Re: Default Snort configuration on Win32 .. Not detecting SubSeven and other stuff?

["Michael Sconzo" <msconzo () tamu edu>]

It's be a while since I have installed Snort on Win2k, but you might check
the snort.conf file.  There are a few rule sets that are probably commented
out, one of those being the backdoor.rules file

# include $RULE_PATH/backdoor.rules

Just remove the # and restart snort.

Hope this helps,
-Mike


----- Original Message ----- 
From: "Mark G. Spencer" <mspencer () evidentdata com>
To: <security-basics () securityfocus com>
Sent: Friday, June 27, 2003 10:48 AM
Subject: Default Snort configuration on Win32 .. Not detecting SubSeven and
other stuff?


> Hi all,
>
> (I posted this on the Snort mailing list but I may not have been clear
> enough, didn't get any replies, so I'm updating the question .. )
>
> Newbie question .. I'm slowly making my way through the Syngress book but
> got jumpy and went ahead and installed Snort on an old laptop running
Win2K
> Professional.  One thing I noticed is that Snort is missing many
> questionable packets (e.g. SubSeven) that another device on my network
> (SonicWALL PRO) is catching.  The bulk of over 70 megabytes of alert file
is
> just SQL Slammer notification.
>
> I was wondering if there is something obvious about the default
> configuration I am missing?  I noticed some ports are explicitly mentioned
> in the configuration file, e.g. HTTP, but I was assuming (probably
> incorrectly) that Snort by default would also screen suspicious packets
sent
> to any port?
>
> Is there a quick way to verify that Snort is inspecting all packets sent
to
> ports 1-65535 with all rules applied?  I want Snort to be as inclusive as
> possible at first so I can decide what I do or do not need over time ..
>
> Thanks!
>
> Mark
>
>
> --------------------------------------------------------------------------
-
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------