If there is no agent on that machine, ossec cannot detect that it is
running a sniffer.
There have been some techniques for finding sniffers posted on the
net; I don't know if any of them are still valid or if there are any
tools for using them, though. If there are, you might be able to get
some kind of useful log out of them and feed that to ossec.

On Thu, Apr 15, 2010 at 11:29 AM, Saeid Ansaripour <[email protected]> wrote:
> What if the computer that does the sniffing is not one of my ossec agents?
> In other words, what happens if somebody tries to sniff my network?
>
> On Wed, Apr 14, 2010 at 8:29 PM, dan (ddp) <[email protected]> wrote:
>>
>> It can tell when an agent's interface goes into promisc mode. But if
>> the machine isn't an agent, it won't be able to tell.
>>
>> On Wed, Apr 14, 2010 at 4:06 PM, Saeid Ansaripour <[email protected]>
>> wrote:
>> > Does anybody know if ossec can detect sniffers?
>
>
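
Added example, not part of the thread and not OSSEC's own code: a local check for the promiscuous-mode condition discussed above, which reads each interface's flags word from Linux sysfs and tests the `IFF_PROMISC` bit (0x100). The function names, the sample flag values and the log line format are assumptions made for illustration; the output is meant as the kind of log a host could produce for a log monitor to pick up.

```python
import os

IFF_PROMISC = 0x100  # bit value from Linux <linux/if.h>


def promisc_interfaces(flags_by_iface):
    """Return sorted interface names whose flags word has IFF_PROMISC set.

    flags_by_iface maps interface name -> raw text of its sysfs 'flags'
    file (a hex string such as '0x1103'). Unparseable entries are skipped.
    """
    hits = []
    for name, raw in flags_by_iface.items():
        try:
            flags = int(raw.strip(), 16)
        except ValueError:
            continue
        if flags & IFF_PROMISC:
            hits.append(name)
    return sorted(hits)


def read_sysfs_flags(root="/sys/class/net"):
    """Collect the flags word of every interface under root (Linux only)."""
    found = {}
    if not os.path.isdir(root):
        return found
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                found[name] = fh.read()
        except OSError:
            continue  # interface vanished or file unreadable
    return found


def log_lines(hits, host="agent1"):
    """Format one line per promiscuous interface (hypothetical format)."""
    return [f"promisc-check: host={host} iface={n} state=promiscuous"
            for n in hits]


# Constructed sample: eth0 has bit 0x100 set, the others do not.
SAMPLE = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n", "bad": "n/a"}

if __name__ == "__main__":
    for line in log_lines(promisc_interfaces(read_sysfs_flags())):
        print(line)
```

As the thread notes, a check like this only sees interfaces on the host where it runs; it says nothing about a machine that has no agent.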
