First, a short explanation of what Snort is, from the official Snort website:
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Installing Snort on Windows is pretty simple.
First, you need to download and install a few things. For Snort to be able to act as a sniffer and IDS it needs the Windows packet capture library, WinPcap. The latest stable version on the site is 4.1.1 and you can download it here.
Now that we have WinPcap installed, the next step is to download Snort. The latest version for Windows is 2.8.5.1 and you can download it here. Installation shouldn't be a problem: if you need IPv6 support and logging to a Microsoft SQL or Oracle database, select the proper radio buttons and check boxes; if not, just click Next until the end and that's it. The default installation directory is C:\Snort; remember it, because it will be our working directory all the time.
So we have installed WinPcap and Snort, but we are not finished with the installation yet. We have one more thing to download and install: the Snort rules. These rules are the small files that tell Snort what to search for in captured packets and how to classify what it finds, as a threat, an information disclosure or something else. To download Snort rules you have to be registered on the Snort site. Registration is free, and the rules for free users are one month old; if you need the latest threats detected the moment they are published to the community, I suggest buying a VRT subscription so you get the latest rules as soon as they are announced. So now we download the snortrules-snapshot-2.8.tar.gz rules archive. When you open the archive you will see the following structure:
(Screenshot: the four directories inside the Snort rules archive)
Copy all four directories over those in C:\Snort, replacing the contents that already exist on the hard drive.
Now that we are done with the easy part, we need to configure Snort to run. Because the rules and the default configuration are written for Unix-like systems, we need to change some things in the main config file C:\Snort\etc\snort.conf so that Snort can start at all.
Here are the things you need to edit to be able to run Snort:
Find lines 269 and 270. These lines will not let Snort start, at least not on Windows, because Snort sees the second one as a duplicate config detection line, so we need to change this.
Change from this:
config detection: search-method ac-bnfa
config detection: max_queue_events 5
To this:
config detection: search-method ac-bnfa max_queue_events 5
Next, we need to change the lines that tell Snort where to find the dynamic preprocessor files. On lines 298 to 303 change this:
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
To this:
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
Next, change the dynamic engine path on line 324 from this:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
To this:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
I don't know why, maybe it is a mistake, but the lines below should be commented out by default and they are not, so we have to comment them out ourselves. Because we are not VRT subscribers and don't have any dynamic detection files, we need to comment out lines 339 to 354, so change this:
dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
To this:
#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
Now we need to trim the SSH preprocessor configuration a bit so it works on Windows, because it differs from the Linux one. Find line 753 and change this:
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir
To this:
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
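Because the edits above are mechanical, here is an added Python example (not part of the original post) that applies them to a snort.conf: it merges the split config detection lines, maps the Unix .so module paths to the C:\Snort\lib .dll names, comments out the dynamicdetection lines and drops the three SSH options, after first folding the trailing-backslash continuations the way Snort's parser does, which is also how a stray "\" at the end of a directive swallows the next one (the error discussed in the comments). The configuration fragment is constructed and SNORT_HOME = C:\Snort is assumed.

```python
"""Rewrite a Unix-style Snort 2.8 snort.conf for the Windows layout above. Added
example, not from the post; assumes Snort and its modules live under C:\\Snort."""
import re

SNORT_HOME = r"C:\Snort"
SSH_UNSUPPORTED = {"disable_srvoverflow", "disable_protomismatch", "disable_badmsgdir"}
DIRECTIVE = re.compile(r"\b(?:preprocessor|config|output|include|dynamic\w*)\b")

# Constructed fragment of a stock snort.conf containing the lines the post edits.
SAMPLE_CONF = r"""config detection: search-method ac-bnfa
config detection: max_queue_events 5
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
preprocessor ssh: server_ports { 22 } \
    max_client_bytes 19600 max_encrypted_packets 20 \
    disable_srvoverflow disable_protomismatch disable_badmsgdir
preprocessor dns: ports { 53 } enable_rdata_overflow
"""
# Constructed: a stray trailing backslash glues the ssl directive onto the ssh one.
GLUED_CONF = "preprocessor ssh: server_ports { 22 } \\\npreprocessor ssl: ports { 443 }\n"


def join_continuations(text):
    """Fold 'line \\' continuations into one logical line per directive, as
    Snort's parser does; blank lines are dropped, comment lines are kept."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    return [l for l in logical + [buf.strip()] if l]   # leftover buf = dangling backslash


def glued_directives(text):
    """Logical lines that swallowed a second directive because of a stray trailing
    backslash (the kind of parse error reported in the comments)."""
    return [l for l in join_continuations(text) if len(DIRECTIVE.findall(l)) > 1]


def windows_module_path(unix_path, subdir):
    """/usr/local/lib/<subdir>/libsf_dns_preproc.so -> C:\\Snort\\lib\\<subdir>\\sf_dns.dll"""
    name = re.sub(r"^lib|(_preproc)?\.so$", "", unix_path.rsplit("/", 1)[-1])
    return "\\".join([SNORT_HOME, "lib", subdir, name + ".dll"])


def convert(text):
    """Apply the post's Windows edits and return the new configuration text."""
    out, detection = [], []
    for line in join_continuations(text):
        if line.startswith("config detection:"):
            detection.append(line.split(":", 1)[1].strip())
            if len(detection) == 1:
                out.append(None)                       # placeholder for the merged line
        elif line.startswith(("dynamicpreprocessor file ", "dynamicengine ")):
            words = line.split()                       # last word is the Unix .so path
            subdir = "snort_dynamicengine" if words[0] == "dynamicengine" else "snort_dynamicpreprocessor"
            out.append(" ".join(words[:-1] + [windows_module_path(words[-1], subdir)]))
        elif line.startswith("dynamicdetection file "):
            out.append("#" + line)                     # no VRT shared-object rules on Windows
        elif line.startswith("preprocessor ssh:"):
            out.append(" ".join(t for t in line.split() if t not in SSH_UNSUPPORTED))
        else:
            out.append(line)
    if detection:                                      # one config detection line, as Snort expects
        out[out.index(None)] = "config detection: " + " ".join(detection)
    return "\n".join(out) + "\n"
```

Run it on your own file with convert(open(path).read()) and write the result back only after glued_directives() on the result returns an empty list.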
Now we are good to go. We can test Snort easily from the command line. Go to Start->Run, type cmd and press Enter. In the command prompt, type the following commands:
c: and press Enter
cd c:\snort\bin and press Enter
snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii and press Enter
Now we have entered the Snort directory and started Snort from the command line. You will first see Snort starting and parsing the config file snort.conf, and then a lot of output once Snort starts sniffing and inspecting packets on the network. If it finds a packet that is not regular network traffic (one that matches a rule), it will save information about it in the file C:\Snort\log\alert.ids. A simple record for one captured packet looks like this:
[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:79
Len: 51
Now to explain what we have here. The first line says what type of attack it is: the numbers in brackets are the generator ID, signature ID and revision of the rule that fired, followed by the rule message. The second line gives the classification and the priority, and the last three lines are data about the packet: the attacker's IP, your IP, source and destination ports and so on.
To run Snort as a Windows service instead of from the command prompt, register it with the same parameters:
snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
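The alert record explained above is easy to parse, so here is an added Python example (not from the original post) that reads alert.ids records in that full-alert format, including records without a classification line and ICMP records without ports, and counts them by priority and source host for a first triage. The three sample records are constructed from the one in the post; SIDs 1000001 and 1000002 are local placeholders, not real rules.

```python
"""Parse Snort 2.x full-alert records (the alert.ids format shown above) and
triage them by priority and source host. Added example, not from the post; the
records are constructed and the SIDs above 1000000 are local placeholders."""
import re
from collections import Counter

SAMPLE_ALERTS = """\
[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:79
Len: 51

[**] [1:1000001:1] LOCAL constructed rule without classtype [**]
[Priority: 0]
12/22-12:20:01.000000 192.168.137.10 -> 192.168.137.206
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84

[**] [1:1000002:1] LOCAL constructed high-priority rule [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
12/22-12:21:30.123456 10.0.0.5:40312 -> 192.168.137.10:445
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0  Ack: 0x0  Win: 0x2000  TcpLen: 40
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")   # [**] [gid:sid:rev] msg [**]
CLASS = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")  # classification optional
PACKET = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")     # ports absent for ICMP
PROTO = re.compile(r"^(TCP|UDP|ICMP|IP) TTL:(\d+) ")


def parse_alerts(text):
    """Return one dict per record: gid/sid/rev, message, classification,
    priority, timestamp, protocol and endpoints (ports are None for ICMP)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue                          # not an alert record; skip it
        alert = {"gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]),
                 "msg": head[4], "classification": None, "priority": None,
                 "proto": None, "src": None, "sport": None, "dst": None, "dport": None}
        for line in lines[1:]:
            if (m := CLASS.match(line)):
                alert["classification"], alert["priority"] = m[1], int(m[2])
            elif (m := PACKET.match(line)):
                alert.update(timestamp=m[1], src=m[2], sport=int(m[3]) if m[3] else None,
                             dst=m[4], dport=int(m[5]) if m[5] else None)
            elif (m := PROTO.match(line)):
                alert["proto"], alert["ttl"] = m[1], int(m[2])
        alerts.append(alert)
    return alerts


def triage(alerts):
    """Counts per priority (1 is the highest) and per source host, plus the
    priority-1 records themselves so they can be looked at first."""
    by_priority = Counter(a["priority"] for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    high = [a for a in alerts if a["priority"] == 1]
    return by_priority, by_source, high
```

For a real file, call parse_alerts(open(r"C:\Snort\log\alert.ids").read()) and feed the result to triage().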
Hi,
Thank you! I will now come to this blog every day!
Have a nice day
Socco
You are welcome.
Amar
You made a mistake.
===
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir
===
Becomes
===
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
===
You need to erase the last ' \'.
Thanks for your 'how-to'!
Hmm, I don’t think so but I will check.
The reason the \ is there is because \ says that the next line is also part of the preprocessor configuration, but I will check anyway.
Tnx for your comment.
When I keep the ' \' at the end of this configuration, I get this error:
ERROR: Invalid argument: preprocessor
Fatal Error, Quitting..
It could be; I will test it on Monday and fix it in the post if it is correct.
Tnx for the tip anyway.
I followed your steps and ignored the last "\". Snort runs smoothly, but there is still an error:
ERROR: c:\snort\etc\snort.conf(273) Unknown rule type: max_queue_events.
I wonder what this problem is.
Snort really is a big mess. I can run Snort from the command line, but I failed to start Snort in IDSCenter. IDSCenter rephrases the snort.conf into some kind of structure and that causes Snort to fail to start. Can you post an entry showing us how to configure IDSCenter? I'm going crazy with this.
Exactly, I have problems with the preprocessor bo.
preprocessor bo
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes,
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: default_server
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917
7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow
This mess, from stream5 to the end of this. I always have trouble like "unknown preprocessor stream5" or "must configure http inspect global configuration first", and so on for ftp_telnet, bla bla bla....
Thanks!!!!
Hmm, I have tested my conf and still don't have a problem with the trailing \. I have updated the post with my snort.conf file just for the record.
Regarding the stream5 preprocessor, I don't know why it is complaining, because stream5 should be in the dynamic engine; there is no separate preprocessor .dll file for it.
Test with my config file and see what happens.
I don't use IDSCenter, but I will give it a go to see what kind of problems you are having.
Yes, I'm waiting for you. Actually, I decided to ignore IDSCenter. Instead of IDSCenter, I run Snort through the command line.
BUT I still have trouble with Snort. I tried apacheDoS and guess what, Snort doesn't write any log into alert.ids. But when I use nmap, Snort writes a log. What is wrong with that? Can you suggest some more tools to test Snort?
Thank you so much.
Amar Kulo, why can't my Snort write the log file into the folders? I have tried many ways, but it still doesn't work.
Regarding ennguyennguyen’s problem with max_queue_events:
The instructions say to use this:
config detection: search-method ac-bnfa
max_queue_events 5
But this is missing a “\” after “ac-bnfa” to ensure this is interpreted as one long command without an end-of-line. Alternatively, you can simply write it as
config detection: search-method ac-bnfa max_queue_events 5
As for problems incurred by an extra trailing “\”, make sure there is nothing on the line that follows, so that the command interpreter will pick up the end-of-line. “\” is just for readability. If your code is all mashed up so that one command follows another without a blank line, and you are using trailing “\”, then the interpreter won’t know where parameters end and the next command begins. For example, the code segment:
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
will try to be read as
preprocessor ftp_telnet_protocol: preprocessor ftp_telnet_protocol:
which is nonsense.
Make sure you have newlines where newlines are needed, and “\” where the command is NOT supposed to end.
Sorry, it was my mistake that one extra "\" was left behind on the preprocessor line. Now it's removed.
Regarding logs, if you are using -l path then check whether Snort can write to the log directory.
The instructions say that config detection: search-method ac-bnfa max_queue_events 5 should be written on one line, not on two, and if you write it on two lines then you need "\" at the end of the first line.
I've been trying to install Snort on a virtual machine. The VM is in VMware and is a Windows 2003 server, and the actual physical computer is Windows 7. I cannot get this to work. I have WinPcap and have installed it, and I have the rules and have installed them. All the files within my Snort folder are not able to be read by my virtual 2003 server. Is there something I didn't download? I have all the files snort.com says you need and none of those can be read either. What did I miss?
Strange, because I have done this on VMware with 2003 as guest and XP as host and it worked without any problems. How do you start Snort? Which error messages are you receiving?
I get "snort is not recognized" as a command in that command prompt. So I went back and saw I need to configure this to be active, but when I go to the C:\Snort\etc\snort.conf file it seems I don't have a program installed that will read it. When I right-click it doesn't give me the Open With option, so how would I configure it? Other than WinPcap, is there something else I would need? Snort.com mentions Barnyard but this is also in a format that is unreadable in my virtual machine.
Snort is not recognized as a command because you don't have it in the path, but that's OK; you just need to enter c:\snort\bin and run snort from there, or type the whole path c:\snort\bin\snort.exe.
Regarding the second problem, a .conf file is a text file; you can edit it in Notepad, WordPad or any other text editor. I prefer Notepad++, which is free and works really well.
OK, it seems when I run that command now I get the list of commands, and the final line says you need to tell me to do something. Thank you so much. I'm in the process of trying to find these commands in the .conf; they seem to be in different places than you have them here. I'm using Notepad++.
The easiest way to run Snort for testing is to open a command prompt and write all the commands from there. You can read the blog post again and see how I did it from the command prompt for testing. When you edit the snort.conf file you just need to pass it to snort.exe with -c path_to_config_file and some extra parameters for testing like verbose, interface number if needed and so on.
I have written about that in the blog post.
Not sure I follow you; is the blog post on Twitter? Sorry, I'm new to this side of IT. I just build kiosks for stores and just started school to get some more knowledge, but it seems like I have a ways to go.
Nope, I'm referring to the post above the comments. There I have written snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii as the line to test everything from the command prompt.
I’m glad that I could help.
I get an "Unknown command line checksum option: ascii" fatal error, quitting,
when I do that.
Hmm, strange; try without the -K ascii switch.
I got a fatal error when I took out -k ascii, but when I add just the -k it seems to run fine and shows me a lot of information, including what looks like all the commands. Might it be working correctly now?
You need to pay attention to the case of the switch, because -k and -K are not the same.
-k Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K Logging mode (pcap[default],ascii,none)
with -K i get
error: C:\Documents and setting\snort\destop\snort-2.8.5.3\src\parser.c(5050)
Could not stat dynamic module path “/usr/local/lib/snort_dynamicpreprocessor/”:
no such file or directory
fatal error, quitting…
You are getting that because you didn't read my blog post and didn't edit snort.conf as I wrote. You need to point Snort to the right places, because the default conf is for Linux; that's why you need to edit it as I described above.
Well, I'll try it again. The lines you have are not the same using Notepad++; 269 and 270 are not what you have listed, nor are the others. I will try and see if I find them line by line. Thanks.
Hi! I need to become a Snort user, but I do not have enough skills to configure and use it. May I get help and a guide for this? I use Windows 7, 32-bit. Thanks!
Well, on the site you have how to install it; then you just need to parse the logs with some log analyzer and take actions based on the log entries.
After reading some books, I found that it requires installing WinPcap and Snort, but after the installation of Snort I didn't find anything, so can you give the principal steps to be followed? Thanks.
Well, first is to run Snort as a service and to log something; then you need to parse the logs and take actions based on the log entries.
For example, you will have different kinds of entries, but with priority 1, 2 or 3, which mean high, moderate or informational priority.
When you detect something with high priority you can take actions based on the alert with that software; I'm using Manage Engine Log Analyzer (which is free for up to 5 servers) to manage actions based on log entries.
P.S. After installation you will need to download the latest ruleset for Snort and apply it as well.
I just need to detect network intrusion.
You can try to create some with a network scanning tool like Retina or Nessus, which is free, and see what's happening.
There are also command switches to start Snort from the command prompt and display everything on the console, so you can check if it is working in real time.
Hello! I need to know how I can use Snort to detect network intrusion, because I've read that it requires the following software: Snort, WinPcap, MySQL..., but I do not get how I can implement that system to detect intrusion. I use Windows 7 Ultimate 32-bit, and I would like to ask if it requires knowing at least one programming language. Which one is the best?
can i get source code to be used?
thanks!
I have it installed with Manage Engine Log Analyzer, which is free for up to 5 hosts. On the same machine Snort is installed with the -E flag, which tells it to log everything to the event log; then EventLog Analyzer parses those logs and I have created special kinds of alerts that alert me in case some suspicious Snort log entry has been found. You don't need to know any programming language to implement this. I will write a new blog post on how to have everything configured and set up properly.
Hi! After the installation of WinPcap I didn't see anything from the network driver; what can I do?
Hi!
You can try to start Snort from the command prompt just to see if it is capturing anything, with the command snort -v. In case of an error with WinPcap you will see directly which error you have. You can also try running snort -W if you have more than one network interface, and if that is the case run Snort with snort -v -i number_of_interface_that_you_got_with_the_command_before.
How are you?
Please help me. I try to run Snort with this command: "snort -c c:\snort\etc\snort.conf -l c:\Snort\log -i3" on Windows 7 Ultimate 32-bit, and then I get errors: Unknown preprocessor: "normalize _ipv4", could not create registry key. What can I do to fix this error?
thanks!
Hello.
Try to start the command prompt as administrator; then you will have more privileges.
Sir, how does Snort work? Will you give information about it, please?
I'm writing an article about it and will publish it soon.
Is there any difference, feature-wise, between installing Snort on Windows or on Linux?
Thanks
There isn't any difference in functionality; the Linux version has the SSH modules as well, but the principle is the same.
Hi amar,
I want to have Snort send real-time alerts to my remote syslog server and also send alerts to my email address.
I am using IDS center and it seems like alerts are getting written to the alerts.ids log file, but it is neither sending to syslog nor via email.
Below is the config for syslog:
output alert_syslog: host=10.1.1.254:514, LOG_AUTH LOG_ALERT
output alert_fast : alerts.ids
I am using AlertMail and the interesting thing is that Test Message works, but it doesn't send in real time, so something needs to be activated.
Below are the service parameters I am running:
Snort is currently configured to run as a Windows service using the following
command-line parameters:
-c C:\Snort\etc\snort.conf -l C:\Snort\log -s -k all -i3
Please advise if I am missing anything.
Many thanks
Your link to download Snort is dead. Please update it so people can continue to use your directions and get the correct version of Snort. Thank you.
Thanks, will do.
Regarding your comments about moderation, it's not moderation that's the issue, it's spam.
I want to apologize for being so hasty with my words. I do understand the spam and wanted to be a man and apologize for being rude. You don't have to post this; I just wanted you to know I feel like a complete a-hole about it! Have a great day and great blog, best of luck!
No hard feelings here
The reason for moderation is that the Akismet spam filter is down sometimes, and then I get loads of spam idiots with replicas of watches, viagra, you name it, which I block manually, but all comments from real people are approved directly, good and bad ones.
Glad that you find the blog helpful.
Regards
Amar
Another quick question for you, Amar. The newest version of Snort is currently at 2.9 something; will these directions work with the newest version too?
I'm looking through the snort.conf now and things seem to be a bit different. Once again, thanks for your time and patience.
I think they should without any problem; the only things changed are the new ruleset and eventually some new config options in snort.conf, but as we are using the default one with the SSH preprocessor options removed, it should work.
Excellent, I will try to finish up my install today. Thanks again!
Glad that I could help.
Cheers