Snort mailing list archives
Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!
From: Teo En Ming <teo.en.ming () gmail com>
Date: Wed, 9 Apr 2014 22:49:23 +0800
Dear Jeremy,

Configuration issue? I have attached my snort.conf. Please see whether there is any misconfiguration in my snort.conf.

Thank you.

Teo En Ming

On Tue, Apr 8, 2014 at 6:56 AM, Jeremy Hoel <jthoel () gmail com> wrote:
> Then the public IP is not in home and the rules will ignore it.
>
> Look at the rules; the variables explain when the rule will fire. If your outside/public address never changes and you want to add it to your home variable, then do so and try again.
>
> There's a lot of great documentation and explanations on how the tools work, and they do work well, but you need to take the time to try things out and play a bit. If the rule fires for one case and not another, then it's not the software itself, maybe a configuration issue.
>
> On Mon, Apr 7, 2014 at 10:09 PM, Teo En Ming <teo.en.ming () gmail com> wrote:
>> Yes, it does make sense. I have the same Snort configuration as you. But if I scan my PUBLIC IP address?
>>
>> Teo En Ming
>>
>> On Tue, Apr 8, 2014 at 5:53 AM, James Lay <jlay () slave-tothe-box net> wrote:
>>> On 2014-04-07 15:40, Teo En Ming wrote:
>>>> But alerts are not showing up when I ran nessus against my home network. Sigh.
>>>>
>>>> Teo En Ming
>>>
>>> Teo,
>>>
>>> I think most first time users of snort fall into this as well. Look at your HOME_NET and EXTERNAL_NET. Mine are:
>>>
>>>     ipvar HOME_NET 192.168.1.0/24
>>>     ipvar EXTERNAL_NET !$HOME_NET
>>>
>>> This says "home_net is my ip addresses, external_net is everything that's NOT my addresses". Now look at almost any snort rule:
>>>
>>>     alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......
>>>
>>> This says "alert if an external_net on any http_ports comes into my home_net on any port". So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will fire. Does that make sense?
>>>
>>> James
>>>
>>> ------------------------------------------------------------------------------
>>> Put Bad Developers to Shame
>>> Dominate Development with Jenkins Continuous Integration
>>> Continuously Automate Build, Test & Deployment
>>> Start a new project now. Try Jenkins in the cloud.
>>> http://p.sf.net/sfu/13600_Cloudbees
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment: snort.conf
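The HOME_NET / EXTERNAL_NET behaviour discussed in this thread, as an added example that is not part of the original messages and is not Snort's own parser: it models only the address part of a rule header (`$EXTERNAL_NET ... -> $HOME_NET`), ignoring ports and rule options. The function names are hypothetical, and 198.51.100.20 (standing in for the public IP) and 203.0.113.7 (an outside scanner) are constructed documentation addresses.

```python
import ipaddress

def in_spec(ip, spec, ipvars):
    """True if ip falls inside a Snort-style address spec (flat lists only)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):                      # negation, e.g. !$HOME_NET
        return not in_spec(ip, spec[1:], ipvars)
    if spec.startswith("$"):                      # ipvar reference
        return in_spec(ip, ipvars[spec[1:]], ipvars)
    if spec.startswith("["):                      # [a,b,!c]: in a or b, and not in c
        items = [i.strip() for i in spec[1:-1].split(",")]
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        hit = any(in_spec(ip, i, ipvars) for i in pos) if pos else True
        return hit and not any(in_spec(ip, i, ipvars) for i in neg)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_fires(src_spec, dst_spec, src_ip, dst_ip, ipvars):
    """A '->' rule header matches only if BOTH source and destination match."""
    return in_spec(src_ip, src_spec, ipvars) and in_spec(dst_ip, dst_spec, ipvars)

# Address part of the rule header quoted in the thread.
RULE_SRC, RULE_DST = "$EXTERNAL_NET", "$HOME_NET"

# ipvars as posted in the thread, and with a constructed public IP added.
LAN_ONLY = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
WITH_PUBLIC = {"HOME_NET": "[192.168.1.0/24,198.51.100.20/32]",
               "EXTERNAL_NET": "!$HOME_NET"}

# Constructed scan flows: (scanner address, scanned address).
FLOWS = {
    "lan_to_lan": ("192.168.1.50", "192.168.1.10"),
    "outside_to_public": ("203.0.113.7", "198.51.100.20"),
    "lan_to_public": ("192.168.1.50", "198.51.100.20"),
}

def evaluate(ipvars):
    """Report, per flow, whether the rule header could match at all."""
    return {name: header_fires(RULE_SRC, RULE_DST, s, d, ipvars)
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, ipvars in (("LAN only", LAN_ONLY), ("public IP added", WITH_PUBLIC)):
        print(label, evaluate(ipvars))
```

With the public address added to HOME_NET, only the scan from outside can match; a scan launched from a host that is itself in HOME_NET still fails the `$EXTERNAL_NET` source test.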