Snort mailing list archives
Re: $HOME_NET
From: Erek Adams <erek () snort org>
Date: Tue, 8 Apr 2003 12:01:13 -0500 (EST)
On Tue, 8 Apr 2003, Keg wrote:
Sorry, but it looks like I'm going in circles.... If $EXTERNAL_NET is set to any, then even if my nessus box is on the same segment as specified in $HOME_NET, it should generate tons of alerts and rules should be triggered. (Hope I'm not being too dummy here and I got it right; if not, I'm ready for another 20 wet noodle lashes...) Please confirm/deny that this is a correct statement.
Yes, that's right.
But what happens is the following:

If the segment that hosts nessus is removed from $HOME_NET and a nessus scan is initiated on that segment (only vulns, no port scans), then snort shows only a few alerts (and only the unix-related).

If the segment that hosts nessus is moved back into $HOME_NET and a nessus scan is initiated on that segment (only vulns, no port scans), then snort shows a lot of alerts (and only the unix-related).

I'm puzzled a bit, 'cause when snort reports attacks from the internet it reports them as it should be.... unix-related, windows-related.
What alerts do you EXPECT to see? If there aren't rules for them, or the Win32 server isn't vulnerable to that attack, then you won't see any alerts. When running Snort I see any alert that I have a rule for. Running on my laptop off of a cable modem, I see tons of ping scans and SQL Slammer worms flying by. Snort isn't biased about Win32 or *NIX. :) I really think there's something odd about your setup. If you run snort in sniffer mode (snort -vd), can you see traffic directed at the Win32 box? To really test, use an external traceroute server and ping your Win32 box (route-server.{cerf,exodus}.net). If you can see the ping then there's something else wrong.
P.S. I do realize that it is hard to give a definite answer without knowing exactly how it is set up here; even if I did my best to provide the info, there could always be something else that bugs the system...
:) Yep, quite often helping is sorta like juggling chainsaws. If you'd like to go into more detail, feel free to drop me private email.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
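To make the $HOME_NET / $EXTERNAL_NET behaviour discussed in this thread concrete, here is an added example (not from the thread, and not Snort's own code) that models how a rule of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET 80` is matched. The addresses, the scanner segment 192.168.2.0/24 and the scan packets are constructed assumptions; the point is that dropping the scanner's segment from $HOME_NET removes the alerts for targets on that segment, and that `$EXTERNAL_NET !$HOME_NET` silences an in-network scanner entirely, while `any` does not.

```python
import ipaddress

# Constructed $HOME_NET definitions: with and without the scanner's segment.
HOME_NET_WITH_SCANNER = ["192.168.1.0/24", "192.168.2.0/24"]
HOME_NET_WITHOUT_SCANNER = ["192.168.1.0/24"]

# Constructed Nessus scan: 192.168.2.10 probes two hosts on its own segment
# and one host on the other internal segment.
SCAN = [
    ("192.168.2.10", "192.168.2.20"),
    ("192.168.2.10", "192.168.2.21"),
    ("192.168.2.10", "192.168.1.5"),
]


def in_home_net(addr, home_net):
    """True if addr falls inside any CIDR block listed in $HOME_NET."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in home_net)


def var_matches(addr, var, home_net):
    """Evaluate a Snort address variable value: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home_net(addr, home_net)
    if var == "!$HOME_NET":
        return not in_home_net(addr, home_net)
    raise ValueError("unsupported variable value: %s" % var)


def rule_matches(src, dst, external_net, home_net):
    """Directional rule 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80':
    the source must satisfy $EXTERNAL_NET and the destination $HOME_NET."""
    return var_matches(src, external_net, home_net) and var_matches(dst, "$HOME_NET", home_net)


def count_alerts(external_net, home_net, packets=SCAN):
    """Number of scan packets that would raise an alert under this config."""
    return sum(1 for src, dst in packets if rule_matches(src, dst, external_net, home_net))


if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):
        for name, hn in (("with scanner", HOME_NET_WITH_SCANNER), ("without scanner", HOME_NET_WITHOUT_SCANNER)):
            print("EXTERNAL_NET=%-10s HOME_NET %-16s alerts=%d" % (ext, name, count_alerts(ext, hn)))
```

Only the `192.168.2.10 -> 192.168.1.5` probe survives once the scanner's segment leaves $HOME_NET, which is the "only a few alerts" pattern described above; check your snort.conf variable values before suspecting the rules.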