Snort mailing list archives
Re: Only *nix alerts?
From: Erek Adams <erek () snort org>
Date: Sun, 6 Apr 2003 15:33:44 -0500 (EST)
On Sun, 6 Apr 2003, Keg wrote:
Snort 1.9.1 on RH8. I scan a network segment protected with Snort using Nessus. I actually have scanned only 2 boxes on that network - one Linux box and one NT box. The alerts I see in Snort are almost all unix-related, namely: squid proxy attempt, scan proxy attempt 8080, tftp get password, snmp get alerts, ASF access, amanda version request, DDOS mstream, xdmp query, samba client access, etc. I don't see any windows-related alerts, which should be produced in tons by nessus scanning, cause it runs a lot of windows-related test vuln scripts.

Question:

1. Why don't I see windows-related alerts, any ideas?
Lots of reasons, but none related to the OS.

* You're on a switched network, and Snort is running on the Linux box. Unless the port is configured as a monitoring port, you'll never see anything destined for the other box.

* You're using an 'auto sensing hub'. If you're using a 10/100 autosensing hub, then you've got one box at 10mb and the other at 100mb. Those autosensing hubs have two 'sides' -- one for 10mbs and one for 100mbs. It keeps 100mb traffic on its side, and keeps 10mbs traffic on its side.
2. Generally speaking, nessus runs more than 1000 different scripts for vuln tests, should I see a similar number of UNIQUE alerts in snort? In my understanding, snort should be aware of most attack attempts or queries nessus produces...
Not necessarily. Due to the way that rules work, if a three-way handshake isn't established it won't alert. Check the rules and find what rules you are expecting to fire. Check them for 'flow: established, to_server'. I bet you'll find that on quite a few of them.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
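The check Erek suggests, as an added script that is not part of the thread: it parses rule lines written in Snort 1.x syntax and lists the rules whose flow option includes established, i.e. the ones that stay silent when the sensor never sees the target host's side of the TCP handshake. The rule text and the sids are constructed samples; only the msg strings echo alert names from the thread.

```python
import re

# Constructed sample rules in Snort 1.x syntax (not from the page or any ruleset);
# the msg strings echo alert names the thread mentions, the sids are made up.
SAMPLE_RULES = r'''
# comments and blank lines are skipped
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB example; semicolon inside"; flow:to_server,established; content:"|FF|SMB"; sid:900002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy (8080) attempt"; flags:S; sid:900003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS example"; flow:established,to_server; content:"GET "; sid:900004; rev:1;)
'''

# header: action, protocol, then anything up to the first '(' which opens the options
RULE_RE = re.compile(r'^\s*(alert|log|pass)\s+(\w+)\s+[^(]*\((.*)\)\s*$')


def split_options(opts):
    """Split the option string into (key, value) pairs, honouring double quotes
    so that a ';' inside a msg or content string is treated as data."""
    pairs, buf, in_quote, prev = [], "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                pairs.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
        prev = ch
    return pairs


def classify(rules_text):
    """Return (sid, msg, needs_handshake) per rule; needs_handshake is True when
    flow names 'established', so the rule fires only on a session Snort watched
    complete its three-way handshake."""
    results = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, comment or not a rule
        opts = dict(split_options(m.group(3)))
        flags = [f.strip() for f in opts.get("flow", "").split(",")]
        results.append((opts.get("sid", "?"), opts.get("msg", ""), "established" in flags))
    return results


def handshake_dependent(rules_text):
    """Rules that stay silent when the sensor cannot see the target's replies."""
    return [(sid, msg) for sid, msg, needs in classify(rules_text) if needs]
```

Running handshake_dependent over a real rules directory shows which of the expected alerts cannot fire on a span port that only carries one direction of the traffic.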