Thursday, April 03, 2008

Not Alerting on Scheduled Nessus Scans with Snort (Debian-style)

So my (Debian based) firewall routes traffic for the three subnets I have behind it, each which is front-ended by either a Cisco 851 or a Linksys AP. On one of the subnets I have a VM running Tenable Security Center which runs daily Nessus scans from two Nessus scanners.

The first scanner (on my Son's Ubuntu 7.10 Optiplex) scans the non-Linksys devices connected to the AP, both wired and wireless. (I exclude the traffic because even traffic through the APs hangs the WRT54G and sometimes the WET54G (bridge). The second scans its local subnet and the other Cisco-protected subnet. I will add a third Nessus scanner behind this subnet that scans back so that on the non-Linksys segments I have a perspective of scans both inside and outside the Firewall (meaning router ACLs)

But this obviously causes even the default Debian Snort ruleset to alert. So tweaking this knowledge base entry to the pecularities of a Debian (4.0) Snort install, I did the following:

1) Create an /etc/snort/excludes.conf that has BPF (not host scanner-ip) to ignore scans to/from that host

2) Modify the PARAMETERS variable in /etc/defaults/snort

# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-F /etc/snort/excludes.conf -m 027 -D -d "

3) Restart snort as usual
Simple, almost too simple to even blog about...


Anonymous said...

Ehh... I just add a pcap filter to the snort cmd line. How is Nessus security center in your opinion?

Matt Franz said...

Yeah, that's basically what this does except it uses the Debian startup scripts and config files so you don't have to touch /etc/init.d/snort (which I was initially tempted to do, bad!)