about implementing DOT1X, but that's much harder and most likely more expensive to implement than the things above.
With these security-measures in place you can protect your users against other users trying to become man-in-the-middle. But still a network-admin could sniff directly on the switches. For that you should move from cleartext-protocols like HTTP and FTP to encrypted versions HTTPS, SFTP and so on.
03-19-2014 08:56 PM
Thanks for the response, Karsten.
You mentioned "but most of them are not possible to defeat with standard signatures".
Are you saying that with Cisco IPS standard signatures, sniffing can be detected?
I looked at the signature list. Nothing seems related to sniffing of clear text.
Regards,
Jhun
03-20-2014 12:18 AM
It's not the sniffing itself that can be detected. But with signatures you can match on the activities of the attacker to make himself man-in-the-middle. For example the ARP traffic used in ARP-spoofing or DHCP-replies coming from addresses that are not the DHCP-server. But for that to work you need to have sensor-interfaces in all user-segments, which is ... well ... impossible?
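Added example (not part of the thread and not a Cisco IPS signature): a minimal Python sketch of the two checks described in the last reply, an IP whose ARP-advertised MAC changes and a DHCP reply from a server that is not on the allow-list. The event format, the addresses and the `AUTHORIZED_DHCP` allow-list are constructed assumptions standing in for what a sensor on one user segment would see.

```python
from collections import namedtuple

# Constructed event record: what a sensor on a user segment might log (assumption).
Event = namedtuple("Event", "ts kind src_mac src_ip")

# Assumed legitimate DHCP server for this segment (constructed values).
AUTHORIZED_DHCP = {("10.0.10.2", "02:00:00:00:00:02")}

# Constructed sample traffic, locally administered MACs only.
SAMPLE_EVENTS = [
    Event(1, "arp_reply", "02:00:00:00:00:01", "10.0.10.1"),    # gateway
    Event(2, "arp_reply", "02:00:00:00:00:50", "10.0.10.50"),   # user host
    Event(3, "dhcp_offer", "02:00:00:00:00:02", "10.0.10.2"),   # real DHCP server
    Event(4, "arp_reply", "02:00:00:00:00:66", "10.0.10.1"),    # gateway IP, new MAC
    Event(5, "dhcp_offer", "02:00:00:00:00:66", "10.0.10.66"),  # unknown DHCP server
    Event(6, "arp_reply", "02:00:00:00:00:50", "10.0.10.50"),   # unchanged binding
]

def detect_mitm_setup(events, authorized_dhcp=AUTHORIZED_DHCP):
    """Return alerts for ARP binding changes and DHCP replies from unknown servers."""
    bindings = {}  # IP -> first MAC seen claiming it
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "arp_reply":
            known = bindings.setdefault(ev.src_ip, ev.src_mac)
            if known != ev.src_mac:
                # Same IP now advertised by a different MAC: typical of ARP spoofing.
                alerts.append((ev.ts, "arp_binding_changed", ev.src_ip, known, ev.src_mac))
        elif ev.kind in ("dhcp_offer", "dhcp_ack"):
            if (ev.src_ip, ev.src_mac) not in authorized_dhcp:
                # Server-side DHCP message from a source that is not the DHCP server.
                alerts.append((ev.ts, "rogue_dhcp_reply", ev.src_ip, None, ev.src_mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_mitm_setup(SAMPLE_EVENTS):
        print(alert)
```

The binding table trusts the first MAC seen for each IP, so a legitimate change such as a replaced NIC or a gateway failover also raises an alert and needs triage.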