< WinPcap on Windows XP Pro SP2 | Java & Friends  | Testing Snort on Windows XP  Pro SP2 >


 

 

Snort on Windows XP  Pro SP2

 

 

What do we have in this session?

  1. Snort, Win XP Pro SP2, PHP and WinPcap

  2. Editing the snort.conf Config File

  3. Download and Install Snort Rules

 

 

 

 

Snort, Win XP Pro SP2, PHP and WinPcap

 

Now, we are ready to install and configure Snort. Please download Snort’s executable for Windows at: Snort download. The current version is 2.8.6.

 

Downloading Snort for Windows installer

 

 

The Snort downloaded executable for Windows

 

Double click the executable and follow the instructions displayed on the screen.

 

Windows security warning for running unverified executable

 

Snort License agreement statement

 

MySQL and ODBC are already supported by default. Enable IPv6 support and click Next.

 

Snort installation options for database selection and IPv6 enabled

 

Select all the components and click Next.

 

Choosing the Snort components for installation

 

Please use an installation path without any spaces (unlike "C:\Program Files"), because white space in paths is known to cause issues on Windows machines. Click Next.

 

Setting Snort root installation path to C:\Snort

 

 

 

 

 

Snort for Windows installation in progress

 

You can see the setup details by clicking the Show details button.

 

The details of the Snort installation for Windows

 

Snort installation for Windows was completed successfully

 

It looks like the installation completed successfully; otherwise, error(s) would have been displayed on the screen. The following screenshot shows Snort’s installation path and folders. If you want to uninstall Snort, run the Uninstall.exe file located in Snort’s root folder.

 

In order to uninstall Snort for Windows, run the Uninstall.exe file

 

Editing the snort.conf Config File

 

Next, we are ready to do some basic configuration to make sure Snort can run properly without any error(s). The configuration file is snort.conf, which is located under the C:\Snort\etc folder shown below.

 

The Snort config file, snort.conf under the etc sub folder

 

Download and Install Snort Rules

 

Before configuring Snort, let us download the Snort rules files. In order to download Snort’s rule files (and update them later on), we need to create a free account (register) at Snort.org. The account is also needed to obtain the Oinkmaster code that completes the Oinkmaster installation later. After creating an account, use the credentials to log in.

 

Downloading the Snort rules files (registered or subscribed version) - need to register and login into Snort.org

 

Then, download the appropriate rules file (the registered-user release), which is free but receives updates on a delayed schedule. It is better to store the compressed file under the Snort root folder, so that uncompressing it overwrites any existing (older) folders and files.

 

 

 

 


Getting the Snort rules link at Snort.org

 

The Snort ruleset for registered-user release gz file

 

By default the Snort’s rules folder is empty.

 

The Snort rules sub folder physical path

 

Use the 7-Zip file compression tool to uncompress the tar/gz file. Choose the Extract Here menu item, which will overwrite existing folders and files with the same names.

 

Extracting the Snort ruleset tar file

 

The Snort ruleset file extraction is in progress

 

Just overwrite the existing, older files.

 

Snort older ruleset file overwrite confirm page

 

Then, the Snort rules folder will be populated with the rule files. Take note that the .so rule files are for Linux/Unix systems.

 

The Snort rule files for Windows have been successfully extracted to rules sub folder

 

Another snort ruleset is under so_rules sub folder

 

Now we are ready to modify the snort.conf config file just enough to make Snort operate properly at the most basic level. Take note that this config file is originally written for Linux/Unix systems. Open snort.conf in any plain-text editor such as WordPad. Change the following settings:

 

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

 

To the following:

 

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules

 

The Snort for Windows dynamicpreprocessor DLL files physical path

 

Then, add the following dynamicpreprocessor DLL file entries, which must match the physical files shown in the screenshot above.

 

###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_sdf.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll

 

Next, add the dynamicengine path, which must also match the physical file.

 

# path to base preprocessor engine
# dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

 

The Snort dynamicengine path DLL file physical path

 

Next, comment out the dynamicdetection setting.

 

# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
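The four edits above are easy to get slightly wrong (a relative rule path left over, a DLL name that does not match what is on disk, a Linux-only line left active), and Snort only tells you at start-up. The following Python checker is an added example, not code from the original page or from the Snort project: it parses the var path variables and the active dynamicpreprocessor, dynamicengine and dynamicdetection lines and reports each of those mistakes before Snort is run. The snort.conf fragment and the DEMO_FILES file list it is checked against are constructed for the demonstration (sf_ssh.dll is deliberately missing from the list), and the exists parameter lets the same check run against the real disk on the Windows machine.

```python
"""Sanity-check the Windows edits to snort.conf before Snort's first run.

Added example: it is not part of the original page or of Snort itself. The
sample configuration fragment and the DEMO_FILES layout below are constructed."""
import os
import re

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.IGNORECASE)
DYN_RE = re.compile(
    r"^\s*(dynamicpreprocessor|dynamicengine|dynamicdetection)"
    r"(?:\s+(file|directory))?\s+(.+?)\s*$",
    re.IGNORECASE,
)


def parse_snort_conf(text):
    """Return (variables, dynamics).

    variables maps NAME -> value for every 'var' line; dynamics is a list of
    (directive, kind, path) for every active dynamic* line. Anything after '#'
    is dropped, so the commented-out Linux defaults are ignored."""
    variables, dynamics = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1).upper()] = m.group(2)
            continue
        m = DYN_RE.match(line)
        if m:
            kind = (m.group(2) or "file").lower()
            dynamics.append((m.group(1).lower(), kind, m.group(3)))
    return variables, dynamics


def is_absolute_windows_path(path):
    """True for drive-letter paths such as c:\\snort\\rules."""
    return re.match(r"^[A-Za-z]:[\\/]", path) is not None


def check_snort_conf(text, exists=os.path.exists):
    """Return a list of (severity, message) findings.

    'exists' is injectable so the checker can be run against a constructed
    file layout instead of the real disk."""
    variables, dynamics = parse_snort_conf(text)
    findings = []
    # Edit 1 of the walkthrough: rule path variables should be absolute on Windows.
    for name in ("RULE_PATH", "SO_RULE_PATH", "PREPROC_RULE_PATH"):
        value = variables.get(name)
        if value is None:
            findings.append(("error", f"{name} is not defined"))
        elif not is_absolute_windows_path(value):
            findings.append(("warn", f"{name}={value} is not an absolute Windows path"))
    # Edits 2 and 3: every DLL named must exist, and at least one engine is needed.
    if not any(d == "dynamicengine" for d, _, _ in dynamics):
        findings.append(("error", "no active dynamicengine line"))
    for directive, kind, path in dynamics:
        if directive == "dynamicdetection":
            # Edit 4: the walkthrough comments this out, as the .so rule
            # libraries it points at are for Linux/Unix.
            findings.append(("warn", f"dynamicdetection {kind} {path} is still active"))
        elif path.startswith("/"):
            findings.append(("error", f"{directive} still uses a Unix path: {path}"))
        elif not exists(path):
            findings.append(("error", f"{directive} {kind} {path}: not found on disk"))
    return findings


# Constructed file layout standing in for a fresh C:\Snort install; sf_ssh.dll is
# deliberately missing so the checker has something to catch.
DEMO_FILES = {
    r"c:\snort\lib\snort_dynamicpreprocessor\sf_dce2.dll",
    r"c:\snort\lib\snort_dynamicpreprocessor\sf_dns.dll",
    r"c:\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll",
    r"c:\snort\lib\snort_dynamicengine\sf_engine.dll",
}


def demo_exists(path):
    """Case-insensitive lookup, as Windows paths are case-insensitive."""
    return path.lower() in DEMO_FILES


# Constructed snort.conf fragment: partly converted to Windows, partly not.
SAMPLE_CONF = r"""
# Path to your rules files (this can be a relative path)
var RULE_PATH c:\snort\rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules

# path to dynamic preprocessor libraries
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

# path to base preprocessor engine
# dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
"""

if __name__ == "__main__":
    for severity, message in check_snort_conf(SAMPLE_CONF, exists=demo_exists):
        print(f"[{severity}] {message}")
```

Run against the constructed fragment it reports the relative SO_RULE_PATH, the sf_ssh.dll entry that has no file behind it, and the dynamicdetection line that is still active; once those three are corrected the list is empty. To use it on the real C:\Snort\etc\snort.conf, read the file into a string and call check_snort_conf with the default exists, which checks the actual disk.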

 

 

 

