Thursday 16 August 2012

Install and Configure Snort IDS on Windows 7



First you need to download the Snort installer from here.

Install Snort and WinPcap,
then browse to the C:\snort folder.

Now open www.snort.org,
log in and download the RULES from the Snort website.
Extract them to c:\snort (overwrite existing files without prompting).


=> Now I am going to cover some basics of Snort before configuring it.

1. Basic Snort usage
Open a command prompt (RUN AS ADMINISTRATOR) and go to the destination folder, which is
C:\snort\bin>
and type
C:\snort\bin>snort
      It will run Snort.

2. To show interfaces type:

     C:\snort\bin>snort -W




3. Snort as a packet sniffer

      Type   C:\snort\bin>snort -d

     -d = show the application layer data in the packet.

 4. C:\snort\bin>snort -dev

         Where
                        -e = display the link layer data in the packet
                        -v = verbose mode
        
 5. To specify an interface

        C:\snort\bin>snort -v -i 1

                     -i = specify the interface

            Here I select my interface, which is 1. If you are using VMware or VirtualBox, select your LAN interface, which could be 2, 3 or maybe 4.

-v = verbose mode, which shows all the packet data and highlights the packets that triggered an alert.


  
Snort in IDS mode:

Type cmd in the Windows search box, right-click on it and select RUN AS ADMINISTRATOR,
then type:

C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

Where:
                   -c = configuration file to use (the rules file to use)
                    -l = directory to log to
                   -K = logging mode [pcap (default), ascii, none]

Now you will get the 1st error
(shown in the snapshot)



Now you have to open the snort.conf file for editing; it is located in c:\snort\etc\
The error is at line no. 45: go to line no. 45 and replace the word

                "ipvar" with "var" (replace all)
    
Now Run again 
 
C:\snort\bin>snort  -c  c:\snort\etc\snort.conf  -l  c:\snort\log  -K ascii

You will get the 2nd error,



which is at line no. 247

For this :-  first change the path so that it reads
C:\snort\lib\snort_dynamicpreprocessor\

 Second, go to the folder C:\snort\lib\snort_dynamicpreprocessor\ and copy the list of all the files in it.
Paste it into Notepad and delete the full path so that only the file names remain, like this
(sf_dns.dll), then copy all the names again and paste them into the config file at line no. 249.
Most importantly, put this text in front of every ".dll" file name
(dynamicpreprocessor C:\Snort\lib\snort_dynamicpreprocessor\)
so that there is one dynamicpreprocessor line per DLL. It will look like this :-





Now Run again
 
C:\snort\bin>snort  -c  c:\snort\etc\snort.conf  -l  c:\snort\log  -K ascii

You will get the 3rd error


at line no. 265 and 268

Change the path for dynamicengine and dynamicrules
to c:\snort\lib and change the ".so" extension to ".dll"
Which will look like this :-



  Now Run again
C:\snort\bin>snort  -c  c:\snort\etc\snort.conf  -l  c:\snort\log  -K ascii

You will get the 4th error



For this:-  make a folder named snort_dynamicrules in C:\snort\lib\


  Now Run again

C:\snort\bin>snort  -c  c:\snort\etc\snort.conf  -l  c:\snort\log  -K ascii

  You will get the 5th error

   at line no. 278 to 284

               For this:- comment out all the preprocessor normalize lines (using #)
               It will look like this :-




Now Run again

C:\snort\bin>snort  -c  c:\snort\etc\snort.conf  -l  c:\snort\log  -K ascii

You will get the 6th error



For this :-  create a text document named "white_list.rules" in c:\snort\rules\

Now Run again

C:\snort\bin>snort  -c  c:\snort\etc\snort.conf  -l  c:\snort\log  -K ascii
  You will get the 7th error,



which is the same as the previous error.
For this :-  create a text document named "black_list.rules" in c:\snort\rules\


Now open the snort.conf file for some modifications, which are...

At line no. 104 change the path of var RULE_PATH
to c:\snort\rules
Do the same at line no. 105 and 106.
It will look like this:-




Now at line no. 113 and 114,
which are
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
change the '/' into '\'.
It will look like this :- refer to the previous snapshot.

Now go to line no. 525 and 526
and search for these lines
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules
and change '/' into '\'.
It will look like this :-




Now go to line no. 572, which is  include $RULE_PATH/blacklist.rules
Change the name blacklist into black_list.
It will look like this:-
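All of the snort.conf edits from the 1st to the 7th error, plus the RULE_PATH, list-path and include changes above, collected into one script. This is an added example, not code from the original post or from the Snort project. It assumes the C:\snort install root used in this tutorial; SAMPLE_CONF is a constructed excerpt of the stock snort.conf (only the lines that get edited), and patch_line, apply_fixes and prepare_tree are my own names. It uses absolute paths for all of the var ..._PATH lines (the tutorial writes ..\rules for the two list paths; both point at the same folder when snort runs from C:\snort\bin).

```python
import os
import re

# Assumed install root: the tutorial installs Snort to C:\snort.
SNORT_ROOT = r"C:\snort"
LIB_DIR = SNORT_ROOT + r"\lib"

# Constructed excerpt of a stock snort.conf holding just the lines the
# tutorial edits; the real file is several hundred lines long.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""


def _to_windows(path):
    """Map a Unix lib path from the stock file onto the Windows install tree."""
    path = path.replace("/usr/local/lib", LIB_DIR).replace("/", "\\")
    # 3rd error: the loadable modules are .dll files on Windows, not .so.
    return re.sub(r"\.so$", ".dll", path)


def patch_line(line, dll_names):
    """Return the list of lines that replace one stock snort.conf line."""
    # 1st error: the Windows build does not accept the 'ipvar' keyword.
    if line.startswith("ipvar "):
        return ["var " + line[len("ipvar "):]]
    # 2nd error: no 'directory' form; one dynamicpreprocessor line per DLL.
    if line.startswith("dynamicpreprocessor directory"):
        base = LIB_DIR + "\\snort_dynamicpreprocessor\\"
        return ["dynamicpreprocessor " + base + name for name in dll_names]
    # 3rd error: absolute Windows paths for dynamicengine / dynamicdetection.
    m = re.match(r"^(dynamicengine|dynamicdetection directory)\s+(\S+)$", line)
    if m:
        return [m.group(1) + " " + _to_windows(m.group(2))]
    # 5th error: the normalize preprocessors need inline mode; comment them out.
    if line.startswith("preprocessor normalize"):
        return ["#" + line]
    # Lines 104-106 and 113-114: '../x' becomes an absolute Windows path.
    m = re.match(r"^var (\w+_PATH) \.\./(\S+)$", line)
    if m:
        return ["var " + m.group(1) + " " + SNORT_ROOT + "\\" + m.group(2)]
    # Lines 525-526: reputation list paths use '\' instead of '/'.
    if "$WHITE_LIST_PATH/" in line or "$BLACK_LIST_PATH/" in line:
        return [line.replace("_LIST_PATH/", "_LIST_PATH\\")]
    # Line 572: the include names blacklist.rules, the file is black_list.rules.
    if line.strip() == "include $RULE_PATH/blacklist.rules":
        return [line.replace("blacklist.rules", "black_list.rules")]
    return [line]


def apply_fixes(text, dll_names):
    """Apply every edit from the tutorial to the text of snort.conf."""
    out = []
    for line in text.splitlines():
        out.extend(patch_line(line, dll_names))
    return "\n".join(out) + "\n"


def prepare_tree(root=SNORT_ROOT):
    """4th, 6th and 7th errors: create the folder and the two empty rule files."""
    os.makedirs(os.path.join(root, "lib", "snort_dynamicrules"), exist_ok=True)
    for name in ("white_list.rules", "black_list.rules"):
        path = os.path.join(root, "rules", name)
        if not os.path.exists(path):
            open(path, "a").close()


if __name__ == "__main__":
    # On a real box: back up snort.conf, rewrite it using the DLLs actually
    # present in the preprocessor folder, create the missing files, then run
    # 'snort -T' to validate the result.
    conf = os.path.join(SNORT_ROOT, "etc", "snort.conf")
    dll_dir = os.path.join(LIB_DIR, "snort_dynamicpreprocessor")
    dlls = sorted(n for n in os.listdir(dll_dir) if n.lower().endswith(".dll"))
    with open(conf) as f:
        original = f.read()
    with open(conf + ".bak", "w") as f:
        f.write(original)
    with open(conf, "w") as f:
        f.write(apply_fixes(original, dlls))
    prepare_tree()
    print("patched", conf, "with", len(dlls), "preprocessor DLLs")
```

The script only changes the file name extension on the dynamicengine line, exactly as the tutorial does, so after running it check that the line names a file that really exists in c:\snort\lib\snort_dynamicengine (on my Windows installs the engine ships as sf_engine.dll, not libsf_engine.dll); snort -T reports the exact path it failed to load if it does not.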



Finally run this command

C:\snort\bin>snort  -i 1 -l  c:\snort\log  -c  c:\snort\etc\snort.conf  -T

-T = test and report on the current Snort configuration
 You will get the message that



Snort successfully validated the configuration!

 You can also run it in console mode for this…

C:\snort\bin>snort  -i 1 -l  c:\snort\log  -c  c:\snort\etc\snort.conf  -A console

Where   -A = set the alert mode: fast, full, console, test or none

For detection in IDS mode :-

Go to the rules folder, open icmp-info.rules and uncomment the type 8 rules and the Windows type 8 rule,
which are at line no. 30, 35, 39, 45

then run the command

C:\snort\bin>snort  -i 1 -l  c:\snort\log  -c  c:\snort\etc\snort.conf  -A console

Then ping your system from a different system and you will get the alerts, which will all be stored in
the log folder.



Or run this command

C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -K ascii

Then ping your system from a different system and you will get the alerts, which will all be stored in
the log folder in ASCII mode.
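The ping test above prints one line per alert on the console. As an added example (not part of the original post, and not Snort's own code), here is a small script that parses those lines and tallies them per source address, which is the check you want when confirming the icmp-info rules fire. The alert lines in SAMPLE_ALERTS are constructed in the single-line layout Snort prints with -A console; the gid:sid:rev values and message text follow the ICMP PING rules in icmp-info.rules as I recall them, so treat them as assumptions rather than copied output. parse_alert, parse_alerts, summarize and noisy_sources are my own names.

```python
import re
from collections import Counter

# Constructed sample of console output from the ping test: one startup line
# (which is not an alert) followed by five alerts from the icmp-info rules.
SAMPLE_ALERTS = """\
Commencing packet processing (pid=1234)
08/16-10:21:03.412509  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
08/16-10:21:03.412611  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
08/16-10:21:04.413002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
08/16-10:21:04.413101  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
08/16-10:22:17.000311  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.33 -> 192.168.1.10
"""

# Layout: timestamp  [**] [gid:sid:rev] message [**] [Classification: ...]
# [Priority: N] {PROTO} src -> dst.  Classification is optional because rules
# without a classtype omit it; src/dst may carry a :port for TCP and UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Parse one console line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_alerts(text):
    """Parse every alert in a block of console output, skipping other lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Count alerts per (source address, rule message)."""
    return Counter((a["src"], a["msg"]) for a in alerts)


def noisy_sources(alerts, threshold):
    """Sources that raised at least `threshold` alerts, most active first."""
    counts = Counter(a["src"] for a in alerts)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (src, msg), n in sorted(summarize(alerts).items()):
        print("%-16s %-20s %d" % (src, msg, n))
    print("sources with 3 or more alerts:", noisy_sources(alerts, 3))
```

To use it on a real run, redirect the console output to a file (snort ... -A console > alerts.txt) and pass that file's contents to parse_alerts; a single ping from a Windows host should show up as both "ICMP PING" and "ICMP PING Windows" from the same source, which is what the sample reproduces.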



For any query, mail me at the link below:-

You can also find me on Facebook:-







5 comments:

  1. I tried the tutorial but only ping is detected. When I attempt an attack on the system the default rules don't get triggered; what could be the reason?

    Replies
    1. I am also working on Snort. Ping is also some kind of attack which Snort detects. For more in-depth detection use Bro; that is Linux based and a little tricky.

  2. I am new to Snort. I installed Snort successfully but I don't know whether this installation is in inline mode. Can you please show an example where we alert, drop and reject the packet?

  3. I am also trying to figure out, with no success, how to set up Snort in inline mode on the Windows platform. Can you help? Thanks -- my email is m.curtisdon@yahoo.co.uk

  4. I still cannot install Snort. Can anyone help me?
