[Snort-users] $HOME_NET

Keg snrtlst at ...2792...
Tue Apr 8 11:03:07 EDT 2003


Erek,
As to what traffic I expect to see...I'm sure nessus does some IIS vuln 
testing and I'm sure snort has rules for it. I think nessus is not smart 
enough to first figure out what the OS of the host is and after that launch 
only OS-related tests, I think it just takes 1000 vuln scripts and 
launches them against whatever host. Having said that, I expect to see at 
least some IIS alerts reported, which are mysteriously not reported as I 
mentioned earlier.
As to the going into details...thanks, I think I'll try to dig out what's 
wrong with the setup myself. Thank you very much.

Erek Adams wrote:

>On Tue, 8 Apr 2003, Keg wrote:
>
>>Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set
>>to any, then even if my nessus box is on the same segment as specified
>>in $HOME_NET it should generate tons of alerts and rules should be
>>triggered. (Hope I'm not being too dummy here and I got it right, if not
>>I'm ready for another 20 wet noodle lashes...) Please confirm/deny that
>>this is a correct statement.
>
>Yes, that's right.
>
>>But what happens is the following:
>>If the segment that hosts nessus is removed from $HOME_NET and a nessus scan
>>is initiated on that segment (only vulns, no port scans), then snort
>>shows only a few alerts (and only the unix-related).
>>If the segment that hosts nessus is moved back to $HOME_NET and a nessus scan is
>>initiated on that segment (only vulns, no port scans), then snort shows
>>a lot of alerts (and only the unix-related).
>>I'm puzzled a bit cause when snort reports attacks from the internet it
>>reports it as it should be....unix-related, windows-related
>
>What alerts do you EXPECT to see?  If there aren't rules for them, or the
>Win32 server isn't vulnerable to that attack, then you won't see any
>alerts.  When running Snort I see any alert that I have a rule for.
>Running on my laptop off of a cable modem, I see tons of ping scans and
>SQL Slammer worms flying by.  Snort isn't biased about Win32 or *NIX.  :)
>I really think there's something odd about your setup.
>
>If you run snort in sniffer mode (snort -vd) can you see traffic directed
>at the Win32 box?  To really test, use an external traceroute server and
>ping your Win32 box (route-server.{cerf,exodus}.net).  If you can see the
>ping then there's something else wrong.
>
>>P.S. I do realize that it is hard to give a definite answer without
>>knowing exactly how it is set up here, even if I did my best to provide
>>the info there could always be something else that bugs the system...
>
>:)  Yep, quite often helping is sorta like juggling chainsaws.
>
>If you'd like to go into more detail, feel free to drop me private email.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson

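The statement Erek confirms above (with $EXTERNAL_NET set to any, a scanner sitting inside $HOME_NET still matches `$EXTERNAL_NET any -> $HOME_NET` rule headers, while probes at a target outside $HOME_NET match none of them) can be checked without running Snort. The following is an added Python example that re-implements Snort's rule-header matching in toy form; it is not Snort's own code and not from either poster. The HOME_NET segments, the three rules with their msg texts, and the packets are all constructed, and the second setting compared (`EXTERNAL_NET !$HOME_NET`) is the usual alternative to `any`, included here to show how it changes the result.

```python
"""Evaluate Snort-style rule headers against sample packets under two $EXTERNAL_NET settings.

Added example: a toy re-implementation of Snort header matching, not Snort's own
code. Networks, rules, msg texts and packets are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed rules in Snort header syntax (msg texts are samples, not real signatures).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE web probe";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe";)',
    'alert icmp any any -> $HOME_NET any (msg:"SAMPLE ping";)',
]


def make_vars(external_net):
    """Variable table for one snort.conf setting; HOME_NET is a constructed pair of segments."""
    return {"HOME_NET": "[10.1.1.0/24,10.1.2.0/24]",
            "EXTERNAL_NET": external_net,
            "HTTP_PORTS": "80"}


def resolve_addr(spec, variables):
    """Expand an address field to (negated, networks); networks is None for 'any'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    if spec.startswith("$"):
        inner_negated, nets = resolve_addr(variables[spec[1:]], variables)
        return negated ^ inner_negated, nets  # !$VAR where VAR is itself negated
    if spec.startswith("[") and spec.endswith("]"):
        nets = [ip_network(p.strip(), strict=False) for p in spec[1:-1].split(",")]
    else:
        nets = [ip_network(spec, strict=False)]
    return negated, nets


def addr_matches(spec, ip, variables):
    """True if the address field (after variable expansion and negation) covers ip."""
    negated, nets = resolve_addr(spec, variables)
    inside = True if nets is None else any(ip_address(ip) in n for n in nets)
    return inside != negated


def port_matches(spec, port, variables):
    """Handle 'any', a single port, a $VAR, or Snort's lo:hi range (either end optional)."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule, pkt, variables):
    """Apply the rule header (everything before the '(' option block) to one packet."""
    _action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    if proto != pkt["proto"]:
        return False

    def one_way(s_ip, s_port, d_ip, d_port):
        return (addr_matches(src, s_ip, variables) and port_matches(sport, s_port, variables)
                and addr_matches(dst, d_ip, variables) and port_matches(dport, d_port, variables))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if direction == "->":
        return forward
    # '<>' is bidirectional: also accept the swapped orientation
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def matching_rules(pkt, variables, rules=RULES):
    """Return the msg text of every rule whose header matches the packet."""
    return [re.search(r'msg:"([^"]*)"', r).group(1)
            for r in rules if header_matches(r, pkt, variables)]


def compare_settings(pkt):
    """Same packet evaluated with EXTERNAL_NET 'any' and with '!$HOME_NET'."""
    return {ext: matching_rules(pkt, make_vars(ext)) for ext in ("any", "!$HOME_NET")}


# Constructed packets: a scanner inside HOME_NET probing a HOME_NET web server,
# the same probe from an outside address, and the inside scanner probing a host outside HOME_NET.
INSIDE_SCAN = {"proto": "tcp", "src": "10.1.2.50", "sport": 40000, "dst": "10.1.1.10", "dport": 80}
OUTSIDE_SCAN = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "10.1.1.10", "dport": 80}
OFF_NET_SCAN = {"proto": "tcp", "src": "10.1.2.50", "sport": 40000, "dst": "192.0.2.9", "dport": 80}

if __name__ == "__main__":
    for name, pkt in (("inside scanner", INSIDE_SCAN), ("outside scanner", OUTSIDE_SCAN),
                      ("target off HOME_NET", OFF_NET_SCAN)):
        print(name, compare_settings(pkt))
```

Run as-is it prints one line per packet. The inside scanner only produces the web-probe match while EXTERNAL_NET is `any`; switching to `!$HOME_NET` silences it, and a probe aimed at an address outside HOME_NET matches nothing under either setting because the destination side of the header fails first.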