Defending your network with Snort for Windows

When you hear about Snort, the de facto standard in intrusion detection systems, you think of Linux. Snort also offers a Windows installer, and its signatures (rules) can be used on any operating system it runs on.

Snort should run on a dedicated computer in your network. That computer's logs should be reviewed often to spot malicious activity on your network.

Steps to install Snort on Windows:

1. Download Snort from the Snort.org website (http://www.snort.org/snort-downloads).
2. Download the rules from the same site. You must register to get the rules. (You should download these often.)
3. Double-click the .exe to install Snort. This installs Snort in the "C:\Snort" folder. It is important to have WinPcap installed, since Snort relies on it to capture packets on Windows.
4. Extract the rules file. You will need WinRAR for the .gz file.
5. Copy all files from the "rules" folder of the extracted archive and paste them into the "C:\Snort\rules" folder.
6. Copy the "snort.conf" file from the "etc" folder of the extracted archive and paste it into the "C:\Snort\etc" folder, overwriting any existing file. Remember that if you have modified your snort.conf and then download a new one, you must apply your modifications again for Snort to work.
7. Open a command prompt (cmd.exe) and navigate to the "C:\Snort\bin" folder (at the prompt, type cd \snort\bin).
8. To start (execute) Snort in sniffer mode, use the following command:

   snort -dev -i 3

   -i indicates the interface number. You must pick the correct interface number; in my case, it is 3.
   -dev runs Snort as a packet sniffer, printing each captured packet (verbose, with link-layer headers and application data) to the console.

To check the interface list, use the following command:

   snort -W

[Screenshot: finding an interface in the output of snort -W]

You can tell which interface to use by looking at the Index number and finding the Microsoft entry. As you can see in the example above, the other interfaces are for VMware. My interface is 3.

9. To run Snort in IDS mode, you will need to configure the file "snort.conf" according to your network environment.
10. To specify the network address that you want to protect, look for the following line in snort.conf (you will normally see "any" here):

   var HOME_NET 192.168.1.0/24

11. You may also want to set the addresses of DNS_SERVERS, if you have some on your network.

Example:

[Screenshot: snort.conf example for HOME_NET and DNS_SERVERS]

12. Change the RULE_PATH variable to the path of the rules folder:

   var RULE_PATH c:\snort\rules

[Screenshot: RULE_PATH setting]

13. Change the path of every library file to the name and path on your system, including the snort_dynamicpreprocessor path:

   C:\Snort\lib\snort_dynamicpreprocessor

   You need to do this for all library paths that should point into the "C:\Snort\lib" folder. The old path will look like "/usr/local/lib/…"; replace it with the path on your system, C:\Snort\lib.
14. Change the value of the "dynamicengine" variable in the "snort.conf" file. Example:

   dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

[Screenshot: library paths in snort.conf]

15. Add the paths for the "include classification.config" and "include reference.config" lines:

   include c:\snort\etc\classification.config
   include c:\snort\etc\reference.config

16. Remove the comment (#) on the line that includes the ICMP rules, if it is commented out:

   include $RULE_PATH/icmp.rules

17. You can also remove the comment on the ICMP-info rules line, if it is commented out:

   include $RULE_PATH/icmp-info.rules

18. To store the alerts generated by Snort in a log file, search for the text "output log" in snort.conf and add the following line:

   output alert_fast: snort-alerts.ids

19. Comment out (add a #) the whitelist $WHITE_LIST_PATH/white_list.rules line and the blacklist line, and change

   nested_ip inner, \

   to

   nested_ip inner #, \

20. Comment out (#) the following lines:

   #preprocessor normalize_ip4
   #preprocessor normalize_tcp: ips ecn stream
   #preprocessor normalize_icmp4
   #preprocessor normalize_ip6
   #preprocessor normalize_icmp6

21. Save the "snort.conf" file.
22. To start Snort in IDS mode, run the following command:

   snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 3

   (Note: 3 is the number of my interface card.)

If a log is created, select an appropriate program to open it. You can use WordPad or Notepad++ to read the file.

To print alerts to the console and write the packet logs as ASCII text rather than in binary format, use the following command while running Snort in IDS mode:

   snort -A console -i3 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii
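Steps 9 through 21 are a series of hand edits to snort.conf that are easy to get partly wrong, and that have to be repeated every time a fresh snort.conf is copied in (see the warning in step 6). The Python script below is an added example, not code from this post or from the Snort project: it applies those edits to the text of a snort.conf in one pass and then reports any active line that still points at the Linux default library path. The configuration fragment embedded in it is constructed to resemble the stock snort.conf and is not a real file; the "C:\Snort" root and the 192.168.1.0/24 network are the values used in this post, and the function names are this example's own.

```python
"""Apply the Windows adjustments from steps 9-21 to a snort.conf and check
the result.  Added example for this post, not code from the Snort project.
The sample fragment below is constructed to resemble the stock Snort 2.9
snort.conf; only the directives the steps touch are included."""
import re

# Constructed fragment (not a real file from the post).  Note the Linux
# default library paths and the rule includes that may ship commented out.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include classification.config
include reference.config
# include $RULE_PATH/icmp.rules
# include $RULE_PATH/icmp-info.rules
"""


def windows_adapt(conf, home_net="192.168.1.0/24", snort_root=r"C:\Snort"):
    """Return conf rewritten line by line with the edits from the steps above.
    Running it twice gives the same result, so it is safe to re-apply after
    copying in a fresh snort.conf."""
    out = []
    for line in conf.splitlines():
        s = line.strip()
        m = re.match(r"^(ipvar|var)\s+HOME_NET\s", line)
        if m:                                                  # step 10
            line = f"{m.group(1)} HOME_NET {home_net}"
        elif re.match(r"^var\s+RULE_PATH\s", line):            # step 12
            line = f"var RULE_PATH {snort_root}\\rules"
        elif line.startswith("dynamicpreprocessor directory "):  # step 13
            line = f"dynamicpreprocessor directory {snort_root}\\lib\\snort_dynamicpreprocessor"
        elif line.startswith("dynamicengine "):                # step 14
            line = f"dynamicengine {snort_root}\\lib\\snort_dynamicengine\\sf_engine.dll"
        elif s in ("include classification.config", "include reference.config"):  # step 15
            line = f"include {snort_root}\\etc\\{s.split()[1]}"
        elif re.match(r"^#\s*include\s+\$RULE_PATH/icmp(-info)?\.rules", line):  # steps 16-17
            line = re.sub(r"^#\s*", "", line)
        elif line.startswith("preprocessor normalize_"):       # step 20
            line = "#" + line
        elif not s.startswith("#") and re.search(             # step 19
                r"(whitelist \$WHITE_LIST_PATH|blacklist \$BLACK_LIST_PATH)", s):
            line = "#" + line
        elif s.startswith("nested_ip inner,"):                 # step 19, exactly as the post describes it
            line = line.replace("nested_ip inner,", "nested_ip inner #,", 1)
        out.append(line)
    if not any(l.startswith("output alert_fast:") for l in out):  # step 18
        out.append("output alert_fast: snort-alerts.ids")
    return "\n".join(out) + "\n"


def unix_path_leftovers(conf):
    """Active (uncommented) lines that still point at the Linux default
    library path; after adaptation this list should be empty."""
    return [l for l in conf.splitlines()
            if not l.lstrip().startswith("#") and "/usr/local/lib" in l]


if __name__ == "__main__":
    adapted = windows_adapt(SAMPLE_CONF)
    print(adapted)
    print("leftover Linux paths:", unix_path_leftovers(adapted))
```

On the Windows machine, read C:\Snort\etc\snort.conf, pass its text to windows_adapt, review the differences, and write the result back; run unix_path_leftovers on the result to confirm nothing still points at /usr/local/lib before starting Snort in IDS mode.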

23. Scan the computer that is running Snort from another computer, using ping or Nmap (Zenmap).

After scanning, or during the scan, check the snort-alerts.ids file in the log folder to ensure that it is logging properly. You will also see folders named after IP addresses appear in the log folder.
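Step 23 confirms that alerts land in snort-alerts.ids, but the advice at the top of this post, that the logs should be reviewed often, needs a way to read them. The Python script below is an added example, not part of this post or of Snort: it parses the alert_fast format configured in step 18, skips malformed lines, and summarises alerts per source address so that the noisiest or most severe sources can be triaged first. The log lines embedded in it are constructed for illustration (the LOCAL signatures use the SID range reserved for local rules), and the function names and summary keys are this example's own.

```python
"""Parse a Snort alert_fast log (the snort-alerts.ids file from step 18) and
summarise it per source address.  Added example for this post, not part of
Snort itself.  The alert lines below are constructed for illustration."""
import re

# Constructed sample in alert_fast format; the last line is deliberately
# malformed to show that the parser skips it rather than failing.
SAMPLE_ALERTS = """\
09/15-14:02:11.532110  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.10
09/15-14:02:12.101877  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.10
09/15-14:02:15.220043  [**] [1:1000001:1] LOCAL TCP SYN to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51234 -> 192.168.1.10:23
09/15-14:02:15.220981  [**] [1:1000001:1] LOCAL TCP SYN to closed port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51235 -> 192.168.1.10:445
09/15-14:05:40.007712  [**] [1:1000002:1] LOCAL web request seen [**] [Priority: 3] {TCP} 10.0.0.5:40122 -> 192.168.1.10:80
this line is not an alert and is skipped by the parser
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["priority"] = int(a.pop("prio"))
        a["sid"] = int(a["sid"])
        a["sport"] = int(a["sport"]) if a["sport"] else None
        a["dport"] = int(a["dport"]) if a["dport"] else None
        alerts.append(a)
    return alerts


def summarize_by_source(alerts):
    """Per source IP: alert count, distinct signature messages, the most
    severe priority seen (a lower number is more severe), and the
    destination ports touched."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault(a["src"], {
            "count": 0, "signatures": set(), "top_priority": 99, "dst_ports": set()})
        entry["count"] += 1
        entry["signatures"].add(a["msg"])
        entry["top_priority"] = min(entry["top_priority"], a["priority"])
        if a["dport"] is not None:
            entry["dst_ports"].add(a["dport"])
    return summary


def noisiest_sources(summary, n=5):
    """Source IPs ordered by alert count, then by severity, for triage."""
    return sorted(summary,
                  key=lambda ip: (-summary[ip]["count"], summary[ip]["top_priority"]))[:n]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    by_src = summarize_by_source(parsed)
    for ip in noisiest_sources(by_src):
        e = by_src[ip]
        print(f"{ip}: {e['count']} alerts, top priority {e['top_priority']}, "
              f"ports {sorted(e['dst_ports'])}, signatures {sorted(e['signatures'])}")
```

Point parse_alerts at the text of C:\Snort\log\snort-alerts.ids to run it against a real log; a source that appears with many distinct signatures and destination ports in a short window, as 192.168.1.77 does in the constructed sample, is the kind of entry worth looking at first.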

[Screenshot: Snort monitoring traffic]

[Screenshot: Snort's detailed report when scanning has stopped]

[Screenshot: log files]

Note: Read the setup and configuration documentation for Snort at Snort.org. While this is only a demo, Snort can be configured in thousands of ways to detect malicious activity on your network and alert you to it. Downloading signatures often is extremely important.

About TCAT Shelbyville IT Department

The Tennessee College of Applied Technology is one of 46 institutions in the Tennessee Board of Regents System, the seventh largest system of higher education in the nation. This system comprises six universities, fourteen community colleges, and twenty-six Applied Technology Colleges.

1 Response to Defending your network with Snort for Windows

  1. Deborah says:

    Thank you so much – excellent resource!!
