Using Nagios to Detect Network Sniffers
Server - Nagios


Normally, you wouldn't want to have your servers' network interfaces running in promiscuous mode.  If a network interface does go into promiscuous mode without a known reason, it could indicate that someone has planted some sort of sniffer or back door on your system.


One way to detect this condition is to run a "netstat -i" command on the server in question.  If a "P" shows up in the status column, then the card is running promiscuously.  But the problem with this is that we're depending on a program that might have been replaced with a trojaned version.  (A trojaned version of netstat might not let you see the true status of the network interface.)  It would be better if we could monitor for this condition from an external source.




Installing nmap



We've written this plug-in to take advantage of the scripting capabilities that are built into the newest versions of nmap.  We can use the included "sniffer-detect.nse" script to build our plug-in.  You'll need to compile nmap yourself, because the old version of nmap that's in the rpmforge repository doesn't have scripting capabilities.



On the Nagios server, download the latest version of nmap from here:



	http://nmap.org/download.html



At the time of this writing, the current version is 6.01, and the file that you want to download is "nmap-6.01.tar.bz2".  (Be sure to check for the latest version.)



Untar this file, and cd into the resultant directory.  Then, compile and install with the standard commands:



	./configure
	make
	sudo make install



Note that during the "./configure" step, you may get a warning about a missing "libsvn1" library.  Don't let that concern you, because you won't need it.  (Besides, there doesn't seem to be one available for CentOS.)





Configure "sudo"



To detect promiscuous mode, you'll need to run the nmap script with root privileges.  Run "visudo", and give the nagios user root privileges for the nmap executable.  Your configuration can look something like this:



User_Alias NAGIOS = nagios,nagiocmd
Cmnd_Alias NAGIOSCOM = /sbin/service,/etc/rc.d/init.d/httpd,/usr/local/nagios/libexec/check_log,/usr/local/bin/nmap
Defaults:NAGIOS !requiretty
NAGIOS ALL=(ALL)        NOPASSWD: NAGIOSCOM



Note that we've also given the nagios user root privileges for other things, as well.  You can leave those other things out if you don't need them.





Creating the Plug-in Script



In the Nagios plug-ins directory, create the "check_promiscuous.sh" script.





#!/bin/bash
# Nagios plug-in: warn if the target host's interface appears to be in promiscuous mode.
hostaddress=$1
if [ -z "$hostaddress" ]
then
        echo "UNKNOWN:  No host address given."
        exit 3
fi
# Count the lines in which nmap's sniffer-detect script reports promiscuous mode.
promisc=$(sudo /usr/local/bin/nmap --script=sniffer-detect.nse "$hostaddress" | grep -c 'promiscuous')
# Nagios expects 0 (OK) or 1 (WARNING) here, not the raw line count.
if [ "$promisc" -gt 0 ]
then
        echo "WARNING:  This interface may be in promiscuous mode."
        exit 1
else
        echo "This interface does not seem to be in promiscuous mode."
        exit 0
fi





Ensure that the "nagios" user owns the file, and set the executable permission for the user.
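As an added example (not code from the original page or the plug-in above), the following shell function classifies the output of one "nmap --script=sniffer-detect.nse" run into a Nagios state, so that a scan that never completed (missing sudo rule, nmap not found, target host down) is reported as UNKNOWN rather than as a green "not promiscuous".  The sample outputs are constructed, not captured from a real scan, and the format of the sniffer-detect result line is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): turn the output of one
# "nmap --script=sniffer-detect.nse <host>" run into a Nagios state, so
# that a scan that never completed does not show up as a green "OK".

# Nagios plug-in return codes.
OK=0; WARNING=1; UNKNOWN=3

# Reads nmap's stdout on stdin, prints a one-line status and returns the
# Nagios code: no "Nmap done:" summary (nmap or sudo failed) -> UNKNOWN,
# target host down -> UNKNOWN, "promiscuous" reported -> WARNING, else OK.
classify_sniffer_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'Nmap done:'; then
        echo "UNKNOWN: nmap did not complete (sudo rule missing or nmap not found?)"
        return $UNKNOWN
    fi
    if printf '%s\n' "$out" | grep -q '0 hosts up'; then
        echo "UNKNOWN: target did not respond, so promiscuous mode could not be tested"
        return $UNKNOWN
    fi
    if printf '%s\n' "$out" | grep -qi 'promiscuous'; then
        echo "WARNING: this interface may be in promiscuous mode"
        return $WARNING
    fi
    echo "OK: this interface does not seem to be in promiscuous mode"
    return $OK
}

# Constructed sample outputs (not captured from a real scan); the
# sniffer-detect result line is assumed to contain the word "promiscuous".
SAMPLE_PROMISC='Nmap scan report for 192.168.0.60
Host is up (0.00021s latency).
Host script results:
| sniffer-detect: Likely in promiscuous mode (tests: "11111111")
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds'
SAMPLE_CLEAN='Nmap scan report for 192.168.0.60
Host is up (0.00019s latency).
Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds'
SAMPLE_DOWN='Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds'

# Offline demonstration: each sample prints its status line (WARNING, OK, UNKNOWN).
for sample in "$SAMPLE_PROMISC" "$SAMPLE_CLEAN" "$SAMPLE_DOWN"; do
    printf '%s\n' "$sample" | classify_sniffer_output || :
done
```

In the real plug-in, the pipeline would be sudo /usr/local/bin/nmap --script=sniffer-detect.nse "$1" | classify_sniffer_output, and the function's return value becomes the plug-in's exit code.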







Configuring the Nagios Server



Create the host definition in the standard manner:



define host {
        host_name                       Debian-5
        alias                           Debian-vm-nrpe
        address                         192.168.0.60
        parents                         cisco_business_switch
        use                             linux-server
        register                        1
}





The command definition would look something like this:



define command {
        command_name                    check_promiscuous
        command_line                    $USER1$/check_promiscuous.sh $HOSTADDRESS$
        register                        1
}





(Note that there's no "-H" option switch for the host address.)





Finally, the service definition:



define service {
        host_name                       Debian-5
        service_description             Check Promiscuous Mode
        use                             generic-service
        check_command                   check_promiscuous
        register                        1
}







Testing



After reloading the Nagios daemon, you should see the status of the target host.







To test it, do something that would cause the interface on the target host to enter promiscuous mode.  (This could include starting up a virtual machine, starting Wireshark, etc.)  This should cause an alarm to be generated.







Note that this plug-in has been successfully tested against both Linux and Windows hosts.





A Caveat



It's important to note that this plug-in will give you false alarms under certain circumstances.  If you run this against a host that either has virtual IP addresses on an interface, or that's hosting a virtualized environment, this plug-in will show it as being in promiscuous mode.