Snort mailing list archives

Re: Only *nix alerts?


From: Erek Adams <erek () snort org>
Date: Mon, 7 Apr 2003 10:48:35 -0500 (EST)

On Mon, 7 Apr 2003, Keg wrote:

> I should have mentioned that, sorry:

:)  Ok, twenty lashes with a wet noodle for you!

> 1. Snort is configured on a monitoring port on the switch, and the hosts
> that I scan mirror traffic to the monitoring port. So this is not the case.
> No auto-sense hub is used.

Ok.

> 2. If I do a vulnerability scan from the nessus box that has no
> restrictions regarding the traffic - it is unrestricted on the firewall
> level, so a 3-way handshake should be established each time nessus tries
> some vuln script.
> 3. You say 'if a three way handshake isn't established it won't alert' -
> does that actually mean that scans and vulnerability testing performed
> from a spoofed address will not produce alerts?

It's been a while since I've fired up Nessus and my testlab isn't useable
right now, so I'm not sure about this:  Does Nessus actually establish the
three way handshake?  If it doesn't, then some alerts that depend on flow
won't fire.

Do you have any sort of sniffer on the Win32 box?  If you do, fire it up
and see if you can see the packets from the Nessus scans.

Also, if this is on the same network that you described in the previous
email, you're scanning from inside your HOME_NET.  That will stop the
alerts from being generated.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
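
The two points in the reply above (flow-dependent rules need a completed three-way handshake, and a source inside HOME_NET never matches a $EXTERNAL_NET -> $HOME_NET header) can be seen side by side in the following toy model. This is an added example, not Snort's code and not from the thread: it assumes HOME_NET = 192.168.1.0/24 with EXTERNAL_NET defined as !$HOME_NET (the default layout of snort.conf), and the packets, ports and the phf probe string are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed sensor configuration (not from the thread): HOME_NET is the
# monitored LAN and EXTERNAL_NET is !$HOME_NET, as in the stock snort.conf.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def in_external_net(ip: str) -> bool:
    return not in_home_net(ip)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


class FlowTracker:
    """Toy model of the session tracking behind Snort's flow: keyword.

    A session is keyed by the client->server 4-tuple of its initial SYN and
    becomes ESTABLISHED only after SYN, SYN/ACK and ACK were all seen.
    """

    def __init__(self):
        self.state = {}

    @staticmethod
    def _keys(p):
        return (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)

    def update(self, p):
        fwd, rev = self._keys(p)
        if p.flags == "S":
            self.state[fwd] = "SYN"
        elif p.flags == "SA" and self.state.get(rev) == "SYN":
            self.state[rev] = "SYN_ACK"
        elif "A" in p.flags and self.state.get(fwd) == "SYN_ACK":
            self.state[fwd] = "ESTABLISHED"

    def established(self, p):
        fwd, rev = self._keys(p)
        return "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev))


@dataclass(frozen=True)
class Rule:
    msg: str
    content: bytes
    flow_established: bool   # True if the rule carries flow:established


def rule_matches(rule, p, tracker):
    # Rule header modelled: alert tcp $EXTERNAL_NET any -> $HOME_NET any
    if not (in_external_net(p.src) and in_home_net(p.dst)):
        return False
    if rule.flow_established and not tracker.established(p):
        return False
    return rule.content in p.payload


def run_sensor(packets, rules):
    """Feed packets through the tracker and return the alert messages raised."""
    tracker, alerts = FlowTracker(), []
    for p in packets:
        tracker.update(p)
        alerts.extend(r.msg for r in rules if rule_matches(r, p, tracker))
    return alerts


RULES = [
    Rule("phf probe (flow:established)", b"/cgi-bin/phf", True),
    Rule("phf probe (no flow keyword)", b"/cgi-bin/phf", False),
]
PROBE = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"   # constructed request


def handshake(client, cport, server, sport):
    return [Packet(client, cport, server, sport, "S"),
            Packet(server, sport, client, cport, "SA"),
            Packet(client, cport, server, sport, "A")]


# 1: external scanner completes the handshake, then probes -> both rules fire.
EXTERNAL_SCAN = handshake("10.0.0.5", 40000, "192.168.1.10", 80) + [
    Packet("10.0.0.5", 40000, "192.168.1.10", 80, "PA", PROBE)]
# 2: spoofed source; the SYN/ACK goes elsewhere, so the session is never
#    established -> only the rule without flow: fires.
SPOOFED_SCAN = [Packet("10.0.0.99", 40001, "192.168.1.10", 80, "S"),
                Packet("10.0.0.99", 40001, "192.168.1.10", 80, "PA", PROBE)]
# 3: scanner inside HOME_NET with a full handshake -> header never matches.
INTERNAL_SCAN = handshake("192.168.1.50", 40002, "192.168.1.10", 80) + [
    Packet("192.168.1.50", 40002, "192.168.1.10", 80, "PA", PROBE)]

if __name__ == "__main__":
    for name, pkts in [("external", EXTERNAL_SCAN), ("spoofed", SPOOFED_SCAN),
                       ("internal", INTERNAL_SCAN)]:
        print(f"{name:9s} -> {run_sensor(pkts, RULES)}")
```

The internal case is the one to check first on a sensor that stays quiet during a scan: either launch the scan from outside HOME_NET, or define EXTERNAL_NET as `any` rather than `!$HOME_NET` while testing, and confirm with a sniffer on the sensor that the mirrored packets actually arrive.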

