Hi all, (I posted this on the Snort mailing list but I may not have been clear enough, didn't get any replies, so I'm updating the question .. )
Newbie question .. I'm slowly making my way through the Syngress book but got jumpy and went ahead and installed Snort on an old laptop running Win2K Professional. One thing I noticed is that Snort is missing many questionable packets (e.g. SubSeven) that another device on my network (SonicWALL PRO) is catching. The bulk of over 70 megabytes of alert file is just SQL Slammer notification. I was wondering if there is something obvious about the default configuration I am missing? I noticed some ports are explicitly mentioned in the configuration file, e.g. HTTP, but I was assuming (probably incorrectly) that Snort by default would also screen suspicious packets sent to any port? Is there a quick way to verify that Snort is inspecting all packets sent to ports 1-65535 with all rules applied? I want Snort to be as inclusive as possible at first so I can decide what I do or do not need over time .. Thanks! Mark --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------