[Snort-users] $HOME_NET

Erek Adams erek at ...950...
Tue Apr 8 10:02:06 EDT 2003

On Tue, 8 Apr 2003, Keg wrote:

> Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set
> to any, then even if my nessus box is on the same segment as specified
> in $HOME_NET it should generate tons of alerts and rules should be
> triggered. (Hope I'm not being too dummy here and I got it right, if not
> I'm ready for another 20 wet noodle lashes...) Please confirm/deny that
> this is a correct statement.

Yes, that's right.

> But what happens is the following:
> If the segment that hosts nessus is removed from $HOME_NET and a nessus scan
> is initiated on that segment (only vulns, no port scans), then snort
> shows only a few alerts (and only the unix-related)
> If the segment that hosts nessus is moved back to $HOME_NET and a nessus scan is
> initiated on that segment (only vulns, no port scans), then snort shows
> a lot of alerts (and only the unix-related)
> I'm puzzled a bit because when snort reports attacks from the internet it
> reports them as it should be....unix-related, windows-related

What alerts do you EXPECT to see?  If there aren't rules for them, or the
Win32 server isn't vulnerable to that attack, then you won't see any
alerts.  When running Snort I see any alert that I have a rule for.
Running on my laptop off of a cable modem, I see tons of ping scans and
SQL Slammer worms flying by.  Snort isn't biased about Win32 or *NIX.  :)
I really think there's something odd about your setup.

If you run snort in sniffer mode (snort -vd) can you see traffic directed
at the Win32 box?  To really test, use an external traceroute server and
ping your Win32 box (route-server.{cerf,exodus}.net).  If you can see the
ping then there's something else wrong.

> P.S. I do realize that it is hard to give a definite answer without
> knowing exactly how it is set up here; even if I did my best to provide
> the info there could always be something else that bugs the system...

:)  Yep, quite often helping is sorta like juggling chainsaws.

If you'd like to go into more detail, feel free to drop me private email.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

