Re: [Snort-users] $HOME_NET
From: Keg (snrtlst netscape.net)
Date: Mon Apr 07 2003 - 14:50:42 CDT
1. I get it, but on the other hand my EXTERNAL_NET is set to ANY.
Should that treat nessus box as external_net?
2. Should I always use EXTERNAL_NET as !$HOME_NET?
Erek Adams wrote:
>On Mon, 7 Apr 2003, Keg wrote:
>
>
>
>>1. OK, let me get it straight. If my $HOME_NET is set to
>>192.168.199.0/24 and my nessus scanner is 192.168.199.20. When I scan
>>the segment from nessus box I don't scan for ports at all, I scan only
>>for vulnerabilities. Shouldn't the rules be triggered in this case?
>>
>>
>
>Nope. Go look at the rules, it'll make more sense as why it doesn't.
>The following rule would fire if you were scanned by Nessus:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
>     (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; \
>     uricontent:"/nessus_is_probing_you_"; depth:32; \
>     reference:arachnids,301; classtype:web-application-activity; \
>     sid:1102; rev:5;)
>
>See first line? That translates into "If an IP from the EXTERNAL_NET
>connects to HTTP_SERVERS on HTTP_PORTS then...". Unless your scanner is
>on the outside of HOME_NET this rule won't fire.
>
>
>
>>2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,
>>would it be correct to say that IN THIS CASE NO ALERTS WILL BE
>>GENERATED BY THE RULES, but some will be generated by pre-processors. Is
>>that correct?
>>
>>
>
>Yes and no. The alerts will be generated by the preprocessors, yes.
>Depending on how you have your EXTERNAL_NET set and where you are scanning
>from, you may or may not get alerts from the rules. If you have:
>
> var HOME_NET 198.168.199.0/24
> var EXTERNAL_NET !$HOME_NET
>
>And you scan from 198.168.199.20, then you don't get any alerts from
>rules, unless they don't look for EXTERNAL_NET -> HOME_NET. If you scan
>from outside of HOME_NET then you would get alerts from any of the rules.
>
>Hope that helps!
>
>-----
>Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
>
>
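Added example (not part of the original thread): a small Python model of how the source and destination of a rule header such as sid 1102 are checked against the variable definitions, comparing EXTERNAL_NET set to any with EXTERNAL_NET set to !$HOME_NET. It assumes HTTP_SERVERS is $HOME_NET and uses constructed host addresses; only single CIDR values are handled, and ports, flow and content options are not evaluated.

```python
import ipaddress

def resolve(value, variables):
    """Expand a Snort-style address value to (negated, network); network is None for 'any'."""
    negated = False
    while True:
        value = value.strip()
        if value.startswith("!"):
            negated = not negated
            value = value[1:]
        elif value.startswith("$"):
            value = variables[value[1:]]  # follow the variable reference
        else:
            break
    if value.lower() == "any":
        return negated, None
    return negated, ipaddress.ip_network(value)

def addr_matches(ip, value, variables):
    """True if ip satisfies the (possibly negated) address value."""
    negated, net = resolve(value, variables)
    hit = True if net is None else ipaddress.ip_address(ip) in net
    return hit != negated

def header_matches(src, dst, rule_src, rule_dst, variables):
    """Check only the address part of 'rule_src any -> rule_dst ports'."""
    return (addr_matches(src, rule_src, variables)
            and addr_matches(dst, rule_dst, variables))

# Assumption: HTTP_SERVERS is $HOME_NET in both configurations.
CONF_ANY = {"HOME_NET": "192.168.199.0/24", "EXTERNAL_NET": "any",
            "HTTP_SERVERS": "$HOME_NET"}
CONF_NOT_HOME = dict(CONF_ANY, EXTERNAL_NET="!$HOME_NET")

SCANNER = "192.168.199.20"   # Nessus box from the thread, inside HOME_NET
WEB_HOST = "192.168.199.10"  # constructed target inside HOME_NET
OUTSIDE = "203.0.113.5"      # constructed address outside HOME_NET

def sid_1102_header(src, conf):
    """Would the header of the Nessus 404 probe rule match traffic src -> WEB_HOST?"""
    return header_matches(src, WEB_HOST, "$EXTERNAL_NET", "$HTTP_SERVERS", conf)

if __name__ == "__main__":
    for name, conf in (("any", CONF_ANY), ("!$HOME_NET", CONF_NOT_HOME)):
        print(f"EXTERNAL_NET={name}: internal scanner={sid_1102_header(SCANNER, conf)}, "
              f"outside source={sid_1102_header(OUTSIDE, conf)}")
```

A header match is only a precondition for an alert: the sensor still has to see the traffic, and the rule's remaining options have to match.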