[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

James Lay jlay at ...13475...
Mon Apr 7 17:53:27 EDT 2014


On 2014-04-07 15:40, Teo En Ming wrote:
> But alerts are not showing up when I ran nessus against my home
> network. Sigh.
>
> Teo En Ming

Teo,

I think most first-time users of snort fall into this as well.  Look at 
your HOME_NET and EXTERNAL_NET.  Mine are:

ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

This says "home_net is my ip addresses, external_net is everything 
that's NOT my addresses".

Now look at almost any snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......


This says "alert if an external_net on any http_ports comes into my 
home_net on any port".

So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will 
fire.  Does that make sense?

James
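The variable resolution James describes, modelled as an added example (this is not code from the original post and not Snort's own matcher): a small Python evaluator that reads the two ipvar lines above, resolves $EXTERNAL_NET as the negation of $HOME_NET, and checks whether a rule header of the form `$EXTERNAL_NET ... -> $HOME_NET ...` would even consider a given packet. The scanner and target addresses are constructed sample values, and the `ipvar EXTERNAL_NET any` variant at the end is an assumed alternative configuration included only to show why the HOME_NET-to-HOME_NET case is the one that never fires.

```python
import ipaddress

# Constructed snort.conf fragment mirroring the two ipvar lines from the post.
SNORT_CONF = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
"""

# Assumed alternative configuration (not from the thread): EXTERNAL_NET is
# everything, so HOME_NET-to-HOME_NET traffic also matches $EXTERNAL_NET.
SNORT_CONF_ANY = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET any
"""


def parse_ipvars(conf):
    """Collect 'ipvar NAME VALUE' lines into a dict; values stay unresolved
    so that references such as '!$HOME_NET' are evaluated lazily per packet."""
    ipvars = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ipvar":
            _, name, value = parts
            ipvars[name] = value
    return ipvars


def addr_matches(ipvars, spec, addr):
    """Evaluate one rule-header address field against a single IP address.

    Supports the forms seen in a typical snort.conf: 'any', a CIDR or host,
    '$VAR' references, '!' negation, and bracketed lists like '[a/24,b/8]'.
    """
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(ipvars, spec[1:], addr)
    if spec.startswith("$"):
        return addr_matches(ipvars, ipvars[spec[1:]], addr)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(ipvars, item, addr)
                   for item in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def header_matches(ipvars, src_spec, dst_spec, src_ip, dst_ip):
    """True if both ends of a rule header accept the packet's addresses."""
    return (addr_matches(ipvars, src_spec, src_ip)
            and addr_matches(ipvars, dst_spec, dst_ip))


def scan_would_be_seen(conf, scanner_ip, target_ip):
    """Would a rule headed '$EXTERNAL_NET -> $HOME_NET' consider traffic from
    scanner_ip to target_ip at all? Ports are ignored here; the address
    check alone already decides the case discussed in the thread."""
    ipvars = parse_ipvars(conf)
    return header_matches(ipvars, "$EXTERNAL_NET", "$HOME_NET",
                          scanner_ip, target_ip)


if __name__ == "__main__":
    # Constructed sample: a scanner inside HOME_NET versus one outside it.
    inside, outside, target = "192.168.1.50", "203.0.113.5", "192.168.1.10"
    print("inside  -> home:", scan_would_be_seen(SNORT_CONF, inside, target))
    print("outside -> home:", scan_would_be_seen(SNORT_CONF, outside, target))
    print("inside  -> home (EXTERNAL_NET any):",
          scan_would_be_seen(SNORT_CONF_ANY, inside, target))
```

With the two ipvar lines from the post, the scanner inside 192.168.1.0/24 is never accepted as $EXTERNAL_NET, so the header check fails before any payload content is inspected; the same packets from an outside address pass the header check, and only the `any` variant makes the internal scan visible to such rules.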



