[Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

Jeremy Hoel jthoel at ...11827...
Mon Apr 7 18:56:07 EDT 2014


Then the public IP is not in home and the rules will ignore it.

Look at the rules, the variables explain when the rule will fire.  If your
outside/public address never changes and you want to add it to your home
variable, then do so and try again.

There's a lot of great documentation and explanations on how the tools
work, and they do work well, but you need to take the time to try things
out and play a bit.  If the rule fires for one case and not another, then
it's not the software itself but maybe a configuration issue.




On Mon, Apr 7, 2014 at 10:09 PM, Teo En Ming <teo.en.ming at ...11827...> wrote:

> Yes, it does make sense. I have the same Snort configuration as you.
>
> But if I scan my PUBLIC IP address?
>
> Teo En Ming
>
>
> On Tue, Apr 8, 2014 at 5:53 AM, James Lay <jlay at ...13475...> wrote:
>
>> On 2014-04-07 15:40, Teo En Ming wrote:
>> > But alerts are not showing up when I ran nessus against my home
>> > network. Sigh.
>> >
>> > Teo En Ming
>>
>> Teo,
>>
>> I think most first time users of snort fall into this as well.  Look at
>> your HOME_NET and EXTERNAL_NET.  Mine are:
>>
>> ipvar HOME_NET 192.168.1.0/24
>> ipvar EXTERNAL_NET !$HOME_NET
>>
>> This says "home_net is my ip addresses, external_net is everything
>> that's NOT my addresses".
>>
>> Now look at almost any snort rule:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......
>>
>>
>> This says "alert if an external_net on any http_ports comes into my
>> home_net on any port".
>>
>> So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will
>> fire.  Does that make sense?
>>
>> James
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
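
The variable logic discussed in this thread, as an added example that is not part of the original messages or of Snort itself: a small Python model of how the address half of a `$EXTERNAL_NET ... -> $HOME_NET` rule header is evaluated. The `192.168.1.0/24` value comes from the thread; the host addresses, the public IP `203.0.113.10` and the extended `HOME_NET` list are constructed, and ports, protocol and rule options are ignored.

```python
import ipaddress

def in_var(ip, spec, ipvars):
    """True if ip is covered by an ipvar spec: any, CIDR, !neg, $VAR, flat [a,b] list."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not in_var(ip, spec[1:], ipvars)
    if spec.startswith("$"):
        return in_var(ip, ipvars[spec[1:]], ipvars)
    if spec.startswith("["):
        parts = [p.strip() for p in spec[1:-1].split(",")]
        pos = [p for p in parts if not p.startswith("!")]
        neg = [p[1:] for p in parts if p.startswith("!")]
        # Negated list members exclude addresses from whatever the others include.
        included = not pos or any(in_var(ip, p, ipvars) for p in pos)
        return included and not any(in_var(ip, n, ipvars) for n in neg)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(src, dst, ipvars):
    """Address half of: alert tcp $EXTERNAL_NET ... -> $HOME_NET any"""
    return in_var(src, "$EXTERNAL_NET", ipvars) and in_var(dst, "$HOME_NET", ipvars)

# Values quoted in the thread.
THREAD = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
# Constructed: HOME_NET extended with a documentation address standing in
# for the static public IP.
WITH_PUBLIC = {"HOME_NET": "[192.168.1.0/24,203.0.113.10/32]",
               "EXTERNAL_NET": "!$HOME_NET"}

def scenarios():
    inside, outside, public = "192.168.1.50", "198.51.100.7", "203.0.113.10"
    return {
        "inside -> inside, thread config": header_matches(inside, "192.168.1.10", THREAD),
        "outside -> public IP, thread config": header_matches(outside, public, THREAD),
        "outside -> public IP, public IP in HOME_NET": header_matches(outside, public, WITH_PUBLIC),
        "inside -> public IP, public IP in HOME_NET": header_matches(inside, public, WITH_PUBLIC),
    }

if __name__ == "__main__":
    for name, fires in scenarios().items():
        print(f"{name}: {'header matches' if fires else 'no match'}")
```

Only the third case matches: the destination has to be in `HOME_NET` and the scanner's source address has to be outside it, so a scan launched from inside `HOME_NET` still does not match after the public IP is added.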