Snort mailing list archives
Default configuration on Win32 .. Not detecting SubSeven?
From: "Mark G. Spencer" <mspencer () evidentdata com>
Date: Tue, 17 Jun 2003 09:02:36 -0700
Hi all,

Newbie question .. I'm slowly making my way through the Syngress book but got jumpy and went ahead and installed Snort on an old laptop running Win2K Professional. One thing I noticed is that Snort is missing many questionable packets (e.g. SubSeven) that another device on my network (SonicWALL PRO) is catching. The bulk of over 70 megabytes of alert file is SQL Slammer notification.

I was wondering if there is something obvious about the default configuration I am missing? I noticed some ports are explicitly mentioned in the configuration file, e.g. HTTP, but I was assuming (probably incorrectly) that Snort by default would also screen suspicious packets sent to any port? Is there a quick way to verify that Snort is inspecting all packets sent to ports 1-65535?

Then again, my problem may be more related to the rules for SubSeven not being run in a default Snort install?

Thanks for the advice,

Mark