First short explanation what is Snort from Snort official website:
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Installation of Snort on Windows is pretty simple.
First, you need to download and install few things. For Snort to be able to act as sniffer and IDS it needs Windows Packet Capture Library which is WinPcap. The stable latest version on the site is 4.1.1 and you can download it here.
Now when we have WinPcap installed the next step will be to download Snort. The latest version for Windows is 2.8.5.1 and you can download it here. Installation shouldn’t be a problem, if you need IPv6 support and logging to Microsoft SQL or Oracle database then you need to select proper radio and check boxes and if don’t then just go next and next to the end and that’s it. Default installation directory is C:\Snort so remember it because it will be our working dir all the time.
So we have installed WinPcap and Snort but we are not finished with installation yet. We have one more thing to download and install. The Snort rules. These rules are those small files that tells Snort what it should search for in captured packages and how to identify them, as a threat, information disclosure or something else. For us to be able to download Snort rules we have to be registered on Snort site. Registration is free and rules are one month old for free users, for those who need the latest threats detected at the same moment when they are published to the community I suggest to buy VRT subscription so you will have the latest rules directly as they are announced. So now we will download snortrules-snapshot-2.8.tar.gz rules archive file. When you open archive file you will get following structure:
Copy all four directories over those in C:\Snort replacing contents that already exists on the hard drive.
Now when we are done with easy part we need to configure Snort to run. Because these rules are written for unixoid systems we need to change some things in the main config file C:\Snort\etc\snort.conf so that Snort can start at all.
Here are the things that you need to edit to be able to run snort:
Find lines 269 and 270. These lines will not allow Snort to start, at least not on Windows because Snort detects the second one as double config detection line so we need to change this.
Change from this:
config detection: search-method ac-bnfa
config detection: max_queue_events 5
To this:
config detection: search-method ac-bnfa max_queue_events 5
Now, the next thing that we need to change is lines where we say to Snort where to find dynamic preprocessor files. On lines from 298 to 303 change this:
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
To this:
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
Next thing to change is line 324 on which we have dynamic engine path, so change it from this:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
To this:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
I don’t know why, maybe some mistake, but lines bellow should be commented out by default, but they were not so we have to comment them out. Because we are not VRT subscriber and don’t have any dynamic detection files we need to coment lines from 339 to 354, so change this:
dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
To this:
#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
Now we need to trim a bit SSH preprocessor to work on Windows as it is different from Linux one, so find line 753 and change this:
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir
To this:
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
Now we are good to go. We can test snort easily from the command line. So now go on Start->Run and type cmd following by enter key. Now in command prompt type following commands:
c: and then enter key
cd c:\snort\bin and then enter key
snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii and then enter key
So now we have entered Snort directory and started Snort on command line. You will first see Snort starting and parsing config file snort.conf and then you will see lot of output when Snort start sniffing and controlling packages on the network. If it finds any package that is not regular network traffic it will save info about it in c:\Snort\Log\alert.ids file. Simple output of one captured packet looks like this:
[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0×0 ID:5399 IpLen:20 DgmLen:79
Len: 51
Now to explain what we have here. The first line says what type of attack is it, the second line says what classification is it and what priority does it have, and the last three lines are data about the attack, attacker IP, your IP, destination and source ports and so on.
snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
Related posts:
Tags: capture, free, freeware, ids, packet, pcap, server, sniff, sniffer, snort, win, windows, winpcap
[...] This post was mentioned on Twitter by Branko Rihtman, Amar Kulo. Amar Kulo said: From my blog: How to install Snort Intrusion Detection System on Windows http://is.gd/5xoE8 [...]
Hi,
Thank you! I would now go on this blog every day!
Have a nice day
Socco
You are welcome.
Amar
You make a mistake.
===
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir
===
Becomes
===
preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
===
You need to erase last ‘ \’
Thanks for you ‘how-to’!
Hmm, I don’t think so but I will check.
Reason why / is there is because / says that next line also is part of preprocessor configuration but I will check anyway.
Tnx for your comment.
When i keep the ‘ \’ at the end of this configuration, i have this error :
ERROR: Invalid argument: preprocessor
Fatal Error, Quitting..
It could be, I will test it on Monday and fix it in post if it is correct.
Tnx for the tip anyway.
I follow your step, ignore the last “/”. Snort run smoothly, but there still an error:
ERROR: c:\snort\etc\snort.conf(273) Unknown rule type: max_queue_events.
I wonder what this problem is.
Snort really is a big mess. When I can run snort in command line, I failed to start Snort in IDSCenter. IDSCenter refrase the snort.conf in somekind of structure and it cause Snort failed to start. Can you post an entry show us how to configure IDSCenter? I’m going crazy with this.
Exactly, I have problems with the preprocessor bo.
preprocessor bo
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes,
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: default_server
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917
7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow
This mess, from stream5 to the end of this. I always have trouble like “unknown preprocessor stream5″ or “must configure http inspect global configuration first” and so far, ftp_telnet, bla bla bla….
Thanks!!!!
Hmm I have tested my conf and still don’t have problem with trailing \. I have updated post with my snort.conf file just for the records.
