[Snort-users] Couple of questions.

Jeremy Hoel jthoel at ...11827...
Mon Jun 9 18:26:58 EDT 2014


A Nessus scan may or may not trigger alerts depending on the plugins you
used to scan, the services you have listening and any firewalls or iptables
rules that might be in place.  Which interface you have Snort listening on
is a matter of preference and what you are hoping to see/alert on.  If it's
your gateway doing NAT and you monitor the WAN interface, you won't get the
client IPs that might be sending out bad things, or the client IPs that
bad things talk to.  If you watch just the inside and it's secure then it
might be boring.

In either case, you will have to do rule filtering, adjusting and
whitelisting/thresholds of things you don't want to see, alerts you don't care
about or machines that are false positives.  Snort is not just a turn-it-on
and go thing.  The fact that you see alerts means it's working; now it's up
to you to figure out what type of alerts you want to see and from where.
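
One way to start the tuning described above, as an added example that is not part of the original post: a short Python script that reads Snort fast-format alerts and proposes `suppress` lines for a known scanner host and `event_filter` lines for noisy signatures. The sample alerts, IP addresses, sig_ids and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" format; IPs and sig_ids are made up.
SAMPLE_ALERTS = """\
06/09-18:20:01.100000  [**] [1:1000001:1] Constructed probe A [**] [Priority: 2] {TCP} 192.168.1.50:40000 -> 192.168.1.10:22
06/09-18:20:02.100000  [**] [1:1000001:1] Constructed probe A [**] [Priority: 2] {TCP} 192.168.1.50:40001 -> 192.168.1.11:22
06/09-18:20:03.100000  [**] [1:1000002:1] Constructed probe B [**] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.10
06/09-18:21:00.100000  [**] [1:1000003:2] Constructed chatty rule [**] [Priority: 3] {UDP} 192.168.1.23:5353 -> 224.0.0.251:5353
06/09-18:21:05.100000  [**] [1:1000003:2] Constructed chatty rule [**] [Priority: 3] {UDP} 192.168.1.23:5353 -> 224.0.0.251:5353
06/09-18:21:10.100000  [**] [1:1000003:2] Constructed chatty rule [**] [Priority: 3] {UDP} 192.168.1.23:5353 -> 224.0.0.251:5353
06/09-18:22:00.100000  [**] [1:1000004:1] Constructed one-off [**] [Priority: 1] {TCP} 10.0.0.7:4444 -> 192.168.1.10:80
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*? \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> [\d.]+(?::\d+)?"
)

def parse_alerts(text):
    """Return (gen_id, sig_id, source_ip) for each parsable alert line."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append((int(m["gid"]), int(m["sid"]), m["src"]))
    return found

def tuning_candidates(alerts, scanner_ips, noisy_count):
    """Propose threshold.conf lines; review each one before applying it."""
    from_scanner, other = set(), Counter()
    for gid, sid, src in alerts:
        if src in scanner_ips:
            from_scanner.add((gid, sid, src))
        else:
            other[(gid, sid)] += 1
    # Alerts caused by your own scanner: suppress per signature and source.
    lines = [f"suppress gen_id {g}, sig_id {s}, track by_src, ip {ip}"
             for g, s, ip in sorted(from_scanner)]
    # Signatures that fire repeatedly from other hosts: rate-limit, don't hide.
    for (gid, sid), n in sorted(other.items()):
        if n >= noisy_count:
            lines.append(f"event_filter gen_id {gid}, sig_id {sid}, "
                         "type limit, track by_src, count 1, seconds 60")
    return lines

if __name__ == "__main__":
    for line in tuning_candidates(parse_alerts(SAMPLE_ALERTS), {"192.168.1.50"}, 3):
        print(line)
```

The one-off alert from 10.0.0.7 produces no tuning line, so it keeps alerting as before.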