Snort mailing list archives
Re: Only *nix alerts?
From: Erek Adams <erek () snort org>
Date: Mon, 7 Apr 2003 10:48:35 -0500 (EST)
On Mon, 7 Apr 2003, Keg wrote:
I should have mentioned that, sorry:
:) Ok, twenty lashes with a wet noodle for you!
1. Snort is configured as monitoring port on the switch, and the hosts that I scan mirror traffic to monitoring port. So this is not the case. No auto-sense hub is used.
Ok.
2. If I do a vulnerability scan from the nessus box that has no restrictions regarding the traffic - it is unrestricted on the firewall level, so 3-way handshake should be established each time nessus tries some vuln script.
3. You say 'if a three way handshake isn't established it won't alert' - does that actually mean that scans and vulnerability testing performed from spoofed address will not produce alerts?
It's been a while since I've fired up Nessus and my testlab isn't usable right now, so I'm not sure about this: Does Nessus actually establish the three way handshake? If it doesn't, then some alerts that depend on flow won't fire. Do you have any sort of sniffer on the Win32 box? If you do, fire it up and see if you can see the packets from the Nessus scans.

Also, if this is on the same network that you described in the previous email, you're scanning from inside your HOME_NET. That will stop the alerts from being generated.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
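The two silencing conditions Erek describes (a rule with a flow:established check needs a completed three-way handshake in the stream tracker, and a rule written for $EXTERNAL_NET -> $HOME_NET cannot match a scanner that sits inside HOME_NET) can be seen in a small model. The following is an added example, not Snort code and not from anyone in this thread; it assumes a lab HOME_NET of 192.168.1.0/24, that snort.conf defines EXTERNAL_NET as !$HOME_NET (the shipped default is 'any'), and uses a hypothetical /cgi-bin/ probe rule and constructed packet traces.

```python
"""Toy model of when a Snort-style rule stays silent.

Added example for the Snort-users thread above; not Snort source.
Assumptions: HOME_NET is 192.168.1.0/24, EXTERNAL_NET is !$HOME_NET,
the rule and all packet traces below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption: lab network


def is_external(addr: str) -> bool:
    # Assumption: EXTERNAL_NET is !$HOME_NET. With the default 'any' this
    # check would always pass and the inside-HOME_NET case would still alert.
    return ipaddress.ip_address(addr) not in HOME_NET


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str              # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Rule:
    msg: str
    dport: int
    content: bytes
    established: bool       # True means the rule carries flow:to_server,established


class FlowTracker:
    """Minimal imitation of the session state Snort's stream preprocessor keeps."""

    def __init__(self) -> None:
        self.state = {}     # (client, server, sport, dport) -> handshake state

    def update(self, p: Packet) -> None:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if p.flags == "S":
            self.state[fwd] = "SYN"
        elif p.flags == "SA" and self.state.get(rev) == "SYN":
            self.state[rev] = "SYN_ACK"
        elif "A" in p.flags and self.state.get(fwd) == "SYN_ACK":
            self.state[fwd] = "ESTABLISHED"

    def established(self, p: Packet) -> bool:
        return self.state.get((p.src, p.dst, p.sport, p.dport)) == "ESTABLISHED"


def run_snort(trace, rules):
    """Return the messages of the rules that would fire on this trace."""
    flows = FlowTracker()
    alerts = []
    for p in trace:
        flows.update(p)
        for r in rules:
            if p.dport != r.dport or r.content not in p.payload:
                continue
            if not is_external(p.src):          # $EXTERNAL_NET -> $HOME_NET
                continue
            if r.established and not flows.established(p):
                continue                         # flow:established not met
            alerts.append(r.msg)
    return alerts


# Hypothetical rule in two variants: with and without the flow check.
RULES = [
    Rule("WEB-CGI probe (flow:established)", 80, b"/cgi-bin/", established=True),
    Rule("WEB-CGI probe (no flow check)", 80, b"/cgi-bin/", established=False),
]

PROBE = b"GET /cgi-bin/test-cgi HTTP/1.0\r\n\r\n"


def handshake(client, server, sport, dport=80):
    return [Packet(client, server, sport, dport, "S"),
            Packet(server, client, dport, sport, "SA"),
            Packet(client, server, sport, dport, "A")]


# Constructed traces (addresses and ports are made up for the example).
SCAN_EXTERNAL_FULL = handshake("10.9.8.7", "192.168.1.10", 40000) + [
    Packet("10.9.8.7", "192.168.1.10", 40000, 80, "PA", PROBE)]
# A spoofed source never sees the SYN/ACK, so no handshake precedes the payload.
SCAN_EXTERNAL_SPOOFED = [
    Packet("203.0.113.5", "192.168.1.10", 40001, 80, "PA", PROBE)]
SCAN_INTERNAL_FULL = handshake("192.168.1.50", "192.168.1.10", 40002) + [
    Packet("192.168.1.50", "192.168.1.10", 40002, 80, "PA", PROBE)]

if __name__ == "__main__":
    for name, trace in [("external, full handshake", SCAN_EXTERNAL_FULL),
                        ("external, spoofed source", SCAN_EXTERNAL_SPOOFED),
                        ("internal, full handshake", SCAN_INTERNAL_FULL)]:
        print(f"{name}: {run_snort(trace, RULES)}")
```

Run as a script, the external scan that completed its handshake fires both rules, the spoofed scan fires only the rule without the flow check, and the scan from inside HOME_NET fires nothing regardless of the handshake, which is the case Erek raises in his last paragraph.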
Current thread:
- Only *nix alerts? Keg (Apr 06)
- Re: Only *nix alerts? Erek Adams (Apr 06)
- Re: Only *nix alerts? Keg (Apr 07)
- Re: Only *nix alerts? Erek Adams (Apr 07)
- Re: Only *nix alerts? Keg (Apr 07)
- Re: Only *nix alerts? Keg (Apr 07)
- Re: Only *nix alerts? Erek Adams (Apr 06)