Install Snort IDS in Windows
In this article, we are going to install Snort on windows, perform basic configuration then add snort rules. Snort can also be configured as an intrusion prevention system, but in our case, we will just configure snort as an IDS.
Carry out the following steps
Download and install Snort and Winpcap
Download snort rules
Configure snort.conf file
Run snort that displays alert on console
Run snort that saves alert to a file
=============================================================
Step 1:
Note: Install snort and winpcap as an administrator.
Download winpcap https://www.winpcap.org/ and install it as an administrator, just let it install with default settings. Restart your computer.
Download snort installer exe at https://www.snort.org/downloadsand install it as an administrator, just choose defaults configuration where you only have to click “I Agree”, “Next” , “Next” , “Next”, “Close” and “Ok”.
===============================================================
Step 2:
Sign up for an account in snort to be able to download rules set. Signing up is easy and you will receive an email confirmation from snort then after confirmation, you now can log in and download the rule set (see image below) https://www.snort.org/downloads#rules.
Download rules
Extract the downloaded file, in my case the file is snortrules-snapshot-2990.tar.gzthen it became snortrules-snapshot-2990.tar. Also extract this file and you will have four folders.
etc
preproc_rules
rules
so_rules
Copy etc contents to C:\Snort\etc\ and replace existing files to the updated version.
Copy preproc_rules contents to C:\Snort\preproc_rules\ and replace existing.
Copy rules contents to C:\Snort\rules\
================================================================
Step 3: Open the snort.conf file with your favorite text editor, I my case, I use wordpad.
Scroll down and look for the following lines and make change as indicated below. Do not copy paste including underlined statements, they are just remarks.
From | To Note: Reasons are also stated here underlined |
ipvar HOME_NET any | ipvar HOME_NET 192.168.43.0/24
Where 192.168.43.0/24 is my home network, yours could be different |
ipvar EXTERNAL_NET any | ipvar EXTERNAL_NET !$HOME_NET
Because any IP that is not in my home net might be an external net |
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules | var RULE_PATH C:\Snort\rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules |
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules | var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules |
# config logdir: | config logdir: C:\Snort\log
uncomment and enter the log dir |
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ | dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor |
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so | dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll |
dynamicdetection directory /usr/local/lib/snort_dynamicrules | #dynamicdetection directory /usr/local/lib/snort_dynamicrules |
# Does nothing in IDS mode preprocessor normalize_ip4 preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream preprocessor normalize_icmp4 preprocessor normalize_ip6 preprocessor normalize_icmp6 | # Does nothing in IDS mode #preprocessor normalize_ip4 #preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream #preprocessor normalize_icmp4 #preprocessor normalize_ip6 #preprocessor normalize_icmp6
|
whitelist $WHITE_LIST_PATH/white_list.rules, \ blacklist $BLACK_LIST_PATH/black_list.rules | whitelist $WHITE_LIST_PATH/white_list.rules, \ blacklist $BLACK_LIST_PATH/black_list.rules
You need to manually create this two files with names white_list.rules and black_list.rules in C:\Snort\rules\ directory |
# site specific rules include $RULE_PATH/local.rules | # site specific rules include $RULE_PATH\local.rules
We are changing the / to \ and do the same to all .rules down to the last rule usually is include $RULE_PATH/x11.rules. This is because we are in windows. |
# include $PREPROC_RULE_PATH/preprocessor.rules # include $PREPROC_RULE_PATH/decoder.rules # include $PREPROC_RULE_PATH/sensitive-data.rules | include $PREPROC_RULE_PATH\preprocessor.rules include $PREPROC_RULE_PATH\decoder.rules include $PREPROC_RULE_PATH\sensitive-data.rules |
Save the file and close wordpad.
Restart your computer (You’ve just installed snort) to avoid a lot of classtype error.
=========================================================
Step 4:
Open a command prompt as an administrator. Then cd to C:\Snort|bin then run the command below to see available interface:
snort -W
This will list a number of interaces, choose an interface represented by its index, in my case I chose 3 then just take note of this.
To show information about different switches you can enter the command:
snort -?
Run snort that displays alerts on console with the following command:
snort -i 3 -c c:\Snort\etc\snort.conf -d -l c:\Snort\log -A console
This may take a while but as soon as the console pops up, you can monitor here when an alert is triggered. To stop snort just press ctrl+c.
==============================================================
Step 5:
Run snort that saves alert to a file. We will name it as 21June2017alert.txt to remind us when this article was created. Enter the following command.
snort -i 3 -c c:\Snort\etc\snort.conf -d -l c:\Snort\log -A console > c:\Snort\log\21june2017alert.txt
From now you can monitor the file c:\Snort\log\21june2017alert.txt for alerts.
If you want to check whether your interface is working or not, perform a test. Open the file C:\Snort\rules\local.rules then add the alert below.
alert icmp any any -> any any (msg: "Testing ICMP"; sid:10001)
Rerun snort that displays alerts on console as mentioned above. Open another command prompt and ping any host like "ping www.google.com" and check the snort console window if it displays an alert, if not then try another interface.
For more info and references:
www.snort.org
www,microsoft.com
