Re: [Snort-users] $HOME_NET
From: Keg (snrtlst
netscape.net)
Date: Mon Apr 07 2003 - 09:47:17 CDT
1. OK, let me get it straight. If my $HOME_NET is set to
192.168.199.0/24 and my nessus scanner is 192.168.199.20. When I scan
the segment from nessus box I don't scan for ports at all, I scan only
for vulnerabilities. Shouldn't the rules be triggered in this case?
2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,
would it be correct to say that IN THIS CASE NO ALERTS WILL BE
GENERATED BY THE RULES, but some will be generated by pre-processors. Is
that correct?
Thanks a lot.
Erek Adams wrote:
>On Sun, 6 Apr 2003, Keg wrote:
>
>
>
>>I guess I miss something.......
>>I have 3 network segments #1, #2, and #3. $HOME_NET is set to #1.
>>When I scan #1 with Nessus I get a lot of alerts logged.
>>When I scan #2 with Nessus I get just a little bit of alerts
>>When I add #2 to $HOME_NET (so it looks like $HOME_NET [#1/24,#2/24]) I'm
>>starting to get a lot of alerts.
>>
>>Hence 2 questions:
>>1. Is there any difference how snort treats networks if they are not
>>included in $HOME_NET?
>>2. Should I include all network segments I have in $HOME_NET?
>>
>>
>
>When you're referring to portscans, are you referring to one of the
>portscan preprocessors, stream4 or some of the rules? $HOME_NET has
>nothing to do with any of those except for the rules.
>
>Where are you scanning _from_? If you're scanning from inside of #1, then
>you won't see any alerts from the rules, but you may see them from one of
>the preprocessors.
>
>-----
>Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
>
>
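An added example (not part of the original messages, and not Snort's own code): a small Python model of how the address fields of a rule header are evaluated against `$HOME_NET` and `$EXTERNAL_NET`, applied to the scans discussed above. The header shape, the two `EXTERNAL_NET` settings, the 192.168.200.0/24 address for segment #2 and the target hosts are assumptions; only 192.168.199.0/24 and the scanner at 192.168.199.20 come from the thread.

```python
import ipaddress

def addr_matches(ip, spec, variables):
    """True if ip satisfies a Snort-style address: any, CIDR, [a,b], !neg, $VAR."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(ip, spec[1:], variables)
    if spec.startswith("$"):
        return addr_matches(ip, variables[spec[1:]], variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):  # flat list only
        return any(addr_matches(ip, p, variables) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(src, dst, header, variables):
    """Evaluate only the address fields of 'SRC sport -> DST dport'; ports ignored."""
    src_spec, _sport, direction, dst_spec, _dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional headers are modelled")
    return addr_matches(src, src_spec, variables) and addr_matches(dst, dst_spec, variables)

# Assumed header shape; the thread does not quote any rule.
HEADER = "$EXTERNAL_NET any -> $HOME_NET any"
SEG1 = "192.168.199.0/24"      # $HOME_NET value given in the thread
SEG2 = "192.168.200.0/24"      # constructed stand-in for segment #2
SCANNER = "192.168.199.20"     # Nessus box, from the thread
HOST1 = "192.168.199.50"       # constructed target in segment #1
HOST2 = "192.168.200.50"       # constructed target in segment #2

def scenario(home_net, external_net, src, dst):
    """Would the assumed header match src -> dst under these variable settings?"""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return header_matches(src, dst, HEADER, variables)

if __name__ == "__main__":
    both = f"[{SEG1},{SEG2}]"
    cases = [
        ("HOME_NET=#1, EXTERNAL_NET=!$HOME_NET, scan #1", SEG1, "!$HOME_NET", HOST1),
        ("HOME_NET=#1, EXTERNAL_NET=any, scan #1", SEG1, "any", HOST1),
        ("HOME_NET=#1, EXTERNAL_NET=any, scan #2", SEG1, "any", HOST2),
        ("HOME_NET=#1+#2, EXTERNAL_NET=any, scan #2", both, "any", HOST2),
    ]
    for label, home, ext, dst in cases:
        print(f"{label}: header matches = {scenario(home, ext, SCANNER, dst)}")
```

Preprocessor alerts are outside this model, since per Erek's reply `$HOME_NET` has no bearing on them.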