[Snort-users] $HOME_NET

Keg snrtlst at ...2792...
Mon Apr 7 12:52:09 EDT 2003


1. I get it, but on the other hand my EXTERNAL_NET is set to ANY.
Should that treat the nessus box as external_net?
2. Should I always use EXTERNAL_NET as !$HOME_NET?

Erek Adams wrote:

>On Mon, 7 Apr 2003, Keg wrote:
>
>>1. OK, let me get it straight. If my $HOME_NET is set to
>>192.168.199.0/24 and my nessus scanner is 192.168.199.20. When I scan
>>the segment from nessus box I don't scan for ports at all, I scan only
>>for vulnerabilities. Shouldn't the rules be triggered in this case?
>
>Nope.  Go look at the rules, it'll make more sense as to why it doesn't.
>The following rule would fire if you were scanned by Nessus:
>
>  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
>  Nessus 404 probe"; flow:to_server,established; uricontent:
>  "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301;
>  classtype:web-application-activity; sid:1102;  rev:5;)
>
>See first line?  That translates into "If an IP from the EXTERNAL_NET
>connects to HTTP_SERVERS on HTTP_PORTS then...".  Unless your scanner is
>on the outside of HOME_NET this rule won't fire.
>
>>2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,
>>would it be correct to say that IN THIS CASE NO ALERTS WILL BE
>>GENERATED BY THE RULES, but some will be generated by pre-processors. Is
>>that correct?
>
>Yes and no.  The alerts will be generated by the preprocessors, yes.
>Depending on how you have your EXTERNAL_NET set and where you are scanning
>from, you may or may not get alerts from the rules.  If you have:
>
>    var HOME_NET 198.168.199.0/24
>    var EXTERNAL_NET !$HOME_NET
>
>And you scan from 198.168.199.20, then you don't get any alerts from
>rules, unless they don't look for EXTERNAL_NET -> HOME_NET.  If you scan
>from outside of HOME_NET then you would get alerts from any of the rules.
>
>Hope that helps!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson

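The rule-header check discussed in this thread, as an added example (not part of either post, and not Snort's own code): a small Python model of how the addresses in `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS` are tested under the two EXTERNAL_NET settings mentioned. The web server address 192.168.199.10, the outside address 203.0.113.5, HTTP_SERVERS being set to $HOME_NET, and all function names are assumptions; ports, flow, content and preprocessors are not modelled.

```python
import ipaddress

def resolve(value, variables):
    """Expand $NAME references (snort.conf 'var' lines) until none remain."""
    while "$" in value:
        negated = value.startswith("!")
        value = variables[value.lstrip("!").lstrip("$")]
        if negated:  # "!$VAR" negates whatever VAR expands to
            value = value[1:] if value.startswith("!") else "!" + value
    return value

def addr_matches(ip, spec, variables):
    """True if ip satisfies one address field of a rule header."""
    spec = resolve(spec, variables)
    negated = spec.startswith("!")
    target = spec.lstrip("!")
    if target == "any":
        return not negated
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(target)
    return inside != negated

def header_matches(rule_src, rule_dst, pkt_src, pkt_dst, variables):
    """Address part of 'src any -> dst ports'; both sides must match."""
    return (addr_matches(pkt_src, rule_src, variables)
            and addr_matches(pkt_dst, rule_dst, variables))

HOME = "192.168.199.0/24"        # HOME_NET from the thread
WEB_SERVER = "192.168.199.10"    # constructed target inside HOME_NET
SCANNERS = {
    "inside": "192.168.199.20",  # the Nessus box from the thread
    "outside": "203.0.113.5",    # constructed external address
}
CONFIGS = {  # HTTP_SERVERS = $HOME_NET is an assumption
    "any": {"HOME_NET": HOME, "EXTERNAL_NET": "any",
            "HTTP_SERVERS": "$HOME_NET"},
    "!$HOME_NET": {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET",
                   "HTTP_SERVERS": "$HOME_NET"},
}

def evaluate():
    """Return {(EXTERNAL_NET setting, scanner location): header matched?}."""
    return {(cfg, where): header_matches("$EXTERNAL_NET", "$HTTP_SERVERS",
                                         src, WEB_SERVER, variables)
            for cfg, variables in CONFIGS.items()
            for where, src in SCANNERS.items()}

if __name__ == "__main__":
    for (cfg, where), hit in evaluate().items():
        print(f"EXTERNAL_NET {cfg:<11} scanner {where:<8} header matches: {hit}")
```

A header match only means the rule's options are then evaluated against the traffic; it does not by itself mean an alert.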

