
Installing Snort 2.8.5.2 on Windows 7
by Kasey Efaw
snortguide@gmail.com
This guide is meant to assist the user in installing, configuring and running the Snort IDS technology on
a Windows 7 (32-bit) operating system. This guide could easily be used for other Windows based
Operating Systems, just remember that with Vista and later you are working with the UAC. Configuring
rules, deciphering alerts and tailoring to your specific network is beyond the scope of this guide. It is
not advised to test an installation within a production environment, and neither Snort nor the Author offer
any warranty against negative impacts to your systems that may be derived from following this guide.
I have received many e-mails as a result of my original guide (Snort Installation on Windows XP) and
would like to thank the Open Source Community for their kind words and questions requiring
troubleshooting. As a result of your feedback, this guide has been updated to answer some common
questions as well as to include screen shots. In the future, I will have installation and usage videos
posted on YouTube under the user name "snortguide".
Although it is recommended to perform the installation from a clean, formatted drive, this guide will
work through the steps installed from within a virtual environment. With the exception of the operating
system itself, all software is freely available (check EULAs for Commercial usage). All links are valid
as of 1/31/2010 and different steps may be required if using a version differing from those listed below.
Microsoft Windows 7 Professional:
http://store.microsoft.com/microsoft/Windows-7-Professional/product/B915134B?WT.mc_id=winonlinetest_sop3_PROfull_r3
Mozilla Firefox 3.6:
http://www.mozilla.com/en-US/products/download.html?product=firefox-3.6&os=win&lang=en-US
Microsoft Security Essentials:
http://www.microsoft.com/security_essentials/
COMODO Firewall 3.14:
http://www.comodo.com/home/download/download.php?prod=firewall
Microsoft Baseline Security Analyzer 2.1.1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e1-8b52-c871d012ba78&displaylang=en
ActivePerl 5.10.1.1006:
http://www.activestate.com/activeperl/
Notepad++ 5.6.6:
http://sourceforge.net/projects/notepad-plus/files/notepad%2B%2B%20releases%20binary/npp%205.6.6%20bin/npp.5.6.6.Installer.exe/download
Foxit Reader 3.1.4:
http://download.cnet.com/Foxit-Reader/3000-10743_4-10313206.html?part=dl-116442&subj=dl&tag=button
Kiwi Syslog Server 9.0.3:
http://kiwisyslog.com/kiwi-syslog-server-download/
7-Zip 4.65:
http://sourceforge.net/projects/sevenzip/files/7-Zip/4.65/7z465.exe/download
WinPcap 4.1.1:
http://www.winpcap.org/install/default.htm
Snort 2.8.5.2:
http://dl.snort.org/snort-current/Snort_2_8_5_2_Installer.exe
Oinkmaster 2.0:
http://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-2.0.tar.gz/download
1) After installing the Operating System and downloading all of the software listed above, I would
advise both copying the software to an external drive as well as creating a System Restore
Point. This will shorten reinstall times should something not work as expected.
2) With the exception of Oinkmaster, you should now systematically install all of the downloaded
software. Note that you may substitute some of the software (ex. use IE instead of Firefox or
skip installing the Foxit Reader), however some software such as WinPcap is integral to
running Snort in the method used in this guide.
   a) When installing the software, take note of the following:
      1) I would recommend using the default options and allowing the applicable
         components to be run as a service/at startup.
      2) When installing Kiwi, uncheck the Web Access, as it will expire after 30 days.
      3) During the installation and running of software, the COMODO Firewall will
         be triggered multiple times and you will need to Allow Kiwi access.
   b) I would now ensure that the Operating System and all software are patched and
      updated. I would also run the Microsoft Baseline Security Analyzer and correct any
      anomalies as you see fit. It is also recommended that you search the Internet for
      guides on hardening the Windows 7 Operating System.
Acquiring updated Rules and an Oinkcode:
If you haven't already done so, you will need to become a Registered member on the Snort website.
This is needed in order to download and use the Sourcefire VRT Certified Rules. Snort will not be
operating up to date without them (and Oinkmaster will not work).
https://www.snort.org/signup
After you have created an account, log in to the Snort website and copy your personalized Oinkcode (to
be used by Oinkmaster). Also, download the Sourcefire VRT Certified Rules (registered-user release);
be sure to grab the "snapshot" version, as shown below.
Applying our updated Rules:
**BEFORE APPLYING THESE UPDATED RULES, COPY THE FILE
C:\SNORT\ETC\SNORT.CONF TO YOUR DESKTOP**
Right-click on the snortrules-snapshot-2.8.tar.gz file that we downloaded and choose "Extract Here":
Right-click on the newly extracted file (snortrules-snapshot-2.8_s.tar) and choose "Extract files...".
Change the Path to C:\Snort and check "Overwrite without prompt":
Configuring the snort.conf File:
Edit the file you copied to your Desktop (snort.conf) with Notepad++ and perform the following:
Change lines 120-121 to read:
Change line 204 to read:
Change line 214 to read:
Change line 324 to read:
Change line 613 to read:
Change line 771 to read:
Change line 779 to read:
Change (uncomment) line 163 to read:
Now save and close this file. Copy this file to c:\snort\etc and overwrite the existing one.
Keep in mind that you will need to tailor this file (especially the rule set section) and any other
configuration files to further suit your IDS/IPS needs.
Verifying Snort Operation:
Open a Command Prompt and run c:\snort\bin\snort -W (be sure to use a capital "W").
Now run c:\snort\bin\snort -v -iX (replace X with your Device Interface number found from running
the previous line).
After a couple of seconds you will see "Not Using PCAP_FRAMES". Snort is now running and will
alert you if a Rule is triggered. If you have suspicious network traffic going across your interface, the
command prompt window will rapidly scroll text.
While still leaving the Snort command prompt window open, launch a second command prompt
window. From the new window, run the command ping google.com. If it hasn't occurred already, this
ping command will trigger a Snort alert!

You can now close both command prompt windows, as we have verified that Snort is installed and
alerting correctly in verbose mode. To test that our configuration file is correct, open a new command
prompt window and type:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with your Device Interface
number)
If you have correctly entered all information, you should receive a graceful exit such as the screen shot
below. If you receive a fatal error, you should first verify that you have typed all modifications
correctly into the snort.conf file and then search through the file for entries matching your fatal error
message.
Verifying Kiwi Operation and Tying it to Snort:
Now open the Kiwi Syslog Server Console and type CTRL-T (you should see a test message appear,
which indicates Kiwi is working).
Using Notepad++, create a file on your Desktop called Snortstart.bat and place the following line of
code in it:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with your Device Interface
number)
Also create a shortcut on your Desktop for the Kiwi Syslog Server Console.
Open the Kiwi Syslog Server Console (if it isn't already).
Now right-click and run Snortstart.bat as an Administrator. Wait (about thirty seconds) until you see
the familiar line "Not Using PCAP_FRAMES" at the end.
Finally, open another command prompt window and run: ping google.com
and........
At this point you should see the Snort Alert outputting into Kiwi!!!!
Note that the reason why we have to run our batch file as an Administrator is that, in our current
configuration, we need to maintain rights to not only output our alerts to Kiwi, but to write them to a
log file.
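As an added example that is not part of this guide, here is a small Python script that plays Kiwi's role in this setup: it listens for Snort's syslog datagrams on UDP/514 and picks the [gid:sid:rev], classification, priority and address fields out of each alert (the same parse works on the alert file Snort writes under c:\snort\log). The sample alert lines are constructed, and the line layout is assumed from Snort's alert_syslog output plugin.

```python
import re
import socket

# Layout of one Snort alert as written by the alert_syslog output plugin (and, once the
# "[**]" markers are stripped, by the alert file Snort writes under c:\snort\log):
#   [gid:sid:rev] message [Classification: text] [Priority: N]: {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample lines (not captured from a real sensor): a syslog datagram such as
# Kiwi receives after the "ping google.com" test, and a line in the alert-file format.
SAMPLE_SYSLOG = ("<33>snort: [1:384:5] ICMP PING [Classification: Misc activity] "
                 "[Priority: 3]: {ICMP} 192.168.1.10 -> 74.125.67.100")
SAMPLE_FAST = ("01/31-12:00:00.000000  [**] [1:1000001:1] LOCAL test web request [**] "
               "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:52000 -> 192.168.1.20:80")


def parse_snort_alert(line):
    """Return the alert's fields as a dict, or None when the line is not an alert
    (Snort also emits start-up chatter such as "Initializing Network Interface")."""
    m = ALERT_RE.search(line.replace("[**]", ""))
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):  # absent for ICMP alerts
        alert[key] = int(alert[key]) if alert[key] else None
    return alert


def serve(bind="127.0.0.1", port=514):
    """Receive Snort's syslog datagrams on UDP/514, as Kiwi does in this guide,
    and print the parsed fields of each alert, one per line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(4096)
            alert = parse_snort_alert(data.decode("utf-8", "replace"))
            if alert:
                print(f"{peer[0]} prio={alert['priority']} [{alert['gid']}:{alert['sid']}] "
                      f"{alert['msg']} {alert['proto']} {alert['src']} -> {alert['dst']}")


if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_FAST):
        print(parse_snort_alert(sample))
```

Call serve() instead of the sample loop to receive live alerts; stop Kiwi first, since only one listener can own UDP/514.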
At this point we have successfully installed Snort and have our Alerts being output to two sources. Our
final step will be to configure Oinkmaster to help us update and manage our Rules.
Configuring Oinkmaster and Verifying its Operation:
Right-click on the oinkmaster-2.0.tar.gz file that we downloaded and choose "Extract Here".
Right-click on this new file (oinkmaster-2.0.tar) and choose "Extract Here".
Now we have a new folder called oinkmaster-2.0. Move this new folder into c:\snort.
Go to c:\snort and create a folder named: temp
Go to c:\snort\oinkmaster-2.0\contrib and copy the oinkgui file to your Desktop. Rename this file to:
Update Snort Rules
Now we have an additional module we need to download and install:
Once the file has been downloaded, open a command prompt window and type the line as shown
below (note that your path name might be different). Once the installation has completed, you can
close the command prompt window.
Now double-click on our Update Snort Rules file we have on the desktop and configure Oinkmaster to
match the screen shots shown:
Note that your "Editor" path may be different than that shown.
Now go back to the "Required files and directories" tab and click "Edit" (to the right of the
oinkmaster.conf file entry).
Change line 52 to read:
Where <oinkcode> is equal to the personal Oinkcode you downloaded from Snort.org earlier in this
guide.
Now save your oinkmaster.conf file and close Notepad++.
You are now back at the main Oinkmaster GUI page.
Click "Save current settings".
Click "Update rules!"
After a few minutes of watching the rule update process, it will read: done.
Click "Exit" to close out of the Oinkmaster GUI.
**REMEMBER THAT EVERY TIME YOU UPDATE THE RULES, YOU WILL NEED TO STOP
AND THEN RESTART SNORT FOR THE NEW RULES TO TAKE EFFECT**
Thanks again and keep the questions and comments coming!
-Kasey
