Install Snort IDS in Windows

In this article we are going to install Snort on Windows, perform the basic configuration and then add Snort rules. Snort can also be configured as an intrusion prevention system, but in our case we will only configure Snort as an IDS.

Carry out the following steps:
1. Download and install Snort and WinPcap
2. Download the Snort rules
3. Configure the snort.conf file
4. Run Snort so that it displays alerts on the console
5. Run Snort so that it saves alerts to a file

=============================================================

Step 1:
Note: install Snort and WinPcap as an administrator.

Download WinPcap from https://www.winpcap.org/ and install it as an administrator; just let it install with the default settings. Restart your computer. (WinPcap is no longer maintained; on a current Windows build, Npcap installed in its WinPcap API-compatible mode is the usual replacement.)

Download the Snort installer exe from https://www.snort.org/downloads and install it as an administrator, choosing the default configuration: you only have to click "I Agree", "Next", "Next", "Next", "Close" and "Ok".

===============================================================

Step 2:
Sign up for an account at snort.org to be able to download the rule set. Signing up is easy: you will receive a confirmation email from Snort, and after confirming you can log in and download the rule set (see image below) at https://www.snort.org/downloads#rules . Pick the snapshot that matches the Snort version you installed; the version is encoded in the file name (2990 is 2.9.9.0).


[image: the Rules section of the Snort downloads page]



Extract the downloaded file. In my case the file is snortrules-snapshot-2990.tar.gz, which extracts to snortrules-snapshot-2990.tar; extract that as well and you will have four folders:

etc
preproc_rules
rules
so_rules

Copy the contents of etc to C:\Snort\etc\, replacing the existing files with the updated versions (this includes snort.conf, so the file you edit in Step 3 is the one from the rule snapshot).
Copy the contents of preproc_rules to C:\Snort\preproc_rules\, replacing the existing files.
Copy the contents of rules to C:\Snort\rules\.
The so_rules folder is not used on Windows.

================================================================

Step 3: Open C:\Snort\etc\snort.conf with your favorite text editor (in my case I use WordPad).

Scroll down, look for the following lines and change each one as shown. Only the lines under "From" and "To" belong in the file; the "Note" lines are remarks that explain the change and must not be copied into snort.conf.

From:
    ipvar HOME_NET any
To:
    ipvar HOME_NET 192.168.43.0/24
Note: 192.168.43.0/24 is my home network; yours could be different.

From:
    ipvar EXTERNAL_NET any
To:
    ipvar EXTERNAL_NET !$HOME_NET
Note: any IP that is not in my home net is treated as external.

From:
    var RULE_PATH ../rules
    var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH ../preproc_rules
To:
    var RULE_PATH C:\Snort\rules
    #var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH C:\Snort\preproc_rules
Note: the relative paths become the absolute Windows paths. SO_RULE_PATH is commented out because the Windows build of Snort does not load shared-object rules.

From:
    var WHITE_LIST_PATH ../rules
    var BLACK_LIST_PATH ../rules
To:
    var WHITE_LIST_PATH C:\Snort\rules
    var BLACK_LIST_PATH C:\Snort\rules

From:
    # config logdir:
To:
    config logdir: C:\Snort\log
Note: uncomment the line and enter the log directory.

From:
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    dynamicdetection directory /usr/local/lib/snort_dynamicrules
To:
    dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
    dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
    #dynamicdetection directory /usr/local/lib/snort_dynamicrules
Note: the Linux library paths become the paths of the DLLs shipped with the Windows installer; dynamicdetection loads shared-object rules and is commented out for the same reason as SO_RULE_PATH.

From:
    # Does nothing in IDS mode
    preprocessor normalize_ip4
    preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
    preprocessor normalize_icmp4
    preprocessor normalize_ip6
    preprocessor normalize_icmp6
To:
    # Does nothing in IDS mode
    #preprocessor normalize_ip4
    #preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
    #preprocessor normalize_icmp4
    #preprocessor normalize_ip6
    #preprocessor normalize_icmp6
Note: as the comment in snort.conf itself says, the normalizers only act in inline (IPS) mode, so they are commented out here.

From:
    whitelist $WHITE_LIST_PATH/white_list.rules, \
       blacklist $BLACK_LIST_PATH/black_list.rules
To:
    (unchanged)
Note: these two lines stay as they are, but you need to manually create two empty files named white_list.rules and black_list.rules in the C:\Snort\rules\ directory; otherwise Snort complains about the missing files when it starts.

From:
    # site specific rules
    include $RULE_PATH/local.rules
To:
    # site specific rules
    include $RULE_PATH\local.rules
Note: we change the / to \ because we are on Windows. Do the same for every include $RULE_PATH/... line that follows, down to the last one, which is usually include $RULE_PATH/x11.rules.

From:
    # include $PREPROC_RULE_PATH/preprocessor.rules
    # include $PREPROC_RULE_PATH/decoder.rules
    # include $PREPROC_RULE_PATH/sensitive-data.rules
To:
    include $PREPROC_RULE_PATH\preprocessor.rules
    include $PREPROC_RULE_PATH\decoder.rules
    include $PREPROC_RULE_PATH\sensitive-data.rules
Note: uncomment the three lines and change the / to \ as above.

Save the file and close WordPad.

Restart your computer (you have just installed Snort); this avoids a flood of classtype errors when Snort is first run.
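The same edits applied by script, as an added Python example that is not part of this article or of Snort: it rewrites the lines listed above in snort.conf, creates the two empty list files, and reports any uncommented line still pointing at a Linux /usr/local path, which is the usual reason Snort refuses to start after this step. The paths (C:\Snort) and HOME_NET (192.168.43.0/24) match the text and are assumptions for your install; SAMPLE_CONF is a constructed excerpt of a stock snort.conf used to show the transformation offline.

```python
"""Apply the article's Step 3 snort.conf edits and sanity-check the result.

Added example for this article, not part of Snort. Assumes the layout the
article uses (Snort in C:\\Snort) and its HOME_NET of 192.168.43.0/24.
"""
import sys
from pathlib import Path

# Constructed excerpt of a stock snort.conf holding the lines the article
# edits. The real file is several hundred lines; unlisted lines pass through.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# config logdir:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
include $RULE_PATH/local.rules
include $RULE_PATH/x11.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
"""


def windowsify_snort_conf(conf: str, home_net: str, root: str = r"C:\Snort") -> str:
    """Return conf with every Step 3 change applied, one rule per line."""
    out = []
    for raw in conf.splitlines():
        s = raw.strip()
        line = raw
        if s.startswith("ipvar HOME_NET "):
            line = f"ipvar HOME_NET {home_net}"          # the network we protect
        elif s.startswith("ipvar EXTERNAL_NET "):
            line = "ipvar EXTERNAL_NET !$HOME_NET"       # everything else
        elif s.startswith("var RULE_PATH "):
            line = f"var RULE_PATH {root}\\rules"
        elif s.startswith("var PREPROC_RULE_PATH "):
            line = f"var PREPROC_RULE_PATH {root}\\preproc_rules"
        elif s.startswith(("var WHITE_LIST_PATH ", "var BLACK_LIST_PATH ")):
            line = f"var {s.split()[1]} {root}\\rules"
        elif s.startswith("# config logdir:"):
            line = f"config logdir: {root}\\log"          # uncomment + set log dir
        elif s.startswith("dynamicpreprocessor directory "):
            line = f"dynamicpreprocessor directory {root}\\lib\\snort_dynamicpreprocessor"
        elif s.startswith("dynamicengine "):
            line = f"dynamicengine {root}\\lib\\snort_dynamicengine\\sf_engine.dll"
        elif s.startswith(("var SO_RULE_PATH ", "dynamicdetection directory ",
                           "preprocessor normalize_")):
            line = "#" + s   # no SO rules on Windows; normalizers act only in IPS mode
        elif s.startswith("# include $PREPROC_RULE_PATH/"):
            line = s[2:].replace("$PREPROC_RULE_PATH/", "$PREPROC_RULE_PATH\\")
        elif s.startswith("include $RULE_PATH/"):
            line = s.replace("$RULE_PATH/", "$RULE_PATH\\")
        out.append(line)
    return "\n".join(out) + "\n"


def active_unix_paths(conf: str) -> list:
    """Uncommented lines still holding a Linux /usr/local path; any such line
    stops Snort from loading its engine or preprocessors on Windows."""
    return [l for l in conf.splitlines()
            if not l.lstrip().startswith("#") and "/usr/local" in l]


def active_rule_includes(conf: str) -> list:
    """Rule files Snort will actually try to load (uncommented include lines)."""
    return [l.split(None, 1)[1] for l in conf.splitlines() if l.startswith("include ")]


def apply_in_place(conf_path: Path, home_net: str, root: str = r"C:\Snort") -> None:
    """Rewrite snort.conf, keep a .bak copy, and create the two empty
    reputation list files the article says you must add by hand."""
    original = conf_path.read_text()
    conf_path.with_name(conf_path.name + ".bak").write_text(original)
    conf_path.write_text(windowsify_snort_conf(original, home_net, root))
    for name in ("white_list.rules", "black_list.rules"):
        (Path(root) / "rules" / name).touch(exist_ok=True)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python snortconf_win.py C:\Snort\etc\snort.conf 192.168.43.0/24
        apply_in_place(Path(sys.argv[1]), sys.argv[2])
    else:                     # no arguments: show the transform on the excerpt
        print(windowsify_snort_conf(SAMPLE_CONF, "192.168.43.0/24"))
```

Run it with no arguments to print the transformed excerpt; run it from an administrator prompt with the path of the real snort.conf and your HOME_NET to edit the file in place (a .bak copy is kept next to it). Any line the script does not recognise is left alone, so compare the .bak against the result before starting Snort.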

=========================================================

Step 4:
Open a command prompt as an administrator, cd to C:\Snort\bin, then run the command below to list the available interfaces:

snort -W

This prints the interfaces with an index, a name and a description. Choose the interface that carries the traffic you want to watch and note its index; in my case I chose 3.

To show information about the different switches you can enter:

            snort -?

Run Snort so that it displays alerts on the console with the following command:

snort -i 3 -c c:\Snort\etc\snort.conf -d -l c:\Snort\log -A console

Here -i 3 is the interface index from snort -W, -c points at the configuration file, -d dumps the application-layer data, -l sets the log directory and -A console prints alerts to the console. Start-up takes a while because all the rules have to be parsed; once the console reports that packet processing has commenced you can watch alerts appear there. To stop Snort press Ctrl+C.

==============================================================

Step 5:
Run Snort so that it saves alerts to a file. We will name it 21June2017alert.txt to remind us when this article was created. Enter the following command:

snort -i 3 -c c:\Snort\etc\snort.conf -d -l c:\Snort\log -A console > c:\Snort\log\21june2017alert.txt

The redirect captures Snort's standard output, so the start-up banner and every console alert end up in c:\Snort\log\21june2017alert.txt; from now on you can monitor that file for alerts.

If you want to check whether the chosen interface is actually seeing traffic, run a test. Open C:\Snort\rules\local.rules and add the rule below:

        alert icmp any any -> any any (msg:"Testing ICMP"; sid:10001; rev:1;)

Every rule option, including the last one, ends with a semicolon. Snort reserves sids below 1000000 for the official rule sets, so for anything beyond a quick test give your local rules a sid of 1000000 or higher.

Rerun Snort in console mode as in Step 4. Open another command prompt and ping any host, for example "ping www.google.com", then check the Snort console window for a "Testing ICMP" alert. If none appears, try another interface index.
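The check above done from the saved file rather than by eye, as an added Python example that is not part of this article or of Snort: it parses the alert lines Snort prints in -A console mode (the same lines the redirect in this step writes to the file), reports how often each rule fired, answers whether the ICMP test rule (sid 10001) produced anything, and lists the addresses outside HOME_NET that appear in the alerts. The sample output is constructed; the addresses and the second rule (sid 1000002, "LOCAL tcp test") are assumptions made for the example.

```python
"""Parse Snort -A console alert lines and report what fired.

Added example for this article, not part of Snort. Works on the text Snort
writes to the console, or on the file the Step 5 redirect creates.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample of console output: one start-up line and three alerts,
# two from the article's ICMP test rule (sid 10001) and one from an assumed
# local TCP rule with sid 1000002. Addresses are made up.
SAMPLE_OUTPUT = """\
Commencing packet processing (pid=4321)
06/21-10:15:32.123456  [**] [1:10001:1] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.43.5 -> 172.217.5.100
06/21-10:15:32.161234  [**] [1:10001:1] Testing ICMP [**] [Priority: 0] {ICMP} 172.217.5.100 -> 192.168.43.5
06/21-10:15:40.000001  [**] [1:1000002:1] LOCAL tcp test [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.43.5:51234
"""

# Layout of a console/fast alert: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint: str):
    """'10.0.0.5:80' -> ('10.0.0.5', 80); '10.0.0.5' -> ('10.0.0.5', None).
    IPv4 only: a bare IPv6 address would be split at its last colon."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line: str):
    """Return a dict for an alert line, or None for banner/other output."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    a["src"], a["sport"] = split_endpoint(a["src"])
    a["dst"], a["dport"] = split_endpoint(a["dst"])
    return a


def parse_alerts(text: str) -> list:
    """All alerts in a block of console output, non-alert lines skipped."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def count_by_sid(alerts) -> dict:
    """How many times each rule fired, keyed by sid."""
    return dict(Counter(a["sid"] for a in alerts))


def rule_fired(text: str, sid: int) -> bool:
    """The Step 5 check: did the rule with this sid produce any alert?"""
    return any(a["sid"] == sid for a in parse_alerts(text))


def external_peers(alerts, home_net: str = "192.168.43.0/24") -> set:
    """Addresses outside HOME_NET seen in the alerts (the EXTERNAL_NET side)."""
    net = ipaddress.ip_network(home_net)
    return {ip for a in alerts for ip in (a["src"], a["dst"])
            if ipaddress.ip_address(ip) not in net}


if __name__ == "__main__":
    # python snort_alerts.py C:\Snort\log\21june2017alert.txt  (no arg: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    alerts = parse_alerts(text)
    print("alerts by sid:", count_by_sid(alerts))
    print("test rule 10001 fired:", rule_fired(text, 10001))
    print("external peers:", sorted(external_peers(alerts)))
```

Pass the path of the alert file as the only argument to run it against real output; with no argument it runs on the built-in sample. Lines that are not alerts, such as the start-up banner the redirect also captures, are ignored by the parser rather than treated as errors.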




For more info and references:
www.snort.org
www.microsoft.com















