[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

Teo En Ming teo.en.ming at ...11827...
Mon Apr 7 17:04:18 EDT 2014


Dear James,

I have already added the following rule to icmp.rules some time ago:

alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

The rule DID fire when I visited grc.com to port scan my public IP address.

Use Gibson Research Corporation's ShieldsUP! to port scan your public IP
address.

https://www.grc.com/x/ne.dll?bh0bkyd2

Regards,

Teo En Ming




On Tue, Apr 8, 2014 at 4:52 AM, James Lay <jlay at ...13475...> wrote:

> On 2014-04-07 13:19, Teo En Ming wrote:
> >
> > Question 3: The Nessus vulnerability scanner reported numerous
> > vulnerabilities. Why are there no alerts in my Snort IDS box at all?
>
> Most folks install snort, then start scanning from their own network.
> If you have:
>
> ipvar HOME_NET 192.168.0.0/24
>
> and your scanning machine is 192.168.0.1 and the machine you're
> scanning is 192.168.0.2, don't expect to see anything.  As a quick test
> for IDS functionality do the below:
>
> Verify you see local.rules in your snort.conf
> add:
>
> alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)
>
> to your local.rules
>
> Stop snort, start snort.  Now ping something.  I use this rule a lot
> after upgrading to verify functionality (that is if my users haven't
> already inadvertently "helped" me).
>
> James
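Added example (not part of either poster's message, and not Snort's own code): the Python below evaluates rule-header addresses against a flow, to show why the "Ping test" rule fires for a scan between two HOME_NET hosts while a rule written as `$EXTERNAL_NET -> $HOME_NET` does not. It assumes `EXTERNAL_NET` is set to `!$HOME_NET`, which the thread does not state; the config fragment, the tcp rule and the 203.0.113.5 address are constructed.

```python
import ipaddress
import re

# Constructed snort.conf fragment. EXTERNAL_NET = !$HOME_NET is an assumption.
SNORT_CONF = """\
ipvar HOME_NET 192.168.0.0/24
ipvar EXTERNAL_NET !$HOME_NET   # assumed setting, not from the thread
include $RULE_PATH/local.rules
"""
# Rule quoted in the thread, and a constructed rule in the usual direction.
PING_TEST = 'alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)'
TYPICAL = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed"; sid:1000001;)'

def parse_conf(text):
    """Return (ipvar definitions, names of included rule files)."""
    ipvars, includes = {}, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"ipvar\s+(\S+)\s+(\S+)$", line)
        if m:
            ipvars[m.group(1)] = m.group(2)
        m = re.match(r"include\s+(\S+)$", line)
        if m:
            includes.add(m.group(1).rsplit("/", 1)[-1])
    return ipvars, includes

def addr_matches(spec, ip, ipvars):
    """Match ip against: any, a single CIDR, $VAR, or a ! negation.
    Bracketed address lists are not handled here."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, ipvars)
    if spec.startswith("$"):
        return addr_matches(ipvars[spec[1:]], ip, ipvars)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(rule, src, dst, ipvars):
    """Compare only the source and destination addresses of the rule header."""
    _act, _proto, rsrc, _sp, _arrow, rdst, _dp = rule.split("(", 1)[0].split()
    return addr_matches(rsrc, src, ipvars) and addr_matches(rdst, dst, ipvars)

if __name__ == "__main__":
    ipvars, includes = parse_conf(SNORT_CONF)
    print("local.rules included:", "local.rules" in includes)
    for name, rule in (("Ping test", PING_TEST), ("typical", TYPICAL)):
        # Scanner 192.168.0.1 and target 192.168.0.2 are both inside HOME_NET.
        print(name, header_matches(rule, "192.168.0.1", "192.168.0.2", ipvars))
```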