Using Nagios to Detect Network Sniffers


Normally, you wouldn't want your servers' network interfaces running in promiscuous mode.  If a network interface goes into promiscuous mode without a known reason, it could indicate that someone has planted some sort of sniffer or back door on your system.

One way to detect this condition is to run a "netstat -i" command on the server in question.  If a "P" shows up in the status column, then the card is running promiscuously.  But the problem with this is that we're depending on a program that might have been replaced with a trojaned version.  (A trojaned netstat might not show you the true status of the network interface.)  It would be better if we could monitor for this condition from an external source.


Installing nmap

We've written this plug-in to take advantage of the scripting capabilities that are built into the newest versions of nmap.  We can use the included "sniffer-detect.nse" script to build our plug-in.  You'll need to compile nmap yourself, because the old version of nmap in the rpmforge repository doesn't have scripting capabilities.

On the Nagios server, download the latest version of nmap from here:

	http://nmap.org/download.html

At the time of this writing, the current version is 6.01, and the file that you want to download is "nmap-6.01.tar.bz2".  (Be sure to check for the latest version.)

Untar this file, and cd into the resultant directory.  Then, compile and install with the standard commands:

	./configure
	make
	sudo make install

Note that during the "./configure" step, you may get a warning about a missing "libsvn1" library.  Don't let that concern you, because you won't need it.  (Besides, there doesn't seem to be one available for CentOS.)


Configure "sudo"

To detect promiscuous mode, you'll need to run the nmap script with root privileges.  Open "visudo", and give the nagios user root privileges for the nmap executable.  Your configuration can look something like this:

User_Alias NAGIOS = nagios,nagiocmd
Cmnd_Alias NAGIOSCOM = /sbin/service,/etc/rc.d/init.d/httpd,/usr/local/nagios/libexec/check_log,/usr/local/bin/nmap
Defaults:NAGIOS !requiretty
NAGIOS ALL=(ALL)        NOPASSWD: NAGIOSCOM

Note that we've also given the nagios user root privileges for other things as well.  You can leave those other entries out if you don't need them.


Creating the Plug-in Script

In the Nagios plug-ins directory, create the "check_promiscuous.sh" script.


#!/bin/bash
# Nagios plug-in: ask nmap's sniffer-detect script whether the target's
# network interface appears to be in promiscuous mode.
hostaddress=$1
if [ -z "$hostaddress" ]; then
        echo "UNKNOWN: usage: $0 <host address>"
        exit 3
fi
# Count the lines of nmap output that mention promiscuous mode (nmap needs root for this script).
promisc=$(sudo /usr/local/bin/nmap --script=sniffer-detect.nse "$hostaddress" | grep -c 'promiscuous')
if [ "$promisc" -gt 0 ]
then
        echo "WARNING:  This interface may be in promiscuous mode."
        exit 1
else
        echo "OK:  This interface does not seem to be in promiscuous mode."
        exit 0
fi


Ensure that the "nagios" user owns the file, and set the executable permission for the user.



Configuring the Nagios Server

Create the host definition in the standard manner:

define host {
        host_name                       Debian-5
        alias                           Debian-vm-nrpe
        address                         192.168.0.60
        parents                         cisco_business_switch
        use                             linux-server
        register                        1
} 


The command definition would look something like this:

define command {
        command_name                    check_promiscuous
        command_line                    $USER1$/check_promiscuous.sh $HOSTADDRESS$
        register                        1
}


(Note that there's no "-H" option switch for the host address; the script takes the address as its first positional argument.)


Finally, the service definition:

define service {
        host_name                       Debian-5
        service_description             Check Promiscuous Mode
        use                             generic-service
        check_command                   check_promiscuous
        register                        1
}



Testing

After reloading the Nagios daemon, you should see the status of the target host.



To test it, do something that would cause the interface on the target host to enter promiscuous mode.  (This could include starting up a virtual machine, starting Wireshark, etc.)  This should cause an alarm to be generated.



Note that this plug-in has been successfully tested against both Linux and Windows hosts.


A Caveat

It's important to note that this plug-in will give you false alarms under certain circumstances.  If you run it against a host that either has virtual IP addresses on an interface, or that's hosting a virtualized environment, this plug-in will show it as being in promiscuous mode.
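The following is an added example, not the plug-in from this page or anything shipped with nmap or Nagios.  It separates the scan from the evaluation of its output so the evaluation can be exercised on constructed sample text, maps results onto the standard Nagios exit codes (OK, WARNING, UNKNOWN), reports UNKNOWN when nmap produced nothing or the host was down instead of silently reporting OK, and keeps an allow-list of hosts that are known to trip the virtual-IP / virtualization false alarm described above.  The host addresses in the allow-list and the sample nmap output are constructed for the example; the "Likely in promiscuous mode" phrase follows the output shape documented for sniffer-detect.nse, but your deployment should be checked against the output of your own nmap version.

```shell
#!/bin/bash
# Added example (not the original plug-in): evaluate nmap sniffer-detect output
# with explicit Nagios exit codes and an allow-list for known false positives.

# Standard Nagios plug-in return codes.
STATE_OK=0
STATE_WARNING=1
STATE_UNKNOWN=3

# Hosts that legitimately appear promiscuous (VM hosts, virtual IPs).
# Constructed list for this example; replace with your own addresses.
KNOWN_PROMISC_HOSTS="192.168.0.10 192.168.0.11"

# Return 0 if the address in $1 is on the allow-list, 1 otherwise.
is_known_promisc_host() {
    for h in $KNOWN_PROMISC_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# evaluate_scan HOST NMAP_OUTPUT
# Prints one Nagios status line and returns the matching exit code.
evaluate_scan() {
    host=$1
    output=$2
    if [ -z "$output" ]; then
        echo "UNKNOWN: no output from nmap for $host (sudo or nmap failure?)"
        return "$STATE_UNKNOWN"
    fi
    # nmap reports "(0 hosts up)" when the target did not respond at all.
    if printf '%s\n' "$output" | grep -q '0 hosts up'; then
        echo "UNKNOWN: $host did not respond to the scan"
        return "$STATE_UNKNOWN"
    fi
    # sniffer-detect mentions "promiscuous" only when it believes it found a sniffer.
    if printf '%s\n' "$output" | grep -q 'sniffer-detect:.*promiscuous'; then
        if is_known_promisc_host "$host"; then
            echo "OK: $host looks promiscuous but is on the known-virtualization list"
            return "$STATE_OK"
        fi
        echo "WARNING: $host interface may be in promiscuous mode"
        return "$STATE_WARNING"
    fi
    echo "OK: $host does not seem to be in promiscuous mode"
    return "$STATE_OK"
}

# check_promiscuous HOST: run the real scan (needs the sudo rule from above)
# and evaluate it.  Not invoked here so the file runs without nmap installed.
check_promiscuous() {
    scan=$(sudo /usr/local/bin/nmap --script=sniffer-detect.nse "$1" 2>&1)
    evaluate_scan "$1" "$scan"
}

# Demonstration on constructed sample output; no scan is performed.
SAMPLE_PROMISC='Nmap scan report for 192.168.0.60
Host is up (0.00021s latency).
Host script results:
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111")
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds'
evaluate_scan 192.168.0.60 "$SAMPLE_PROMISC"
```

To deploy it as the plug-in, add a final line `check_promiscuous "$1"; exit $?` in place of the demonstration and keep the command definition from above unchanged; the evaluation function is the part worth testing on captured nmap output from hosts you know to be virtualized before trusting the alarms.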