
Snort

Posted in Defense



Snort Setup on Windows 7


Install

A quick and simple setup of Snort on a home Windows 7 machine, written for the beginner. Running Snort on a home PC may be overkill, but it adds a layer of visibility that your AV or other security apps may not give you, and it is an excellent way to get hands-on experience with an IDS. Snort is primarily catered to Unix/Linux environments, but it also runs on Windows.

First, install Snort. At the time of this writing the current version is 2.9.9.0.

https://www.snort.org/downloads

Then find the Windows .exe installer…

Next, download the rules from the same page. The Community rules are fine for home use; the Registered rules are also free, but you'll need to create an account. Pick the rule set that matches your Snort version, since a rules snapshot built for a different release can fail to load.

Now run the installer: next, next, etc.

Since Snort sniffs packets, you'll need WinPcap installed. You probably already have it if you've run Wireshark or other apps that capture packets; otherwise install it before starting Snort.

Setup

Once the install is complete, navigate to your Snort directory, e.g.:

C:\Snort>dir
 Volume in drive C has no label.
 Volume Serial Number is 2742-AE74
 
 Directory of C:\Snort
 
01/03/2015  11:12 AM    <DIR>          .
01/03/2015  11:12 AM    <DIR>          ..
01/03/2015  10:39 AM    <DIR>          bin
07/02/2017  09:12 AM               138 command.txt
01/03/2015  10:39 AM    <DIR>          doc
01/03/2015  10:39 AM    <DIR>          etc
01/03/2015  10:39 AM    <DIR>          lib
08/30/2017  04:25 PM    <DIR>          log
01/03/2015  10:39 AM    <DIR>          preproc_rules
01/03/2015  10:56 AM    <DIR>          rules
01/03/2015  10:39 AM            50,102 Uninstall.exe
               2 File(s)         50,240 bytes
               9 Dir(s)  43,470,057,472 bytes free
 
C:\Snort>


Since the binary lives in (you guessed it) the bin folder, you'll need to go to C:\Snort\bin to run snort, but it's nearly useless without rules in place.

Unzip the downloaded rules archive and copy the contents of its rules and preproc_rules folders into the two matching Snort folders:

C:\Snort\rules
C:\Snort\preproc_rules


Configure Rules

Open your Snort config file, C:\Snort\etc\snort.conf, in your favorite text editor. Again, Snort was designed primarily for Linux, so the defaults are set for a Unix-type environment.

It may differ slightly, but in Step 1 set HOME_NET to your home network (X is the third octet of your LAN, so a 192.168.1.x network becomes 192.168.1.0/24)…

var HOME_NET 192.168.X.0/24


and EXTERNAL_NET to everything that is not your home network:

var EXTERNAL_NET !$HOME_NET


The stock 2.9 file declares these two with ipvar rather than var; keep whichever keyword your file already uses and change only the value.


Change the “Path to your rules files” section to:

var RULE_PATH c:\snort\rules
var PREPROC_RULE_PATH c:\snort\preproc_rules


If you'd like Snort to write its logs to a specific directory, uncomment the “config logdir:” line and set it to your log directory (for the layout above, C:\Snort\log).

Next, go to “Step 4” in the config file. You'll see the default Linux paths for the dynamic preprocessors and the dynamic engine; change them to the Windows paths under C:\Snort\lib (the engine there is a .dll, not a .so), and comment out the dynamicdetection directory line, since the Windows build ships no shared-object rules.

Go through the rest of the config file, since you may wish to customize what you monitor.

Now that the config file is customized for Windows, we can test whether it works properly.
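Put together, the Windows-specific edits to the stock 2.9.x snort.conf look like the fragment below. This is an added illustration, not a file from the original post; it assumes the default install directory C:\Snort and a home LAN of 192.168.1.0/24, and shows the stock Linux value as a comment above each changed line. The stock file uses ipvar for the two address variables; if your build rejects ipvar, use var as in the text above.

```conf
###################################################
# Step #1: Set the network variables (assumed LAN 192.168.1.0/24)
###################################################
# stock: ipvar HOME_NET any
ipvar HOME_NET 192.168.1.0/24
# stock: ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET

# stock: var RULE_PATH ../rules
var RULE_PATH c:\Snort\rules
# stock: var PREPROC_RULE_PATH ../preproc_rules
var PREPROC_RULE_PATH c:\Snort\preproc_rules
# The reputation preprocessor in Step #5 reads white_list.rules and
# black_list.rules from these paths. Either create both files (empty is
# fine) in c:\Snort\rules or comment the "preprocessor reputation" block out.
# stock: var WHITE_LIST_PATH ../rules
var WHITE_LIST_PATH c:\Snort\rules
# stock: var BLACK_LIST_PATH ../rules
var BLACK_LIST_PATH c:\Snort\rules

###################################################
# Step #2: Configure the decoder
###################################################
# stock: # config logdir:
config logdir: c:\Snort\log

###################################################
# Step #4: Configure dynamic loaded libraries
###################################################
# stock: dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor
# stock: dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll
# stock: dynamicdetection directory /usr/local/lib/snort_dynamicrules
# The Windows build ships no shared-object rules, so leave this commented out.
# dynamicdetection directory c:\Snort\lib\snort_dynamicrules

###################################################
# Step #7: Customize your rule set
###################################################
# site specific rules (the stock file has this line; add it if yours does not)
include $RULE_PATH/local.rules
```

Re-run snort -T after each change: it stops at the first line it cannot parse and names it, so fixing the file is a matter of working down the errors one at a time.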

Test

Open up cmd and navigate to your Snort binaries folder (C:\snort\bin)

Before anything else, find the index of the interface Snort should monitor:

snort -W


This lists all of your interfaces with their index numbers (the capital W matters). Make sure to choose the right one; if you're not sure which, the rule test below will show whether Snort is seeing your traffic.

Once you have the interface index (or what you think is the correct one), run a quick config test, replacing 2 with your index:

snort -i 2 -c c:\snort\etc\snort.conf -T


-i = interface index from snort -W

-c = path to the configuration file

-T = test the configuration and exit (it reports the first line it cannot parse)

If everything looks good after the test, we can run another quick check to verify that rules are firing.

We'll set a temporary rule to alert on all TCP traffic. This is also where you find out whether you have the wrong interface selected: a running Snort that never alerts on your own browsing is almost certainly watching the wrong interface.

Add an include line to snort.conf under Step 7 (the stock file already carries it under “site specific rules”; add it if yours does not), such as:

include $RULE_PATH/local.rules


This points the main config at a local.rules file we can quickly create.

Open your favorite text editor and create a rule that alerts on all TCP traffic. Every custom rule needs its own sid, and by convention custom sids are 1,000,000 or higher so they never collide with the downloaded rule sets. The rule must start with an action keyword (alert here); all the file needs is this one line:

alert tcp any any -> any any (msg:"TCP conf test"; sid:1111111; rev:1;)


Save this as local.rules in C:\Snort\rules, the folder $RULE_PATH points to, so that the include line above resolves to it.
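Hand-written rules fail in exactly the ways just described: a wrong action keyword, a missing or reused sid, and snort -T only reports the first fatal error. The following check, an added example rather than anything from the original post, parses a local.rules file and reports those problems per line. The sample rules inside it are constructed for the demonstration, the set of accepted actions and protocols is the common subset assumed here, and the 1,000,000 lower bound for custom sids is the usual convention, not a Snort requirement.

```python
import re

# Actions and protocols a Snort 2.9 rule header may start with (assumed to be the
# subset a home setup needs).
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
VALID_PROTOS = {"tcp", "udp", "icmp", "ip"}
# Convention, not a Snort requirement: custom rules use sids >= 1,000,000 so they
# never collide with the downloaded Community/Registered rule sets.
LOCAL_SID_MIN = 1_000_000

# action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split 'msg:"a; b"; sid:1;' into [('msg', '"a; b"'), ('sid', '1')].

    A ';' inside a quoted msg/content value does not end the option.
    """
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    result = []
    for part in parts:
        if part:
            key, _, val = part.partition(":")
            result.append((key.strip(), val.strip()))
    return result


def check_rules(text):
    """Return a list of (line_number, problem) for every rule line that needs attention."""
    findings = []
    seen_sids = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((lineno, "cannot parse rule header or options"))
            continue
        if m["action"] not in VALID_ACTIONS:
            findings.append((lineno, f"unknown action '{m['action']}' (a test rule should start with 'alert')"))
        if m["proto"] not in VALID_PROTOS:
            findings.append((lineno, f"unknown protocol '{m['proto']}'"))
        opts = dict(split_options(m["opts"]))
        if "msg" not in opts:
            findings.append((lineno, "missing msg, so the alert would be unlabelled"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            findings.append((lineno, "missing or non-numeric sid"))
        else:
            sid = int(sid)
            if sid < LOCAL_SID_MIN:
                findings.append((lineno, f"sid {sid} is below the local range (>= {LOCAL_SID_MIN})"))
            if sid in seen_sids:
                findings.append((lineno, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
            else:
                seen_sids[sid] = lineno
        if "rev" not in opts:
            findings.append((lineno, "missing rev (add rev:1 so later edits can be tracked)"))
    return findings


# Constructed sample local.rules: line 2 is a correct test rule, line 3 repeats the
# action-keyword mistake, line 4 reuses a sid, line 5 uses a sid from the reserved range.
SAMPLE_RULES = """\
# constructed local.rules for this check
alert tcp any any -> any any (msg:"TCP conf test"; sid:1111111; rev:1;)
rule tcp any any -> any any (msg: "TCP conf test"; sid:1111112; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP from outside"; sid:1111111; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP to home net"; sid:5;)
"""

if __name__ == "__main__":
    for lineno, problem in check_rules(SAMPLE_RULES):
        print(f"local.rules:{lineno}: {problem}")
```

Run it against your real file with check_rules(open(r"C:\Snort\rules\local.rules").read()) before reaching for snort -T; it reports every problem in one pass, and a clean result means the remaining errors, if any, are in the downloaded rule sets rather than your own.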

Now run snort…

snort -i 2 -c c:\snort\etc\snort.conf -A console


It takes a few seconds to start and load everything. Once you see “Commencing packet processing”, all is good. Now test by navigating to a webpage or refreshing this one, anything that creates TCP traffic. If everything is set up correctly, Snort will have caught it and printed the alert.
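When the test rule fires, -A console prints one fast-format alert line per packet. The script below, added here as an example and not part of the original post, parses that output, counts hits per sid and direction, and tells you whether the test sid appeared; a run that reaches packet processing but never reports the test sid usually means the wrong interface index. The console lines embedded in it are constructed, the second rule in them is invented for the sample, and the alert line layout and the 192.168.1.0/24 home prefix are assumptions.

```python
import re
from collections import Counter

# One fast-format alert line as printed by `snort -A console` (layout assumed from
# Snort 2.9 fast alerts; the Classification field only appears when the rule sets a classtype).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alerts(lines):
    """Return one dict per line that looks like a fast alert; startup chatter is ignored."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts, home_prefix):
    """Count hits per sid and how many alerts left or entered the home net (assumed prefix)."""
    per_sid = Counter(a["sid"] for a in alerts)
    outbound = sum(1 for a in alerts if a["src"].startswith(home_prefix))
    inbound = sum(1 for a in alerts if a["dst"].startswith(home_prefix))
    return {"per_sid": dict(per_sid), "outbound": outbound, "inbound": inbound}


def verify_test_rule(console_output, test_sid="1111111"):
    """Say whether the temporary test rule fired and, if not, what to check next."""
    alerts = parse_alerts(console_output.splitlines())
    if any(a["sid"] == test_sid for a in alerts):
        return "ok"
    if "Commencing packet processing" in console_output:
        return ("no alert for the test sid: Snort ran but saw no TCP traffic, "
                "so check the -i index against snort -W and that local.rules is included")
    return "Snort never reached packet processing: re-run with -T and read the error"


# Constructed console output; sid 1000002 and its message are invented for the sample.
SAMPLE_OUTPUT = """\
Commencing packet processing (pid=4120)
08/30-16:25:12.345678  [**] [1:1111111:1] TCP conf test [**] [Priority: 0] {TCP} 192.168.1.10:49321 -> 93.184.216.34:80
08/30-16:25:12.401122  [**] [1:1111111:1] TCP conf test [**] [Priority: 0] {TCP} 93.184.216.34:80 -> 192.168.1.10:49321
08/30-16:25:13.000001  [**] [1:1000002:1] Sample inbound rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 93.184.216.34:80 -> 192.168.1.10:49321
"""

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_OUTPUT.splitlines())
    print(summarize(found, "192.168.1."))
    print(verify_test_rule(SAMPLE_OUTPUT))
```

To use it on a real run, redirect the console to a file (snort ... -A console > run.txt in cmd) and pass the file's contents to verify_test_rule; the per-sid counts from summarize are also a quick way to see which downloaded rules are noisiest once the test rule is removed.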

Run

Now that you know it's working, remove or comment out the test rule (otherwise every TCP packet will raise an alert) and run Snort with the real rule set.

To make things easier, create a batch file that you can run at startup or whenever you want:

Snort.bat:

@echo off
cd /d C:\Snort\bin
rem -A console prints alerts to this window; add -l C:\Snort\log to also write them to the log directory
snort -i 2 -c C:\Snort\etc\snort.conf -A console
