Snort mailing list archives
Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!
From: Jeremy Hoel <jthoel () gmail com>
Date: Mon, 7 Apr 2014 22:56:07 +0000
Then the public IP is not in home and the rules will ignore it. Looks at the rules, the variables explain when the rule will fire. If your outside/public address never changes and you want to add it to your home varaible, then do so and try again. There's a lot of great documentation and explanations on how the tools work, and they do work well, but you need to take the time to try things out and play a bit. If the rule fires for one case and not another, then it's not the software itself maybe maybe a configuration issue. On Mon, Apr 7, 2014 at 10:09 PM, Teo En Ming <teo.en.ming () gmail com> wrote:
Yes, it does make sense. I have the same Snort configuration as you. But if I scan my PUBLIC IP address? Teo En Ming On Tue, Apr 8, 2014 at 5:53 AM, James Lay <jlay () slave-tothe-box net>wrote:On 2014-04-07 15:40, Teo En Ming wrote:But alerts are not showing up when I ran nessus against my home network. Sigh. Teo En MingTeo, I think most first time users of snort fall into this as well. Look at your HOME_NET and EXTERNAL_NET. Mine are: ipvar HOME_NET 192.168.1.0/24 ipvar EXTERNAL_NET !$HOME_NET This says "home_net is my ip addresses, external_net is everything that's NOT my addresses". Now look at almost any snort rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"...... This says "alert if an external_net on any http_ports comes into my home_net on any port". So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will fire. Does that make sense? James ------------------------------------------------------------------------------ Put Bad Developers to Shame Dominate Development with Jenkins Continuous Integration Continuously Automate Build, Test & Deployment Start a new project now. Try Jenkins in the cloud. http://p.sf.net/sfu/13600_Cloudbees _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Put Bad Developers to Shame Dominate Development with Jenkins Continuous Integration Continuously Automate Build, Test & Deployment Start a new project now. Try Jenkins in the cloud. http://p.sf.net/sfu/13600_Cloudbees _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Put Bad Developers to Shame Dominate Development with Jenkins Continuous Integration Continuously Automate Build, Test & Deployment Start a new project now. Try Jenkins in the cloud. http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!, (continued)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Bjoern Meier (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! James Lay (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Teo En Ming (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! James Lay (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Teo En Ming (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! James Lay (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Teo En Ming (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Jeremy Hoel (Apr 07)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Teo En Ming (Apr 09)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Y M (Apr 09)
- Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box! Teo En Ming (Apr 07)