It's be a while since I have installed Snort on Win2k, but you might check the snort.conf file. There are a few rule sets that are probably commented out, one of those being the backdoor.rules file
# include $RULE_PATH/backdoor.rules Just remove the # and restart snort. Hope this helps, -Mike ----- Original Message ----- From: "Mark G. Spencer" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, June 27, 2003 10:48 AM Subject: Default Snort configuration on Win32 .. Not detecting SubSeven and other stuff? > Hi all, > > (I posted this on the Snort mailing list but I may not have been clear > enough, didn't get any replies, so I'm updating the question .. ) > > Newbie question .. I'm slowly making my way through the Syngress book but > got jumpy and went ahead and installed Snort on an old laptop running Win2K > Professional. One thing I noticed is that Snort is missing many > questionable packets (e.g. SubSeven) that another device on my network > (SonicWALL PRO) is catching. The bulk of over 70 megabytes of alert file is > just SQL Slammer notification. > > I was wondering if there is something obvious about the default > configuration I am missing? I noticed some ports are explicitly mentioned > in the configuration file, e.g. HTTP, but I was assuming (probably > incorrectly) that Snort by default would also screen suspicious packets sent > to any port? > > Is there a quick way to verify that Snort is inspecting all packets sent to > ports 1-65535 with all rules applied? I want Snort to be as inclusive as > possible at first so I can decide what I do or do not need over time .. > > Thanks! > > Mark > > > -------------------------------------------------------------------------- - > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! > The Gartner Group just put Neoteris in the top of its Magic Quadrant, > while InStat has confirmed Neoteris as the leader in marketshare. > > Find out why, and see how you can get plug-n-play secure remote access in > about an hour, with no client, server changes, or ongoing maintenance. > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm > -------------------------------------------------------------------------- -- > > --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
