[Snort-users] Only *nix alerts?

Keg snrtlst at ...2792...
Mon Apr 7 07:57:04 EDT 2003


I should have mentioned that, sorry:
1. Snort's port is configured as a monitoring port on the switch, and the hosts 
that I scan mirror traffic to the monitoring port. So this is not the case. 
No auto-sensing hub is used.
2. If I do a vulnerability scan from the nessus box that has no 
restrictions regarding the traffic - it is unrestricted on the firewall 
level, so a 3-way handshake should be established each time nessus tries 
some vuln script.
3. You say 'if a three way handshake isn't established it won't alert' - 
does that actually mean that scans and vulnerability testing performed 
from a spoofed address will not produce alerts?

Thank you.

Erek Adams wrote:

>On Sun, 6 Apr 2003, Keg wrote:
>
>  
>
>>Snort 1.9.1 on RH8
>>I scan network segment protected with Snort using Nessus. I actually
>>have scanned only 2 boxes on that network - one Linux box and one NT box.
>>The alerts I see in Snort are almost all unix-related, namely: squid
>>proxy attempt, scan proxy attempt 8080, tftp get password, snmp get
>>alerts, ASF access, amanda version request, DDOS mstream, xdmp query,
>>samba client access, etc.
>>I don't see any windows-related alerts, which should be produced in tons
>>by nessus scanning, because it runs a lot of windows-related vuln test
>>scripts.
>>Question:
>>1. Why don't I see windows-related alerts, any ideas?
>>    
>>
>
>Lots of reasons, but none related to the OS.
>
>    *  You're on a switched network, and Snort is running on the
>Linux box.  Unless the port is configured as a monitoring port, you'll never
>see anything destined for the other box.
>    *  You're using an 'auto-sensing hub'.  If you're using a 10/100
>autosensing hub, then you've got one box at 10mb and the other at 100mb.
>Those autosensing hubs have two 'sides'--One for 10mbs and one for 100mbs.
>It keeps 100mb traffic on its side, and keeps 10mbs traffic on its side.
>
>  
>
>>2. Generally speaking, nessus runs more than 1000 different scripts for
>>vuln tests, should I see a similar number of UNIQUE alerts in snort?
>>In my understanding, snort should be aware of most of the attack attempts or
>>queries nessus produces...
>>    
>>
>
>Not necessarily.  Due to the way that rules work, if a three way handshake
>isn't established it won't alert.  Check the rules and find what rules you
>are expecting to fire.  Check them for 'flow: established, to_server'.  I
>bet you'll find that on quite a few of them.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>  
>

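The exchange above turns on one mechanism: a rule carrying `flow:established,to_server` is only evaluated against packets that belong to a TCP session whose three-way handshake Snort has already seen, so a probe sent from a spoofed source (which never receives the SYN-ACK and therefore never completes the handshake) can only trip rules that have no such `flow` condition. The script below is an added illustration written for this page, not Snort's own code or any real Snort signature: it models a flow tracker that records completed handshakes, evaluates two constructed rules (one stateless, one gated on `established,to_server`) against a constructed packet stream, and shows which of them fire for a genuine scanner versus a spoofed-source probe. The IP addresses, port numbers, rule text and payload bytes are all invented for the example.

```python
"""
Model of how Snort's `flow:established,to_server` option gates alerts.
Added example for this thread; not Snort source and not real Snort rules.
Everything below (addresses, ports, rules, payloads) is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # TCP flag letters: "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    msg: str
    dport: int
    content: bytes
    flow: Optional[str] = None   # None = stateless; or "established,to_server"


class FlowTracker:
    """Remembers which client->server 4-tuples completed a 3-way handshake."""

    def __init__(self) -> None:
        self.syn_seen = set()
        self.synack_seen = set()
        self.established = set()

    @staticmethod
    def key(p: Pkt) -> Tuple[str, int, str, int]:
        # Key is always expressed in the client -> server direction.
        return (p.src, p.sport, p.dst, p.dport)

    def update(self, p: Pkt) -> None:
        if p.flags == "S":
            self.syn_seen.add(self.key(p))
        elif p.flags == "SA":
            # SYN-ACK travels server -> client; flip it to the client key.
            client_key = (p.dst, p.dport, p.src, p.sport)
            if client_key in self.syn_seen:
                self.synack_seen.add(client_key)
        elif "A" in p.flags:
            # Final ACK from the client completes the handshake.
            k = self.key(p)
            if k in self.synack_seen:
                self.established.add(k)

    def is_established(self, p: Pkt) -> bool:
        # True only for packets flowing client -> server on a completed session,
        # which is what "established,to_server" requires.
        return self.key(p) in self.established


def run(packets: List[Pkt], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule msg, source IP) for every alert the stream would raise."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        tracker.update(p)
        for r in rules:
            if p.dport != r.dport or r.content not in p.payload:
                continue
            if r.flow == "established,to_server" and not tracker.is_established(p):
                continue          # handshake never seen: rule is skipped
            alerts.append((r.msg, p.src))
    return alerts


# Constructed rules: same port and content, differing only in the flow option.
RULES = [
    Rule("SMB probe (stateless)", 139, b"\xffSMB"),
    Rule("SMB probe (established,to_server)", 139, b"\xffSMB", "established,to_server"),
]

SCANNER, TARGET, SPOOFED_SRC = "10.0.0.5", "10.0.0.20", "192.0.2.99"
PROBE = b"\x00\x00\x00\x2f\xffSMBr"    # constructed payload, not a real SMB request

# Genuine scanner: full handshake, then the probe.
REAL_SCAN = [
    Pkt(SCANNER, TARGET, 40001, 139, "S"),
    Pkt(TARGET, SCANNER, 139, 40001, "SA"),
    Pkt(SCANNER, TARGET, 40001, 139, "A"),
    Pkt(SCANNER, TARGET, 40001, 139, "PA", PROBE),
]

# Spoofed source: the SYN-ACK goes to an address the scanner never controls,
# so no ACK is ever sent; only a bare data packet can be injected.
SPOOFED_SCAN = [
    Pkt(SPOOFED_SRC, TARGET, 40002, 139, "PA", PROBE),
]

if __name__ == "__main__":
    for msg, src in run(REAL_SCAN + SPOOFED_SCAN, RULES):
        print(f"{src:>12}  {msg}")
```

Run stand-alone it prints three alerts: both rules for the genuine scanner, and only the stateless rule for the spoofed-source probe. That is the answer to the third question in the thread: a spoofed scan still produces alerts, but only from rules that do not require an established flow, which is also why SYN-style scan signatures fire while content-inspecting, handshake-gated signatures stay silent.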
