You will need some additional software on the box doing the sniffing. At the
very least, an application that detects the presence of sniffing binaries,
Microsoft Configuration Manager for instance.

If you are worried about a rogue workstation being connected (or laptop),
then you will need NAC/NAP to prevent that system functioning on your
network. 2008 server can handle this, as well as Cisco and others.


On Fri, Apr 16, 2010 at 3:02 AM, dan (ddp) <[email protected]> wrote:

> If there is no agent on that machine, ossec cannot detect that it is
> running a sniffer.
> There have been some techniques for finding sniffers posted on the
> net, I don't know if any of them are still valid or if there are any
> tools for using them though. If there are, you might be able to get
> some kind of useful log out of them and feed that to ossec.
>
> On Thu, Apr 15, 2010 at 11:29 AM, Saeid Ansaripour <[email protected]>
> wrote:
> > What if the computer that does the sniffing is not part of my ossec agents,
> > in other words, what happens if somebody tries to sniff my network?
> >
> > On Wed, Apr 14, 2010 at 8:29 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> It can tell when an agent's interface goes into promisc mode. But if
> >> the machine isn't an agent, it won't be able to tell.
> >>
> >> On Wed, Apr 14, 2010 at 4:06 PM, Saeid Ansaripour <[email protected]>
> >> wrote:
> >> > Does anybody know if ossec can detect sniffers?
> >
> >
>
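
As an added example that is not part of the original thread or of OSSEC itself: a host-side check of the kind an agent can perform, replaying kernel log lines to find interfaces left in promiscuous mode and decoding the IFF_PROMISC bit from `/sys/class/net/<iface>/flags`. The log lines, host name and interface names are constructed, and the two kernel message wordings matched are assumptions about the hosts being monitored.

```python
import re

IFF_PROMISC = 0x100  # interface flag bit defined in <linux/if.h>

# Assumed message forms: the classic "device eth0 entered promiscuous mode"
# and the newer "eth0: entered promiscuous mode".
PROMISC_RE = re.compile(
    r"(?:device\s+)?([\w.\-]+):?\s+(entered|left) promiscuous mode")


def flags_promisc(flags_text):
    """Decode the hex string read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(log_lines):
    """Replay kernel log lines; return interfaces still promiscuous at the end."""
    active = set()
    for line in log_lines:
        m = PROMISC_RE.search(line)
        if not m:
            continue  # unrelated log line
        iface, action = m.groups()
        if action == "entered":
            active.add(iface)
        else:
            active.discard(iface)  # a capture that stopped cleanly
    return sorted(active)


# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG = [
    "Apr 14 20:29:01 agent1 kernel: [  812.114] device eth0 entered promiscuous mode",
    "Apr 14 20:29:40 agent1 sshd[2211]: Accepted publickey for admin from 192.0.2.10",
    "Apr 14 20:31:07 agent1 kernel: [  938.502] device eth0 left promiscuous mode",
    "Apr 14 20:45:19 agent1 kernel: [ 1790.030] device eth1 entered promiscuous mode",
    "Apr 14 21:02:33 agent1 kernel: [ 2824.771] br0: entered promiscuous mode",
]

if __name__ == "__main__":
    print("still promiscuous:", promisc_interfaces(SAMPLE_LOG))
    print("flags 0x1103 promiscuous:", flags_promisc("0x1103"))
```

Bridge members and hosts running legitimate capture tools also enter promiscuous mode, so the result is a list to review against known-good interfaces rather than an alert on its own.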
