<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set
to any, then even if my nessus box is on the same segment as specified in
$HOME_NET it should generate tons of alerts and rules should be triggered.
(Hope I'm not being too dummy here and I got it right, if not I'm ready for
another 20 wet noodles lashes...) Please confirm/deny that this is a correct
But what happens is the following:<br>
If segment that hosts nessus is removed from $HOME_NET and nessus scan is
initiated on that segment (only vulns, no port scans), then snort shows only
a few alerts (and only the unix-related)<br>
If segment that hosts nessus is moved back to $HOME_NET and nessus scan is
initiated on that segment (only vulns, no port scans), then snort shows a
lot of alerts (and only the unix-related)<br>
I'm puzzled a bit cause when snort reports attacks from the internet it reports
it as it should be....unix-related, windows-related<br>
P.S. I do realize that it is hard to give a definite answer without knowing
exactly how it is set up here, even if I did my best to provide the info
there could always be something else that bugs the system...<br>
Erek Adams wrote:<br>
<blockquote type="cite" cite="midPine.BSO.4.53.0304080917560.6107@...7329...">
<pre wrap="">On Mon, 7 Apr 2003, Keg wrote:
<pre wrap="">1. I get it, but on the other hand my EXTERNAL_NET is set to ANY.
Should that treat nessus box as external_net?
If you run Snort in sniffer mode, can you see traffic destined for the
<pre wrap="">2. Should I always use EXTERNAL_NET as !$HOME_NET?
That's up to you. I do it to cut down on false positives. Try it both
ways and see what works better for you.
"When things get weird, the weird turn pro." H.S. Thompson
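An added example, not part of the original thread and not Snort's own code: a simplified model of how the address part of a rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET any` is evaluated under the four combinations of HOME_NET and EXTERNAL_NET discussed above. The addresses, the two-segment layout and the helper names are constructed for illustration; ports, rule options and preprocessors are not modelled.

```python
from ipaddress import ip_address, ip_network

def matcher(spec, variables):
    """Turn a Snort-style address spec into a predicate on an IP string.
    Handles 'any', CIDR, $VAR, a leading '!' and [a,b] lists of plain CIDRs
    (negated entries inside a list are not modelled)."""
    spec = spec.strip()
    if spec.startswith("!"):
        inner = matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return matcher(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    if spec.startswith("["):
        parts = [matcher(p, variables) for p in spec[1:-1].split(",")]
        return lambda ip: any(p(ip) for p in parts)
    net = ip_network(spec, strict=False)
    return lambda ip: ip_address(ip) in net

def header_matches(src_spec, dst_spec, pkt_src, pkt_dst, variables):
    """True if a unidirectional (->) rule header accepts this packet's addresses."""
    return (matcher(src_spec, variables)(pkt_src)
            and matcher(dst_spec, variables)(pkt_dst))

# Constructed addresses: servers on 192.168.1.0/24, scanner segment 192.168.2.0/24.
SCANNER = "192.168.2.50"
TARGETS = {"other_segment": "192.168.1.10", "same_segment": "192.168.2.20"}
BOTH = "[192.168.1.0/24,192.168.2.0/24]"

def evaluate(home_net, external_net):
    """Which targets can the header '$EXTERNAL_NET any -> $HOME_NET any' alert on?"""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return {name: header_matches("$EXTERNAL_NET", "$HOME_NET", SCANNER, dst, variables)
            for name, dst in TARGETS.items()}

if __name__ == "__main__":
    for home in (BOTH, "192.168.1.0/24"):
        for ext in ("any", "!$HOME_NET"):
            print(f"HOME_NET={home:32} EXTERNAL_NET={ext:11} {evaluate(home, ext)}")
```

In this model the destination side of the header still has to fall inside $HOME_NET even when $EXTERNAL_NET is any, so taking a segment out of $HOME_NET removes hosts on that segment as alertable targets for rules written in this direction.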