Snort mailing list archives
Re: Only *nix alerts?
From: Keg <snrtlst () netscape net>
Date: Mon, 07 Apr 2003 10:55:31 -0400
I should have mentioned that, sorry:

1. Snort is configured on a monitoring port on the switch, and the hosts that I scan mirror traffic to the monitoring port. So this is not the case. No auto-sensing hub is used.

2. If I do a vulnerability scan from the Nessus box, there are no restrictions regarding the traffic - it is unrestricted at the firewall level, so the 3-way handshake should be established each time Nessus tries some vuln script.

3. You say 'if a three way handshake isn't established it won't alert' - does that actually mean that scans and vulnerability testing performed from a spoofed address will not produce alerts?

Thank you.

Erek Adams wrote:
> On Sun, 6 Apr 2003, Keg wrote:
>
>> Snort 1.9.1 on RH8
>>
>> I scan a network segment protected with Snort using Nessus. I actually have scanned only 2 boxes on that network - one Linux box and one NT box. The alerts I see in Snort are almost all unix-related, namely: squid proxy attempt, scan proxy attempt 8080, tftp get password, snmp get alerts, ASF access, amanda version request, DDOS mstream, xdmp query, samba client access, etc. I don't see any windows-related alerts, which should be produced in tons by Nessus scanning, because it runs a lot of windows-related vuln test scripts.
>>
>> Question:
>>
>> 1. Why don't I see windows-related alerts, any ideas?
>
> Lots of reasons, but none related to the OS.
>
> * You're on a switched network, and Snort is running on the Linux box. Unless the port is configured as a monitoring port, you'll never see anything destined for the other box.
>
> * You're using an 'auto sensing hub'. If you're using a 10/100 autosensing hub, then you've got one box at 10mb and the other at 100mb. Those autosensing hubs have two 'sides' - one for 10mbs and one for 100mbs. It keeps 100mb traffic on its side, and keeps 10mbs traffic on its side.
>
>> 2. Generally speaking, Nessus runs more than 1000 different scripts for vuln tests; should I see a similar number of UNIQUE alerts in Snort? In my understanding, Snort should be aware of most attack attempts or queries Nessus produces...
>
> Not necessarily. Due to the way that rules work, if a three way handshake isn't established it won't alert. Check the rules and find what rules you are expecting to fire. Check them for 'flow: established, to_server'. I bet you'll find that on quite a few of them.
>
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
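An added illustration of the point made in the quoted reply (written for this archive page; it is not code from the thread and not Snort's own stream4 or rule engine). It models the smallest version of what `flow:established,to_server` means: a rule so tagged is only evaluated against client-to-server packets of a flow whose three-way handshake the sensor actually observed, and "observed" includes the client's final ACK carrying the server's ISN + 1. A scanner using a spoofed source never sees the SYN/ACK, so it cannot produce that ACK, and a rule like the constructed NetBIOS one below stays silent, while a stateless `flags:S` rule still fires. All rules, addresses and packets here are constructed for the example.

```python
"""Toy TCP-state tracker plus rule matcher (added example, not Snort code)."""
import re
from dataclasses import dataclass


@dataclass
class Pkt:
    """One TCP packet as seen on the monitoring port (constructed sample data)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S", "SA", "A", "PA"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


# Constructed rules in Snort 1.9-style syntax, written for this example only.
# Rule 1 is stateless (flags:S); rule 2 needs an established, client-to-server flow.
RULES = [
    'alert tcp any any -> any 8080 (msg:"SCAN Proxy (8080) attempt"; flags:S; sid:1000001;)',
    'alert tcp any any -> any 139 (msg:"NETBIOS SMB probe"; flow:established,to_server; content:"SMB"; sid:1000002;)',
]


def parse_rule(text):
    """Parse only the subset of rule syntax used above: destination port plus options."""
    dport, opts = re.match(r'alert tcp \S+ \S+ -> \S+ (\d+) \((.*)\)', text).groups()
    rule = {"dport": int(dport)}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        rule[key] = val.strip().strip('"')
    return rule


class FlowTracker:
    """Minimal handshake tracker: a flow is ESTABLISHED only after SYN, SYN/ACK,
    and a client ACK whose ack number is the server's ISN + 1."""

    def __init__(self):
        self.flows = {}

    def update(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server key
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client key
        if p.flags == "S":
            self.flows[fwd] = {"state": "SYN_SENT"}
        elif p.flags == "SA" and self.flows.get(rev, {}).get("state") == "SYN_SENT":
            self.flows[rev].update(state="SYN_RCVD", server_isn=p.seq)
        elif "A" in p.flags and self.flows.get(fwd, {}).get("state") == "SYN_RCVD":
            # A spoofing client never saw the SYN/ACK, so its ack number is a blind guess.
            if p.ack == self.flows[fwd]["server_isn"] + 1:
                self.flows[fwd]["state"] = "ESTABLISHED"
        if fwd in self.flows:
            return self.flows[fwd]["state"] == "ESTABLISHED", True    # to_server
        if rev in self.flows:
            return self.flows[rev]["state"] == "ESTABLISHED", False   # to_client
        return False, False


def matches(rule, p, established, to_server):
    """Apply the dport, flags, flow and content checks of one parsed rule."""
    if p.dport != rule["dport"]:
        return False
    if "flags" in rule and p.flags != rule["flags"]:
        return False
    if "flow" in rule:
        wants = {w.strip() for w in rule["flow"].split(",")}
        if "established" in wants and not established:
            return False
        if "to_server" in wants and not to_server:
            return False
    if "content" in rule and rule["content"].encode() not in p.payload:
        return False
    return True


def alerts_for(packets, rules=RULES):
    """Feed packets through the tracker and the rules; return the msgs that fired."""
    parsed = [parse_rule(r) for r in rules]
    tracker, fired = FlowTracker(), []
    for p in packets:
        established, to_server = tracker.update(p)
        fired += [r["msg"] for r in parsed if matches(r, p, established, to_server)]
    return fired


# Constructed traffic. Addresses are hypothetical: 10.0.0.5 = Nessus box,
# 10.0.0.20 = the NT target, 192.0.2.99 = a spoofed source address.
NESSUS, NT, SPOOF = "10.0.0.5", "10.0.0.20", "192.0.2.99"

REAL_SMB_PROBE = [   # full handshake, then an SMB payload
    Pkt(NESSUS, NT, 40000, 139, "S", seq=1000),
    Pkt(NT, NESSUS, 139, 40000, "SA", seq=5000, ack=1001),
    Pkt(NESSUS, NT, 40000, 139, "A", seq=1001, ack=5001),
    Pkt(NESSUS, NT, 40000, 139, "PA", seq=1001, ack=5001, payload=b"\xffSMB\x72"),
]
SPOOFED_SMB_PROBE = [   # SYN/ACK goes to the spoofed host; the payload is sent blind
    Pkt(SPOOF, NT, 40000, 139, "S", seq=1000),
    Pkt(NT, SPOOF, 139, 40000, "SA", seq=7777, ack=1001),
    Pkt(SPOOF, NT, 40000, 139, "PA", seq=1001, ack=1, payload=b"\xffSMB\x72"),
]
SPOOFED_PROXY_PROBE = [Pkt(SPOOF, NT, 40001, 8080, "S", seq=1)]   # stateless rule

if __name__ == "__main__":
    for name, pkts in [("real SMB probe", REAL_SMB_PROBE),
                       ("spoofed SMB probe", SPOOFED_SMB_PROBE),
                       ("spoofed proxy probe", SPOOFED_PROXY_PROBE)]:
        print(f"{name}: {alerts_for(pkts)}")
```

The practical check Erek suggests maps onto this directly: a rule carrying `flow:established,to_server` can only fire on the fourth packet of the real probe, never on any packet of the spoofed one, whereas a `flags:S` scan rule fires on a bare SYN from anywhere. Real Snort's stream4 preprocessor is considerably stricter (sequence windows, timeouts, mid-stream pickup options) than this toy, but the consequence for spoofed-source scanning is the same.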
Current thread:
- Only *nix alerts? Keg (Apr 06)
- Re: Only *nix alerts? Erek Adams (Apr 06)
- Re: Only *nix alerts? Keg (Apr 07)
- Re: Only *nix alerts? Erek Adams (Apr 07)
- Re: Only *nix alerts? Keg (Apr 07)
- Re: Only *nix alerts? Keg (Apr 07)
- Re: Only *nix alerts? Erek Adams (Apr 06)