Snort mailing list archives
Re: $HOME_NET
From: Keg <snrtlst () netscape net>
Date: Tue, 08 Apr 2003 12:49:08 -0400
Sorry, but it looks like I'm going in circles... if $EXTERNAL_NET is set to any, then even if my nessus box is on the same segment as specified in $HOME_NET it should generate tons of alerts and rules should be triggered. (Hope I'm not being too dummy here and I got it right, if not I'm ready for another 20 wet noodles lashes...) Please confirm/deny that this is a correct statement.

But what happens is the following:

- If the segment that hosts nessus is removed from $HOME_NET and a nessus scan is initiated on that segment (only vulns, no port scans), then snort shows only a few alerts (and only the unix-related).
- If the segment that hosts nessus is moved back into $HOME_NET and a nessus scan is initiated on that segment (only vulns, no port scans), then snort shows a lot of alerts (and only the unix-related).

I'm puzzled a bit 'cause when snort reports attacks from the internet it reports it as it should be... unix-related, windows-related.

P.S. I do realize that it is hard to give a definite answer without knowing exactly how it is set up here; even if I did my best to provide the info there could always be something else that bugs the system...
Erek Adams wrote:
> On Mon, 7 Apr 2003, Keg wrote:
>
> > 1. I get it, but on the other hand my EXTERNAL_NET is set to ANY. Should that treat nessus box as external_net?
>
> It should. If you run Snort in sniffer mode, can you see traffic destined for the Win32 box?
>
>     snort -vd
>
> > 2. Should I always use EXTERNAL_NET as !$HOME_NET?
>
> That's up to you. I do it to cut down on false positives. Try it both ways and see what works better for you.
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
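Added example, not part of the original messages and not Snort's own code: a small Python model of how the address part of a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` evaluates under the $HOME_NET and $EXTERNAL_NET settings discussed in this thread. All addresses and helper names are constructed for illustration, and the model covers only source and destination addresses, not ports, rule content or preprocessors.

```python
import ipaddress

def resolve(spec, variables):
    """Turn a Snort-style address spec into a predicate ip -> bool.

    Handles 'any', one CIDR, a [list] of CIDRs, '$VAR', and a leading '!'
    that negates the whole spec (negation inside a list is not modelled).
    """
    spec = spec.strip()
    if spec.startswith("!"):
        inner = resolve(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec.lower() == "any":
        return lambda ip: True
    nets = [ipaddress.ip_network(p.strip()) for p in spec.strip("[]").split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)

def header_matches(variables, src_ip, dst_ip,
                   src_spec="$EXTERNAL_NET", dst_spec="$HOME_NET"):
    """Evaluate the address part of 'alert tcp <src_spec> any -> <dst_spec> any'."""
    return resolve(src_spec, variables)(src_ip) and resolve(dst_spec, variables)(dst_ip)

# Constructed addresses, not taken from the thread.
SCANNER = "192.168.2.50"     # scanning host
SAME_SEG = "192.168.2.20"    # target on the scanner's own segment
OTHER_SEG = "192.168.1.10"   # target on another internal segment
INTERNET = "203.0.113.5"     # outside host

def table():
    """Return {(home_net, external_net): {flow: matched}} for the four configs."""
    out = {}
    for home in ("[192.168.1.0/24,192.168.2.0/24]", "192.168.1.0/24"):
        for ext in ("any", "!$HOME_NET"):
            v = {"HOME_NET": home, "EXTERNAL_NET": ext}
            out[(home, ext)] = {
                "scanner->same_seg": header_matches(v, SCANNER, SAME_SEG),
                "scanner->other_seg": header_matches(v, SCANNER, OTHER_SEG),
                "internet->other_seg": header_matches(v, INTERNET, OTHER_SEG),
            }
    return out

if __name__ == "__main__":
    for cfg, flows in table().items():
        print(cfg, flows)
```

In this model, removing the scanner's segment from $HOME_NET stops matches only for targets on that same segment, while setting $EXTERNAL_NET to !$HOME_NET stops matches for any scanner that sits inside $HOME_NET.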