[Snort-users] Only *nix alerts?

Erek Adams erek at ...950...
Mon Apr 7 08:49:18 EDT 2003


On Mon, 7 Apr 2003, Keg wrote:

> I should have mentioned that, sorry:

:)  Ok, twenty lashes with a wet noodle for you!

> 1. Snort is configured as monitoring port on the switch, and the hosts
> that I scan mirror traffic to monitoring port. So this is not the case.
> No auto-sense hub is used.

Ok.

> 2. If do a vulnerability scan from the nessus box that has no
> restrictions regarding the traffic - it is unrestricted on the firewall
> level, so 3-way handshake should be established each time nessus tries
> some vuln script.
> 3. You say 'if a three way handshake isn't established it won't alert' -
> does that actually mean that scans and vulnerability testing  prformed
> from spoofed address will not produce alerts?

It's been a while since I've fired up Nessus and my testlab isn't useable
right now, so I'm not sure about this:  Does Nessus actually establish the
three way handshake?  If it doesn't, then some alerts that depend on flow
won't fire.

Do you have any sort of sniffer on the Win32 box?  If you do, fire it up
and see if you can see the packets from the Nessus scans.

Also, if this is on the same network that you described in the previous
email, you're scanning from inside your HOME_NET.  That will stop the
alerts from being generated.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list