snrtlst at ...2792...
Mon Apr 7 12:52:09 EDT 2003
1. I get it, but on the other hand my EXTERNAL_NET is set to ANY.
Should that treat nessus box as external_net?
2. Should I always use EXTERNAL_NET as !$HOME_NET?
Erek Adams wrote:
>On Mon, 7 Apr 2003, Keg wrote:
>>1. OK, let me get it straight. If my $HOME_NET is set to
>>192.168.199.0/24 and my nessus scanner is 192.168.199.20. When I scan
>>the segment from nessus box I don't scan for ports at all, I scan only
>>for vulnerabilities. Shouldn't the rules be triggered in this case?
>Nope. Go look at the rules, it'll make more sense as to why it doesn't.
>The following rule would fire if you were scanned by Nessus:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> Nessus 404 probe"; flow:to_server,established; uricontent:
> "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301;
> classtype:web-application-activity; sid:1102; rev:5;)
>See first line? That translates into "If an IP from the EXTERNAL_NET
>connects to HTTP_SERVERS on HTTP_PORTS then...". Unless your scanner is
>on the outside of HOME_NET this rule won't fire.
>>2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,
>>would it be correct to say that IN THIS CASE NO ALERTS WILL BE
>>GENERATED BY THE RULES, but some will be generated by pre-processors. Is
>Yes and no. The alerts will be generated by the preprocessors, yes.
>Depending on how you have your EXTERNAL_NET set and where you are scanning
>from, you may or may not get alerts from the rules. If you have:
> var HOME_NET 18.104.22.168/24
> var EXTERNAL_NET !$HOME_NET
>And you scan from 22.214.171.124, then you don't get any alerts from
>rules, unless they don't look for EXTERNAL_NET -> HOME_NET. If you scan
>from outside of HOME_NET then you would get alerts from any of the rules.
>Hope that helps!
> "When things get weird, the weird turn pro." H.S. Thompson
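The header-matching behaviour Erek describes, as an added example that is not part of the original thread or of Snort itself: a small Python model of how a rule header resolves $HOME_NET and $EXTERNAL_NET, run against the header of the sid:1102 Nessus 404 probe rule under both variable settings discussed (EXTERNAL_NET as !$HOME_NET and EXTERNAL_NET as any). The 192.168.199.0/24 HOME_NET and the 192.168.199.20 scanner are Keg's; the web-server target 192.168.199.10, the outside scanner 203.0.113.5, the ports and the variable tables are constructed assumptions. Only the header is evaluated; for the real rule to alert, the flow and uricontent options must match as well.

```python
import ipaddress

# Constructed variable sets. The first mirrors the !$HOME_NET idiom Erek
# suggests; the second is the EXTERNAL_NET any setting Keg says he uses.
VARS_NEGATED = {
    "HOME_NET": "192.168.199.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80",
}
VARS_ANY = dict(VARS_NEGATED, EXTERNAL_NET="any")

# Header of the Nessus 404 probe rule quoted in the thread (sid:1102).
NESSUS_404_HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"


def ip_matches(spec, ip, variables):
    """True if `ip` is covered by a Snort address spec: any, CIDR, $VAR, !spec or [a,b,...]."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(part, ip, variables) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port, variables):
    """True if `port` satisfies a Snort port spec: any, N, low:high, $VAR or !spec."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        return port_matches(variables[spec[1:]], port, variables)
    if ":" in spec:
        low, high = spec.split(":", 1)
        return (not low or int(low) <= port) and (not high or port <= int(high))
    return int(spec) == port


def header_matches(rule_header, src_ip, src_port, dst_ip, dst_port, variables):
    """Evaluate only the rule header (addresses, ports, direction).
    Payload options such as flow and uricontent are not modelled here."""
    _action, _proto, src_spec, sport_spec, direction, dst_spec, dport_spec = rule_header.split()
    forward = (ip_matches(src_spec, src_ip, variables)
               and port_matches(sport_spec, src_port, variables)
               and ip_matches(dst_spec, dst_ip, variables)
               and port_matches(dport_spec, dst_port, variables))
    if direction == "->":
        return forward
    if direction == "<>":
        backward = (ip_matches(dst_spec, src_ip, variables)
                    and port_matches(dport_spec, src_port, variables)
                    and ip_matches(src_spec, dst_ip, variables)
                    and port_matches(sport_spec, dst_port, variables))
        return forward or backward
    raise ValueError("unknown direction operator: " + direction)


def would_fire(scanner_ip, variables):
    """Does the sid:1102 header match a probe from scanner_ip to a web server
    in HOME_NET? Target 192.168.199.10:80 and source port 40000 are constructed."""
    return header_matches(NESSUS_404_HEADER, scanner_ip, 40000, "192.168.199.10", 80, variables)


if __name__ == "__main__":
    for label, variables in (("EXTERNAL_NET !$HOME_NET", VARS_NEGATED),
                             ("EXTERNAL_NET any", VARS_ANY)):
        for scanner in ("192.168.199.20", "203.0.113.5"):
            print(f"{label:24} scan from {scanner:15} -> header matches: "
                  f"{would_fire(scanner, variables)}")
```

With EXTERNAL_NET set to !$HOME_NET the header never matches a scan launched from inside 192.168.199.0/24, which is why the rule stays silent in Keg's first scenario; with EXTERNAL_NET any the header does match an inside scanner, so whether the rule alerts then comes down to the payload options.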