Cisco Support Community
Community Member

Signature to detect sniffing of clear text data

Hi Cisco Expert,


Is there a signature that can detect sniffing of clear-text data like passwords?

E.g. sniffing on HTTP and FTP applications.






As per knowledge, the password would not be shared with the server, but a hash value of the user ID and password, since MD5 would be implemented!!

VIP Purple


You are right that these passwords are cleartext by default (not always with HTTP, but also hashed passwords should be protected).

What can you do on the IPS:

To sniff traffic the attacker has to insert itself as a man-in-the-middle. There are many possible ways to do that, but most of them are not possible to defeat with standard signatures. 

The better way:

Implement baseline switch security. That means the right port settings (access, port-security) for user ports, DHCP snooping, ARP inspection and eventually IP Source Guard. If you want to go even further you can think about implementing DOT1X, but that's much harder and most likely more expensive to implement than the things above.

With these security measures in place you can protect your users against other users trying to become man-in-the-middle. But still a network admin could sniff directly on the switches. For that you should move from clear-text protocols like HTTP and FTP to encrypted versions such as HTTPS, SFTP and so on.

Community Member


Thanks for the response, Karsten.

You mentioned "but most of them are not possible to defeat with standard signatures".

Are you saying that with Cisco IPS standard signatures, sniffing can be detected?

I looked at the signature list. Nothing seems related to sniffing of clear text.



VIP Purple


It's not the sniffing itself that can be detected. But with signatures you can match on the activities of the attacker to make himself man-in-the-middle. For example the ARP traffic used in ARP spoofing, or DHCP replies coming from addresses that are not the DHCP server. But for that to work you need to have sensor interfaces in all user segments, which is ... well ... impossible?
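An illustration of the two indicators Karsten names, ARP replies that change an IP-to-MAC binding and DHCP server replies from a host other than the known DHCP server, written as toy sensor logic over a constructed event list. This is an added example, not code from the thread or from any Cisco product; the trusted server address, the event field names and the sample events are all assumptions.

```python
"""Toy sensor logic for the two man-in-the-middle indicators discussed above:
an ARP reply that moves an IP to a different MAC, and a DHCP offer/ack from a
server that is not the known DHCP server. Events are constructed dicts, not
real packet captures."""
from dataclasses import dataclass, field

TRUSTED_DHCP_SERVERS = {"10.0.0.2"}  # assumption: the only legitimate DHCP server


@dataclass
class MitmDetector:
    trusted_dhcp: set = field(default_factory=lambda: set(TRUSTED_DHCP_SERVERS))
    arp_table: dict = field(default_factory=dict)  # ip -> first MAC seen claiming it

    def inspect(self, ev):
        """Return an alert string if the event looks like MITM setup, else None."""
        if ev["proto"] == "arp" and ev["op"] == "reply":
            # Keep the first learned binding as the baseline; a later reply
            # claiming the same IP from another MAC is the ARP-spoofing pattern.
            prev = self.arp_table.setdefault(ev["sender_ip"], ev["sender_mac"])
            if prev != ev["sender_mac"]:
                return (f"ARP spoofing: {ev['sender_ip']} moved from {prev} "
                        f"to {ev['sender_mac']}")
        elif ev["proto"] == "dhcp" and ev["msg"] in ("offer", "ack"):
            # Server-side DHCP messages may only come from the trusted server.
            if ev["server_ip"] not in self.trusted_dhcp:
                return f"rogue DHCP {ev['msg']} from {ev['server_ip']} ({ev['src_mac']})"
        return None


def scan(events, trusted=TRUSTED_DHCP_SERVERS):
    """Run every event through one detector and collect the alerts in order."""
    det = MitmDetector(set(trusted))
    return [alert for alert in map(det.inspect, events) if alert]


# Constructed sample: the gateway 10.0.0.1 is first seen at aa:..:01, then a
# second host claims it; a DHCP offer also arrives from an unknown server.
SAMPLE_EVENTS = [
    {"proto": "arp", "op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    {"proto": "dhcp", "msg": "offer", "server_ip": "10.0.0.2", "src_mac": "aa:aa:aa:aa:aa:02"},
    {"proto": "arp", "op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "cc:cc:cc:cc:cc:99"},
    {"proto": "dhcp", "msg": "offer", "server_ip": "10.0.0.99", "src_mac": "cc:cc:cc:cc:cc:99"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

A changed ARP binding is only an indicator: a replaced NIC or a lease moving to another host produces the same event, and, as noted above, the detector only sees the segment its sensor interface is attached to.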
