Erek Adams erek at ...950...
Mon Apr 7 08:43:07 EDT 2003

On Mon, 7 Apr 2003, Keg wrote:

> 1. OK, let me get it straight. If my $HOME_NET is set to
> and my nessus scanner is When I scan
> the segment from nessus box I don't scan for ports at all, I scan only
> for vulnerabilities. Shouldn't the rules be triggered in this case?

Nope.  Go look at the rules, it'll make more sense as to why it doesn't.
The following rule would fire if you were scanned by Nessus:

  Nessus 404 probe"; flow:to_server,established; uricontent:
  "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301;
  classtype:web-application-activity; sid:1102;  rev:5;)

See first line?  That translates into "If an IP from the EXTERNAL_NET
connects to HTTP_SERVERS on HTTP_PORTS then...".  Unless your scanner is
on the outside of HOME_NET this rule won't fire.

> 2. When I scan from the nessus box, and DO USE PORTSCAN,
> would it be correct to say that IN THIS CASE NO ALERTS WILL BE
> GENERATED BY THE RULES, but some will be generated by pre-processors. Is
> that correct?

Yes and no.  The alerts will be generated by the preprocessors, yes.
Depending on how you have your EXTERNAL_NET set and where you are scanning
from, you may or may not get alerts from the rules.  If you have:


And you scan from, then you don't get any alerts from
rules, unless they don't look for EXTERNAL_NET -> HOME_NET.  If you scan
from outside of HOME_NET then you would get alerts from any of the rules.

Hope that helps!

Erek Adams
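An added example, not part of the thread: a small Python model of how Snort resolves the $EXTERNAL_NET / $HOME_NET variables in a rule header against a flow, showing why a scanner sitting inside HOME_NET never matches a header of the form $EXTERNAL_NET -> $HTTP_SERVERS $HTTP_PORTS, and what changes when EXTERNAL_NET is set to any. The variable values, the scanner and target addresses, and the reconstructed sid 1102 header are assumptions made for the example.

```python
import ipaddress

# Constructed Snort variable settings for this example; they are not taken
# from the post.  EXTERNAL_NET as the negation of HOME_NET is the classic
# snort.conf arrangement the reply is describing.
SNORT_VARS = {
    "HOME_NET": ["192.168.1.0/24"],
    "EXTERNAL_NET": ["!$HOME_NET"],
    "HTTP_SERVERS": ["$HOME_NET"],
    "HTTP_PORTS": ["80"],
}

def ip_matches(spec, ip, variables):
    """Evaluate an address spec ('any', CIDR, $VAR, or !spec) against one IP."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return any(ip_matches(s, ip, variables) for s in variables[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port, variables):
    """Evaluate a port spec ('any', N, lo:hi, $VAR, or !spec) against one port."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        return any(port_matches(s, port, variables) for s in variables[spec[1:]])
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def header_matches(header, src_ip, src_port, dst_ip, dst_port, variables=SNORT_VARS):
    """Decide whether a '->' rule header applies to a flow.  Only the header is
    checked; payload options (uricontent, depth, ...) are not modelled."""
    _action, _proto, sip, sport, _arrow, dip, dport = header.split()
    return (ip_matches(sip, src_ip, variables) and port_matches(sport, src_port, variables)
            and ip_matches(dip, dst_ip, variables) and port_matches(dport, dst_port, variables))

# Header the reply paraphrases for sid 1102 (assumed here; the quoted rule lost its first line).
NESSUS_404_HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"

def scan_from(scanner_ip, variables=SNORT_VARS, target="192.168.1.10"):
    """Would the sid 1102 header match a scanner's HTTP probe against `target`?"""
    return header_matches(NESSUS_404_HEADER, scanner_ip, 40000, target, 80, variables)
```

With the defaults, scan_from("192.168.1.50") is False and scan_from("10.9.8.7") is True; overriding EXTERNAL_NET to ["any"] makes the inside scanner match as well, which is the "yes and no" in the reply.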

