Snort mailing list archives

Re: $HOME_NET

From: Keg <snrtlst () netscape net>
Date: Mon, 07 Apr 2003 15:50:42 -0400

1. I get it., but on the other hand my EXTERNAL_NET is set to ANY.Should that treat nessus box as external_net?

2. Should I always use EXTERNAL_NET as !$HOME_NET?

Erek Adams wrote:

On Mon, 7 Apr 2003, Keg wrote:

1. OK, let me get it straight. If my $HOME_NET is set to
192.168.199.0/24 and my nessus scanner is 192.168.199.20. When I scan
the segment from nessus box I don't scan for ports at all, I scan only
for vulnerabilities.Shouldn't the rules be triggered in this case?


Nope.  Go look at the rules, it'll make more sense as why it doesn't.
The following rule would fire if you were scanned by Nessus:

 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
 Nessus 404 probe"; flow:to_server,established; uricontent:
 "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301;
 classtype:web-application-activity; sid:1102;  rev:5;)

See first line?  That translates into "If an IP from the EXTERNAL_NET
connects to HTTP_SERVERS on HTTP_PORTS then...".  Unless your scanner is
on the outside of HOME_NET this rule won't fire.

2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,
whould it be correct to say that IN THIS CASE NO ALERTS WILL BE
GENERATED BY THE RULES, but some will be generated by pre-processors. Is
that correct?


Yes and no.  The alerts will be generated by the preprocessors, yes.
Depending on how you have your EXTERNAL_NET set and where you are scanning
from, you may or may not get alerts from the rules.  If you have:

   var HOME_NET 198.168.199.0/24
   var EXTERNAL_NET !$HOME_NET

And you scan from 198.168.199.20, then you don't get any alerts from
rules, unless they don't look for EXTERNAL_NET -> HOME_NET.  If you scan
from outside of HOME_NET then you would get alerts from any of the rules.

Hope that helps!

-----
Erek Adams

  "When things get weird, the weird turn pro."   H.S. Thompson

--

Your favorite stores, helpful shopping tools and great gift ideas.Experience the convenience of buying online with Shop@Netscape!http://shopnow.netscape.com/

Current thread:

$HOME_NET Keg (Apr 06)
- Re: $HOME_NET Erek Adams (Apr 06)
  - Re: $HOME_NET Keg (Apr 07)
    - Re: $HOME_NET Erek Adams (Apr 07)
    - Re: $HOME_NET Keg (Apr 07)
    - Re: $HOME_NET Erek Adams (Apr 08)
    - Re: $HOME_NET Keg (Apr 08)
    - Re: $HOME_NET Erek Adams (Apr 08)
    - Re: $HOME_NET Keg (Apr 08)
- <Possible follow-ups>
- RE: $HOME_NET Snow Jacob C KPWA (Apr 09)