[Snort-users] $HOME_NET

Erek Adams erek at ...950...
Mon Apr 7 08:43:07 EDT 2003


On Mon, 7 Apr 2003, Keg wrote:

> 1. OK, let me get it straight. If my $HOME_NET is set to
> 192.168.199.0/24 and my nessus scanner is 192.168.199.20. When I scan
> the segment from nessus box I don't scan for ports at all, I scan only
> for vulnerabilities.Shouldn't the rules be triggered in this case?

Nope.  Go look at the rules, it'll make more sense as why it doesn't.
The following rule would fire if you were scanned by Nessus:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
  Nessus 404 probe"; flow:to_server,established; uricontent:
  "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301;
  classtype:web-application-activity; sid:1102;  rev:5;)

See first line?  That translates into "If an IP from the EXTERNAL_NET
connects to HTTP_SERVERS on HTTP_PORTS then...".  Unless your scanner is
on the outside of HOME_NET this rule won't fire.

> 2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,
> whould it be correct to say that IN THIS CASE NO ALERTS WILL BE
> GENERATED BY THE RULES, but some will be generated by pre-processors. Is
> that correct?

Yes and no.  The alerts will be generated by the preprocessors, yes.
Depending on how you have your EXTERNAL_NET set and where you are scanning
from, you may or may not get alerts from the rules.  If you have:

	var HOME_NET 198.168.199.0/24
	var EXTERNAL_NET !$HOME_NET

And you scan from 198.168.199.20, then you don't get any alerts from
rules, unless they don't look for EXTERNAL_NET -> HOME_NET.  If you scan
from outside of HOME_NET then you would get alerts from any of the rules.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list