Snort mailing list archives

Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!


From: Y M <snort () outlook com>
Date: Wed, 9 Apr 2014 19:16:14 +0000

To address the questions in your original post, in addition to what has been mentioned already, I would suggest reading 
the posts below; they will help you tune your included rules:
 
http://blog.snort.org/2012/03/rule-category-reorganization.html
http://blog.snort.org/2012/08/rule-category-reorganization-phase-2.html
http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html
http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
 
The conf file also provides hints, for example the comment right above the normalization preprocessor. Other things 
come straight from the manual, such as the preprocessors' memcap and the Shared Object (SO) rules, as well as other 
configuration tunings such as min. and max. values. All of these will eventually be determined by your network 
and the systems you are trying to protect. 
 
Date: Wed, 9 Apr 2014 22:49:23 +0800
From: teo.en.ming () gmail com
To: jthoel () gmail com
CC: jlay () slave-tothe-box net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

Dear Jeremy,

Configuration issue? I have attached my snort.conf. Please see whether there is any misconfiguration in my snort.conf.

Thank you.

Teo En Ming



On Tue, Apr 8, 2014 at 6:56 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Then the public IP is not in home and the rules will ignore it.
Look at the rules; the variables explain when the rule will fire.  If your outside/public address never changes and 
you want to add it to your home variable, then do so and try again.



There's a lot of great documentation and explanations on how the tools work, and they do work well, but you need to 
take the time to try things out and play a bit.  If the rule fires for one case and not another, then it's not the 
software itself; maybe it's a configuration issue.






On Mon, Apr 7, 2014 at 10:09 PM, Teo En Ming <teo.en.ming () gmail com> wrote:



Yes, it does make sense. I have the same Snort configuration as you.

But if I scan my PUBLIC IP address?




Teo En Ming



On Tue, Apr 8, 2014 at 5:53 AM, James Lay <jlay () slave-tothe-box net> wrote:




On 2014-04-07 15:40, Teo En Ming wrote:

But alerts are not showing up when I ran Nessus against my home
network. Sigh.

Teo En Ming



Teo,

I think most first time users of snort fall into this as well.  Look at
your HOME_NET and EXTERNAL_NET.  Mine are:

ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

This says "home_net is my ip addresses, external_net is everything
that's NOT my addresses".

Now look at almost any snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......

This says "alert if an external_net on any http_ports comes into my
home_net on any port".

So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will
fire.  Does that make sense?

James



------------------------------------------------------------------------------

Put Bad Developers to Shame

Dominate Development with Jenkins Continuous Integration

Continuously Automate Build, Test & Deployment

Start a new project now. Try Jenkins in the cloud.

http://p.sf.net/sfu/13600_Cloudbees

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!




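The HOME_NET / EXTERNAL_NET behaviour James describes above, replayed in code. This is an added example, not something posted in the thread and not Snort's own matching engine: it is a small evaluator for Snort 2 rule headers and ipvar expressions (any, CIDR, $VAR, ! negation, flat [a,b,!c] lists; nested lists are not handled) that I wrote to show why a scan from inside HOME_NET, or a scan of a public address that is not in HOME_NET, never reaches the rule body. The variable values mirror the ipvar lines quoted in the thread; the probe rule (`PROBE_RULE`, with a made-up sid) and the 198.51.100.x / 203.0.113.x addresses are constructed for the illustration.

```python
import ipaddress

# Constructed variables, modelled on the ipvar lines quoted in the thread.
# HTTP_PORTS is a portvar in a real snort.conf; one dict is enough here.
SNORT_VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_PORTS": "[80,8080]",
}

# Constructed rule header for an inbound web probe (sid is a placeholder).
# The header James quoted, $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, is
# evaluated the same way; it describes the server's reply direction.
PROBE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
              '(msg:"constructed probe rule"; sid:1000001;)')


def _split_list(expr):
    """Split a flat '[a,b,!c]' list into its items (nested lists unsupported)."""
    return [item.strip() for item in expr[1:-1].split(",") if item.strip()]


def ip_matches(expr, ip, variables):
    """Does address `ip` satisfy a Snort address expression?"""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not ip_matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        name = expr[1:]
        if name not in variables:
            raise KeyError(f"undefined variable {name}")
        return ip_matches(variables[name], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split_list(expr)
        positive = [i for i in items if not i.startswith("!")]
        negative = [i[1:] for i in items if i.startswith("!")]
        # A list holding only negations means "anything except those".
        included = not positive or any(ip_matches(i, ip, variables) for i in positive)
        excluded = any(ip_matches(i, ip, variables) for i in negative)
        return included and not excluded
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def port_matches(expr, port, variables):
    """Does `port` satisfy a Snort port expression (any, N, lo:hi, $VAR, !, [..])?"""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not port_matches(expr[1:], port, variables)
    if expr.startswith("$"):
        return port_matches(variables[expr[1:]], port, variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(port_matches(i, port, variables) for i in _split_list(expr))
    if ":" in expr:
        lo, _, hi = expr.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(expr)


def header_matches(rule, pkt, variables):
    """Evaluate only the header: action proto src sport direction dst dport.

    The (...) option body is ignored on purpose: a packet whose addresses fail
    the header is never inspected for payload content, which is the thread's point.
    """
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()

    def one_way(s_ip, s_port, d_ip, d_port):
        return (ip_matches(s_ip, pkt["src_ip"], variables)
                and port_matches(s_port, pkt["src_port"], variables)
                and ip_matches(d_ip, pkt["dst_ip"], variables)
                and port_matches(d_port, pkt["dst_port"], variables))

    if proto not in ("ip", pkt["proto"]):
        return False
    if direction == "<>":
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    return one_way(src, sport, dst, dport)


def scan_scenarios():
    """Replay the three situations discussed in the thread (constructed addresses)."""
    lan_scan = {"proto": "tcp", "src_ip": "192.168.1.50", "src_port": 51000,
                "dst_ip": "192.168.1.10", "dst_port": 80}
    # 198.51.100.7 stands in for a remote scanner, 203.0.113.10 for the site's public IP.
    wan_scan = {"proto": "tcp", "src_ip": "198.51.100.7", "src_port": 51000,
                "dst_ip": "203.0.113.10", "dst_port": 80}
    widened = dict(SNORT_VARS, HOME_NET="[192.168.1.0/24,203.0.113.10]")
    return {
        "lan_to_lan": header_matches(PROBE_RULE, lan_scan, SNORT_VARS),
        "wan_to_public_ip": header_matches(PROBE_RULE, wan_scan, SNORT_VARS),
        "wan_to_public_ip_in_home_net": header_matches(PROBE_RULE, wan_scan, widened),
    }


if __name__ == "__main__":
    for name, fired in scan_scenarios().items():
        print(f"{name:30s} alert={'yes' if fired else 'no'}")
```

Only the third scenario fires: the first fails because the scanner's source address is inside HOME_NET and therefore not in EXTERNAL_NET, the second because the public destination address is outside HOME_NET, and the third succeeds once the public address is added to the HOME_NET list, which is exactly the change Jeremy suggests for a static public IP.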