[Snort-users] Snort vulnerability scan detection
wkitty42 at ...14940...
Mon Apr 14 13:19:14 EDT 2014
On 4/14/2014 11:37 AM, Teo En Ming wrote:
> Dear Eric G,
> My snort sensor is behind a NAT router with Stateful Packet Inspection (SPI)
> firewall. My HOME_NET is 192.168.1.0/24. I usually run
> nmap and nessus scans from the internal network against my PUBLIC IP address.
that means that your scans are HOME_NET -> HOME_NET *IF* you have your external
public address listed in your HOME_NET...
if you do not have your public address in your HOME_NET then you are scanning
HOME_NET -> EXTERNAL_NET...
in both cases, if you are expecting EXTERNAL_NET -> HOME_NET rules to fire, you
are misunderstanding how the rules work... you have to scan from a machine that
is outside your HOME_NET...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
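
The three cases in the reply above, worked through as an added example (not part of the original post or of Snort itself). It assumes EXTERNAL_NET is defined as !$HOME_NET; the public address, scanner addresses and function names are constructed placeholders.

```python
import ipaddress

# HOME_NET value from the thread; every other address is a constructed placeholder.
LAN = "192.168.1.0/24"
PUBLIC_IP = "203.0.113.10"        # stands in for the router's public address
INTERNAL_SCANNER = "192.168.1.50"  # nmap/nessus host on the LAN
EXTERNAL_SCANNER = "198.51.100.7"  # a host outside HOME_NET

HOME_ONLY = [LAN]                           # public address not in HOME_NET
HOME_PLUS_PUBLIC = [LAN, PUBLIC_IP + "/32"]  # public address listed in HOME_NET


def side(ip, home_net):
    """Classify an address the way the rule variables would.

    Assumption: EXTERNAL_NET is !$HOME_NET, so anything not in
    HOME_NET counts as EXTERNAL_NET.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in home_net):
        return "HOME_NET"
    return "EXTERNAL_NET"


def flow_direction(src, dst, home_net):
    """Describe a packet in terms of the rule variables."""
    return f"{side(src, home_net)} -> {side(dst, home_net)}"


def inbound_rule_matches(src, dst, home_net):
    """Would the addresses satisfy a `$EXTERNAL_NET any -> $HOME_NET any` header?"""
    return flow_direction(src, dst, home_net) == "EXTERNAL_NET -> HOME_NET"


if __name__ == "__main__":
    cases = [
        ("internal scan, public IP in HOME_NET", INTERNAL_SCANNER, HOME_PLUS_PUBLIC),
        ("internal scan, public IP not in HOME_NET", INTERNAL_SCANNER, HOME_ONLY),
        ("external scan, public IP in HOME_NET", EXTERNAL_SCANNER, HOME_PLUS_PUBLIC),
    ]
    for label, src, home_net in cases:
        print(f"{label}: {flow_direction(src, PUBLIC_IP, home_net)}, "
              f"inbound rule matches: {inbound_rule_matches(src, PUBLIC_IP, home_net)}")
```

Only the scan launched from outside HOME_NET satisfies the inbound rule header; both internal scans are classified with a HOME_NET source and never reach the rule body.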