< Snort on Windows XP  Pro SP2 | Java & Friends  | Snort and MySQL Database >



Testing Snort on Windows XP  Pro SP2



What do we have in this session?

  1. Testing Snort from Windows Console

  2. Testing Snort Config File

  3. Running Snort from any Windows Path

  4. Snort in Sniffer mode

  5. Snort as Packet Logger

  6. The Not Using PCAP_FRAMES message






Testing Snort from Windows Console


Save and close the snort.conf file. Launch Windows command prompt. Type:


C:\>Snort\bin\snort --h or C:\>Snort\bin\snort -?


The command will invoke the Helps.


Running the Snort command from Windows command prompt with -h option (help)


A complete Snort commands are shown below.


USAGE: snort [-options] <filter options>

       snort /SERVICE /INSTALL [-options] <filter options>

       snort /SERVICE /UNINSTALL

       snort /SERVICE /SHOW


        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)

        -b         Log packets in tcpdump format (much faster!)

        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask

        -c <rules> Use Rules File <rules>

        -C         Print out payloads with character data only (no hex)

        -d         Dump the Application Layer

        -e         Display the second layer header info

        -E         Log alert messages to NT Eventlog. (Win32 only)

        -f         Turn off fflush() calls after binary log writes

        -F <bpf>   Read BPF filters from file <bpf>

        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)

        -h <hn>    Home network = <hn>

        -H         Make hash tables deterministic.

        -i <if>    Listen on interface <if>

        -I         Add Interface name to alert output

        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)

        -K <mode>  Logging mode (pcap[default],ascii,none)

        -l <ld>    Log to directory <ld>

        -L <file>  Log to this tcpdump file

        -n <cnt>   Exit after receiving <cnt> packets

        -N         Turn off logging (alerts still work)

        -O         Obfuscate the logged IP addresses

        -p         Disable promiscuous mode sniffing

        -P <snap>  Set explicit snaplen of packet (default: 1514)

        -q         Quiet. Don't show banner and status report

        -r <tf>    Read and process tcpdump file <tf>

        -R <id>    Include 'id' in snort_intf<id>.pid file name

        -s         Log alert messages to syslog

        -S <n=v>   Set rules file variable n equal to value v

        -T         Test and report on the current Snort configuration

        -U         Use UTC for timestamps

        -v         Be verbose

        -V         Show version number

        -W         Lists available interfaces. (Win32 only)

        -X         Dump the raw packet data starting at the link layer

        -x         Exit if Snort configuration problems occur

        -y         Include year in timestamp in the alert and log files

        -Z <file>  Set the performonitor preprocessor file path and name

        -?         Show this information

<Filter Options> are standard BPF options, as seen in TCPDump

Longname options and their corresponding single char version

   --logid <0xid>                  Same as -G

   --perfmon-file <file>           Same as -Z

   --pid-path <dir>                Specify the directory for the Snort PID file

   --snaplen <snap>                Same as -P

   --help                          Same as -?

   --version                       Same as -V

   --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...

   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup

   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group

   --dynamic-engine-lib <file>     Load a dynamic detection engine

   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory

   --dynamic-detection-lib <file>  Load a dynamic rules library

   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory

   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries

   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library

   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory

   --pcap-single <tf>              Same as -r.

   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.

   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.

   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.

                                   for <count> times.  A value of 0 will read until Snort is terminated.

   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.

   --pcap-show                     print a line saying what pcap is currently being read.

   --exit-check <count>            Signal termination after <count> callbacks from pcap_dispatch(), showing the time it

                                   takes from signaling until pcap_close() is called.

   --conf-error-out                Same as -x

   --enable-mpls-multicast         Allow multicast MPLS

   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds

   --max-mpls-labelchain-len       Specify the max MPLS label chain

   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS

   --require-rule-sid              Require that all snort rules have SID specified.


Testing Snort Config File


Let test the snort basic configuration that we have done. Run the following command. The meanings have been summarized in the following Table.




-c <rules>

Use Rules File <rules>

-l <ld>

Log to directory <ld>


Be verbose

-i <if>

Listen on interface <if>


Test and report on the current Snort configuration


C:\>Snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i2 -T


Running the Snort command from Windows command prompt to test Snort configuration file


Running Snort from any Windows Path


In order to run snort and other related binaries, put the path in Windows environment variables and the steps are shown below.


Setting Snort environment variable so that Snort command can be run from any Windows path: relative or absolute


Close any Windows console and re-open it. Run snort.exe from the root, C:\ drive.


Running Snort from any Windows Path with --h option (help)



Next, let have some story about Snort. Depending on your needs, Snort runs in three different modes: Sniffer, Packet Logger, and Network Intrusion modes.


Snort in Sniffer mode


If you’re running Snort from the command line with two network adapters, specify which adapter to monitor:


C:\>snort -v -i#


# is the number of the applicable adapters (as shown on the output of the snort -W command).

You must use this -i switch whenever you run the snort program on the command line. Sniffer mode is the simplest iteration of Snort. To run it, follow these steps: from the command line (within the %SnortPath%\bin directory and in our case, we can run it from any Windows path) type:


C:\>snort -v -i2








Running Snort as sniffer mode


This command runs Snort as a packet sniffer with the verbose switch, outputting TCP/IP packet headers to the screen. Press Ctrl+C keys to stop the output. Snort/WinPcap summarizes its activities, as shown in the following screenshot.


Running snort with verbose output on interface no. 2


To receive a more detailed capture of packets on the wire, type:


C:\>snort -vd -i2


Running snort with verbose output and details on interface no. 2


This command provides the TCP/IP headers and packet information (descriptive). Type snort at the command line for a full list of all the switches. If you’re getting TCP headers, you know that so far you’re right on track. If you have more than one network card in your Snort IDS system, type:


C:\>snort -W


Running snort with -W option to view the available interfaces on the run machine


This command determines how WinPcap has these adapters numbered, and is only available in the Win32 version of Snort.


Snort as Packet Logger


You can test Snort’s logging abilities with the -l (log) switch, by typing (take note on the order of the options):


C:\>snort -vde -l c:\Snort\log -i2


Running Snort for Windows as packet logger


Please press Ctrl+C to stop.


Sample of Snort output run as packet logger


The generated Snort log file


This runs Snort in descriptive verbose mode and logs all its findings to the directory called log under the Snort installation directory. The individual packets are filed in hierarchical directories based on the IP address from where the packet was received. Several command-line switches are specific to logging and output, including the ability to log all packets to a single binary file. Play around with those as needed.


The Not Using PCAP_FRAMES message


The Not Using PCAP_FRAMES message is normal. Try the following command:


C:\>snort -v -ix


Replace x with the number of the NIC which snort will use. If you’re using the wrong NIC 'pcap_frames' error will show up and if you use the right NIC pcap_frame error appears and just stays there until you have some traffic running through. So, make sure to use the right number of NIC when running snort. When running as a service, a valid and appropriate NIC number also must be specified.








< Snort on Windows XP  Pro SP2 | Java & Friends  | Snort and MySQL Database >