Default configuration on Win32 .. Not detecting SubSeven?

["Mark G. Spencer" <mspencer () evidentdata com>]

Hi all, 

Newbie question .. I'm slowly making my way through the Syngress book but
got jumpy and went ahead and installed Snort on an old laptop running Win2K
Professional.  One thing I noticed is that Snort is missing many
questionable packets (e.g. SubSeven) that another device on my network
(SonicWALL PRO) is catching.  The bulk of over 70 megabytes of alert file is
SQL Slammer notification.

I was wondering if there is something obvious about the default
configuration I am missing?  I noticed some ports are explicitly mentioned
in the configuration file, e.g. HTTP, but I was assuming (probably
incorrectly) that Snort by default would also screen suspicious packets sent
to any port?

Is there a quick way to verify that Snort is inspecting all packets sent to
ports 1-65535?  Then again, my problem may be more related to the rules for
SubSeven not being run in a default Snort install?

Thanks for the advice,

Mark



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users