[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

Teo En Ming teo.en.ming at ...11827...
Mon Apr 7 17:04:18 EDT 2014

Dear James,

I have already added the following rule to icmp.rules some time ago:

alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

The rule DID fire when I visited grc.com to port scan my public IP address.

Use Gibson Research Corporation's ShieldsUP! to port scan your public IP



Teo En Ming

On Tue, Apr 8, 2014 at 4:52 AM, James Lay <jlay at ...13475...> wrote:

> On 2014-04-07 13:19, Teo En Ming wrote:
> >
> > Question 3: The Nessus vulnerability scanner reported numerous
> > vulnerabilities. Why are there no alerts in my Snort IDS box at all?
> Most folks install snort, then start scanning from their own network.
> If you have:
> ipvar HOME_NET
> and your scanning machine is and the machine you're
> scanning is, don't expect to see anything.  As a quick test
> for IDS functionality do the below:
> Verify you see local.rules in your snort.conf
> add:
> alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)
> to your local.rules
> Stop snort, start snort.  Now ping something.  I use this rule a lot
> after upgrading to verify functionality (that is if my users haven't
> already inadvertently "helped" me).
> James
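Added example, not part of either poster's message: a small model of Snort rule-header address matching that shows why an internal scan can stay silent while the "Ping test" rule still fires. It assumes HOME_NET is 192.168.1.0/24 and EXTERNAL_NET is !$HOME_NET (constructed values, since the thread's addresses are not shown), and the SCOPED rule is a hypothetical rule in the $EXTERNAL_NET -> $HOME_NET form.

```python
import ipaddress

# Constructed values: the thread's real addresses are not shown in the archive.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # assumed config
PING_TEST = 'alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)'
# Hypothetical rule written in the $EXTERNAL_NET -> $HOME_NET form.
SCOPED = 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"scoped"; sid:1000001;)'

def resolve(token, variables):
    """Expand $VAR and '!' in a header address; returns (negated, nets or None for any)."""
    negated = False
    while token.startswith(("!", "$")):
        if token.startswith("!"):
            negated = not negated
            token = token[1:]
        else:
            token = variables[token[1:]]
    if token == "any":
        return negated, None
    nets = [ipaddress.ip_network(t.strip()) for t in token.strip("[]").split(",")]
    return negated, nets

def addr_matches(ip, token, variables):
    negated, nets = resolve(token, variables)
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(rule, src, dst, variables):
    """Evaluate only the address fields of the rule header for one packet."""
    _, _, s_addr, _, direction, d_addr, _ = rule.split("(")[0].split()
    fwd = addr_matches(src, s_addr, variables) and addr_matches(dst, d_addr, variables)
    if direction == "<>":  # bidirectional rules also match the reversed pair
        return fwd or (addr_matches(dst, s_addr, variables)
                       and addr_matches(src, d_addr, variables))
    return fwd

def demo():
    inside = ("192.168.1.10", "192.168.1.20")   # scanner and target both in HOME_NET
    outside = ("203.0.113.5", "192.168.1.20")   # scanner outside HOME_NET
    return [(name, header_matches(rule, *pair, VARS))
            for name, rule in (("scoped", SCOPED), ("ping_test", PING_TEST))
            for pair in (inside, outside)]

if __name__ == "__main__":
    for name, fired in demo():
        print(name, fired)
```

The model covers header addresses only; ports, protocol and rule options are not evaluated.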