Post by ZF on Mar 20, 2014 1:39:14 GMT -5
Installing Snort 2.8.6.0 on Windows 7
Right-click on the snortrules-snapshot-2861.tar.gz file that we downloaded and choose “Extract Here”:
Right-click on the newly extracted file (snortrules-snapshot-2861.tar) and choose “Extract files...”
Change the Path to C:\Snort and check “Overwrite without prompt”:
Configuring the snort.conf File:
Using Notepad++, open the file C:\Snort\etc\snort.conf and change the following lines so that they read:
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH C:\Snort\rules
var SO_RULE_PATH C:\Snort\so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules
# If you are using reputation preprocessor set these
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
Verifying Snort Operation:
Open a Command Prompt and run c:\snort\bin\snort -W (be sure to use a capital “W”). This lists the available network interfaces with their Device Interface numbers.
Now run c:\snort\bin\snort -v -iX (replace X with your Device Interface number found by running the previous command).
After a couple of seconds you will see “Not Using PCAP_FRAMES”. Snort is now running and will alert you if a Rule is triggered. If a Rule is triggered, the command prompt window will rapidly scroll text. While still leaving the Snort command prompt window open, launch a second command prompt window. From the new window, run the command ping google.com. If it hasn't occurred already, this ping command will trigger a Snort alert. You can now close both command prompt windows, as we have verified that Snort is installed and alerting correctly in verbose mode.
To test that our configuration file is correct, open a new command prompt window and type:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf -T (replace X with your Device Interface number)
If you have correctly entered all information, you should receive a graceful exit such as the screen shot below. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file and then search through the file for entries matching your fatal error message.
If you receive an error stating “Could not create the registry key.” it is because you are not running the command prompt as an Administrator.
Verifying Kiwi Operation and tying it to Snort:
Now open the Kiwi Syslog Server Console and type CTRL-T (you should see a test message appear, which indicates Kiwi is working).
Using Notepad++, create a file on your Desktop called Snortstart.bat and place the following line of code in it:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with your Device Interface number)
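An expanded version of Snortstart.bat, added here as an example and not part of the original post: it runs the same -T configuration test from the section above before starting Snort for real, so a broken snort.conf stops the script instead of leaving a silently failed sensor. The interface number (1) and the C:\Snort install path are assumptions; set them to match your system.

```batch
@echo off
REM Snortstart.bat (added example): validate snort.conf, then start Snort.
REM Assumed values: adjust IFACE to the number shown by "snort -W".
set SNORT_HOME=C:\Snort
set IFACE=1
set SNORT_CONF=%SNORT_HOME%\etc\snort.conf
set SNORT_LOG=%SNORT_HOME%\log\

REM Snort needs an elevated prompt on Windows ("Could not create the registry key").
REM "net session" only succeeds when the console is running as Administrator.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from a command prompt opened as Administrator.
    exit /b 1
)

REM Step 1: test the configuration only (-T), exactly as in the verification step.
REM Snort exits non-zero on a fatal configuration error, so errorlevel catches it.
"%SNORT_HOME%\bin\snort.exe" -i%IFACE% -s -l "%SNORT_LOG%" -c "%SNORT_CONF%" -T
if errorlevel 1 (
    echo snort.conf failed validation. Fix the fatal error reported above before starting Snort.
    exit /b 1
)

REM Step 2: configuration is good, so start Snort in IDS mode.
REM -s sends alerts to syslog (the Kiwi Syslog Server from the previous step),
REM -l keeps packet logs under %SNORT_LOG%.
echo Configuration OK. Starting Snort on interface %IFACE% ...
"%SNORT_HOME%\bin\snort.exe" -i%IFACE% -s -l "%SNORT_LOG%" -c "%SNORT_CONF%"
```

Run the file from an Administrator command prompt; if the -T pass fails, the message it prints is the same fatal error message you would search snort.conf for by hand.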