Snort mailing list archives
RE: What machine is that... Anyway?
From: "Chris Eidem" <jceidem () dexma com>
Date: Fri, 31 Aug 2001 11:23:58 -0500
Well, it would seem to me that if it has an unknown address on your network, you've already spotted it. You would really need something like nmap to make a stab at what type of OS is running on it.

If you are looking for machines in promiscuous mode there are many tools out there to detect them.

http://www.securitysoftwaretech.com/antisniff/download.html
http://www.packetfactory.net/Projects/sentinel/
http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html

You could run something like arpwatch to see if someone's trying to poison your arp cache and pretend they're the gateway to attract all the traffic.

Snort will just look at messages on the wire and notify you if there is some suspicious traffic.

chris

-----Original Message-----
From: JC Rodz [mailto:nyjcr () hotmail com]
Sent: Friday, August 31, 2001 8:42 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] What machine is that... Anyway?

Hello all,

Sorry if this is a dumb question... I'm new to snort...

Can I, using snort, detect unauthorized machines on my network... Like Linux machines. Is there a rule that I can use to "scan the network" to identify where a packet came from, i.e. Winnt, Solaris or Linux? Or is there a non-intrusive tool that I can use....

Thank you,
JC

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
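
The IP-to-MAC watching that the reply above suggests running arpwatch for, as an added example that is not part of the original thread and is not arpwatch's code: it flags stations not in a known inventory and any change of the MAC address claiming the gateway's IP. The addresses, event names and sample ARP replies are constructed for illustration.

```python
from typing import NamedTuple, Optional

class ArpReply(NamedTuple):
    ts: int    # capture time in seconds
    ip: str    # sender protocol address from the ARP reply
    mac: str   # sender hardware address from the ARP reply

class Event(NamedTuple):
    ts: int
    kind: str               # "new-station", "changed-mac" or "flip-flop"
    ip: str
    old_mac: Optional[str]
    new_mac: str
    gateway: bool           # True when the binding is for the gateway's IP

def watch_bindings(replies, known, gateway_ip):
    """Track IP->MAC bindings and report every departure from them."""
    table = {ip: mac.lower() for ip, mac in known.items()}
    previous = {}           # last MAC that was replaced, per IP
    events = []
    for r in replies:
        mac = r.mac.lower()
        current = table.get(r.ip)
        if current == mac:
            continue                      # binding unchanged, nothing to report
        if current is None:
            kind = "new-station"          # address never seen: unknown machine
        elif previous.get(r.ip) == mac:
            kind = "flip-flop"            # two MACs alternating for one IP
        else:
            kind = "changed-mac"          # first time this IP moves to a new MAC
        events.append(Event(r.ts, kind, r.ip, current, mac, r.ip == gateway_ip))
        if current is not None:
            previous[r.ip] = current
        table[r.ip] = mac
    return events

# Constructed inventory and traffic (documentation address ranges).
GATEWAY = "192.0.2.1"
KNOWN = {GATEWAY: "00:00:5e:00:53:01", "192.0.2.10": "00:00:5e:00:53:10"}
SAMPLE = [
    ArpReply(1, "192.0.2.10", "00:00:5e:00:53:10"),  # known host, no event
    ArpReply(2, "192.0.2.77", "00:00:5e:00:53:77"),  # machine not in inventory
    ArpReply(3, GATEWAY, "00:00:5e:00:53:77"),       # same MAC now claims gateway
    ArpReply(4, GATEWAY, "00:00:5e:00:53:01"),       # real gateway answers again
    ArpReply(5, GATEWAY, "00:00:5E:00:53:77"),       # contested binding continues
]

if __name__ == "__main__":
    for event in watch_bindings(SAMPLE, KNOWN, GATEWAY):
        print(event)
```

A "changed-mac" or "flip-flop" event with gateway set is the one to page on; a "new-station" event only says an address outside the inventory has appeared.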