Snort mailing list archives

Re: My Snort IDS Sensor Detected Nessus Vulnerability Scan


From: Kevin Ross <kevross33 () googlemail com>
Date: Sat, 19 Apr 2014 19:04:55 +0100

Hi,

As mentioned by others, you need to check your configuration to ensure it
meets your requirements, namely the HOME_NET configuration. Also make sure
you have sfPortscan configured correctly in your snort configuration file if
you want to detect scans (http://manual.snort.org/node78.html); you can get
more detail in the Snort manual. Also you have to remember that Nessus
checks for vulnerabilities and may not act in an exploitative manner which
will match a signature. You may find Metasploit will serve you better for
testing.

There are many places you can get PCAPs for testing purposes for different
things. For testing have a look here http://www.threatglass.com/ and go
into the report and get the PCAP. Using snort -r /PCAP_PATH/PCAP_NAME.pcap
-c /SNORT_CONF_PATH/snort.conf you can run it through your snort system
once you have it running properly and see what kind of alerts it generates.
This is a good test outside of getting your own Exploit Kit PCAPs and
things (I have many but can't share as they are pulled from live networks);
it should tell you if it is working against exploits, drive-by attacks etc.
and you can see what is matching and what isn't (making sure you have
executable download sigs, exploit kit sigs, PDF, Java, IE, Firefox etc.
rules enabled). E.g. this should give you something:
http://www.threatglass.com/malicious_urls/0cc1aed078d1d624e4167032ff7779e0?process_date=2014-04-18

Also, if this is purely an experimental/academic endeavour in order to learn
more about Snort and you are having difficulty, you might get more out of
using a system such as Security Onion, which is a liveCD you can get up and
running easily for a full-blown sensor (I would recommend using this or the
tools anyway because combining Snort with other full packet capture
options, Bro + ELSA for increased logging of surrounding data etc. is
extremely powerful). Such a system may be much simpler as it can get you
going while still letting you gradually learn more about things as you go
along. If you are purely just looking for a home IDS though, I would highly
recommend pfSense as a powerful network firewall; it has a Snort package
you can install where you can configure everything for your network in a
GUI to get up and running, including outputting data to an external
database to view in Snorby or whatever. However, if you are learning I would
discourage you from this as it will not provide you with the same learning
capabilities or understanding.

I also recommend you have a look at Applied Network Security Monitoring,
which has lots of great things on Snort and lots of other practical
information on using a network security monitoring approach. Basically with
this you have the advantage of having a powerful IDS to alert you (Snort)
and match known stuff or suspicious traffic, but you also have a record of
other data which can help you find more unknown things and also greatly
increase your investigative capabilities from alert information.

Hope that is more informative in getting you going. Good luck.
Kevin
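The PCAP replay and configuration checks described in Kevin's reply, as an added example that is not part of the original post or the Snort project's own code. It writes a minimal Snort 2.x-style snort.conf with the two settings the reply says to verify (HOME_NET and the sfPortscan preprocessor), replays a capture with `snort -r ... -c ...`, and tallies the resulting alert_fast output per signature so you can see what matched and what did not. The config fragment, the 192.168.1.0/24 range, the rule path, the log directory and the sample alert lines are all assumptions; the sample alerts are constructed so the summariser runs offline without Snort installed.

```shell
#!/bin/sh
# Added example, not code from Kevin's post or the Snort project.
# Replays a PCAP through Snort 2.x (the "snort -r ... -c ..." step in the
# post) with a minimal snort.conf that sets the two things the post says to
# check (HOME_NET and sfPortscan), then tallies alert_fast output by signature.
# All paths, the 192.168.1.0/24 range and the sample alert lines are assumed.

# Minimal Snort 2.9-style config (assumption: your real snort.conf carries
# far more). HOME_NET must cover the hosts Nessus scans, and sfPortscan must
# be enabled (fed by stream5) or no scan alerts can fire at all.
write_test_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
output alert_fast: alert
include /etc/snort/rules/local.rules
EOF
}

# Validate the config (-T), then replay the capture in read mode (-r).
# -A fast forces fast-format alerts, -k none skips checksum checks that
# often drop replayed packets, -l is the directory the alert file lands in.
replay_pcap() {
    pcap="$1"; conf="$2"; logdir="$3"
    mkdir -p "$logdir"
    snort -q -T -c "$conf" || return 1
    snort -q -r "$pcap" -c "$conf" -l "$logdir" -A fast -k none
    echo "$logdir/alert"
}

# Constructed alert_fast lines (not real sensor output): three NMAP ping
# rule hits and one sfPortscan event (generator id 122), in Snort's fast format.
write_sample_alerts() {
    cat > "$1" <<'EOF'
04/19-19:04:55.123456  [**] [1:2100469:4] GPL SCAN PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10
04/19-19:04:55.223456  [**] [1:2100469:4] GPL SCAN PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.11
04/19-19:04:56.000001  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.1.10
04/19-19:04:57.300000  [**] [1:2100469:4] GPL SCAN PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.12
EOF
}

# Count alerts per signature: "<count> gid:sid:rev <message>", busiest first.
# The [gid:sid:rev] token is extracted with awk's match(); the message runs
# from there up to the next "[**]" delimiter.
summarize_alerts() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id  = substr($0, RSTART + 1, RLENGTH - 2)
            msg = substr($0, RSTART + RLENGTH + 1)
            sub(/ \[\*\*\].*/, "", msg)
            n[id]++; text[id] = msg
        }
        END { for (k in n) printf "%d %s %s\n", n[k], k, text[k] }
    ' "$1" | sort -rn
}

# sfPortscan events carry generator id 122; count them separately so you can
# tell "a scan was detected" apart from individual rule hits.
portscan_alert_count() {
    grep -c '\[122:' "$1" || true
}

# Stand-alone run: summarise the constructed sample (no Snort needed).
# Against a real capture, after writing a config with write_test_conf:
#   replay_pcap traffic.pcap /tmp/test-snort.conf /tmp/snortlog
sample=$(mktemp)
write_sample_alerts "$sample"
summarize_alerts "$sample"
echo "portscan events: $(portscan_alert_count "$sample")"
rm -f "$sample"
```

If the replay of a ThreatGlass capture produces rule hits but no gid 122 lines, the rules are loading but sfPortscan is not, which is exactly the configuration gap the reply points at; if it produces nothing at all, check that HOME_NET actually contains the destination addresses in the capture before blaming the rules.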