Snort mailing list archives
Re: detecting a sniff application
From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Wed, 10 Jul 2002 10:14:53 -0400
One way you might be able to do it is to watch DNS traffic. The assumption is that the sniffer has DNS name resolution switched on. You look at the counts for all machines, and the one with the most DNS traffic other than a DNS server is probably sniffing. This would mean that you have a sensor between the sniffer and the DNS server.

Ian

----- Original Message -----
From: Wissam Halawani
To: snort-users () lists sourceforge net
Sent: Tuesday, July 09, 2002 3:47 PM
Subject: [Snort-users] detecting a sniff application

Hello, is Snort capable of detecting a sniff application on a network or an Internet segment? Is it capable of detecting whether someone is intruding or sniffing a DSL line for an internet user?
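The counting heuristic from the reply above, as an added example that is not part of the original thread: it tallies DNS queries per source host in tcpdump-style text, leaves out known DNS servers, and reports the top talker. The sample lines, addresses and function names are constructed; the separate PTR (reverse lookup) tally goes beyond the post, on the assumption that a sniffer with name resolution on looks up the addresses it captures.

```python
import re
from collections import Counter

# Constructed tcpdump-style sample (not real traffic). 192.168.1.2 is the DNS server.
SAMPLE = """\
10:14:01.10 IP 192.168.1.23.1042 > 192.168.1.2.53: 4011+ PTR? 5.1.168.192.in-addr.arpa. (42)
10:14:01.11 IP 192.168.1.2.53 > 192.168.1.23.1042: 4011 NXDomain 0/1/0 (97)
10:14:01.40 IP 192.168.1.10.1310 > 192.168.1.2.53: 220+ A? www.example.com. (33)
10:14:01.41 IP 192.168.1.2.1025 > 10.0.0.53.53: 9001+ A? www.example.com. (33)
10:14:02.02 IP 192.168.1.23.1042 > 192.168.1.2.53: 4012+ PTR? 10.1.168.192.in-addr.arpa. (43)
10:14:02.70 IP 192.168.1.11.1200 > 192.168.1.2.53: 77+ A? mail.example.com. (34)
10:14:03.15 IP 192.168.1.23.1042 > 192.168.1.2.53: 4013+ PTR? 11.1.168.192.in-addr.arpa. (43)
10:14:03.90 IP 192.168.1.10.1311 > 192.168.1.2.53: 221+ A? ftp.example.com. (33)
10:14:04.20 IP 192.168.1.23.1042 > 192.168.1.2.53: 4014+ PTR? 7.2.0.192.in-addr.arpa. (40)
10:14:04.80 IP 192.168.1.23.1042 > 192.168.1.2.53: 4015+ PTR? 9.2.0.192.in-addr.arpa. (40)
"""

# Matches only queries sent to port 53; responses (source port 53) do not match.
QUERY = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+)"
)

def dns_query_counts(lines, dns_servers):
    """Return (all queries, PTR queries) per source, skipping known DNS servers."""
    total, ptr = Counter(), Counter()
    for line in lines:
        m = QUERY.search(line)
        if not m or m["src"] in dns_servers:
            continue  # not a query, or a resolver forwarding on behalf of clients
        total[m["src"]] += 1
        if m["qtype"] == "PTR":
            ptr[m["src"]] += 1
    return total, ptr

def likely_sniffer(lines, dns_servers):
    """Top non-server DNS talker as (host, queries, ptr_queries), or None."""
    total, ptr = dns_query_counts(lines, dns_servers)
    if not total:
        return None
    host, count = total.most_common(1)[0]
    return host, count, ptr[host]

if __name__ == "__main__":
    print(likely_sniffer(SAMPLE.splitlines(), {"192.168.1.2"}))
```

The top talker is a candidate to investigate, not a verdict: mail servers, proxies and logging hosts also generate heavy lookup traffic, and a sniffer run with name resolution off produces none.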