Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

[Teo En Ming <teo.en.ming () gmail com>]

Dear James,

I have already added the following rule to icmp.rules some time ago:

alert icmp any any -> any any (msg:"ICMP Packet", sid:477; rev:3;)

The rule DID fire when I visited grc.com to port scan my public IP address.

Use Gibson Research Corporation's ShieldsUP! to port scan your public IP
address.

https://www.grc.com/x/ne.dll?bh0bkyd2

Regards,

Teo En Ming




On Tue, Apr 8, 2014 at 4:52 AM, James Lay <jlay () slave-tothe-box net> wrote:

> On 2014-04-07 13:19, Teo En Ming wrote:
> > Question 3: The Nessus vulnerability scanner reported numerous
> > vulnerabilities. Why are there no alerts in my Snort IDS box at all?
>
> Most folks install snort, then start scanning from their own network.
> If you have:
>
> ipvar HOME_NET 192.168.0.0/24
>
> and your scanning machine is 192.168.0.1 and the machine you're
> scanning is 192.168.0.2, don't expect to see anything.  As a quick test
> for IDS functionality do the below:
>
> Verify you see local.rules in your snort.conf
> add:
>
> alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)
>
> to your local.rules
>
> Stop snort, start snort.  Now ping something.  I use this rule a lot
> after upgrading to verify functionality (that is if my users haven't
> already inadvertently "helped" me).
>
> James
>
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!