1. I have a VM of Linux-based Snort running in my lab.
2. On one workstation I am using the BT2 CD.
3. Then I have the host XP box running the VM of snort.
I can "db_nmap xxx.xxx.xxx.xx1" which is the XP host for the VM no problem.
I cannot get "db_nmap xxx.xxx.xxx.xx2", which is the snort VM, to work. It just sits there. And because of this, when I run the "db_autopwn -p -t -e" it will not target the xxx.xxx.xxx.xx2 snort VM. NOTE - This works and retargets the XP host with no problems.
If I run a "nmap -v -A -T4 xxx.xxx.xxx.xx2" against snort, I get the OS, the ports, etc. AND snort registers the alerts.
What step am I missing here to make autopwn target a Snort VM machine?
My thoughts... since snort usually puts the nic in stealth mode, db_nmap is having issues targeting it, but that doesn't explain the nmap -A stuff from above.
Thank you for the quick reply. The snort install is another issue. Why can't I target autopwn to that IP address?
On a side note, is there a snort hardening white paper floating around here?
As streaker said, if you installed Snort properly it should not have an IP address. If it had an IP address it would be detected to outsiders. Your Snort box is not meant to be seen, i.e., no IP address... you do have it connected to your switch and passive tap/hub, right?
Snort papers, try this Google search:
Google Search
EDIT: If you look in the General IT thread you should find a thread discussing Snort... search
Again, snort lab setup aside...
Why can I nmap the IP address with nmap -v -A xxxx, but when I do a db_nmap xxxxxx I get nothing?
Seems like a problem with your database setup.
Thanks. I redid it all from scratch again for the Nth time and it worked. Not sure why it would not work before. Now to harden that test snort box.