[Snort-users] Snort vulnerability scan detection

waldo kitty wkitty42 at ...14940...
Mon Apr 14 13:19:14 EDT 2014


On 4/14/2014 11:37 AM, Teo En Ming wrote:
> Dear Eric G,
>
> My snort sensor is behind a NAT router with Stateful Packet Inspection (SPI)
> firewall. My HOME_NET is 192.168.1.0/24. I usually run
> nmap and nessus scans from the internal network against my PUBLIC IP address.

that means that your scans are HOME_NET -> HOME_NET *IF* you have your external 
public address listed in your HOME_NET...

if you do not have your public address in your HOME_NET then you are scanning 
HOME_NET -> EXTERNAL_NET...

in both cases, if you are expecting EXTERNAL_NET -> HOME_NET rules to fire, you 
are misunderstanding how the rules work... you have to scan from a machine that 
is outside your HOME_NET...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
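
The cases described in the reply above, as an added example that is not part of the original post: a small Python model of how a rule header's source and destination variables are evaluated against a packet's addresses. It assumes EXTERNAL_NET is defined as !$HOME_NET; the function names, the scanner address 192.168.1.50, the public address 203.0.113.10 and the outside host 198.51.100.7 are constructed placeholders.

```python
import ipaddress

def in_nets(addr, nets):
    """True if addr falls inside any CIDR block listed in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def classify(addr, home_net):
    """Label an address the way the rule variables would see it.
    Assumption: EXTERNAL_NET is !$HOME_NET, so every address is one or the other."""
    return "HOME_NET" if in_nets(addr, home_net) else "EXTERNAL_NET"

def header_matches(src, dst, home_net,
                   rule_src="EXTERNAL_NET", rule_dst="HOME_NET"):
    """Would a unidirectional 'rule_src -> rule_dst' rule header match this packet?"""
    return (classify(src, home_net) == rule_src
            and classify(dst, home_net) == rule_dst)

def explain(src, dst, home_net):
    """Return (direction string, whether EXTERNAL_NET -> HOME_NET rules can fire)."""
    direction = f"{classify(src, home_net)} -> {classify(dst, home_net)}"
    return direction, header_matches(src, dst, home_net)

# Constructed sample values (documentation address ranges, not from the post).
LAN = "192.168.1.0/24"
PUBLIC_IP = "203.0.113.10"      # placeholder for the router's public address
INSIDE_SCANNER = "192.168.1.50"  # nmap/nessus host on the internal network
OUTSIDE_SCANNER = "198.51.100.7" # a host that is not in HOME_NET

if __name__ == "__main__":
    cases = [
        ("inside scan, public IP not in HOME_NET",
         INSIDE_SCANNER, PUBLIC_IP, [LAN]),
        ("inside scan, public IP listed in HOME_NET",
         INSIDE_SCANNER, PUBLIC_IP, [LAN, PUBLIC_IP + "/32"]),
        ("outside scan, public IP listed in HOME_NET",
         OUTSIDE_SCANNER, PUBLIC_IP, [LAN, PUBLIC_IP + "/32"]),
    ]
    for label, src, dst, home in cases:
        direction, fires = explain(src, dst, home)
        print(f"{label}: {direction}, EXTERNAL_NET -> HOME_NET rule matches: {fires}")
```

The model only evaluates the addresses it is given, so feed it the source and destination as the sensor actually sees them on the wire at its position relative to the NAT router.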



