Comments on: How to install Snort Intrusion Detection System on Windows

By: amar

amar — Wed, 14 Dec 2011 14:34:10 +0000

Glad that I could help.

Cheers

By: Hans

Hans — Wed, 14 Dec 2011 14:33:30 +0000

Excellent, I will try to finish up my install today. Thanks again!

By: amar

amar — Wed, 14 Dec 2011 07:23:47 +0000

I think they should without any problem, the only thing changed are new ruleset and eventually some new config options in snort.conf but as we are using default one with removed ssh preprocessor it should work.

By: Hans

Hans — Tue, 13 Dec 2011 19:39:47 +0000

Another quick question for you Amar. The newest version of Snort is currently at 2.9 something, will these directions work with the newest version too?

I’m looking through the snort.conf now and things seem to be a bit different. Once again thanks for your time and patience..

By: amar

amar — Tue, 13 Dec 2011 18:05:28 +0000

No hard feelings here

Reason for moderation is that akismet spam filter is down sometimes and then I got loads of spam idiots with replicas of watches, viagra, you name it which I block manually, but all comments from real people are approved directly, good and bad ones.

Glad that you find blog helpful.

Regards
Amar

By: Hans

Hans — Tue, 13 Dec 2011 18:03:32 +0000

I want to apologize for being so hasty with my words. I do understand the spam and wanted to be a man and apologize for being rude. You don’t have to post this, I just wanted you to know i feel like a complete a-hole about it! Have a great day and great blog, best of luck!

By: amar

amar — Tue, 13 Dec 2011 16:55:02 +0000

Tnx, will do.

Regarding your comments about moderation it’s not moderation that’s issue, it’s spam.

By: Hans

Hans — Tue, 13 Dec 2011 16:52:00 +0000

Your link to download snort is dead.. Please update it so people can continue to use your directions and get the correct version of snort.. Thank you..

By: Kashif

Kashif — Tue, 15 Nov 2011 17:54:35 +0000

Hi amar,
I want to have SNORT send realtime alerts to my remote syslog server and also send alerts to my email address.
I am using IDS center and it seems like alerts are getting wrtitten on alerts.ids log file but it is neither sending to sysslog nor via email.
Below is config for syslog:

output alert_syslog: host=10.1.1.254:514, LOG_AUTH LOG_ALERT
output alert_fast : alerts.ids

I am using AlertMail and interneting thing is Test Messge works but it doesnt send realtime so something needs to be activated.
Below is the service paramerters I am running:

Snort is currently configured to run as a Windows service using the following
command-line parameters:

-c C:\Snort\etc\snort.conf -l C:\Snort\log -s -k all -i3

Please advice if I am missing anything.
Many thanks

By: amar

amar — Thu, 29 Sep 2011 18:29:31 +0000

There isn’t any difference in functionality, linux version has ssh modules as well, but principle is the same.

By: Ali Raza

Ali Raza — Thu, 29 Sep 2011 17:12:36 +0000

Is there any difference, feature wise, installing Snort in Windows or Linux?
Thanks

By: amar

amar — Wed, 14 Sep 2011 19:00:05 +0000

I’m writing article about it, will publish it soon.

By: Bhavin Satashiya

Bhavin Satashiya — Wed, 14 Sep 2011 17:49:54 +0000

sir, how the snort are work..will you give information about it.please..

By: amar

amar — Wed, 07 Sep 2011 12:23:56 +0000

Hello.

Try to start command prompt as administrator, then you will have more privileges.

By: GAKURU

GAKURU — Sat, 03 Sep 2011 07:47:04 +0000

how ‘re you?
please help me,i try to run snort by this command:”snort -c c:\snort\etc\snort.conf -l c:\Snort\log -i3″ on windows 7 ultimate 32bits, then an errors: Unknown preprocessor:”normalize _ipv4″ could not create registry key. what can i do to fix this error?
thanks!

By: amar

amar — Mon, 15 Aug 2011 06:25:46 +0000

I have it installed with Manage Engine Log Analyzer which is free up to 5 hosts. On the same machine snort is installed with -E flag which tells him to log everything in eventlog, then EventLog Analyzer is parsing those logs and I have created special kind of alerts that alerts me in case that some suspicious snort log has been found. You don’t need to know any programming language to implement this. I will write a new blog post how to have everything configured and setup properly.

By: amar

amar — Mon, 15 Aug 2011 06:23:34 +0000

Hi!

You can try to start snort from command prompt just to see if it is capturing anything with command snort -v. In case of error with winpcap you will see directly which error you have. Also you can try running snort -W if you have more than one network interface and then if that is the case run snort with snort -v -i number_of_interface_that_you_got_with_command_before.

By: jonh gape

jonh gape — Sat, 13 Aug 2011 16:39:50 +0000

hi! after installation of winpcap i didn’t saw anything from network driver, then what can i do?

By: GATERA J.Peter

GATERA J.Peter — Mon, 25 Jul 2011 18:36:55 +0000

hello!i need to know how i can use snort to detect network intrusion,because i’ve read that it requires the following softwares: Snort, WinPCap, Mysql……, but i do not get how i can implement that system to detect intrusion. i use windows 7 , ultimate 32bits, and i would like to ask if it requires to know at least one of the programming languages?which one is the best?
can i get source code to be used?
thanks!

