[Snort-users] Default configuration on Win32 .. Not detecting SubSeven?

Mark G. Spencer mspencer at ...9488...
Tue Jun 17 09:03:10 EDT 2003

Hi all, 

Newbie question .. I'm slowly making my way through the Syngress book but
got jumpy and went ahead and installed Snort on an old laptop running Win2K
Professional.  One thing I noticed is that Snort is missing many
questionable packets (e.g. SubSeven) that another device on my network
(SonicWALL PRO) is catching.  The bulk of over 70 megabytes of alert file is
SQL Slammer notification.

I was wondering if there is something obvious about the default
configuration I am missing?  I noticed some ports are explicitly mentioned
in the configuration file, e.g. HTTP, but I was assuming (probably
incorrectly) that Snort by default would also screen suspicious packets sent
to any port?

Is there a quick way to verify that Snort is inspecting all packets sent to
ports 1-65535?  Then again, my problem may be more related to the rules for
SubSeven not being run in a default Snort install?

Thanks for the advice,
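The question above, "which of my rules actually apply to traffic on a given port?", can be answered mechanically from the rule headers. The following script is an added example for this list archive, not part of the original post and not Snort's own code: it parses Snort 2.x-style `var` definitions and rule headers, expands `$VARIABLE` references, and reports which SIDs would be consulted for a given protocol and destination port, plus which ports no rule header covers at all. All variable values and rule lines in it are constructed for the example and are not copied from any Snort release; only the rule header is modelled (the option block is kept as an opaque string), and bidirectional `<>` rules are treated like `->`.

```python
"""Which Snort rule headers apply to a given destination port?

Added example, not code from the original post or from the Snort project.
Assumptions: the conf and rule text below are constructed sample values;
only the header (action proto src sport dir dst dport) is parsed.
"""
import re

# Constructed snort.conf-style variables (example values, not a real config).
SAMPLE_CONF = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
"""

# Constructed rule lines in Snort 2.x header syntax (example SIDs/ports only).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC example"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"BACKDOOR example fixed-port signature"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR example any-port signature"; sid:1000003;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL example worm probe"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"example high-port range"; sid:1000005;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_vars(conf_text):
    """Collect 'var/portvar/ipvar NAME VALUE' lines into a dict."""
    variables = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(?:var|portvar|ipvar)\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolve(token, variables, depth=0):
    """Expand a $NAME (or !$NAME) reference, following nested references."""
    if depth > 10:
        raise ValueError("variable expansion too deep: %r" % token)
    m = re.fullmatch(r"(!?)\$(\w+)", token)
    if not m:
        return token  # literal port/address spec, nothing to expand
    neg, name = m.groups()
    if name not in variables:
        raise KeyError("undefined variable $%s" % name)
    value = resolve(variables[name], variables, depth + 1)
    if neg:  # "!!x" cancels out, otherwise prepend the negation
        value = value[1:] if value.startswith("!") else "!" + value
    return value


def port_matches(spec, port):
    """Match a port spec: any, 80, 1024:, :1023, 1:100, [a,b], or !spec."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port) for p in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 1) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def parse_rules(rules_text):
    """Parse rule headers; keep the option block opaque but pull out the sid."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        rule = m.groupdict()
        sid = re.search(r"sid:\s*(\d+)", rule["opts"])
        rule["sid"] = int(sid.group(1)) if sid else None
        rules.append(rule)
    return rules


def rules_for_port(rules, variables, proto, dport):
    """SIDs whose header would be consulted for inbound proto traffic to dport."""
    return [r["sid"] for r in rules
            if r["proto"] in (proto, "ip")
            and port_matches(resolve(r["dport"], variables), dport)]


def uncovered_ports(rules, variables, proto):
    """Destination ports 1-65535 that no rule header for proto would match."""
    specs = [resolve(r["dport"], variables) for r in rules if r["proto"] in (proto, "ip")]
    return [p for p in range(1, 65536) if not any(port_matches(s, p) for s in specs)]


if __name__ == "__main__":
    variables = parse_vars(SAMPLE_CONF)
    rules = parse_rules(SAMPLE_RULES)
    for proto, port in (("tcp", 27374), ("tcp", 80), ("udp", 1434), ("udp", 53)):
        print(proto, port, "->", rules_for_port(rules, variables, proto, port))
    print("udp ports with no rule header at all:", len(uncovered_ports(rules, variables, "udp")))
```

The useful observation this makes concrete: Snort sees every packet the capture interface delivers, but a rule only fires on a packet whose header the rule matches, so an alert for a service on an unusual port depends on having a rule whose port field is `any`, a range, or that specific port. Point the two sample strings at a real `snort.conf` and `*.rules` set to see which SIDs cover a port you care about and which ports have no rule at all.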


