Snort Setup on Windows 7
Quick and simple setup of Snort on a home Windows 7 machine for the beginner. Having Snort on your home PC may be a bit overkill, but adds an extra layer of security your AV or other security apps may not catch. It’s an excellent idea if you’d like to get some hands on experience with an IDS. It’s primarily catered toward unix/linux environments, but also works for Windows.
First install Snort. At the time of this writing it’s version 126.96.36.199.
Then find the windows exe binary…
Next, download the rules on the same page. The Community rules will be just fine for home use, otherwise Registered rules are free, but you’ll have to create an account.
Now run the installer, next, next etc.
Since Snort sniffs packets, you’ll need WinPcap installed. You should already have it if you’ve ran wireshark or other apps that require packet sniffing.
Once the install is complete, navigate to your Snort directory. Ex..
C:\Snort>dir Volume in drive C has no label. Volume Serial Number is 2742-AE74 Directory of C:\Snort 01/03/2015 11:12 AM <DIR> . 01/03/2015 11:12 AM <DIR> .. 01/03/2015 10:39 AM <DIR> bin 07/02/2017 09:12 AM 138 command.txt 01/03/2015 10:39 AM <DIR> doc 01/03/2015 10:39 AM <DIR> etc 01/03/2015 10:39 AM <DIR> lib 08/30/2017 04:25 PM <DIR> log 01/03/2015 10:39 AM <DIR> preproc_rules 01/03/2015 10:56 AM <DIR> rules 01/03/2015 10:39 AM 50,102 Uninstall.exe 2 File(s) 50,240 bytes 9 Dir(s) 43,470,057,472 bytes free C:\Snort>
Since the binary lives in (you guessed it) the binary folder, you’ll need to navigate to the /bin folder to run snort..but it’s nearly useless without rules in place.
Unzip the newly downloaded rules file to your 2 Snort Rules folders.
Go to your snort config file /etc/snort.conf and open in your favorite txt editor. Again, Snort was designed primarily for Linux, so the default configs are set for a Unix type environment.
It may differ slightly, but change…
var HOME_NET 192.168.YourIPoctet.1/24
and everything but your you home network or….
var EXTERNAL_NET !$HOME_NET
Change the “Path to your rules files..” section to:
var RULE_PATH c:\snort\rules var PREPROC_RULE_PATH c:\snort\preproc_rules
If you’d like to create a log file and set its path, then change the “config logdir” which is commented out, to you current log file dir.
Next, in the conifg file go to “Step 4”. You’ll see some default linux paths - change them to your windows paths. (dynamic engine C:\snort\lib)
Go through the rest of the config file, as you may wish to customize what you’d like to monitor.
Now that the config file is complete and customized for Windows we can test if it works properly.
Open up cmd and navigate to your Snort binaries folder (C:\snort\bin)
Before anything else can be done, you’ll need to find the correct interface for snort to monitor.
This will display all of your interfaces. Make sure to choose the right one - if you’re not sure which one we’ll run a rul test to verify snort is working.
Once you have the correct interface (or what you think is the correct on), we can run quick config test.
snort -i 2 -c c:\etc\snort.conf -T
i = interface
c = rule path
T = test
If everything looks good after the test, then we can run another quick test to verify rules are working properly.
We’ll set a temporary rule to alert on all TCP traffic. This is also where you can figure out if you have the wrong interface selected.
Create a path in the snort.conf file under Step 7 such as
This will point our master rules file to a local.rules file we can quickly create.
Open up your favorite text editor and create a rule to alert on all TCP. (Make sure to change the sid’s if you make more custom rules). All you’ll need in the text file is a rule string…
rule tcp any any -> any any (msg: "TCP conf test"; sid:1111111; )
Save this as local.rules in your c:\Snort\etc folder or default rule path.
Now run snort…
snort -i 2 -c c:\snort\etc\snort.conf -A console
It takes a few seconds to fire up and load everything. Once you see Commencing packet processing all is good. Now test by navigating to a webpage or refreshing this one - something to create TCP traffic. If done correctly Snort should’ve caught this and triggered the alert.
Now you know it’s working properly, so you can remove or comment out the TCP rule, and start running Snort.
To make things easier you can create a batch file to either run at start up or run whenever executed.
cd c:\Snort\bin snort -i 2 -c c:\snort\etc\snort.conf -A console