[Snort-users] detecting a sniff application

Ian Macdonald secsnort at ...5528...
Wed Jul 10 07:16:01 EDT 2002


One way you might be able to do it is to watch DNS traffic. The assumption is that the snuffer has dns name resolution switched on. You look at the counts for all machines and the one with most dns traffic other than a dns server is probably sniffing. This would mean that you have a sensor between the sniffer and the dns server.

Ian
  ----- Original Message ----- 
  From: Wissam Halawani 
  To: snort-users at lists.sourceforge.net 
  Sent: Tuesday, July 09, 2002 3:47 PM
  Subject: [Snort-users] detecting a sniff application


  Hello,

  is Snort capable of detecting a sniff application on a network, or an Internet segment. 
  Is it capable of detecting whether someone is intruding or sniffing a DSL line for an internet user?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020710/7471c91b/attachment.html>


More information about the Snort-users mailing list