
Re: [Snort-users] $HOME_NET

From: Erek Adams <erek(at)snort.org>
Date: Mon Apr 07 2003 - 11:42:42 EDT

On Mon, 7 Apr 2003, Keg wrote:

> 1. OK, let me get it straight. If my $HOME_NET is set to

Nope. Go look at the rules; it'll make more sense as to why it doesn't. The following rule would fire if you were scanned by Nessus:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-activity; sid:1102; rev:5;)

See the first line? That translates into "If an IP from the EXTERNAL_NET connects to HTTP_SERVERS on HTTP_PORTS, then...". Unless your scanner is on the outside of HOME_NET, this rule won't fire.

> 2. When I scan 192.168.199.0 from the nessus box, and DO USE PORTSCAN,

Yes and no. The alerts will be generated by the preprocessors, yes. Depending on how you have your EXTERNAL_NET set and where you are scanning from, you may or may not get alerts from the rules. If you have:

	var HOME_NET 198.168.199.0/24
	var EXTERNAL_NET !$HOME_NET

And you scan from 198.168.199.20, then you don't get any alerts from rules, unless they don't look for EXTERNAL_NET -> HOME_NET. If you scan from outside of HOME_NET then you would get alerts from any of the rules.

Hope that helps!



Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson
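To make the point in the message above concrete, here is an added example that is not part of Erek's reply and not Snort's own code: a small Python model of how a rule header's $EXTERNAL_NET / $HOME_NET / $HTTP_SERVERS / $HTTP_PORTS variables resolve (following `$VAR` references, `!` negation and `[a,b]` lists) and whether a given connection matches the header. The variable values mirror the ones in the message; HTTP_SERVERS, HTTP_PORTS, the sample packets and the second (internal) rule header are constructed for the illustration. It only evaluates the rule header; in real Snort the options (flow:, uricontent:, ...) still have to match before an alert fires.

```python
"""Added example (not from the original message, not Snort code): resolve
snort.conf-style $VAR address/port specs and evaluate a rule header against
a packet, to show why an EXTERNAL_NET -> HOME_NET rule stays silent for a
scan launched from inside HOME_NET."""
import ipaddress

# Constructed snort.conf-style variables. HOME_NET/EXTERNAL_NET mirror the
# message above; HTTP_SERVERS and HTTP_PORTS are assumed for the example.
VARS = {
    "HOME_NET": "198.168.199.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80",
}

# The Nessus rule quoted in the message, plus a constructed HOME_NET ->
# HOME_NET header (the "unless they don't look for EXTERNAL_NET -> HOME_NET"
# case). Only the header before '(' is evaluated here.
NESSUS_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
               '(msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; '
               'uricontent:"/nessus_is_probing_you_"; depth:32; '
               'reference:arachnids,301; classtype:web-application-activity; '
               'sid:1102; rev:5;)')
INTERNAL_RULE = 'alert tcp $HOME_NET any -> $HOME_NET any (msg:"constructed internal rule";)'

# Constructed packets: a scan from inside HOME_NET and one from outside it.
INSIDE_SCAN = {"proto": "tcp", "src": "198.168.199.20", "sport": 40000,
               "dst": "198.168.199.10", "dport": 80}
OUTSIDE_SCAN = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
                "dst": "198.168.199.10", "dport": 80}


def _expand(spec, variables):
    """Return (negated, items) for an address or port spec. Strips leading
    '!' (each one flips the sense), follows $VAR references recursively and
    splits [a,b,c] lists. items is None for the keyword 'any'."""
    negated = False
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, items = _expand(variables[spec[1:]], variables)
        return negated ^ inner_negated, items
    if spec == "any":
        return negated, None
    return negated, [s.strip() for s in spec.strip("[]").split(",") if s.strip()]


def ip_in_spec(spec, ip, variables=VARS):
    """True if ip is selected by the address spec (after negation)."""
    negated, items = _expand(spec, variables)
    if items is None:
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n, strict=False) for n in items)
    return hit != negated  # '!' flips the result


def port_in_spec(spec, port, variables=VARS):
    """True if port is selected by the port spec; supports N, lo:hi, :hi, lo:."""
    negated, items = _expand(spec, variables)
    if items is None:
        hit = True
    else:
        hit = False
        for item in items:
            lo, sep, hi = item.partition(":")
            low = int(lo) if lo else 0
            high = (int(hi) if hi else 65535) if sep else low
            if low <= port <= high:
                hit = True
    return hit != negated


def header_matches(rule, pkt, variables=VARS):
    """Evaluate the rule header (action proto src sport dir dst dport) only."""
    _action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    if proto != "ip" and proto != pkt["proto"]:
        return False

    def one_way(a, ap, b, bp):
        return (ip_in_spec(a, pkt["src"], variables) and port_in_spec(ap, pkt["sport"], variables)
                and ip_in_spec(b, pkt["dst"], variables) and port_in_spec(bp, pkt["dport"], variables))

    if direction == "->":
        return one_way(src, sport, dst, dport)
    if direction == "<>":
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    raise ValueError("unknown direction operator: %s" % direction)


if __name__ == "__main__":
    for name, pkt in (("inside scan", INSIDE_SCAN), ("outside scan", OUTSIDE_SCAN)):
        print("%-12s Nessus rule header: %s  internal rule header: %s" % (
            name, header_matches(NESSUS_RULE, pkt), header_matches(INTERNAL_RULE, pkt)))
```

Running it shows the asymmetry Erek describes: the Nessus header is false for the scan from 198.168.199.20 (its source is excluded by `!$HOME_NET`) and true for the one from 203.0.113.7, while the HOME_NET -> HOME_NET header is the only one that catches the inside scan.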




Received on Mon Apr 7 11:51:02 2003


