Snort mailing list archives

Re: $HOME_NET


From: Keg <snrtlst () netscape net>
Date: Tue, 08 Apr 2003 14:01:26 -0400

Erek,
As to what traffic I expect to see... I'm sure nessus does some IIS vuln testing and I'm sure snort has rules for it. I think nessus is not smart enough to first figure out what the OS of the host is and after that launch only OS-related tests; I think it just takes 1000 vuln scripts and launches them against whatever host. Having said that, I expect to see at least some IIS alerts reported, which are mysteriously not reported as I mentioned earlier. As to going into details... thanks, I think I'll try to dig out what's wrong with the setup myself. Thank you very much.

Erek Adams wrote:

On Tue, 8 Apr 2003, Keg wrote:

Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set
to any, then even if my nessus box is on the same segment as specified
in $HOME_NET it should generate tons of alerts and rules should be
triggered. (Hope I'm not being too dummy here and I got it right, if not
I'm ready for another 20 wet noodle lashes...) Please confirm/deny that
this is a correct statement.

Yes, that's right.

But what happens is the following:
If the segment that hosts nessus is removed from $HOME_NET and a nessus scan
is initiated on that segment (only vulns, no port scans), then snort
shows only a few alerts (and only the unix-related).
If the segment that hosts nessus is moved back into $HOME_NET and a nessus scan is
initiated on that segment (only vulns, no port scans), then snort shows
a lot of alerts (and only the unix-related).
I'm puzzled a bit 'cause when snort reports attacks from the internet it
reports them as it should be... unix-related, windows-related.

What alerts do you EXPECT to see?  If there aren't rules for them, or the
Win32 server isn't vulnerable to that attack, then you won't see any
alerts.  When running Snort I see any alert that I have a rule for.
Running on my laptop off of a cable modem, I see tons of ping scans and
SQL Slammer worms flying by.  Snort isn't biased about Win32 or *NIX.  :)
I really think there's something odd about your setup.

If you run snort in sniffer mode (snort -vd) can you see traffic directed
at the Win32 box?  To really test, use an external traceroute server and
ping your Win32 box (route-server.{cerf,exodus}.net).  If you can see the
ping then there's something else wrong.

P.S. I do realize that it is hard to give a definite answer without
knowing exactly how it is set up here; even if I did my best to provide
the info there could always be something else that bugs the system...

:)  Yep, quite often helping is sorta like juggling chainsaws.

If you'd like to go into more detail, feel free to drop me private email.

Cheers!

-----
Erek Adams

  "When things get weird, the weird turn pro."   H.S. Thompson
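The point Erek confirms above (with $EXTERNAL_NET set to any, a rule of the form `$EXTERNAL_NET any -> $HOME_NET ...` fires for a scanner sitting inside $HOME_NET, whereas with $EXTERNAL_NET set to !$HOME_NET it does not) can be worked through with a small simulation of how Snort 2 resolves address variables in a rule header. The following is an added illustration, not Snort's own code or anything from the thread: the rule header, the two segment addresses (a Nessus box on 192.168.2.0/24, a Win32 target on 192.168.1.0/24) and the sample packet are constructed, and the resolver only handles `any`, `!`, `$VAR` and bracketed CIDR lists.

```python
"""Simulate Snort 2 $HOME_NET / $EXTERNAL_NET resolution for a rule header.

Added example for the snort-users thread above; not Snort's own code.
Variable and rule-header syntax follow the documented snort.conf forms;
every address, port and packet below is constructed for illustration.
"""
import ipaddress

# Constructed scenario: the Nessus scanner lives on one segment, the
# Win32 target on another. Whether the scanner segment is part of
# $HOME_NET is the knob the thread is arguing about.
TARGET_SEGMENT = "192.168.1.0/24"
NESSUS_SEGMENT = "192.168.2.0/24"

# Constructed rule header in the shape used by web-server rules
# (source $EXTERNAL_NET, destination $HOME_NET on the HTTP port).
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"


def resolve(spec, variables):
    """Expand a Snort address spec into (negated, networks).

    networks is None for 'any'. Handles '!', nested '$VAR' references
    (so EXTERNAL_NET can be '!$HOME_NET') and '[a/n,b/n]' lists.
    """
    spec = spec.strip()
    negated = False
    while spec.startswith("!"):          # '!' flips the sense; '!!' cancels
        negated = not negated
        spec = spec[1:].strip()
    if spec.startswith("$"):             # variable reference, resolved recursively
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(part.strip())
            for part in spec.strip("[]").split(",") if part.strip()]
    return negated, nets


def addr_matches(ip, spec, variables):
    """True when ip satisfies spec after variable expansion and negation."""
    negated, nets = resolve(spec, variables)
    addr = ipaddress.ip_address(ip)
    hit = True if nets is None else any(addr in net for net in nets)
    return hit != negated


def port_matches(port, spec):
    """Only 'any' and a single literal port are needed for this example."""
    return spec == "any" or int(spec) == port


def rule_fires(rule, pkt, variables):
    """Evaluate the address/port header of a one-directional rule."""
    _action, _proto, src, sport, arrow, dst, dport = rule.split()
    if arrow != "->":
        raise ValueError("only '->' rules are modelled here")
    return (addr_matches(pkt["src"], src, variables)
            and port_matches(pkt["sport"], sport)
            and addr_matches(pkt["dst"], dst, variables)
            and port_matches(pkt["dport"], dport))


def scenario(home_net, external_net):
    """Does RULE fire for a Nessus probe of the Win32 box under these vars?"""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    # Constructed packet: scanner on the Nessus segment hitting the target on 80.
    probe = {"src": "192.168.2.10", "sport": 40000,
             "dst": "192.168.1.5", "dport": 80}
    return rule_fires(RULE, probe, variables)


if __name__ == "__main__":
    both = "[%s,%s]" % (TARGET_SEGMENT, NESSUS_SEGMENT)
    for home_net, external_net in [(both, "any"), (both, "!$HOME_NET"),
                                   (TARGET_SEGMENT, "any"), (TARGET_SEGMENT, "!$HOME_NET")]:
        print("HOME_NET=%-40s EXTERNAL_NET=%-11s fires=%s"
              % (home_net, external_net, scenario(home_net, external_net)))
```

The four rows the script prints are the cases discussed in the thread: with $EXTERNAL_NET any, the header matches whether or not the scanner's segment is in $HOME_NET; only with $EXTERNAL_NET !$HOME_NET does putting the scanner inside $HOME_NET suppress the match. Fewer alerts after removing the scanner segment from $HOME_NET is not something the variables alone produce, which is why Erek's suggestion to confirm in sniffer mode that the traffic reaches the sensor at all is the right next check.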





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users