Re: Only *nix alerts?

[Keg <snrtlst () netscape net>]

I should have mentioned that, sorry:
1. Snort is configured as monitoring port on the switch, and the hosts 
that I scan mirror traffic to monitoring port. So this is not the case. 
No auto-sense hub is used.
2. If do a vulnerability scan from the nessus box that has no 
restrictions regarding the traffic - it is unrestricted on the firewall 
level, so 3-way handshake should be established each time nessus tries 
some vuln script.
3. You say 'if a three way handshake isn't established it won't alert' - 
does that actually mean that scans and vulnerability testing  prformed 
from spoofed address will not produce alerts?

Thank you.

Erek Adams wrote:

> On Sun, 6 Apr 2003, Keg wrote:
>
>  
>
> > Snort 1.9.1 on RH8
> > I scan network segment protected with Snort using Nessus. I actually
> > have scanned only 2 boxes on that network - one Linux box and one NT box.
> > The alerts I see in Snort are almost all unix-related-namely: squid
> > proxy attempt, scan proxy attempt 8080, tftp get password, snmp get
> > alerts, ASF access, amanda version request, DDOS mstream, xdmp query,
> > samba client access, etc
> > I don't see any windows-related alerts, which should be produced in tons
> > by nessus scanning., cause it runs a lot of windows-related test vuln
> > scripts.
> > Question:
> > 1. Why I don't see windows-related alerts, any ideas?
> >    
>
> Lots of reasons, but none related to the OS.
>
>    *  You're on a switched network, and Snort is running on the
> Linux box.  Unless the port is configed as a monitoring port, you'll never
> see anything destined for the other box.
>    *  You're using a 'auto sensing hub'.  If you're using a 10/100
> autosensing hub, then you've got one box at 10mb and the other at 100mb.
> Those autosensing hubs have two 'sides'--One for 10mbs and one for 100mbs.
> It keeps 100mb traffic on it's side, and keeps 10mbs traffic on it's side.
>
>  
>
> > 2. Generally speaking, nessus runs more than 1000 different scripts for
> > vuln tests, should I see the similar number of UNIQUE alerts in snort?
> > In my understanding, snort should be aware of the most atack attemts or
> > queries nessus produces...
> >    
>
> Not necessarily.  Due to the way that rules work, if a three way handshake
> isn't established it won't alert.  Check the rules and find what rules you
> are expecting to fire.  Check them for 'flow: established, to_server'.  I
> bet you'll find that on quite a few of them.
>
> Cheers!
>
> -----
> Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>  

--
Your favorite stores, helpful shopping tools and great gift ideas. 
Experience the convenience of buying online with Shop@Netscape! 
http://shopnow.netscape.com/