By: amar

amar — Fri, 22 Jul 2011 20:27:47 +0000

You can try to create it with some network scanning tool like Retina or Nessus which is free and see what’s happening.

There are also command switches to start snort from command prompt and to display everything on console so you can check if it is working in real time.

By: amar

amar — Fri, 22 Jul 2011 20:26:12 +0000

Well first is to run snort as service and to log something, then you need to parse logs and do actions based on log entries.

For example you will have different kind of entries but with priority 1, 2 or 3, where that mean high, moderate or informational priority.

When you detect something with high priority then you can with that software do actions based on alert, I’m using Manage Engine Log Analyzer (which is free up to 5 servers) to manage actions based on log entries.

P.S. After installation you will need to download the latest ruleset for Snort and to apply them as well.

By: GATERA J.Peter

GATERA J.Peter — Fri, 22 Jul 2011 19:59:49 +0000

just i need to detect network intrusion

By: GATERA J.Peter

GATERA J.Peter — Fri, 22 Jul 2011 19:23:14 +0000

after reading some books, i found that it requires to install winpcap and snort, but after installation of snort i didn’t find anything, so can you give the principal steps to be followed? thanks

By: amar

amar — Thu, 21 Jul 2011 21:35:21 +0000

Well on site you have how to install it, then you just need to parse logs with some log analyzer and do actions based on log entries.

By: GATERA J.Peter

GATERA J.Peter — Thu, 21 Jul 2011 20:07:29 +0000

hi! i need to became a snort user,but i do not have enough skills to configure and use it, may i get help and guide for this? i use windows7 ,32bits. thanks!

By: » snort

» snort — Fri, 03 Jun 2011 02:13:22 +0000

[...] http://blog.amarkulo.com/how-to-install-snort-ids-on-windows « Time to go to college NOT [...]

By: FooSpidy » Blog Archive » A fairly decent honeypot

FooSpidy » Blog Archive » A fairly decent honeypot — Sun, 20 Jun 2010 14:23:24 +0000

[...] Snort release the needed tweaks may vary. A good guide for installing Snort on Windows can be found here. Below are instructions for tweaking the snort.conf file as of the 2.8.6 Snort [...]

By: steve

steve — Thu, 01 Apr 2010 16:12:37 +0000

Well I’ll try it again the lines you have are not the same using Notepad ++ 269 270 are not what you have listed nor ar the otheres i will try and see if i find them line by line thanks

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 15:56:08 +0000

You are getting that because you didn’t read my blog post and you didn’t edited snort.conf like i have wrote. You need to point snort to look on right places because default conf is for linux and that’s why you need to edit it like I have described above.

By: steve

steve — Thu, 01 Apr 2010 15:52:14 +0000

with -K i get
error: C:\Documents and setting\snort\destop\snort-2.8.5.3\src\parser.c(5050)
Could not stat dynamic module path “/usr/local/lib/snort_dynamicpreprocessor/”:
no such file or directory
fatal error, quitting…

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 15:29:29 +0000

You need to pay attention to case of the switch, because -k and -K are not the same.

-k Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K Logging mode (pcap[default],ascii,none)

By: steve

steve — Thu, 01 Apr 2010 15:27:08 +0000

Got a fatal error when i took out -k ascii but when i add just the -k it seems to runs fine shows me a lot of information including what looks like all the commands might it be working correctly now?

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 15:11:54 +0000

Hmm strange, try without -K ascii switch

By: steve

steve — Thu, 01 Apr 2010 15:10:48 +0000

I get a Unknown command line checksum option: ascii fatal error, quiting
when i do that

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 15:00:28 +0000

Nope, I’m referring to the post above comments. There I have written snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii as a line to test everything from command prompt

I’m glad that I could help.

By: steve

steve — Thu, 01 Apr 2010 14:56:35 +0000

Not sure i follow you is the blog post on twitter ? sorry new to this side of IT im just build kiosks for stores and just started school to get some more knowledge but Seems like i have a ways to go

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 14:26:34 +0000

The easiest way to run snort for testing is to run command prompt and from there to write all commands. You can read blog post again and see how did I do it from command prompt for testing. When you edit snort.conf file you just need to pass it to snort.exe with -c path_to_config_file and some extra parameters for testing like verbose, interface number if needed and so on.

I have wrote about that in blog post.

By: steve

steve — Thu, 01 Apr 2010 14:22:43 +0000

Ok seems when run that command now i get the list of commands and and the final line says you need to tell me to do something.Thank you so much im in the process of trying to find these commands in the .conf they seem to be in different places then you have it on here im using the Notepad++.

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 13:08:06 +0000

Snort is not recognized as a command because you don’t have it in path but that’s ok, you just need to enter c:\snort\bin and run snort from there or type whole path c:\snort\bin\snort.exe

Regarding the second problem, .conf file is a text file, you can edit it notepad, wordpad or any other text editor, I prefer notepad++ which is free and works really good.

