
Re: Can't detect Nessus and MS Baseline scanner in Snort v2.8.6


From: Nick Moore <nmoore () sourcefire com>
Date: Tue, 20 Jul 2010 23:00:50 -0500

Wilson,

Can you attach your snort.conf file? I'd like to see your preprocessor
config, specifically the sfportscan preprocessor.

Nick

On Tue, Jul 20, 2010 at 2:10 PM, Chan, Wilson <wchan () honolulu gov> wrote:

 I did some testing and our Snort sensors are not alerting on Nessus scans
(all plugins except DDoS) or on the MS Baseline scanner.

I have most of the Snort and Emerging Threats rules. Am I missing a rule
set? Thanks!



# Rule-file include section of the snort.conf excerpt quoted in this thread (Snort 2.8.6).
# Lines beginning with '#' or '##' are disabled includes. The preprocessor section
# (which the reply upthread asks about, specifically sfportscan) is not part of this
# excerpt, so nothing below shows whether the portscan preprocessor is enabled.
include $RULE_PATH/exploit.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules



##include $RULE_PATH/web-cgi.rules

##include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

##include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

##include $RULE_PATH/web-client.rules

##include $RULE_PATH/web-php.rules



##include $RULE_PATH/sql.rules

##include $RULE_PATH/x11.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

##include $RULE_PATH/oracle.rules

##include $RULE_PATH/mysql.rules



include $RULE_PATH/smtp.rules

##include $RULE_PATH/imap.rules

##include $RULE_PATH/pop2.rules

##include $RULE_PATH/pop3.rules



include $RULE_PATH/nntp.rules

include $RULE_PATH/backdoor.rules



include $RULE_PATH/snmp.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/tftp.rules

# scan.rules (and emerging-scan.rules further down) are the signature-based
# scanner rule files that are enabled in this configuration.
include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

# include $RULE_PATH/web-attacks.rules

# include $RULE_PATH/shellcode.rules

# include $RULE_PATH/policy.rules

# include $RULE_PATH/info.rules

# include $RULE_PATH/icmp-info.rules

# include $RULE_PATH/virus.rules

# include $RULE_PATH/chat.rules

# include $RULE_PATH/multimedia.rules

# include $RULE_PATH/p2p.rules

# include $RULE_PATH/spyware-put.rules

include $RULE_PATH/specific-threats.rules

# include $RULE_PATH/voip.rules

include $RULE_PATH/other-ids.rules

include $RULE_PATH/bad-traffic.rules



#include $RULE_PATH/emerging-attack_response.rules

#include $RULE_PATH/emerging-botcc-BLOCK.rules

#include $RULE_PATH/emerging-botcc.rules

#include $RULE_PATH/emerging-compromised-BLOCK.rules

#include $RULE_PATH/emerging-compromised.rules

#include $RULE_PATH/emerging.conf

include $RULE_PATH/emerging-current_events.rules

#include $RULE_PATH/emerging-dos.rules

#include $RULE_PATH/emerging-drop-BLOCK.rules

#include $RULE_PATH/emerging-drop.rules

#include $RULE_PATH/emerging-dshield-BLOCK.rules

#include $RULE_PATH/emerging-dshield.rules

include $RULE_PATH/emerging-exploit.rules

#include $RULE_PATH/emerging-game.rules

#include $RULE_PATH/emerging-inappropriate.rules

include $RULE_PATH/emerging-malware.rules

#include $RULE_PATH/emerging-p2p.rules

#include $RULE_PATH/emerging-policy.rules

#include $RULE_PATH/emerging-rbn-BLOCK.rules

#include $RULE_PATH/emerging-rbn.rules

# The two entries below are a README and a sid-msg map, not rule files; they are
# correctly left disabled.
#include $RULE_PATH/emerging-readme.txt

#include $RULE_PATH/emerging.rules

include $RULE_PATH/emerging-scan.rules

#include $RULE_PATH/emerging-sid-msg.map

#include $RULE_PATH/emerging-sid-msg.map.txt

#include $RULE_PATH/emerging-tor-BLOCK.rules

#include $RULE_PATH/emerging-tor.rules

include $RULE_PATH/emerging-user_agents.rules

include $RULE_PATH/emerging-virus.rules

#include $RULE_PATH/emerging-voip.rules

#include $RULE_PATH/emerging-web_client.rules

#include $RULE_PATH/emerging-web.rules

#include $RULE_PATH/emerging-web_server.rules

#include $RULE_PATH/emerging-web_specific_apps.rules

#include $RULE_PATH/emerging-web_sql_injection.rules



# decoder and preprocessor event rules
# NOTE(review): both preprocessor.rules and decoder.rules are disabled here. Whether
# preprocessor-generated events (such as those raised by sfportscan) still alert
# without these includes depends on how this Snort build was configured — confirm
# against the 2.8.6 manual's decoder/preprocessor rules section before concluding
# that a missing signature rule set is the cause.

# include $PREPROC_RULE_PATH/preprocessor.rules

# include $PREPROC_RULE_PATH/decoder.rules



# dynamic library rules

# include $SO_RULE_PATH/bad-traffic.rules

# include $SO_RULE_PATH/chat.rules

# include $SO_RULE_PATH/dos.rules

# include $SO_RULE_PATH/exploit.rules

# include $SO_RULE_PATH/imap.rules

# include $SO_RULE_PATH/misc.rules

# include $SO_RULE_PATH/multimedia.rules

# include $SO_RULE_PATH/netbios.rules

# include $SO_RULE_PATH/nntp.rules

# include $SO_RULE_PATH/p2p.rules

# include $SO_RULE_PATH/smtp.rules

# include $SO_RULE_PATH/sql.rules

# include $SO_RULE_PATH/web-activex.rules

# include $SO_RULE_PATH/web-client.rules

# include $SO_RULE_PATH/web-misc.rules



*Wilson Chan***




------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
