[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

Teo En Ming teo.en.ming at ...11827...
Mon Apr 7 18:09:36 EDT 2014


Yes, it does make sense. I have the same Snort configuration as you.

But if I scan my PUBLIC IP address?

Teo En Ming


On Tue, Apr 8, 2014 at 5:53 AM, James Lay <jlay at ...13475...> wrote:

> On 2014-04-07 15:40, Teo En Ming wrote:
> > But alerts are not showing up when I ran nessus against my home
> > network. Sigh.
> >
> > Teo En Ming
>
> Teo,
>
> I think most first time users of snort fall into this as well.  Look at
> your HOME_NET and EXTERNAL_NET.  Mine are:
>
> ipvar HOME_NET 192.168.1.0/24
> ipvar EXTERNAL_NET !$HOME_NET
>
> This says "home_net is my ip addresses, external_net is everything
> that's NOT my addresses".
>
> Now look at almost any snort rule:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......
>
>
> This says "alert if an external_net on any http_ports comes into my
> home_net on any port".
>
> So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will
> fire.  Does that make sense?
>
> James
>
>
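The header matching James describes, as an added example (not part of the original thread and not Snort's own code): a small Python evaluator that checks the address fields of the quoted rule header against the two quoted ipvar lines. The addresses 198.51.100.7 and 203.0.113.10 are constructed documentation addresses; ports are ignored, only flat address lists are handled, and addresses are taken as they appear in the packet Snort inspects.

```python
import ipaddress

# The two ipvar lines quoted in the thread.
IPVARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Rule header quoted in the thread (the options part is elided there).
HEADER = "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"


def ip_matches(spec, ip, ipvars):
    """Evaluate a Snort-style address spec: any, IP/CIDR, $VAR, !negation, flat [list]."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, ipvars)
    if spec.startswith("$"):
        return ip_matches(ipvars[spec[1:]], ip, ipvars)
    if spec.startswith("["):
        items = [i.strip() for i in spec.strip("[]").split(",")]
        include = [i for i in items if not i.startswith("!")]
        exclude = [i[1:] for i in items if i.startswith("!")]
        hit = any(ip_matches(i, ip, ipvars) for i in include) if include else True
        return hit and not any(ip_matches(i, ip, ipvars) for i in exclude)
    if spec == "any":
        return True
    return ip in ipaddress.ip_network(spec, strict=False)


def header_matches(header, src_ip, dst_ip, ipvars=IPVARS):
    """True if the header's source/destination address fields match the packet."""
    _action, _proto, src, _sport, direction, dst, _dport = header.split()[:7]
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    forward = ip_matches(src, s, ipvars) and ip_matches(dst, d, ipvars)
    if direction == "<>":  # bidirectional rules also match the reversed pair
        return forward or (ip_matches(src, d, ipvars) and ip_matches(dst, s, ipvars))
    return forward


# Constructed flows: (description, source, destination)
FLOWS = [
    ("scanner inside HOME_NET, target inside HOME_NET", "192.168.1.50", "192.168.1.10"),
    ("outside source, target inside HOME_NET", "198.51.100.7", "192.168.1.10"),
    ("scanner inside HOME_NET, target outside HOME_NET", "192.168.1.50", "203.0.113.10"),
]

if __name__ == "__main__":
    for label, src, dst in FLOWS:
        verdict = "header matches" if header_matches(HEADER, src, dst) else "no match"
        print(f"{src:>14} -> {dst:<14} {verdict:<15} ({label})")
```

Only the second flow satisfies the header; the other two fail on the source side, the destination side, or both, before any rule option is evaluated.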