[Snort-users] $HOME_NET

Keg snrtlst at ...2792...
Tue Apr 8 09:52:06 EDT 2003


Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set 
to any, then even if my nessus box is on the same segment as specified 
in $HOME_NET it should generate tons of alerts and rules should be 
triggered. (Hope I'm not being too dumb here and I got it right, if not 
I'm ready for another 20 wet noodle lashes...) Please confirm/deny that 
this is a correct statement.
But what happens is the following:
If the segment that hosts nessus is removed from $HOME_NET and a nessus scan 
is initiated on that segment (only vulns, no port scans), then snort 
shows only a few alerts (and only the unix-related).
If the segment that hosts nessus is moved back to $HOME_NET and a nessus scan is 
initiated on that segment (only vulns, no port scans), then snort shows 
a lot of alerts (and only the unix-related).
I'm puzzled a bit 'cause when snort reports attacks from the internet it 
reports it as it should be....unix-related, windows-related

P.S. I do realize that it is hard to give a definite answer without 
knowing exactly how it is set up here, even if I did my best to provide 
the info there could always be something else that bugs the system...

Erek Adams wrote:

>On Mon, 7 Apr 2003, Keg wrote:
>
>>1. I get it, but on the other hand my EXTERNAL_NET is set to ANY.
>>Should that treat nessus box as external_net?
>
>It should.
>
>If you run Snort in sniffer mode, can you see traffic destined for the
>Win32 box?
>
>    snort -vd
>
>>2. Should I always use EXTERNAL_NET as !$HOME_NET?
>
>That's up to you.  I do it to cut down on false positives.  Try it both
>ways and see what works better for you.
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list
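
How the address part of a rule header of the form "$EXTERNAL_NET any -> $HOME_NET any" is checked against the variables discussed in this thread, as an added example that is not part of the original messages and is not Snort's own code. The scanner and target addresses, the 192.168.1.0/24 segment and the simplified matcher are constructed assumptions.

```python
import ipaddress

def resolve(value, variables):
    """Expand a Snort-style address value into (negated, [networks])."""
    negated = value.startswith("!")
    value = value.lstrip("!")
    if value.startswith("$"):                      # variable reference
        inner_neg, nets = resolve(variables[value[1:]], variables)
        return negated != inner_neg, nets
    if value.lower() == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = value.strip("[]").split(",")           # single CIDR or [a,b] list
    return negated, [ipaddress.ip_network(i.strip()) for i in items]

def addr_matches(ip, value, variables):
    """True when ip is accepted by the (possibly negated) address value."""
    negated, nets = resolve(value, variables)
    inside = any(ipaddress.ip_address(ip) in n for n in nets)
    return inside != negated

def header_matches(src, dst, rule_src, rule_dst, variables):
    """Both sides of 'rule_src any -> rule_dst any' must accept the packet."""
    return (addr_matches(src, rule_src, variables)
            and addr_matches(dst, rule_dst, variables))

# Constructed lab addresses: scanner and Win32 target on the same segment.
SCANNER, TARGET = "192.168.1.50", "192.168.1.10"

def evaluate(home_net, external_net):
    """Would a scanner -> target packet pass the header check?"""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return header_matches(SCANNER, TARGET,
                          "$EXTERNAL_NET", "$HOME_NET", variables)

if __name__ == "__main__":
    cases = [
        ("segment in HOME_NET, EXTERNAL_NET any", "192.168.1.0/24", "any"),
        ("segment removed from HOME_NET", "10.0.0.0/8", "any"),
        ("EXTERNAL_NET set to !$HOME_NET", "192.168.1.0/24", "!$HOME_NET"),
    ]
    for label, home, ext in cases:
        verdict = "header matches" if evaluate(home, ext) else "header skipped"
        print(f"{label:40s} -> {verdict}")
```

The check covers only the source and destination addresses; ports, rule options and preprocessors still decide whether an alert is actually raised.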