First short explanation what is Snort from Snort official website:
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Installation of Snort on Windows is pretty simple.
First, you need to download and install few things. For Snort to be able to act as sniffer and IDS it needs Windows Packet Capture Library which is WinPcap. The stable latest version on the site is 4.1.1 and you can download it here.
Now when we have WinPcap installed the next step will be to download Snort. The latest version for Windows is 2.8.5.1 and you can download it here. Installation shouldn’t be a problem, if you need IPv6 support and logging to Microsoft SQL or Oracle database then you need to select proper radio and check boxes and if don’t then just go next and next to the end and that’s it. Default installation directory is C:\Snort so remember it because it will be our working dir all the time.
So we have installed WinPcap and Snort but we are not finished with installation yet. We have one more thing to download and install. The Snort rules. These rules are those small files that tells Snort what it should search for in captured packages and how to identify them, as a threat, information disclosure or something else. For us to be able to download Snort rules we have to be registered on Snort site. Registration is free and rules are one month old for free users, for those who need the latest threats detected at the same moment when they are published to the community I suggest to buy VRT subscription so you will have the latest rules directly as they are announced. So now we will download snortrules-snapshot-2.8.tar.gz rules archive file. When you open archive file you will get following structure:
Copy all four directories over those in C:\Snort replacing contents that already exists on the hard drive.
Now when we are done with easy part we need to configure Snort to run. Because these rules are written for unixoid systems we need to change some things in the main config file C:\Snort\etc\snort.conf so that Snort can start at all.
Here are the things that you need to edit to be able to run snort:
Find lines 269 and 270. These lines will not allow Snort to start, at least not on Windows because Snort detects the second one as double config detection line so we need to change this.
Change from this:
config detection: search-method ac-bnfa
config detection: max_queue_events 5
To this:
config detection: search-method ac-bnfa max_queue_events 5
Now, the next thing that we need to change is lines where we say to Snort where to find dynamic preprocessor files. On lines from 298 to 303 change this:
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
To this:
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
Next thing to change is line 324 on which we have dynamic engine path, so change it from this:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
To this:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
I don’t know why, maybe some mistake, but lines bellow should be commented out by default, but they were not so we have to comment them out. Because we are not VRT subscriber and don’t have any dynamic detection files we need to coment lines from 339 to 354, so change this:
dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
To this:
#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
Now we need to trim a bit SSH preprocessor to work on Windows as it is different from Linux one, so find line 753 and change this:
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir
To this:
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
Now we are good to go. We can test snort easily from the command line. So now go on Start->Run and type cmd following by enter key. Now in command prompt type following commands:
c: and then enter key
cd c:\snort\bin and then enter key
snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii and then enter key
So now we have entered Snort directory and started Snort on command line. You will first see Snort starting and parsing config file snort.conf and then you will see lot of output when Snort start sniffing and controlling packages on the network. If it finds any package that is not regular network traffic it will save info about it in c:\Snort\Log\alert.ids file. Simple output of one captured packet looks like this:
[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0×0 ID:5399 IpLen:20 DgmLen:79
Len: 51
Now to explain what we have here. The first line says what type of attack is it, the second line says what classification is it and what priority does it have, and the last three lines are data about the attack, attacker IP, your IP, destination and source ports and so on.
snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
Related posts:
Tags: capture, free, freeware, ids, packet, pcap, server, sniff, sniffer, snort, win, windows, winpcap
[...] This post was mentioned on Twitter by Branko Rihtman, Amar Kulo. Amar Kulo said: From my blog: How to install Snort Intrusion Detection System on Windows http://is.gd/5xoE8 [...]
Hi,
Thank you! I would now go on this blog every day!
Have a nice day
Socco
You are welcome.
Amar
You make a mistake.
===
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir
===
Becomes
===
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
===
You need to erase last ‘ \’
Thanks for you ‘how-to’!
Hmm, I don’t think so but I will check.
Reason why / is there is because / says that next line also is part of preprocessor configuration but I will check anyway.
Tnx for your comment.
When i keep the ‘ \’ at the end of this configuration, i have this error :
ERROR: Invalid argument: preprocessor
Fatal Error, Quitting..
It could be, I will test it on Monday and fix it in post if it is correct.
Tnx for the tip anyway.
I follow your step, ignore the last “/”. Snort run smoothly, but there still an error:
ERROR: c:\snort\etc\snort.conf(273) Unknown rule type: max_queue_events.
I wonder what this problem is.
Snort really is a big mess. When I can run snort in command line, I failed to start Snort in IDSCenter. IDSCenter refrase the snort.conf in somekind of structure and it cause Snort failed to start. Can you post an entry show us how to configure IDSCenter? I’m going crazy with this.
Exactly, I have problems with the preprocessor bo.
preprocessor bo
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes,
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: default_server
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917
7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow
This mess, from stream5 to the end of this. I always have trouble like “unknown preprocessor stream5″ or “must configure http inspect global configuration first” and so far, ftp_telnet, bla bla bla….
Thanks!!!!
Hmm I have tested my conf and still don’t have problem with trailing \. I have updated post with my snort.conf file just for the records.
Regarding stream5 preprocessor, I don’t know why is it complaining because stream5 should be in dynamic engine, there is no separate preprocessor .dll file for it.
Test with my config file and see what happens.
I don’t use IDSCenter, but I will give it a go to see what kind of problems are you having.
Yes, I’m waiting for you. Actually, I decided to ignore IDSCenter. Instead of IDSCenter, I run snort through command line.
BUT still I have trouble with snort. I try apacheDoS and guess what, Snort doesn’t write any log into alert.ids. But when I using nmap, Snort writes log. What wrong with that? Can you suggest me some more tools to test Snort?
Thank you so much.
Amar Kulo, why can’t my snort write log file into folders? I try many ways, but that still doesn’t work.
Regarding ennguyennguyen’s problem with max_queue_events:
The instructions say to use this:
config detection: search-method ac-bnfa
max_queue_events 5
But this is missing a “\” after “ac-bnfa” to ensure this is interpreted as one long command without an end-of-line. Alternatively, you can simply write it as
config detection: search-method ac-bnfa max_queue_events 5
As for problems incurred by an extra trailing “\”, make sure there is nothing on the line that follows, so that the command interpreter will pick up the end-of-line. “\” is just for readability. If your code is all mashed up so that one command follows another without a blank line, and you are using trailing “\”, then the interpreter won’t know where parameters end and the next command begins. For example, the code segment:
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
will try to be read as
preprocessor ftp_telnet_protocol: preprocessor ftp_telnet_protocol:
which is nonsense.
Make sure you have newlines where newlines are needed, and “\” where the command is NOT supposed to end.
Sorry, it was my mistake that one extra “\” was left behind on preprocesor line. Now it’s removed.
Regardin logs, if you are using -l path then check if snort can write to log directory.
Instruction says that config detection: search-method ac-bnfa max_queue_events 5 should be written on one line, not on two, and if you are writing them on 2 then you need “\” on the end of the first line.