[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!
jlay at ...13475...
Mon Apr 7 17:53:27 EDT 2014
On 2014-04-07 15:40, Teo En Ming wrote:
> But alerts are not showing up when I ran nessus against my home
> network. Sigh.
> Teo En Ming
I think most first time users of snort fall into this as well. Look at
your HOME_NET and EXTERNAL_NET. Mine are:
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
This says "home_net is my ip addresses, external_net is everything
that's NOT my addresses".
Now look at almost any snort rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......
This says "alert if an external_net on any http_ports comes into my
home_net on any port".
So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will
fire. Does that make sense?
More information about the Snort-users