First, download the Snort installer from here.
Install Snort and WinPcap, then explore the C:\snort folder.
Now open www.snort.org, log in to Snort, and download the RULES from the Snort website.
Unrar them to C:\snort (and overwrite without prompting).
=> Now I am going to tell you some basics of Snort before configuring it.
1. Basic Snort usage
Open a command prompt (RUN AS ADMINISTRATOR), go to the destination folder, which is C:\snort\bin>, and type:
C:\snort\bin>snort
It will run Snort.
2. To show the interfaces, type:
C:\snort\bin>snort -W
3. Snort as a packet sniffer
Type:
C:\snort\bin>snort -d
-d = show the application layer data in the packet.
4. Type:
C:\snort\bin>snort -dev
Where:
-e = display the link layer data in the packet
-v = verbose mode
5. To specify an interface, type:
C:\snort\bin>snort -v -i 1
-i = specify the interface (the number comes from the snort -W listing)
-v = verbose mode, which shows all the data, highlighting the attack data.
Snort in IDS mode:
Type cmd in the Windows search box, right-click it, select RUN AS ADMINISTRATOR, and then type:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
Where:
-c = configuration file to use (rules file to use)
-l = directory to log to
-K = logging mode [pcap (default), ascii, none]
Now you will get the 1st error, shown in the snapshot.
Open the snort.conf file for editing; it is located in c:\snort\etc\.
The error is on line no. 45: go to line 45 and replace the word "ipvar" with "var" (replace all).
Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 2nd error, which is on line no. 247.
For this:-
First, change the path on that line so that it reads C:\snort\lib\snort_dynamicpreprocessor\.
Second, go to the folder C:\snort\lib\snort_dynamicpreprocessor\, copy the names of all the files in it, paste them into Notepad, and delete the full path so that only the file name remains (for example, sf_dns.dll). Then copy all the file names again and paste them into the config file at line no. 249.
Most important: put this prefix in front of every ".dll" file name:
dynamicpreprocessor C:\Snort\lib\snort_dynamicpreprocessor\
Which will look like this:-
Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 3rd error, on lines no. 265 and 268.
Change the paths for dynamicengine and dynamicrules to c:\snort\lib, and change the ".so" extension to ".dll".
Which will look like this:-
Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 4th error.
For this:- create a folder named snort_dynamicrules in C:\snort\lib\.
Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 5th error, on lines no. 278 to 284.
For this:- comment out all the preprocessor normalize lines (using #).
Which will look like this:-
Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 6th error.
For this:- create a text document in c:\snort\rules\ with the name "white_list.rules".
Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 7th error, which is the same as the previous error.
For this:- create a text document in c:\snort\rules\ with the name "black_list.rules".
Now open the snort.conf file for some more modifications, which are:
In line no. 104, change the path of var RULE_PATH, such as:- c:\snort\rules
Do the same on lines no. 105 and 106.
Which will look like this:-
Now in lines no. 113 and 114, which are
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
change the '/' into '\'.
Which will look like:- refer to the previous snapshot.
Now go to lines no. 525 and 526 and search for these lines:
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules
and change the '/' into '\'.
Which will look like:-
Now go to line no. 572, which is include $RULE_PATH/blacklist.rules, and change the name blacklist into black_list.
Which will look like:-
Finally, run this command:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -T
-T = test and report on the current Snort configuration
You will get the message "Snort successfully validated the configuration!"
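The seven snort.conf fixes above, collected into one script (an added example, not part of the tutorial): it rewrites a constructed excerpt of a stock snort.conf the way the tutorial does and then lists any uncommented line that still carries a Unix-style path, which is the check to run before snort -T. The c:\snort\lib layout and the DLL list are assumptions, and the engine file name sf_engine.dll is the Windows build's name, not something the tutorial states.

```python
LIB = r"c:\snort\lib"        # assumed install layout from the tutorial
RULES = r"c:\snort\rules"

# Constructed excerpt of a stock snort.conf: only the lines the tutorial edits.
SAMPLE_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_tcp: ips ecn stream
preprocessor reputation: \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""

def windowsify_snort_conf(conf, preproc_dlls, lib=LIB, rules=RULES):
    """Apply the tutorial's edits line by line and return the new text."""
    out = []
    for line in conf.splitlines():
        if line.startswith("ipvar "):                           # error 1: ipvar -> var
            line = line.replace("ipvar ", "var ", 1)
        elif line.startswith("var RULE_PATH "):                 # line 104: absolute rules dir
            line = f"var RULE_PATH {rules}"
        elif line.startswith(("var WHITE_LIST_PATH ", "var BLACK_LIST_PATH ")):
            line = line.replace("../rules", r"..\rules")        # lines 113/114: / -> \
        elif line.startswith("dynamicpreprocessor directory"):  # error 2: one line per DLL
            line = "\n".join(f"dynamicpreprocessor {lib}\\snort_dynamicpreprocessor\\{d}"
                             for d in preproc_dlls)
        elif line.startswith("dynamicengine "):                 # error 3: engine DLL under lib
            line = f"dynamicengine {lib}\\snort_dynamicengine\\sf_engine.dll"
        elif line.startswith("dynamicdetection directory"):     # error 3/4: rules dir under lib
            line = f"dynamicdetection directory {lib}\\snort_dynamicrules"
        elif line.startswith("preprocessor normalize"):         # error 5: comment out
            line = "#" + line
        elif "_LIST_PATH/" in line:                             # lines 525/526: / -> \
            line = line.replace("_LIST_PATH/", "_LIST_PATH\\")
        elif line.startswith("include $RULE_PATH/blacklist.rules"):  # line 572: rename
            line = r"include $RULE_PATH\black_list.rules"
        out.append(line)
    return "\n".join(out) + "\n"

def remaining_unix_paths(conf):  # uncommented lines still holding a Unix path; empty when done
    return [l for l in conf.splitlines() if not l.lstrip().startswith("#") and ("/usr/" in l or "../" in l or "_PATH/" in l)]

FIXED = windowsify_snort_conf(SAMPLE_CONF, ["sf_dns.dll"])  # constructed DLL list
```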
You can also run it in console mode. For this:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console
Where -A = set the alert mode: fast, full, console, test or none
For detection in IDS mode:-
Go to the rules folder, open the icmp-info rules, and uncomment the type 8 rules and the Windows type 8 rule, which are at lines no. 30, 35, 39 and 45.
Then run the command:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console
And ping your system from a different system; you will get the notification, and all alerts will be stored in the log folder.
Or run this command:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -K ascii
And ping your system from a different system; you will get the notification, and all alerts will be stored in the log folder in ASCII mode.
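Once the ping alerts show up on the console, a small parser makes them countable per source host. This is an added example, not part of the tutorial: it reads lines in the format that snort -A console prints (the fast alert format) and counts ICMP PING alerts per source; the timestamps, SIDs and addresses in the sample are constructed.

```python
import re
from collections import Counter

# Regex for one line of snort -A console output (the "fast" alert format).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

# Constructed sample console output; SIDs, times and addresses are illustrative only.
SAMPLE_CONSOLE = """\
03/15-12:34:56.789012  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10
03/15-12:34:57.790113  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10
03/15-12:35:01.000000  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.7 -> 192.168.1.10
this line is not an alert and must be skipped
"""

def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            alerts.append(d)
    return alerts

def ping_sources(text):
    """Count ICMP PING alerts per source host, i.e. who is probing this machine."""
    return Counter(a["src"] for a in parse_alerts(text)
                   if a["proto"] == "ICMP" and a["msg"].startswith("ICMP PING"))
```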
For any query, mail me at the link below:-
You can also find me on Facebook:-
I tried the tutorial but only ping is detected. When I attempt an attack on the system, the default rules don't get triggered. What could be the reason?

I am also working on Snort. Ping is also some kind of attack which Snort detects. For more in-depth detection use Bro; that is Linux based and a little tricky.

I am new to Snort. I installed Snort successfully but I don't know if this installation is in inline mode. Can you please show an example where we alert, drop and reject the packet?

I am also trying to figure out, with no success, how to set up Snort in inline mode on the Windows platform. Can you help? Thanks -- my email is m.curtisdon@yahoo.co.uk

I still cannot install Snort. Can anyone help me?