Re: [Snort-users] $HOME_NET

Sorry, but it looks like I'm going in circles....if $EXTERNAL_NET is set to any, then even if my nessus box is on the same segment as specified in $HOME_NET it should generate tons of alerts and rules should be triggered. (Hope I'm not being too dummy here and I got it right, if not I' ready for another 20 wet noodles lashes...) Please confir/deny that this is a correct statement.
But what happens is the following:
If segment that hosts nessus is removed from $HOME_NET and nessus scan is initiated on that segment (only vulns, no port scans), then snort shows only a few alerts (and only the unix-related) If segment that hosts nessus is moved back $HOME_NET and nessus scan is initiated on that segment (only vulns, no port scans), then snort shows a lot of alerts (and only the unix-related) I'm puzzled a bit cause when snort reports attacks from the internet it reports it as it should be....unix-related, windows-related

P.S. I do realize that it is hard to give a defenite answer without knowing exactly how it is set up here, even if I did my best to provide the info there could always be something else that bugs the system...

Erek Adams wrote:

>On Mon, 7 Apr 2003, Keg wrote:

-- 
Your favorite stores, helpful shopping tools and great gift ideas. 
Experience the convenience of buying online with Shop@Netscape! 
http://shopnow.netscape.com/




-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users