Snort mailing list archives
Re: My Snort IDS Sensor Detected Nessus Vulnerability Scan
From: Kevin Ross <kevross33 () googlemail com>
Date: Sat, 19 Apr 2014 19:04:55 +0100
Hi,

As mentioned by others, you need to check your configuration to ensure it meets your requirements, namely the HOME_NET configuration. Also make sure you have sfPortscan configured correctly in your Snort configuration file if you want to detect scans (http://manual.snort.org/node78.html); you can get more data in the Snort manual. Also you have to remember that Nessus checks for vulnerabilities and may not act in an exploitative manner which will match a signature. You may find Metasploit will serve you better for testing.

There are many places you can get PCAPs for testing purposes for different things. For testing have a look here http://www.threatglass.com/ and go into the report and get the PCAP. Using

    snort -r /PCAP_PATH/PCAP_NAME.pcap -c /SNORT_CONF_PATH/snort.conf

you can run it through your Snort system once you have it running properly and see what kind of alerts it generates. This is a good test outside of getting your own Exploit Kit PCAPs and things (I have many but can't share as they were pulled from live networks); it should tell you if it is working against exploits, drive-by attacks etc., and you can see what is matching and what isn't (making sure you have executable download sigs, exploit kit sigs, PDF, Java, IE, Firefox etc. rules enabled). I.e. this should give you something: http://www.threatglass.com/malicious_urls/0cc1aed078d1d624e4167032ff7779e0?process_date=2014-04-18

Also, if this is a purely experimental/academic endeavour in order to learn more about Snort and you are having difficulty, you might get more out of using a system such as Security Onion, which is a live CD you can get up and running easily for a full-blown sensor (I would recommend using this or the tools anyway, because combining Snort with other full packet capture options, Bro + ELSA for increased logging of surrounding data etc. is extremely powerful). Such a system may be much simpler as it can get you going while still letting you gradually learn more about things as you go along.

If you are purely just looking for a home IDS though, I would highly recommend pfSense as a powerful network firewall; it has a Snort package you can install where you can configure everything for your network in a GUI to get up and running, including outputting data to an external database to view in Snorby or whatever. However, if you are learning I would discourage you from this as it will not provide you with the same learning capabilities or understanding.

I also recommend you have a look at Applied Network Security Monitoring, which has lots of great things on Snort and lots of other practical information on using a network security monitoring approach. Basically with this you have the advantage of having a powerful IDS to alert you (Snort) and match known stuff or suspicious traffic, but you also have a record of other data which can help you find more unknown things and also greatly increase your investigative capabilities from alert information.

Hope that is more informative in getting you going. Good luck.

Kevin
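An added example, not part of Kevin's post, for the "replay a PCAP and see what alerts it generates" step: it summarises Snort's alert_fast output per rule and flags alerts where neither endpoint falls inside HOME_NET, which is a quick sanity check that HOME_NET actually describes the captured network. The alert lines and the HOME_NET value are constructed for the example.

```python
"""Summarise Snort alert_fast output after replaying a PCAP with `snort -r`."""
import ipaddress
import re
from collections import Counter

# One alert_fast line: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample output (not from a real sensor); the last line is a
# non-alert status line that the summariser must ignore.
SAMPLE_ALERTS = """\
04/18-10:01:02.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.168.1.20:51234
04/18-10:01:05.000002  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.20
04/18-10:02:00.000003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 198.51.100.9:40000
Commencing packet processing (pid=4242)
"""


def parse_alert(line):
    """Return the fields of one alert_fast line, or None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(text, home_net="192.168.1.0/24"):
    """Count alerts per rule and count alerts with no endpoint inside HOME_NET.

    home_net accepts the snort.conf style list, e.g. "[192.168.1.0/24,10.0.0.0/8]".
    Many alerts with no HOME_NET endpoint usually mean HOME_NET is set wrong.
    """
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in home_net.strip("[]").split(",")]
    by_rule, no_home_endpoint, total = Counter(), 0, 0
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # status output, not an alert
        total += 1
        by_rule[f'{a["gid"]}:{a["sid"]}:{a["rev"]} {a["msg"]}'] += 1
        ends = (ipaddress.ip_address(a["src"]), ipaddress.ip_address(a["dst"]))
        if not any(ip in n for ip in ends for n in nets):
            no_home_endpoint += 1
    return {"total": total, "by_rule": by_rule, "no_home_endpoint": no_home_endpoint}


if __name__ == "__main__":
    s = summarise(SAMPLE_ALERTS)
    print(f"{s['total']} alerts, {s['no_home_endpoint']} with no HOME_NET endpoint")
    for rule, n in s["by_rule"].most_common():
        print(f"{n:4d}  {rule}")
```

Feed it the alert file produced by the `snort -r ... -c snort.conf` run (with the alert_fast output enabled) and the HOME_NET value from your snort.conf.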