
Install and Configure Snort IDS on Windows 7

1. Basic Snort usage
Open a command prompt (RUN AS ADMINISTRATOR), go to the destination folder, which is C:\snort\bin>, and type
C:\snort\bin>snort
It will run Snort.
2. To show interfaces type:
C:\snort\bin>snort -W


3. Snort as a packet sniffer
Type C:\snort\bin>snort -d
-d → show the application layer data in the packet.
4. C:\snort\bin>snort -de
Where: -e → display the link layer data in the packet
-v → verbose mode
5. To specify interfaces
C:\snort\bin>snort -v -i 1
-i → specify the interface. Here I select my interface, which is 1. If you are using VMware or VirtualBox, select your LAN interface, which could be 2, 3 or maybe 4.
-v → verbose; shows all data, with the attacked data highlighted.

Snort in IDS mode:

Type cmd in the Windows search box, right-click it and select RUN AS ADMINISTRATOR, then type:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
Where:
-c → configuration file to use (rule file to use)
-l → directory to log to
-K → logging mode [pcap (default), ascii, none]
Now you will get the 1st error, shown in the snapshot.

Now you have to open the snort.conf file for editing. It is located in c:\snort\etc\. Here the error is in line no. 45: go to line no. 45 and replace the word 'ipvar' with 'var' (replace all). Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 2nd error, which is in the line
dynamicpreprocessor directory ...
For this:- first you have to change the path, which will be like this: C:\snort\lib\snort_dynamicpreprocessor\. Second, go to the path C:\snort\lib\snort_dynamicpreprocessor\, copy the list of all files in it and paste it into Notepad, then delete the full path so that only the file name remains (like this: sf_dns.dll). Copy all the names again and paste them into the config file just after that line. Most important: prefix every '.dll' name with
dynamicpreprocessor C:\Snort\lib\snort_dynamicpreprocessor\

Which will look like this :-

Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 3rd error, in the dynamicengine and dynamicrules lines.

Change the paths for dynamicengine and dynamicrules to c:\snort\lib and change the '.so' extension to '.dll', which will look like this :-

Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 4th error.

For this:- make a folder named snort_dynamicrules in C:\snort\lib\. Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 5th error, in the preprocessor normalize lines.

For this:- comment out all 'preprocessor normalize' lines (using #), which will look like this :-

Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 6th error.

For this :- create a text document in c:\snort\rules\ named 'white_list.rules'.

Now run again:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 7th error, which is the same as the previous error.

For this :- create a text document in c:\snort\rules\ named 'black_list.rules'.

Now open the snort.conf file for some further modifications, which are:-

In line no. 104, change the path of var RULE_PATH to c:\snort\rules. Do the same for line no. 105 and 106, which will look like this:-

Now in line no. 113 and 114, which are
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
change the '/' into '\', which will look like :- (refer to the previous snapshot). Now search further down for these lines:
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules
and change '/' into '\', which will look like :-

Now go to the line
include $RULE_PATH/blacklist.rules
and change the name blacklist into black_list, which will look like:-
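The snort.conf edits described above (the fixes for the 1st, 2nd, 3rd and 5th errors and the path changes), collected into one script as an added example; it is not part of the original tutorial and not Snort's own code. The conf text and DLL names are constructed samples, the dll_names helper is hypothetical, and creating the snort_dynamicrules folder and the two rules files is left to the steps above.

```python
from pathlib import Path
# Constructed sample: only the snort.conf lines the tutorial edits, not the full file.
SAMPLE_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""
# Constructed stand-in for the DLL names found under C:\snort\lib\snort_dynamicpreprocessor\.
SAMPLE_DLLS = ["sf_ssh.dll", "sf_dns.dll"]

def dll_names(directory):
    # The Notepad step: keep only the file names of the DLLs in the preprocessor folder.
    return sorted(p.name for p in Path(directory).glob("*.dll"))

def windowsize_snort_conf(conf, dlls, root=r"c:\snort"):
    # Apply the tutorial's Windows edits to snort.conf text and return the edited text.
    lib = root + r"\lib"
    out = []
    for line in conf.splitlines():
        key = line.lstrip()
        if key.startswith("ipvar "):                            # 1st error: ipvar -> var
            line = "var " + key[len("ipvar "):]
        elif key.startswith("var ") and key.split()[1].endswith("RULE_PATH"):
            line = f"var {key.split()[1]} {root}\\rules"        # lines 104-106
        elif key.startswith(("var WHITE_LIST_PATH", "var BLACK_LIST_PATH",
                             "whitelist $WHITE_LIST_PATH", "blacklist $BLACK_LIST_PATH")):
            line = line.replace("/", "\\")                      # '/' -> '\' in list paths
        elif key.startswith("dynamicpreprocessor directory"):   # 2nd error
            # one dynamicpreprocessor line per DLL, each carrying the full Windows path
            out.extend(f"dynamicpreprocessor {lib}\\snort_dynamicpreprocessor\\{d}" for d in sorted(dlls))
            continue
        elif key.startswith("dynamicengine "):                  # 3rd error: .so -> .dll
            line = f"dynamicengine {lib}\\snort_dynamicengine\\sf_engine.dll"
        elif key.startswith("dynamicdetection directory"):
            line = f"dynamicdetection directory {lib}\\snort_dynamicrules"
        elif key.startswith("preprocessor normalize"):          # 5th error: comment out
            line = "# " + line
        elif key == "include $RULE_PATH/blacklist.rules":       # the file is black_list.rules
            line = "include $RULE_PATH/black_list.rules"
        out.append(line)
    return "\n".join(out) + "\n"
```

Feed it the real file contents and `dll_names(r"C:\snort\lib\snort_dynamicpreprocessor")`, then write the result back and run the -T check from the last step.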

Finally run this command:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -T
-T → test and report on the current Snort configuration. You will get the message

Snort successfully validated the configuration!

You can also run it in console mode; for this:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console
Where -A → set alert mode: fast, full, console, test or none.

For detecting in IDS :- go to the rules folder, open the icmp-info rules and uncomment the type 8 rules and the Windows type 8 rule, then run the command
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console
and ping your system from a different system. You will get the notification, and all of it will be stored in the log folder.

Or run this command:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -K ascii
and ping your system from a different system. You will get the notification, and all of it will be stored in the log folder in ASCII mode.