[Snort-users] Only *nix alerts?

Keg snrtlst at ...2792...
Mon Apr 7 12:55:02 EDT 2003


Thanks. (not for lashes :-)  )


Erek Adams wrote:

>On Mon, 7 Apr 2003, Keg wrote:
>
>>I should have mentioned that, sorry:
>
>:)  Ok, twenty lashes with a wet noodle for you!
>
>>1. Snort is configured as monitoring port on the switch, and the hosts
>>that I scan mirror traffic to monitoring port. So this is not the case.
>>No auto-sense hub is used.
>
>Ok.
>
>>2. If I do a vulnerability scan from the nessus box that has no
>>restrictions regarding the traffic - it is unrestricted on the firewall
>>level, so 3-way handshake should be established each time nessus tries
>>some vuln script.
>>3. You say 'if a three way handshake isn't established it won't alert' -
>>does that actually mean that scans and vulnerability testing performed
>>from spoofed address will not produce alerts?
>
>It's been a while since I've fired up Nessus and my testlab isn't useable
>right now, so I'm not sure about this:  Does Nessus actually establish the
>three way handshake?  If it doesn't, then some alerts that depend on flow
>won't fire.
>
>Do you have any sort of sniffer on the Win32 box?  If you do, fire it up
>and see if you can see the packets from the Nessus scans.
>
>Also, if this is on the same network that you described in the previous
>email, you're scanning from inside your HOME_NET.  That will stop the
>alerts from being generated.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson


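The two conditions discussed in the quoted reply (flow-dependent rules needing a completed three-way handshake, and the scan source sitting inside HOME_NET) can be seen in a simplified model. This is an added example, not part of the thread and not Snort's own code; the rule shape, the HOME_NET value, all addresses and the probe payload are constructed, and the HOME_NET effect assumes EXTERNAL_NET is defined as `!$HOME_NET` rather than `any`.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed value

def in_external(ip, strict):
    # strict=True models EXTERNAL_NET = !$HOME_NET; False models "any"
    return not strict or ipaddress.ip_address(ip) not in HOME_NET

def session(client, server, payload, handshake=True):
    """Constructed sample traffic: (src, dst, sport, dport, flags, payload)."""
    pkts = []
    if handshake:
        pkts += [(client, server, 40000, 80, "S", b""),
                 (server, client, 80, 40000, "SA", b""),
                 (client, server, 40000, 80, "A", b"")]
    return pkts + [(client, server, 40000, 80, "PA", payload)]

def alerts(packets, strict=True):
    """Payloads matched by a rule shaped like
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flow:to_server,established; ...)"""
    state, hits = {}, []
    for src, dst, sport, dport, flags, payload in packets:
        key, rkey = (src, dst, sport, dport), (dst, src, dport, sport)
        # Track handshake progress per client->server connection
        if flags == "S":
            state[key] = "syn"
        elif flags == "SA" and state.get(rkey) == "syn":
            state[rkey] = "synack"
        elif flags == "A" and state.get(key) == "synack":
            state[key] = "established"
        if not payload:
            continue
        # Rule header check first, then the flow:established condition
        header_ok = (in_external(src, strict)
                     and ipaddress.ip_address(dst) in HOME_NET and dport == 80)
        if header_ok and state.get(key) == "established":
            hits.append(payload)
    return hits

if __name__ == "__main__":
    probe = b"GET /constructed-probe HTTP/1.0\r\n\r\n"
    print("external, handshake:", alerts(session("203.0.113.5", "192.168.1.10", probe)))
    print("external, no handshake:", alerts(session("203.0.113.5", "192.168.1.10", probe, False)))
    print("internal, strict:", alerts(session("192.168.1.50", "192.168.1.10", probe)))
    print("internal, any:", alerts(session("192.168.1.50", "192.168.1.10", probe), strict=False))
```

Only the first and last cases produce an alert in this model, which is why checking the `var EXTERNAL_NET` line in snort.conf and sniffing for a completed handshake are the first two things to verify when a test scan stays silent.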
