snrtlst at ...2792...
Tue Apr 8 09:52:06 EDT 2003
Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set
to any, then even if my nessus box is on the same segment as specified
in $HOME_NET it should generate tons of alerts and rules should be
triggered. (Hope I'm not being too dummy here and I got it right, if not
I' ready for another 20 wet noodles lashes...) Please confir/deny that
this is a correct statement.
But what happens is the following:
If segment that hosts nessus is removed from $HOME_NET and nessus scan
is initiated on that segment (only vulns, no port scans), then snort
shows only a few alerts (and only the unix-related)
If segment that hosts nessus is moved back $HOME_NET and nessus scan is
initiated on that segment (only vulns, no port scans), then snort shows
a lot of alerts (and only the unix-related)
I'm puzzled a bit cause when snort reports attacks from the internet it
reports it as it should be....unix-related, windows-related
P.S. I do realize that it is hard to give a defenite answer without
knowing exactly how it is set up here, even if I did my best to provide
the info there could always be something else that bugs the system...
Erek Adams wrote:
>On Mon, 7 Apr 2003, Keg wrote:
>>1. I get it., but on the other hand my EXTERNAL_NET is set to ANY.
>>Should that treat nessus box as external_net?
>If you run Snort in sniffer mode, can you see traffic destined for the
> snort -vd
>>2. Should I always use EXTERNAL_NET as !$HOME_NET?
>That's up to you. I do it to cut down on false positives. Try it both
>ways and see what works better for you.
> "When things get weird, the weird turn pro." H.S. Thompson
>This SF.net email is sponsored by: ValueWeb:
>Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
>No other company gives more support or power for your dedicated server
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
Your favorite stores, helpful shopping tools and great gift ideas.
Experience the convenience of buying online with Shop at ...2793...!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users