[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

James Lay jlay at ...13475...
Mon Apr 7 16:52:47 EDT 2014


On 2014-04-07 13:19, Teo En Ming wrote:
>
> Question 3: The Nessus vulnerability scanner reported numerous
> vulnerabilities. Why are there no alerts in my Snort IDS box at all?

Most folks install snort, then start scanning from their own network.  
If you have:

ipvar HOME_NET 192.168.0.0/24

and your scanning machine is 192.168.0.1 and the machine you're 
scanning is 192.168.0.2, don't expect to see anything.  As a quick test 
for IDS functionality do the below:

Verify you see local.rules in your snort.conf
add:

alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)

to your local.rules

Stop snort, start snort.  Now ping something.  I use this rule a lot 
after upgrading to verify functionality (that is if my users haven't 
already inadvertently "helped" me).

James
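
Added example, not part of the message above and not Snort code: a small Python check of rule headers against a flow. It shows why a scan from 192.168.0.1 to 192.168.0.2 inside HOME_NET can miss rules written as $EXTERNAL_NET -> $HOME_NET while the any/any ping rule still matches. It assumes EXTERNAL_NET is set to !$HOME_NET; the TYPICAL rule and its sid are constructed, and only the header (protocol, addresses, direction) is evaluated.

```python
import ipaddress

# HOME_NET is the value from the post; EXTERNAL_NET as !$HOME_NET is an assumption.
IPVARS = {"HOME_NET": "192.168.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# The test rule from the post, and a constructed rule in the common direction.
PING_TEST = 'alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)'
TYPICAL = 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed"; sid:1000001;)'


def addr_matches(spec, ip, ipvars):
    """True if ip satisfies a Snort-style address spec: any, CIDR, $VAR, or !negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, ipvars)
    if spec.startswith("$"):
        return addr_matches(ipvars[spec[1:]], ip, ipvars)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(rule, proto, src, dst, ipvars=IPVARS):
    """Evaluate only the rule header; ports, address lists and options are ignored."""
    header = rule.split("(", 1)[0].split()
    _action, r_proto, r_src, _sport, direction, r_dst, _dport = header
    if r_proto not in (proto, "ip"):
        return False
    forward = addr_matches(r_src, src, ipvars) and addr_matches(r_dst, dst, ipvars)
    if direction == "<>":
        return forward or (
            addr_matches(r_src, dst, ipvars) and addr_matches(r_dst, src, ipvars)
        )
    return forward


if __name__ == "__main__":
    flows = [
        ("scan inside HOME_NET", "192.168.0.1", "192.168.0.2"),
        ("scan from outside (constructed address)", "203.0.113.5", "192.168.0.2"),
    ]
    for label, src, dst in flows:
        for name, rule in (("PING_TEST", PING_TEST), ("TYPICAL", TYPICAL)):
            hit = header_matches(rule, "icmp", src, dst)
            print(f"{label}: {name} header {'matches' if hit else 'does not match'}")
```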



