Quote:
Originally posted by DigitalMDX
Yes, this is true... This is an intrusion detection program, not a machine monitor program. We are concerned with where the unfriendly MAC address is going and what he is up to, not really with what his buddy is replying back to him with AOL instant messenger. This could change, however it would be more burden on the program to track this also.
|
Hmmm... I think knowing who or what is on the other end might be useful, in evaluating what is happening, the degree of threat it poses.
Quote:
hmmm... would you accept putting AirSnare into one of two modes? like, AirSnare mode... would work the way it does now, watches for ALL unfriendly MAC addresses and AirMonitor Mode, where it would watch the activity to and from a SINGLE MAC address? I might be able to do something like that...
|
I don't think I would want to give up the AirSnare mode. Is it really that hard to watch traffic in both directions?
Quote:
OK, I can do this but if you're not around and this thing is running over the weekend it could fill up fast, do you want a limit on the log size also? Also, I will consider the ability to save the log to a different directory.
That could be done, but the problem is *what* do you trigger the event on? This isn't looking for a specific packet (like the NetStumbler detection), it's looking at everything within a TCP and UDP packet, the event would be firing constantly.
|
If you could limit the log size that would be good, would it be possible to set it up so that it is saving the most recent, and trashing the oldest?
As to what should trigger it, I was thinking, when the screen turns red, it triggers, and doesn't go off again until the screen is reset.
Quote:
It shows DHCP requests for all unfriendly MAC addresses... do you want 1) to show ALL DHCP requests from both friendly and unfriendly? or 2) option to sound a WAV file on a DHCP request and if so from who? Friendly or unfriendly?
|
I would like to see as an option all DHCP requests from both friendly and unfriendly MAC addresses. With the option to play a sound file on a friendly DHCP request, and a different sound file on an unfriendly request. So we could see unfriendly requests only, and play a warning. Or unfriendly & friendly with two different sound files.
Quote:
Wow... could you explain why? Even if nobody is on that machine and it is just sitting there without ANY visible programs running there will still be network traffic to and from that machine, this is normal. This would also trigger an alert if it was 'untrusted'.
|
Perhaps this is due to the corporation where I worked and how I was brought up. But I'm of the old school where if you're not using the PC, turn it off. So after hours it should not be on, and not be generating traffic. If it is, something is wrong. In the home environment, perhaps the kids are allowed to use the computer till 9 or 10 pm, after that it should be off.
As always thanks for the great program.
Grey