Installing Snort slave on Windows

From open-voip.org

  • download snortrules-snapshot-CURRENT.tar.gz from snort.org
  • copy to c:\snort\rules
  • save a copy of c:\snort\etc\snort.conf for backup

Change snort.conf as follows:

var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH c:\snort\rules
var PREPROC_RULE_PATH c:\snort\preproc_rules

Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): # dynamicpreprocessor file <full path to libsf_ftptelnet_preproc.so>
Change to: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll

Original Line(s): # dynamicpreprocessor file <full path to libsf_smtp_preproc.so>
Change to: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll

Original Line(s):

#preprocessor sfportscan: proto  { all } \
#                         memcap { 10000000 } \
#                         sense_level { low }
Change to:

preprocessor sfportscan: proto  { all } \
                        memcap { 10000000 } \
                        sense_level { low } \
                        logfile { portscan.log }

Original Line(s): # dynamicpreprocessor file <full path to libsf_ssh_preproc.so>
Change to: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

Original Line(s): # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
Change to: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dce2.dll

Original Line(s): # dynamicpreprocessor file <full path to libsf_dns_preproc.so>
Change to: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dns.dll

Just below '# output log_tcpdump: tcpdump.log' insert this line:
output alert_fast: alert.ids

Original Line(s): # output database: log, mysql, user=root password=test dbname=db host=localhost
Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=localhost sensor_name=WinIDS

Original Line(s): include classification.config
Change to: include d:\winids\snort\etc\classification.config

Original Line(s): include reference.config
Change to: include d:\winids\snort\etc\reference.config

Original Line(s): # include $PREPROC_RULE_PATH/preprocessor.rules
Change to: include $PREPROC_RULE_PATH/preprocessor.rules

Original Line(s): # include $PREPROC_RULE_PATH/decoder.rules
Change to: include $PREPROC_RULE_PATH/decoder.rules

Original Line(s): # include threshold.conf
Change to: include d:\winids\snort\etc\threshold.conf

Now save the file and exit WordPad.
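Before starting Snort it is worth confirming that the edits above actually took effect, since a directive left commented out is simply ignored. The checker below is an added example, not code from this page or from the Snort project: it parses a snort.conf, joins the backslash-continued lines, reports which of the edits listed above are still missing, and flags the output database line because it embeds a password in the config file. The embedded snort.conf fragment is constructed for the example, with one include deliberately left commented.

```python
import re
# One check per edit this page prescribes: (directive prefix, regex the rest of the active line must match, message).
CHECKS = [
    ("var RULE_PATH", r"^[A-Za-z]:\\", "RULE_PATH is not an absolute Windows path"),
    ("dynamicengine", r"\.dll$", "dynamicengine still points at the .so, not sf_engine.dll"),
    ("preprocessor sfportscan:", r"logfile\s*\{", "sfportscan is commented out or has no logfile"),
    ("output alert_fast:", r"\S", "output alert_fast is missing"),
    ("include", r"preprocessor\.rules$", "preprocessor.rules include is still commented"),
    ("include", r"decoder\.rules$", "decoder.rules include is still commented"),
    ("include", r"threshold\.conf$", "threshold.conf include is still commented"),
]

def active_directives(text):
    """Uncommented logical lines of a snort.conf, with backslash continuations joined."""
    out, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if not buf and (not line or line.startswith("#")):
            continue                                   # blank line or comment
        buf = (buf + " " + line.rstrip("\\")).strip()  # join continuation lines
        if not line.endswith("\\"):
            out.append(buf)
            buf = ""
    return out + ([buf] if buf else [])

def check_conf(text):
    """Return the page's edits that are not yet applied; an empty list means all are present."""
    directives = active_directives(text)
    problems = [msg for prefix, pattern, msg in CHECKS
                if not any(re.search(pattern, d[len(prefix):].strip())
                           for d in directives if d.startswith(prefix))]
    if any(d.startswith("output database:") and "password=" in d for d in directives):
        problems.append("output database carries a plaintext password: restrict read access to snort.conf")
    return problems

# Constructed snort.conf fragment with the page's edits applied, except the decoder.rules include.
SAMPLE_CONF = r"""
var RULE_PATH d:\winids\snort\rules
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll
#preprocessor sfportscan: proto  { all } \
#                         memcap { 10000000 }
preprocessor sfportscan: proto  { all } \
                         sense_level { low } \
                         logfile { portscan.log }
output alert_fast: alert.ids
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
include d:\winids\snort\etc\threshold.conf
"""
```

Running `check_conf(open(r"d:\winids\snort\etc\snort.conf").read())` against the real file prints the same kind of list for your installation.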

Run Snort

Check the available interfaces with -W:

d:\winids\snort\bin>snort -W

Run Snort:

D:\winids\snort\bin>snort -c d:\winids\Snort\etc\snort.conf -l d:\winids\snort\log -i 2

where:

-i is the interface number (as listed by snort -W)
-l is the log directory

Run Snort as a service

D:\winids\Snort\bin>snort /service /install -c d:\winids\Snort\etc\snort.conf -l d:\winids\snort\log -i 3