Install snort under Windows

Source: Internet
Author: User
Tags php script save file phpmyadmin

You need to install Snort under Windows. The process is fairly troublesome, mainly because of the configuration.

There is a comprehensive web site that describes how to install Snort under Windows: http://www.winsnort.com/

There are some articles on the internet, but they are relatively old and the environment they describe is very complex, including MySQL. I just want to use Snort from the command line, which is enough.

Full official WinIDS installation guide: http://wenku.baidu.com/view/e676414f2b160b4e767fcf29.html

The process of configuring Snort: http://blog.sina.com.cn/s/blog_627b3f930100x5pe.html [This one is explained very carefully, and it has all the resources you need to download. Nice!]

Installing Snort on the Windows platform: http://www.smatrix.org/bbs/read.php?tid=4366
A Snort-based intrusion detection system on the Windows platform: http://wenku.baidu.com/view/a4bda62a3169a4517723a3e1.html

Snort installation guide (Windows 2003 platform): http://comic.sjtu.edu.cn/bbs/forum_posts.asp?TID=4100

Detailed steps for deploying Snort as an intrusion detection system (IDS) on Windows XP: http://hi.baidu.com/cia%D0%AD%BB%E1/blog/item/d8eb98177f45a44020a4e9e0.html

Here is the Snort-related software mentioned in the articles above:

First get the packages we need (the latest versions at the time the articles were written):
1. Snort2.0.exe (the latest version of Snort for the Windows platform; the Linux platform is already at Snort 2.4.3)
http://www.snort.org
2. Winpcap_3_2_alpha1.exe (Windows version of the pcap packet-capture library)
http://winpcap.polito.it
3. Idscenter11rc4.zip (IDScenter, a Windows graphical console for Snort)
http://www.packx.net
4. Sam_20050206_bin.zip (real-time alert analysis software for Snort on Unix and Windows, written in Java)
http://www.lookandfeel.com
5. Mysql-5.0.16-win32.zip (Windows version of the MySQL database server)
http://www.mysql.com
6. acid-0.9.6b23.tar.gz (ACID, the PHP-based Analysis Console for Intrusion Databases)
http://www.cert.org/kb/acid
7. Adodb465.tgz (ADOdb, the Active Data Objects Data Base library for PHP)
http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb465.zip
8. Apache_2055-win32.msi (Windows version of the Apache web server)
http://www.apache.org
9. Php-5.1.1-win32.zip (Windows version of the PHP scripting environment)
http://www.php.net
10. jpgraph-2.0.tar.gz (graphics library for PHP)
http://www.aditus.nu/jpgraph
11. Phpmyadmin-2.2.7-pl1-php3.zip (PHP-based MySQL database administration program)
http://www.phpmyadmin.net
12. BASE 1.2.7 (Basic Analysis and Security Engine, a PHP-based intrusion detection database analysis console)
http://sourceforge.net/project/showfiles.php?group_id=103348

How to install each of these packages is not covered here; refer to the articles above.

What follows deals specifically with configuring Snort.

After Snort is installed, you need to edit the snort.conf file in the etc directory.

#Under Windows, snort.conf must be modified in several places:

Original: var RULE_PATH ../rules
Change to: var RULE_PATH C:\Snort\rules

Original: #dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor (the path must not end with a slash)

Original: #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

Original: dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: dynamicdetection directory C:\Snort\lib\snort_dynamicrules
Then copy all the files from C:\Snort\so_rules\precompiled\FC-9\i386\2.9.0.1 to C:\Snort\lib\snort_dynamicrules. The FC-9 above is not necessarily right; try it first, since it differs from system to system. Note that the precompiled SO rules are platform-specific shared libraries (FC-9 is a Fedora Core 9 Linux build, i.e. ELF .so files), so a Windows snort.exe cannot load them; if there is no Windows build of the SO rules for your Snort version, comment out the dynamicdetection line rather than copying Linux files into that directory.

Original: include classification.config
Change to: include C:\Snort\etc\classification.config

Original: include reference.config
Change to: include C:\Snort\etc\reference.config

Original: # include threshold.conf
Change to: include C:\Snort\etc\threshold.conf

Original:
# does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
Change to: add a # in front of each of the five preprocessor normalize_* lines to comment them out (as the comment says, the normalizers do nothing in IDS mode).

Original: preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
Change to: preprocessor http_inspect: global iis_unicode_map C:\Snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
This is because under Windows the unicode.map file lives in the etc folder.

Save the file once these changes are made.
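To make the edits above reproducible, and to catch the two mistakes that most often break startup after a hand edit (a directory directive with a trailing slash and a normalize_* preprocessor left active), here is an added example in Python. It is not part of the original article: it applies the same substitutions to a stock snort.conf and then checks the result. The snort.conf excerpt it operates on is constructed for the example, and C:\Snort is assumed to be the install directory, as in the text.

```python
import re

# Constructed excerpt of a stock snort.conf as shipped in the installer's etc
# directory (Linux paths, normalizers enabled). Only the directives the text
# edits are included; a real file has many more lines, which pass through untouched.
STOCK_SNORT_CONF = """\
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
# path to dynamic preprocessor libraries
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# path to base preprocessor engine
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
include classification.config
include reference.config
# include threshold.conf
"""

INCLUDE_RE = re.compile(r"^#?\s*include\s+(classification\.config|reference\.config|threshold\.conf)$")


def windowsize_snort_conf(text, snort_root=r"C:\Snort"):
    """Apply the Windows edits from the text to a stock snort.conf and return the new text.

    snort_root is assumed to be the Snort install directory (C:\\Snort in the text).
    """
    lib, etc = snort_root + r"\lib", snort_root + r"\etc"
    out = []
    for line in text.splitlines():
        s = line.strip()
        if re.match(r"^var\s+RULE_PATH\s", s):
            out.append(f"var RULE_PATH {snort_root}\\rules")
        # Dynamic libraries: uncomment and point at lib\...; directory paths get no trailing separator.
        elif re.match(r"^#?\s*dynamicpreprocessor\s+directory\b", s):
            out.append(f"dynamicpreprocessor directory {lib}\\snort_dynamicpreprocessor")
        elif re.match(r"^#?\s*dynamicengine\b", s):
            out.append(f"dynamicengine {lib}\\snort_dynamicengine\\sf_engine.dll")
        elif re.match(r"^#?\s*dynamicdetection\s+directory\b", s):
            out.append(f"dynamicdetection directory {lib}\\snort_dynamicrules")
        # Bare includes become absolute paths into etc (this also enables threshold.conf).
        elif INCLUDE_RE.match(s):
            out.append(f"include {etc}\\{INCLUDE_RE.match(s).group(1)}")
        # Normalizers only act inline; comment them out for IDS mode.
        elif re.match(r"^preprocessor\s+normalize_", s):
            out.append("#" + s)
        # unicode.map lives in etc on Windows.
        elif s.startswith("preprocessor http_inspect: global"):
            out.append(s.replace("iis_unicode_map unicode.map", f"iis_unicode_map {etc}\\unicode.map"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_windows_conf(text):
    """Return a list of problems a hand edit commonly leaves behind (empty list = clean)."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # comments are inert, whatever they contain
        if re.match(r"^dynamic\w+\s+directory\s+\S+[\\/]$", s):
            problems.append(f"line {n}: directory directive must not end with a separator")
        if re.match(r"^preprocessor\s+normalize_", s):
            problems.append(f"line {n}: normalize_* preprocessor is active but only works inline")
        if re.search(r"(^|\s)/usr/", s):
            problems.append(f"line {n}: Unix path left in a Windows config")
        if re.match(r"^include\s+\w+\.(config|conf)$", s):
            problems.append(f"line {n}: bare include; the text gives these an absolute path into etc")
    return problems


if __name__ == "__main__":
    fixed = windowsize_snort_conf(STOCK_SNORT_CONF)
    print(fixed)
    for problem in check_windows_conf(STOCK_SNORT_CONF):
        print("stock:", problem)
    print("fixed:", check_windows_conf(fixed) or "no problems found")
```

To use it on a real installation, feed the contents of C:\Snort\etc\snort.conf to windowsize_snort_conf, review the differences, and write the result back; run check_windows_conf on the saved file again after any later manual edit.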

#Download the rule set

When you install Snort under Windows there is no rule set by default; you need to download it yourself from http://www.snort.org/snort-rules/#rules. Registration is required, but I have already downloaded it ...

#Set up preprocessors

Some detection preprocessors can be set up directly in snort.conf; they can also be configured through front-end software such as IDScenter, mentioned below. For example:

To set up the port-scan preprocessor, uncomment the second line and add a logfile option at the end:
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

To set up the ARP-spoofing preprocessor, likewise uncomment the lines and change the IP and MAC to your own values:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 172.26.75.114 bc:ae:c5:81:be:95

Other preprocessor settings are similar.

#Set up output

Configure output in the section below; uncomment the line for each output you need.
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

For example:
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

Add: output alert_fast: alert.ids (an alert log in fast mode)
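Once alert_fast output is enabled, alert.ids fills with one line per alert, and the first thing you want is a count per signature and per source. As an added example, not part of the original article, here is a Python parser and summary for that format. It handles the alerts the sfportscan preprocessor above emits, which carry no ports and no classification, and treats lines it cannot parse as skipped rather than crashing. The alert lines are constructed for the example (the addresses reuse the 172.26.75.114 host from the arpspoof example, and sid 1000001 is a made-up local rule); IPv4 addresses are assumed.

```python
import re
from collections import Counter

# Constructed alert.ids content in Snort's alert_fast format (no -y, so no year
# in the timestamp). Addresses and the local sid 1000001 are made up for the example.
SAMPLE_ALERT_IDS = """\
05/21-14:03:17.234567  [**] [1:1000001:1] LOCAL web admin path probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.26.75.200:51234 -> 172.26.75.114:80
05/21-14:03:17.301122  [**] [1:1000001:1] LOCAL web admin path probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.26.75.200:51235 -> 172.26.75.114:80
05/21-14:03:19.000412  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.26.75.200 -> 172.26.75.114
05/21-14:03:25.512000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 172.26.75.200 -> 172.26.75.114
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(r"""
    ^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+  # MM/DD[/YY]-HH:MM:SS.usec
    \[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+       # [**] [gid:sid:rev]
    (?P<msg>.*?)\s+\[\*\*\]\s+                                     # rule message
    (?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?                  # absent for preprocessor alerts
    \[Priority:\s+(?P<pri>\d+)\]\s+
    \{(?P<proto>[^}]+)\}\s+                                         # {TCP}, {ICMP}, {PROTO:255} ...
    (?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+                       # IPv4 src[:port] (IPv4 assumed)
    (?P<dst>\S+?)(?::(?P<dport>\d+))?$                              # IPv4 dst[:port]
""", re.VERBOSE)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        a[key] = int(a[key])
    # Ports are absent for ICMP and for sfportscan pseudo-packets.
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def summarize(text):
    """Count alerts per (gid, sid, msg) and per source address; count unparsable lines separately."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        by_sig[(a["gid"], a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
    return {"by_signature": by_sig, "by_source": by_src, "skipped": skipped}


def high_priority(text, max_priority=1):
    """Return parsed alerts at or above the given priority (in Snort, 1 is the most severe)."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [a for a in alerts if a is not None and a["pri"] <= max_priority]


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERT_IDS)
    for (gid, sid, msg), count in summary["by_signature"].most_common():
        print(f"{count:4d}  [{gid}:{sid}] {msg}")
    for src, count in summary["by_source"].most_common():
        print(f"{count:4d}  from {src}")
    print(f"skipped {summary['skipped']} non-alert line(s)")
    for a in high_priority(SAMPLE_ALERT_IDS):
        print("priority 1:", a["ts"], a["msg"], a["src"], "->", a["dst"], a["dport"])
```

Point summarize at the real file with open(r"C:\Snort\log\alert.ids").read(); if you start Snort with -y, the year is included in the timestamp and the pattern already allows for it.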

#Choose the network interface:

Open a command prompt in the directory containing snort.exe and run snort -W to list the system's available network interfaces (the switch is an uppercase W). Note the index of the interface you need to monitor, for example 2, then select it with -i 2.

#Install Snort as a system service:

C:\snort\bin>snort /SERVICE /INSTALL -c ../etc/snort.conf -i 2 -l ../log -de

[SNORT_SERVICE] Successfully added the Snort service to the Services database.

If you see the message above, the installation succeeded.

#Set the Snort service to start automatically

You can set the Snort service to start automatically in services.msc (Startup type: Automatic).

#If you change snort.conf, you need to restart Snort so that it reloads the configuration file (it is worth running snort -T with the same -c option first to test the new configuration, so the service does not fail on startup):

net stop Snortsvc

net start Snortsvc

#If something went wrong, you can delete the Snort service (stop it first with net stop snortsvc):

sc delete snortsvc

Once everything is in place, start Snort in IDS mode from the command line:

snort -i 2 -de -l ../log -c ../etc/snort.conf

You can also install IDScenter to manage Snort from a graphical interface.