Regarding stream5 preprocessor, I don’t know why is it complaining because stream5 should be in dynamic engine, there is no separate preprocessor .dll file for it.
Test with my config file and see what happens.
I don’t use IDSCenter, but I will give it a go to see what kind of problems are you having.
Yes, I’m waiting for you. Actually, I decided to ignore IDSCenter. Instead of IDSCenter, I run snort through command line.
BUT still I have trouble with snort. I try apacheDoS and guess what, Snort doesn’t write any log into alert.ids. But when I using nmap, Snort writes log. What wrong with that? Can you suggest me some more tools to test Snort?
Thank you so much.
Amar Kulo, why can’t my snort write log file into folders? I try many ways, but that still doesn’t work.
Regarding ennguyennguyen’s problem with max_queue_events:
The instructions say to use this:
config detection: search-method ac-bnfa
max_queue_events 5
But this is missing a “\” after “ac-bnfa” to ensure this is interpreted as one long command without an end-of-line. Alternatively, you can simply write it as
config detection: search-method ac-bnfa max_queue_events 5
As for problems incurred by an extra trailing “\”, make sure there is nothing on the line that follows, so that the command interpreter will pick up the end-of-line. “\” is just for readability. If your code is all mashed up so that one command follows another without a blank line, and you are using trailing “\”, then the interpreter won’t know where parameters end and the next command begins. For example, the code segment:
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
will try to be read as
preprocessor ftp_telnet_protocol: preprocessor ftp_telnet_protocol:
which is nonsense.
Make sure you have newlines where newlines are needed, and “\” where the command is NOT supposed to end.
Sorry, it was my mistake that one extra “\” was left behind on preprocesor line. Now it’s removed.
Regardin logs, if you are using -l path then check if snort can write to log directory.
Instruction says that config detection: search-method ac-bnfa max_queue_events 5 should be written on one line, not on two, and if you are writing them on 2 then you need “\” on the end of the first line.
Been trying to install snort on a virtual machine. The virtual is through VMware and its Windows 2003 server. And the actuall physical computer is Windows 7 I cannot get this to work i have Winpcap and have installed it and i have the rules and have installed them. All the files within my Snort folder are not able to be read by my Virtual machine 2003 server. Is there something i didnt download i have all the files snort.com says you need and none of those can be read either. What did i miss?
Strange because I have done this on vmware with 2003 as guest and xp as host and it worked without any problems. How do you start snort? Which error messages are you receiving?
I get snort is not recognized command through that command prompt. So i went back and saw i need to configure this to be active but when i go to the C:\Snort\etc\snort.conf file it seems i dont have a program installed that will read it. When i right click it doesnt give me the Open With option so how would i configure it ? Other then winpcap is there something else i would need? Snort.com mentions Barnyard but this is also in a format the is unreadable in my Virtual.
Snort is not recognized as a command because you don’t have it in path but that’s ok, you just need to enter c:\snort\bin and run snort from there or type whole path c:\snort\bin\snort.exe
Regarding the second problem, .conf file is a text file, you can edit it notepad, wordpad or any other text editor, I prefer notepad++ which is free and works really good.
Ok seems when run that command now i get the list of commands and and the final line says you need to tell me to do something.Thank you so much im in the process of trying to find these commands in the .conf they seem to be in different places then you have it on here im using the Notepad++.
The easiest way to run snort for testing is to run command prompt and from there to write all commands. You can read blog post again and see how did I do it from command prompt for testing. When you edit snort.conf file you just need to pass it to snort.exe with -c path_to_config_file and some extra parameters for testing like verbose, interface number if needed and so on.
I have wrote about that in blog post.
Not sure i follow you is the blog post on twitter ? sorry new to this side of IT im just build kiosks for stores and just started school to get some more knowledge but Seems like i have a ways to go
Nope, I’m referring to the post above comments. There I have written snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii as a line to test everything from command prompt
I’m glad that I could help.
I get a Unknown command line checksum option: ascii fatal error, quiting
when i do that
Hmm strange, try without -K ascii switch
Got a fatal error when i took out -k ascii but when i add just the -k it seems to runs fine shows me a lot of information including what looks like all the commands might it be working correctly now?
You need to pay attention to case of the switch, because -k and -K are not the same.
-k Checksum mode (all,noip,notcp,noudp,noicmp,none) Logging mode (pcap[default],ascii,none)
-K
with -K i get
error: C:\Documents and setting\snort\destop\snort-2.8.5.3\src\parser.c(5050)
Could not stat dynamic module path “/usr/local/lib/snort_dynamicpreprocessor/”:
no such file or directory
fatal error, quitting…
You are getting that because you didn’t read my blog post and you didn’t edited snort.conf like i have wrote. You need to point snort to look on right places because default conf is for linux and that’s why you need to edit it like I have described above.
Well I’ll try it again the lines you have are not the same using Notepad ++ 269 270 are not what you have listed nor ar the otheres i will try and see if i find them line by line thanks
[...] Snort release the needed tweaks may vary. A good guide for installing Snort on Windows can be found here. Below are instructions for tweaking the snort.conf file as of the 2.8.6 Snort [...]