[Snort-users] My Snort IDS Sensor Detected Nessus Vulnerability Scan

Joel Esler (jesler) jesler at ...589...
Fri Apr 18 16:47:01 EDT 2014


Probably because

A) you're behind a firewall
B) you're running Nessus. A scanner. Not an exploitation tool. It's not testing to see if something is vulnerable, it's scanning for the potential of the vulnerability
C) you've already asked this question and multiple people have answered it.

Please read documentation and test Snort.  Obviously it's working fine according to the other emails you've sent.

I'm receiving complaints about your emails, the frequently and the content.  Please check into the documentation.

--
Joel Esler
Sent from my iPhone

On Apr 18, 2014, at 15:29, "Teo En Ming" <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>> wrote:

Hi,

My Snort IDS sensor detected nessus vulnerability scan. The nessus vulnerability scan was launched from WAN outside of HOME_NET. However, the alerts generated were few. It seems that Snort rules are not comprehensive enough.

Here are the alerts:

04/19-02:54:23.361505  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50619<http://171.207.15.38:50619> -> 192.168.1.146:80<http://192.168.1.146:80>
04/19-02:54:24.940222  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50631<http://171.207.15.38:50631> -> 192.168.1.147:80<http://192.168.1.147:80>
04/19-02:56:13.080227  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:53504<http://171.207.15.38:53504> -> 192.168.1.146:80<http://192.168.1.146:80>
04/19-02:56:19.700298  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:53644<http://171.207.15.38:53644> -> 192.168.1.147:80<http://192.168.1.147:80>
04/19-02:56:50.601653  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54289<http://171.207.15.38:54289> -> 192.168.1.146:80<http://192.168.1.146:80>
04/19-02:56:52.220320  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54304<http://171.207.15.38:54304> -> 192.168.1.147:80<http://192.168.1.147:80>
04/19-02:57:02.961654  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54605<http://171.207.15.38:54605> -> 192.168.1.146:80<http://192.168.1.146:80>
04/19-02:57:04.180442  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54615<http://171.207.15.38:54615> -> 192.168.1.147:80<http://192.168.1.147:80>
04/19-02:57:21.921667  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55062<http://171.207.15.38:55062> -> 192.168.1.146:80<http://192.168.1.146:80>
04/19-02:57:23.962694  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55145<http://171.207.15.38:55145> -> 192.168.1.147:80<http://192.168.1.147:80>

Please note that Snort cannot detect nmap scan.

Thank you.

Regards,

Teo En Ming
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140418/63f22457/attachment.html>


More information about the Snort-users mailing list