Thursday, April 03, 2008

Not Alerting on Scheduled Nessus Scans with Snort (Debian-style)

So my (Debian based) firewall routes traffic for the three subnets I have behind it, each of which is front-ended by either a Cisco 851 or a Linksys AP. On one of the subnets I have a VM running Tenable Security Center, which runs daily Nessus scans from two Nessus scanners.

The first scanner (on my son's Ubuntu 7.10 Optiplex) scans the non-Linksys devices connected to the AP, both wired and wireless. (I exclude the Linksys devices because even traffic passing through the APs hangs the WRT54G and sometimes the WET54G bridge.) The second scans its local subnet and the other Cisco-protected subnet. I will add a third Nessus scanner behind this subnet that scans back, so that on the non-Linksys segments I have a perspective of scans from both inside and outside the firewall (meaning router ACLs).

But this obviously causes even the default Debian Snort ruleset to alert. So, tweaking this knowledge base entry to the peculiarities of a Debian (4.0) Snort install, I did the following:

1) Create an /etc/snort/excludes.conf containing a BPF expression (not host scanner-ip) so Snort ignores traffic to/from that host

2) Modify the PARAMS variable in /etc/defaults/snort so it points at that file:

# Parameters for the daemon
# Add any additional parameters here.
PARAMS="-F /etc/snort/excludes.conf -m 027 -D -d "

3) Restart snort as usual

Simple, almost too simple to even blog about...
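The three steps above, collected into a small POSIX shell helper as an added example (not code from the original post). It builds the BPF expression for any number of scanner addresses (the post shows a single host; `not (host A or host B)` is the same idea for two), writes it to the excludes file, and produces the PARAMS line for the Debian defaults file. The scanner addresses and the temp-file path used in the usage section are constructed placeholders, and nothing here touches /etc or restarts Snort.

```shell
#!/bin/sh
# Added example: generate a Snort "-F" BPF exclude file for one or more
# Nessus scanner hosts. Scanner IPs and output paths are placeholders.

# build_exclude_filter IP... -> prints "not (host A or host B ...)"
# Returns 1 (and prints nothing) when no address is given, because an
# empty "not ()" would make Snort fail to start instead of silently
# passing all traffic.
build_exclude_filter() {
    [ "$#" -gt 0 ] || return 1
    expr=""
    for ip in "$@"; do
        if [ -z "$expr" ]; then
            expr="host $ip"
        else
            expr="$expr or host $ip"
        fi
    done
    printf 'not (%s)\n' "$expr"
}

# write_exclude_conf FILE IP... -> writes the filter expression to FILE
# (the file Snort reads via "-F FILE"; same format tcpdump -F uses)
write_exclude_conf() {
    out="$1"; shift
    build_exclude_filter "$@" > "$out"
}

# snort_params FILTERFILE -> the PARAMS line to put in the Debian
# defaults file, matching the flags the post uses (-m 027 -D -d)
snort_params() {
    printf 'PARAMS="-F %s -m 027 -D -d"\n' "$1"
}

# Usage (constructed addresses; writes only to a temp file):
if [ -z "${SNORT_EXCLUDE_LIB:-}" ]; then
    tmp="${TMPDIR:-/tmp}/excludes.conf.example.$$"
    write_exclude_conf "$tmp" 192.0.2.10 192.0.2.11
    echo "Filter written to $tmp:"
    cat "$tmp"
    snort_params /etc/snort/excludes.conf
    rm -f "$tmp"
fi
```

Because `-F` applies the filter before any rule sees the packet, everything to or from the listed hosts becomes invisible to Snort, not just the scan noise. That is the intended trade-off here, but it is worth keeping the list to the dedicated scanner boxes only, and a `tcpdump -F /etc/snort/excludes.conf` against a short capture is a quick way to confirm the expression parses and matches what you expect before restarting the daemon.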

2 comments:

Anonymous said...

Ehh... I just add a pcap filter to the snort cmd line. How is Nessus security center in your opinion?

Matt Franz said...

Yeah, that's basically what this does except it uses the Debian startup scripts and config files so you don't have to touch /etc/init.d/snort (which I was initially tempted to do, bad!)