By: steve

steve — Thu, 01 Apr 2010 13:03:27 +0000

I get snort is not recognized command through that command prompt. So i went back and saw i need to configure this to be active but when i go to the C:\Snort\etc\snort.conf file it seems i dont have a program installed that will read it. When i right click it doesnt give me the Open With option so how would i configure it ? Other then winpcap is there something else i would need? Snort.com mentions Barnyard but this is also in a format the is unreadable in my Virtual.

By: Amar Kulo

Amar Kulo — Thu, 01 Apr 2010 12:41:31 +0000

Strange because I have done this on vmware with 2003 as guest and xp as host and it worked without any problems. How do you start snort? Which error messages are you receiving?

By: steve

steve — Thu, 01 Apr 2010 12:38:43 +0000

Been trying to install snort on a virtual machine. The virtual is through VMware and its Windows 2003 server. And the actuall physical computer is Windows 7 I cannot get this to work i have Winpcap and have installed it and i have the rules and have installed them. All the files within my Snort folder are not able to be read by my Virtual machine 2003 server. Is there something i didnt download i have all the files snort.com says you need and none of those can be read either. What did i miss?

By: Amar Kulo

Amar Kulo — Mon, 15 Feb 2010 07:49:56 +0000

Sorry, it was my mistake that one extra “\” was left behind on preprocesor line. Now it’s removed.

Regardin logs, if you are using -l path then check if snort can write to log directory.

Instruction says that config detection: search-method ac-bnfa max_queue_events 5 should be written on one line, not on two, and if you are writing them on 2 then you need “\” on the end of the first line.

By: gregg

gregg — Mon, 15 Feb 2010 01:22:39 +0000

Regarding ennguyennguyen’s problem with max_queue_events:

The instructions say to use this:
config detection: search-method ac-bnfa
max_queue_events 5

But this is missing a “\” after “ac-bnfa” to ensure this is interpreted as one long command without an end-of-line. Alternatively, you can simply write it as
config detection: search-method ac-bnfa max_queue_events 5

As for problems incurred by an extra trailing “\”, make sure there is nothing on the line that follows, so that the command interpreter will pick up the end-of-line. “\” is just for readability. If your code is all mashed up so that one command follows another without a blank line, and you are using trailing “\”, then the interpreter won’t know where parameters end and the next command begins. For example, the code segment:

preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \

will try to be read as
preprocessor ftp_telnet_protocol: preprocessor ftp_telnet_protocol:

which is nonsense.

Make sure you have newlines where newlines are needed, and “\” where the command is NOT supposed to end.

By: ennguyennguyen

ennguyennguyen — Wed, 13 Jan 2010 19:00:08 +0000

Amar Kulo, why can’t my snort write log file into folders? I try many ways, but that still doesn’t work.

By: ennguyennguyen

ennguyennguyen — Wed, 13 Jan 2010 13:11:37 +0000

Yes, I’m waiting for you. Actually, I decided to ignore IDSCenter. Instead of IDSCenter, I run snort through command line.

BUT still I have trouble with snort. I try apacheDoS and guess what, Snort doesn’t write any log into alert.ids. But when I using nmap, Snort writes log. What wrong with that? Can you suggest me some more tools to test Snort?

Thank you so much.

By: Amar Kulo

Amar Kulo — Wed, 13 Jan 2010 10:10:17 +0000

Hmm I have tested my conf and still don’t have problem with trailing \. I have updated post with my snort.conf file just for the records.

Regarding stream5 preprocessor, I don’t know why is it complaining because stream5 should be in dynamic engine, there is no separate preprocessor .dll file for it.

Test with my config file and see what happens.

I don’t use IDSCenter, but I will give it a go to see what kind of problems are you having.

By: ennguyennguyen

ennguyennguyen — Tue, 12 Jan 2010 10:49:38 +0000

Snort really is a big mess. When I can run snort in command line, I failed to start Snort in IDSCenter. IDSCenter refrase the snort.conf in somekind of structure and it cause Snort failed to start. Can you post an entry show us how to configure IDSCenter? I’m going crazy with this.

Exactly, I have problems with the preprocessor bo.

preprocessor bo

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes,
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: default_server
preprocessor ftp_telnet: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: \
preprocessor SMTP: \
preprocessor ssh: server_ports { 22 } \
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917
7918 7919 7920 }, trustservers, noinspect_encrypted
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
preprocessor dns: ports { 53 } enable_rdata_overflow

This mess, from stream5 to the end of this. I always have trouble like “unknown preprocessor stream5″ or “must configure http inspect global configuration first” and so far, ftp_telnet, bla bla bla….

Thanks!!!!

By: ennguyennguyen

ennguyennguyen — Tue, 12 Jan 2010 10:13:02 +0000

I follow your step, ignore the last “/”. Snort run smoothly, but there still an error:

ERROR: c:\snort\etc\snort.conf(273) Unknown rule type: max_queue_events.

I wonder what this problem is.

By: Amar Kulo

Amar Kulo — Fri, 08 Jan 2010 19:41:37 +0000

It could be, I will test it on Monday and fix it in post if it is correct.

Tnx for the tip anyway.