How to use Snort in Windows

Introduction To Snort:

In this tutorial we will look at installing and configuring Snort on Windows 10. Snort is a popular open source Intrusion Detection System (IDS). It works by monitoring network traffic, parsing each packet and alerting the system administrator to any traffic that matches the Snort rules the administrator has configured according to the security policies of the organization.

Installing Snort 2.9.17 on Windows 10: A Step-by-Step Guide:

  1. The Snort executable for 64-bit Windows 10 can be downloaded from here.

2. Open the downloaded snort executable file.

3. Click ‘I Agree’ on the license agreement.

Figure 01: License agreement for Snort 2.9.17

4. Choose components of Snort to be installed.

Figure 02: Choosing Components for Snort 2.9.17

5. Click “Next” and then choose an install location for Snort, preferably a separate folder on the Windows C: drive.

Figure 03: Choose Install location for Snort 2.9.17

6. Click “Next”. The installation process starts and then completes as shown in figure 04:

Figure 04: Setup Complete for Snort 2.9.17

7. When you click “Close” you are prompted with this dialogue box:

Figure 05: Window showing details of software needed to run Snort successfully

8. Snort requires Npcap to be installed in order to function.

9. Npcap for Windows 10 can be downloaded from here.

10. Open the Npcap setup file and click ‘I Agree’ to the license agreement.

Figure 06: License agreement for Npcap 1.10

11. Now choose which components of Npcap are to be installed and click “Install”.

Figure 07: Choose Components to install for Npcap 1.10

12. The installation process starts and completes. Click “Next”:

Figure 08: Setup completed for Npcap 1.10

13. The installer window now shows that Npcap has been installed. Click “Finish”.

Figure 09: Successful installation for Npcap 1.10 completed

14. After installing Snort and Npcap, enter the commands shown in figure 10 in the Windows 10 Command Prompt to check that Snort works:

Figure 10: Successfully running Snort on Windows 10 through command prompt

15. As you can see in the figure above, Snort runs successfully.

This is how you download and install Snort along with its dependency, Npcap.

Configuring Snort 2.9.17 on Windows 10:

After installing Snort on Windows 10, the next important step is configuring it.

Note: The indented portions below show the lines as they appear in the default configuration file (snort.conf) shipped with Snort. These are the lines to change; the values to enter are the ones shown in the figures.

  1. Go to this link and download the latest Snort rule file.
  2. Extract three folders from the downloaded snortrules-snapshot-29170.tar archive into the corresponding Snort folders on the C: drive.

Folders to be extracted are: rules, preproc_rules, etc

  • The rules folder contains the rule files, most importantly local.rules, the file in which we will enter all our own rules.
  • The preproc_rules folder contains the decoder and preprocessor event rules that snort.conf includes in a later step.
  • The etc folder contains all configuration files, most importantly snort.conf, which we will use for configuration.

3. Now open the snort.conf file in Notepad++ or any other text editor to edit Snort's configuration so that it works the way we want.

4. Set up the network addresses you are protecting. The default line is:

ipvar HOME_NET any

Note: Replace any with the IP addresses or subnets of the hosts you want to protect. Leaving it as any works, but then rules written as $EXTERNAL_NET -> $HOME_NET match traffic in both directions and produce noisier alerts.

Figure 11: Setting up the Home Network Address in Snort

5. Set up the external network as anything that is not the home network, i.e. !$HOME_NET. The ! in the value denotes ‘not’. The default line is:

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

Figure 12: Setting up the external Network Addresses in Snort

6. Now we have to define the directories for our rules, so_rules and preproc_rules folders. As the comment in the file says, Windows users should use absolute paths here:

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

Figure 13: Setting up path to our rules files and preproc rules folder in Snort

7. Now we have to set up our white list and black list paths. The list files will live in Snort's rules folder:

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

Figure 14: Setting up our White List and Black List files paths in Snort

8. Next we have to set the log directory, so that Snort stores its logs in our log folder. Uncomment this line and set the absolute path to the log directory (the folder must already exist):

# Configure default log directory for snort to log to. For more information see snort -h command line options (-l)
#
# config logdir:

Figure 15: Setting up Log Directory Path in Snort

9. Now we will set the path to the dynamic preprocessor libraries. The default points at a Linux path; on Windows it must point at the lib folder of the Snort installation:

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

Figure 16: Setting up path to dynamic preprocessors and dynamic engine in Snort

10. We do the same for the dynamic engine. The Windows build ships the engine as a DLL rather than the .so file named in the default:

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Figure 17: Setting up the path to dynamic preprocessor engine in Snort

11. Next is the path to the dynamic rules libraries (shared-object rules). In the default file this line is commented out, and it can stay that way: the rule snapshot ships no shared-object rules for Windows.

# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

Figure 18: Path to dynamic rules libraries in Snort

12. Comment out the packet normalization lines (the preprocessor normalize_* lines) as shown in figure 19. Normalization only applies when Snort runs inline as an IPS, so in IDS mode on Windows we exclude it.

Figure 19: Commenting out packet normalization commands in Snort

13. Scroll down to the reputation preprocessor. Here we only change the file names, since the white list and black list are not rules; they are just lists of IP addresses labelled white or black. The names must match the files created in step 18:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH\white.list, \
   blacklist $BLACK_LIST_PATH\black.list

Figure 20: Whitelisting and Blacklisting IPs through the command as shown in figure

14. Convert the forward slashes to backslashes in lines 546–651 of snort.conf (the include lines for the rule files), so that the paths are Windows paths.

Figure 21: Converting forward slashes to backslashes in specific lines of the snort.conf file

Figure 22: Converting forward slashes to backslashes in specific lines of the snort.conf file

15. Again convert the forward slashes to backslashes, and uncomment the lines below:

# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Figure 23: Converting forward slashes to backslashes and uncommenting specific lines in the snort.conf file

16. Now verify that the line include threshold.conf is present at the bottom of the snort.conf file.

Figure 24: verifying presence of “include threshold.conf” command in snort.conf file

17. Save the file to keep all changes to the configuration file (snort.conf).

18. Recall from step 13 that the white list and black list are not rules, just lists of IP addresses labelled black or white. These files do not yet exist in our rule path, so we have to create them manually and save them in C:\Snort\rules:

  • In Notepad++ create a new file.
  • Add the comment line #White-listed IPs.
  • Save the file as white.list.
Figure 25: Creating the White List IPs file
  • Create another new file.
  • Add the comment line #Black-listed IPs.
  • Save the file as black.list.
Figure 26: Creating the Black List IPs file in Snort
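The excerpts in steps 4 to 16 show the default lines only; the edited values are in the figures. For reference, here are the same lines as they read after the edits, gathered in one place. This is an added example, not text from the original tutorial. It assumes Snort was installed in C:\Snort (the path the tutorial uses), that the Windows installer placed its libraries under C:\Snort\lib, that a C:\Snort\log folder has been created, and that the protected network is 192.168.1.0/24, which is a placeholder to replace with your own addresses:

```conf
# Windows-adjusted lines of C:\Snort\etc\snort.conf (example; assumes a C:\Snort install)

# Step 4/5: protected network and everything outside it.
# 192.168.1.0/24 is a placeholder, use your own subnet(s).
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

# Step 6: absolute Windows paths to the rule folders extracted from the snapshot
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\so_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules

# Step 7: the reputation lists live in the rules folder
var WHITE_LIST_PATH c:\Snort\rules
var BLACK_LIST_PATH c:\Snort\rules

# Step 8: log directory (the folder must exist before Snort starts)
config logdir: c:\Snort\log

# Steps 9-11: the Windows build loads DLLs, not .so files (paths assumed from a default install)
dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor
dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll
# dynamicdetection directory c:\Snort\lib\snort_dynamicrules

# Step 12: normalizers only apply inline (IPS mode), so they stay commented out
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

# Step 13: reputation lists; file names must match the files created in step 18
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH\white.list, \
   blacklist $BLACK_LIST_PATH\black.list

# Steps 14/15: include lines with backslashes; preprocessor rules uncommented
include $RULE_PATH\local.rules
include $PREPROC_RULE_PATH\preprocessor.rules
include $PREPROC_RULE_PATH\decoder.rules
include $PREPROC_RULE_PATH\sensitive-data.rules

# Step 16: must be present at the end of the file
include threshold.conf
```

Every path here is absolute on purpose: Snort resolves relative paths against the directory it is started from, so a configuration that validates from C:\Snort\bin can fail when Snort is later started as a service or from another folder.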

19. Now test Snort again from a Command Prompt run as administrator, to check that it still runs after all the configuration changes.

Figure 27: Test Running of Snort in Windows 10 after Configuration

20. We can also list the network interfaces (wired as well as wireless) on which Snort can listen. Enter the command below in the Command Prompt; each interface is shown with an index number, which is the number used with -i in the next step:

snort -W

21. Configuration validation check:
Now we enter a command to validate Snort's configuration. -i 1 selects interface number 1 from the list above, -c gives the path to the configuration file, and -T tells Snort to test the configuration and exit without sniffing traffic:

snort -i 1 -c C:\Snort\etc\snort.conf -T

Figure 28: Checking Validation of Snort Configuration in Command Prompt

As the figure shows, Snort validates our configuration successfully. This brings us to the end of the installation and configuration tutorial.
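The -T check only proves that snort.conf parses and that every included file exists; it does not prove that the sensor alerts on anything. As an added example that is not part of the original tutorial, here is a C:\Snort\rules\local.rules with three rules you can trigger yourself (the sids, messages and the chosen ports are this example's own; local rules use sids of 1000000 and above so they cannot collide with the distributed rule set):

```conf
# C:\Snort\rules\local.rules (example rules; included from snort.conf via $RULE_PATH\local.rules)

# 1. Ping the protected host from another machine: echo requests (itype 8) from outside HOME_NET
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request to HOME_NET"; itype:8; sid:1000001; rev:1;)

# 2. Inbound RDP connection attempt: a TCP SYN to 3389 from outside, before any handshake completes
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"LOCAL inbound RDP connection attempt"; flags:S; classtype:attempted-recon; sid:1000002; rev:1;)

# 3. Directory traversal in an HTTP request. http_raw_uri is used on purpose: http_inspect
#    normalizes "../" out of the decoded URI, so the pattern must be matched against the raw one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL HTTP directory traversal attempt"; flow:to_server,established; content:"../"; http_raw_uri; classtype:web-application-attack; sid:1000003; rev:1;)
```

Run the -T check again after editing the file, then start Snort in IDS mode with alerts printed to the console, for example snort -i 1 -c C:\Snort\etc\snort.conf -l C:\Snort\log -A console, and ping the host from a machine outside HOME_NET: rule 1000001 should print an alert line for every echo request. If HOME_NET was left as any, the rules also fire on traffic the host itself sends, which is the noise the note in step 4 refers to.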

The references used for writing this tutorial are given below.

References:

  1. How to Install, Configure, and Test Snort on Windows
  2. Install Snort 2.9.8 on Windows

How do you use a Snort tool?

To use Snort as a packet sniffer, set the host's network interface to promiscuous mode so that Snort sees all traffic on the local network segment; Snort then writes the captured traffic to the console. In packet-logger mode it writes the captured packets to files on disk instead.

Does Snort have a GUI?

It's important to note that Snort has no real GUI or easy-to-use administrative console, although lots of other open source tools have been created to help out, such as BASE and Sguil.

What are the Snort modes of operation?

Snort has three primary uses: as a packet sniffer like tcpdump, as a packet logger (useful for debugging network traffic), or as a full-blown network intrusion detection and prevention system. Snort can be downloaded and configured for personal and business use alike.