Snort mailing list archives

Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 07 Apr 2014 15:53:27 -0600

On 2014-04-07 15:40, Teo En Ming wrote:
> But alerts are not showing up when I ran nessus against my home
> network. Sigh.
>
> Teo En Ming

Teo,

I think most first-time users of snort fall into this as well.  Look at 
your HOME_NET and EXTERNAL_NET.  Mine are:

ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

This says "home_net is my ip addresses, external_net is everything 
that's NOT my addresses".

Now look at almost any snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......


This says "alert if an external_net on any http_ports comes into my 
home_net on any port".

So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will 
fire.  Does that make sense?

James
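
Added example (not part of the original message, and not Snort's own code): a small Python check that resolves the ipvar values quoted above and tests only the address fields of the quoted rule header against a scan source inside and outside HOME_NET. The sample addresses and the EXTERNAL_NET "any" comparison are assumptions made for illustration.

```python
import ipaddress

# ipvar values quoted in the message above.
IPVARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
# Assumption for comparison only: EXTERNAL_NET set to "any".
IPVARS_ANY = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
# Rule header from the message (ports are not evaluated, options omitted).
RULE_HEADER = "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"


def in_ipvar(addr, spec, ipvars):
    """True if addr is covered by spec: 'any', a CIDR, $VAR, or '!' negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not in_ipvar(addr, spec[1:], ipvars)
    if spec.startswith("$"):
        return in_ipvar(addr, ipvars[spec[1:]], ipvars)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def header_addresses_match(header, src, dst, ipvars=IPVARS):
    """Check only the source/destination address fields of a rule header."""
    _action, _proto, src_spec, _sport, direction, dst_spec, _dport = header.split()
    forward = in_ipvar(src, src_spec, ipvars) and in_ipvar(dst, dst_spec, ipvars)
    if direction == "<>":  # bidirectional rules also match the reverse flow
        reverse = in_ipvar(dst, src_spec, ipvars) and in_ipvar(src, dst_spec, ipvars)
        return forward or reverse
    return forward


if __name__ == "__main__":
    # Constructed sample flows: (scanner address, target address).
    flows = {
        "scanner inside HOME_NET": ("192.168.1.50", "192.168.1.10"),
        "scanner outside HOME_NET": ("203.0.113.7", "192.168.1.10"),
    }
    for label, (src, dst) in flows.items():
        for name, ipvars in (("!$HOME_NET", IPVARS), ("any", IPVARS_ANY)):
            hit = header_addresses_match(RULE_HEADER, src, dst, ipvars)
            print(f"{label}, EXTERNAL_NET={name}: addresses match = {hit}")
```

An address match is necessary but not sufficient for an alert: the port fields and rule options still have to match the traffic.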
