Snort mailing list archives

Re: detecting a sniff application


From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Wed, 10 Jul 2002 10:14:53 -0400

One way you might be able to do it is to watch DNS traffic. The assumption is that the sniffer has DNS name resolution switched on. You look at the counts for all machines, and the one with the most DNS traffic other than a DNS server is probably sniffing. This would mean that you have a sensor between the sniffer and the DNS server.

Ian
  ----- Original Message ----- 
  From: Wissam Halawani 
  To: snort-users () lists sourceforge net 
  Sent: Tuesday, July 09, 2002 3:47 PM
  Subject: [Snort-users] detecting a sniff application


  Hello,

  Is Snort capable of detecting a sniff application on a network, or an Internet segment?
  Is it capable of detecting whether someone is intruding or sniffing a DSL line for an Internet user?
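
The counting heuristic from the reply above, as an added example that is not part of the original thread: it tallies DNS queries per source host from tcpdump-style text lines, skips the known DNS servers, and flags hosts far above the median. The function names, the sample addresses and the 5x-median threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import median

# Matches tcpdump-style DNS query lines: "IP <src>.<sport> > <dst>.53: <id>+ <type>? ..."
QUERY = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > \d+(?:\.\d+){3}\.53: \d+\+? \w+\? ")

def dns_query_counts(lines, dns_servers):
    """Count DNS queries per source host, skipping the known DNS servers."""
    counts = Counter()
    for line in lines:
        m = QUERY.search(line)
        if m and m.group(1) not in dns_servers:
            counts[m.group(1)] += 1
    return counts

def likely_sniffers(counts, factor=5):
    """Hosts whose query count is at least `factor` times the median (assumed threshold)."""
    if not counts:
        return []
    threshold = factor * max(median(counts.values()), 1)
    return sorted(host for host, n in counts.items() if n >= threshold)

def _line(src, dst, qtype, name):
    # Builds one constructed capture line; timestamp, port and query id are arbitrary.
    return f"10:14:01.000000 IP {src}.1025 > {dst}.53: 7+ {qtype}? {name} (40)"

# Constructed sample traffic (not from the thread). 192.168.1.2 is the DNS server.
DNS_SERVERS = {"192.168.1.2"}
SAMPLE = (
    [_line("192.168.1.10", "192.168.1.2", "A", "www.example.com.")] * 2
    + [_line("192.168.1.11", "192.168.1.2", "A", "mail.example.com.")] * 3
    + [_line("192.168.1.12", "192.168.1.2", "A", "www.example.org.")] * 2
    # The server forwarding upstream: busy, but excluded from the ranking.
    + [_line("192.168.1.2", "198.51.100.53", "A", "www.example.com.")] * 20
    # A host resolving a name for every address it sees on the wire.
    + [_line("192.168.1.66", "192.168.1.2", "PTR", f"{i}.1.168.192.in-addr.arpa.")
       for i in range(1, 16)]
)

if __name__ == "__main__":
    counts = dns_query_counts(SAMPLE, DNS_SERVERS)
    for host, n in counts.most_common():
        print(f"{host:15} {n}")
    print("likely sniffing:", likely_sniffers(counts))
```

Mail relays and web proxies also generate heavy DNS traffic, so they belong in the excluded set alongside the DNS servers.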
