Snort mailing list archives

Re: Only *nix alerts?


From: Erek Adams <erek () snort org>
Date: Sun, 6 Apr 2003 15:33:44 -0500 (EST)

On Sun, 6 Apr 2003, Keg wrote:

Snort 1.9.1 on RH8
I scan a network segment protected with Snort using Nessus. I have actually
scanned only 2 boxes on that network - one Linux box and one NT box.
The alerts I see in Snort are almost all unix-related, namely: squid
proxy attempt, scan proxy attempt 8080, tftp get password, snmp get
alerts, ASF access, amanda version request, DDOS mstream, xdmp query,
samba client access, etc.
I don't see any windows-related alerts, which should be produced in tons
by nessus scanning, because it runs a lot of windows-related vuln test
scripts.
Question:
1. Why don't I see windows-related alerts, any ideas?

Lots of reasons, but none related to the OS.

        *  You're on a switched network, and Snort is running on the
Linux box.  Unless the port is configured as a monitoring port, you'll never
see anything destined for the other box.
        *  You're using an 'auto sensing hub'.  If you're using a 10/100
autosensing hub, then you've got one box at 10mb and the other at 100mb.
Those autosensing hubs have two 'sides' -- one for 10mbs and one for 100mbs.
It keeps 100mb traffic on its side, and keeps 10mbs traffic on its side.

2. Generally speaking, nessus runs more than 1000 different scripts for
vuln tests, should I see a similar number of UNIQUE alerts in snort?
In my understanding, snort should be aware of most attack attempts or
queries nessus produces...

Not necessarily.  Due to the way that rules work, if a three-way handshake
isn't established it won't alert.  Check the rules and find what rules you
are expecting to fire.  Check them for 'flow: established, to_server'.  I
bet you'll find that on quite a few of them.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
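The two effects Erek points at, a sensor that never sees the other box's traffic and a rule whose 'flow:established,to_server' option only matches inside a completed three-way handshake, modelled in a small Python script. This is an added example and not code from the thread; the host names (nessus, linux, nt), the packet sequences and the rule content "password" are all constructed for illustration and are not real Snort signatures.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str            # "S", "SA", "A" or "PA" (data)
    payload: bytes = b""

def visible_to_sensor(pkts, sensor, switched):
    """On a switched segment with no mirror/SPAN port the sensor host only
    sees frames addressed to or from itself."""
    return [p for p in pkts if not switched or sensor in (p.src, p.dst)]

def track_sessions(pkts):
    """Minimal three-way-handshake tracker: yields each packet together with
    the set of (client, server) pairs established at that moment."""
    state = {}  # (client, server) -> "syn" | "synack" | "est"
    for p in pkts:
        if p.flags == "S":
            state[(p.src, p.dst)] = "syn"
        elif p.flags == "SA" and state.get((p.dst, p.src)) == "syn":
            state[(p.dst, p.src)] = "synack"
        elif p.flags == "A" and state.get((p.src, p.dst)) == "synack":
            state[(p.src, p.dst)] = "est"
        yield p, {k for k, v in state.items() if v == "est"}

def alerts(pkts, content, sensor="linux", switched=True):
    """Emulate one rule carrying 'flow:established,to_server' plus a content
    match; returns the alert strings it would produce."""
    out = []
    for p, est in track_sessions(visible_to_sensor(pkts, sensor, switched)):
        to_server = (p.src, p.dst) in est  # client -> server of an established session
        if to_server and content in p.payload:
            out.append(f"{p.src} -> {p.dst}: {content!r}")
    return out

PROBE = b"password"  # constructed rule content, not a real Snort signature

def handshake_then_probe(client, server):
    return [Pkt(client, server, "S"), Pkt(server, client, "SA"),
            Pkt(client, server, "A"), Pkt(client, server, "PA", b"get " + PROBE)]

full_linux = handshake_then_probe("nessus", "linux")  # scan of the sensor host
full_nt = handshake_then_probe("nessus", "nt")        # scan of the other box
bare = [Pkt("nessus", "linux", "PA", b"get " + PROBE)]  # probe with no handshake

if __name__ == "__main__":
    print(alerts(full_linux, PROBE), alerts(full_nt, PROBE),
          alerts(full_nt, PROBE, switched=False), alerts(bare, PROBE))
```

Only the first case alerts on a switched segment; the scan of the NT box becomes visible when `switched=False` (a plain hub), and the bare probe never alerts because the flow check fails.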

