Snort mailing list archives
Re: Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!
From: Y M <snort () outlook com>
Date: Wed, 9 Apr 2014 19:16:14 +0000
To address the questions in your original post, in addition to what has been mentioned already, I would suggest reading the posts below; they will help you tune your included rules:

http://blog.snort.org/2012/03/rule-category-reorganization.html
http://blog.snort.org/2012/08/rule-category-reorganization-phase-2.html
http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html
http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html

The conf file also provides hints, for example the comment right above the normalization preprocessor. Other things come straight from the manual, such as the preprocessors' memcap and the Shared Object (SO) rules, as well as other configuration tunings such as min. and max. values. All of these eventually will be determined based on your network and the systems you are trying to protect.

Date: Wed, 9 Apr 2014 22:49:23 +0800
From: teo.en.ming () gmail com
To: jthoel () gmail com
CC: jlay () slave-tothe-box net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help! I ran Nessus Vulnerability Scanner against my Public IP and No Alerts showed up on my Snort IDS box!

Dear Jeremy,

Configuration issue? I have attached my snort.conf. Please see whether there is any misconfiguration in my snort.conf. Thank you.

Teo En Ming

On Tue, Apr 8, 2014 at 6:56 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Then the public IP is not in home and the rules will ignore it. Look at the rules; the variables explain when the rule will fire. If your outside/public address never changes and you want to add it to your home variable, then do so and try again. There's a lot of great documentation and explanations on how the tools work, and they do work well, but you need to take the time to try things out and play a bit. If the rule fires for one case and not another, then it's not the software itself; maybe it's a configuration issue.
On Mon, Apr 7, 2014 at 10:09 PM, Teo En Ming <teo.en.ming () gmail com> wrote:

Yes, it does make sense. I have the same Snort configuration as you. But if I scan my PUBLIC IP address?

Teo En Ming

On Tue, Apr 8, 2014 at 5:53 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-04-07 15:40, Teo En Ming wrote:

But alerts are not showing up when I ran nessus against my home network. Sigh.

Teo En Ming

Teo, I think most first time users of snort fall into this as well. Look at your HOME_NET and EXTERNAL_NET. Mine are:

ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

This says "home_net is my ip addresses, external_net is everything that's NOT my addresses". Now look at almost any snort rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"......

This says "alert if an external_net on any http_ports comes into my home_net on any port". So if you're scanning anything IN HOME_NET TO HOME_NET, nothing will fire. Does that make sense?

James

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
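As an added illustration of James's and Jeremy's point (this is not code from the thread or from the Snort project), the following Python check evaluates only the source/destination IP part of a rule header against HOME_NET/EXTERNAL_NET. It assumes two constructed snort.conf fragments and documentation addresses (203.0.113.5 standing in for the home's public IP, 198.51.100.7 for an outside scanner), and it ignores ports and rule options.

```python
import ipaddress

# Constructed snort.conf fragments (not Teo's attached file): James's variables
# as posted, then the same with the public IP added to HOME_NET as Jeremy suggests.
CONF_HOME_ONLY = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
"""
CONF_WITH_PUBLIC_IP = """\
ipvar HOME_NET [192.168.1.0/24,203.0.113.5/32]
ipvar EXTERNAL_NET !$HOME_NET
"""
# Constructed rule header in the shape James quotes; only the IP part is evaluated.
RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed";)'


def parse_ipvars(conf_text):
    """Map ipvar name -> (networks, negated). Handles literal networks,
    [a,b] lists, 'any', and $REF / !$REF back-references."""
    ipvars = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ipvar":
            continue
        name, value = parts[1], parts[2]
        negated = value.startswith("!")
        value = value.lstrip("!")
        if value.startswith("$"):
            nets, inner_negated = ipvars[value[1:]]
            ipvars[name] = (nets, negated != inner_negated)
        elif value == "any":
            ipvars[name] = ([ipaddress.ip_network("0.0.0.0/0")], negated)
        else:
            nets = [ipaddress.ip_network(v) for v in value.strip("[]").split(",")]
            ipvars[name] = (nets, negated)
    return ipvars


def ip_in_var(ip, var):
    nets, negated = var
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def header_matches(ipvars, rule, src_ip, dst_ip):
    """True if the header's source and destination variables admit this
    src -> dst pair; ports and rule options are deliberately ignored."""
    _act, _proto, src_var, _sport, _arrow, dst_var, _dport = rule.split()[:7]
    return ip_in_var(src_ip, ipvars[src_var[1:]]) and ip_in_var(dst_ip, ipvars[dst_var[1:]])
```

With the first fragment an internal-to-internal scan and an outside scan of the public IP both fail the header; only after the public IP is added to HOME_NET does the outside scan pass it.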