Snort mailing list archives

Re: dsniff signatures

From: "patrick.n.fitzgerald.1" <pfitzge1 () purdue edu>
Date: Fri, 17 Aug 2001 18:38:51 -0500 (EST)


I'm not sure if it is part of dsniff, but there are at least two packages
available for detecting promiscuous interfaces.
AntiSniff:
http://www.securitysoftwaretech.com/antisniff/
-and-
Sentinel:
http://www.packetfactory.net/Projects/sentinel/

Both products use a variety of active techniques to detect promiscuous
interfaces.

On Fri, 17 Aug 2001, Jim Hankins wrote:

While some of the utilities do indeed only listen there are others
within the suite which are used prior to using the passive utilities
that indeed do actively participate.  dnsspoof, macof and the man in the
middle utilities.  There should be something that can be done in those
instances.   Also is there some way of detecting a promiscous interface
as well?


Tom Sevy wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If it (dsniff modules) just listen, there won't be a pattern to
detect, will there?

- -----Original Message-----
From: Jim Hankins [mailto:jhankins () hankinsbay com]
Sent: Friday, August 17, 2001 12:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] dsniff signatures

Does anyone have any signatures that would detect the presense of any
of
the dsniff suite?  Any help would be greatly appreciated.

- --
Jim Hankins
http://www.hankinsbay.com
jhankins () hankinsbay com
810-716-8480

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO31Va+7D48MxrkMGEQIyFwCg/BcdvzHRY0+IZRH9mYgd0q1w4HoAoPKq
X6EF3NT3pr47RZPLMCrRW5TY
=JUXh
-----END PGP SIGNATURE-----


--
Jim Hankins
http://www.hankinsbay.com
jhankins () hankinsbay com
810-716-8480




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
"BUGS
     Flood pinging the broadcast address is not recommended." -- ping(1)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

dsniff signatures Jim Hankins (Aug 16)
- <Possible follow-ups>
- Re: dsniff signatures Jim Hankins (Aug 17)
  - Re: dsniff signatures patrick.n.fitzgerald.1 (Aug 17)