How to Install Snort Intrusion Detection System on Windows

First short explanation what is Snort from Snort’s official website:

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Installation of Snort on Windows is pretty simple.

First, you need to download and install few things. For Snort to be able to act as sniffer and IDS it needs Windows Packet Capture Library which is WinPcap. Find and download the latest stable version on this link.

When we have WinPcap installed the next step will be to download Snort. The latest stable version for Windows you can download here. Installation shouldn’t be a problem, if you need IPv6 support and logging to Microsoft SQL or Oracle database then you need to select proper radio and check boxes and if don’t then just go with next to the end of the installation. Default installation directory is C:\Snort so memorize it, because it will be our working dir all the time.

So we have installed WinPcap and Snort but we are not finished with installation yet. We have one more thing to download and install. The Snort rules. These rules are those small files that tells Snort what it should search for in captured packages and how to identify them, as a threat, information disclosure or something else. For us to be able to download Snort rules we have to be registered on Snort’s site. Registration is free and rules are one month old for free users, for those who need the latest threats detected at the same moment when they are published to the community I suggest to buy VRT subscription so you will have the latest rules directly as they are announced. So we will download snortrules-snapshot rules archive file.

When you open archive file you will get following structure:

Copy all four directories over those in C:\Snort replacing contents that already exists on the hard drive.

When we are done with the easy part we need to configure Snort to run. Because these rules are written for unixoid systems we need to change some things in the main config file C:\Snort\etc\snort.conf so that Snort can start at all.

Here are the things that you need to edit to be able to run snort:

Find lines 269 and 270. These lines will not allow Snort to start, at least not on Windows because Snort detects the second one as double config detection line so we need to change that.

Change from this:

1
2
config detection: search-method ac-bnfa
config detection: max_queue_events 5

To this:

1
config detection: search-method ac-bnfa max_queue_events 5

Next thing that we need to change are lines where we say to Snort where to find dynamic preprocessor files. On lines from 298 to 303 change from this:

1
2
3
4
5
6
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

To this:

1
2
3
4
5
6
7
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll

Next change is on line 324 where we have dynamic engine path, so change it from this:

1
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

To this:

1
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

I don’t know why, maybe some mistake, but lines bellow should be commented out by default, but they were not so we have to comment them out. Because we are not VRT subscriber and don’t have any dynamic detection files we need to coment lines from 339 to 354, so change them from this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

To this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

We need also to trim a bit SSH preprocessor to work on Windows as it is different from Linux one, so find line 753 and change from this:

1
2
3
4
5
6
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir

To this:

1
2
3
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20

So, we are good to go. We can test Snort easily from the command line. Go on Start->Run and type cmd following by enter key. In command prompt type following commands:

  • c: and then enter key
  • cd c:\snort\bin and then enter key
  • snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii and then enter key

We have entered Snort directory and started Snort on command line. You will first see Snort starting and parsing config file Snort.conf and then you will see lot of output when Snort start sniffing and controlling packets on the network. If it finds any packet that is not regular network traffic it will save info about it in c:\Snort\Log\alert.ids file. Simple output of one captured packet looks like this:

1
2
3
4
5
[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:79
Len: 51

Now to explain what do we have here. The first line says what type of attack is it, the second line says what classification is it and what priority does it have, and the last three lines are data about the attack, attacker IP, your IP, destination and source ports and so on.

Important part of this log is [Priority: 2] because that’s how you can identify the real threat from false one. The threats are divided in three groups, group 3 or [Priority: 3] is the lowest one and it usually means that someone is scanning your network. The second one is a bit more serious. It’s information disclosure and it has [Priority: 2]. This means that someone has got some info about services that you are running which is usually the first part of any attack, colleting information about your network and services. The most critical one is the one with [Priority: 1] which usually means that right now someone is trying to exploit some of services that you are running. This could mean that you have older version of some service on your server, like IIS that is not updated or Exchange server or something else and that Snort has detected some patterns in packages sent to server that could be exploits which can do harm.

When we can stop Snort with Ctrl+C, Snort will display some statistics. The only thing that left is to install Snort as a Windows service. To do so we will write following command on the command prompt:

1
snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii

After this command is being completed, service is installed and you can start it from the service manager or simply type sc start snortsvc on the command prompt.

So with this latest command Snort is installed on your machine and is logging everything. Now you just need some program to parse alerts and do actions based on the alert priority. There are lot of those available on the Internet.

Note 1: If you have more than one network interface on your machine you need to tell Snort on which one should it listen. First type Snort -W command to list all interfaces on your machine (works only on Windows) and then when you find which interface is the one that you will listen on then you need to add -i n where n is number of interface from the list that you got. You need to add that to all Snort commands that you are executing from command prompt and when creating Windows service.

Note 2: If you want Snort to log alerts to Eventlog as well as to log files than add -E (only on Windows) to the command line parameters.

Update 1: Here is my snort.conf file which is working on my machine without any problems. It could be something with updated rules that can cause problems with starting of Snort.

Update 2: One trailing / on ssh preprocesor line was left by mistake, now it’s removed.

Update 3: Removed version numbers so that document points always on the latest versions of Snort and WinPcap.