diff --git a/scripts/snort.ps1 b/scripts/snort.ps1 index 81ab1b3..24f2109 100644 --- a/scripts/snort.ps1 +++ b/scripts/snort.ps1 @@ -1,4 +1,3 @@ -# Function to install Snort function Install-Snort { # Define paths and URLs $tempDir = "C:\Temp" @@ -6,6 +5,8 @@ function Install-Snort { $snortInstallerPath = "$tempDir\Snort_Installer.exe" $npcapInstallerUrl = "https://npcap.com/dist/npcap-1.79.exe" $npcapInstallerPath = "$tempDir\Npcap_Installer.exe" + $winpcapInstallerUrl = "https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe" + $winpcapInstallerPath = "$tempDir\WinPcap_Installer.exe" $snortBinPath = "C:\Snort\bin" $npcapPath = "C:\Program Files\Npcap" $rulesDir = "C:\Snort\rules" @@ -21,7 +22,7 @@ function Install-Snort { # Function to download a file function Download-File($url, $outputPath) { try { - Invoke-WebRequest $url -o $outputPath + Invoke-WebRequest -Uri $url -OutFile $outputPath Write-Host "Downloaded $url to $outputPath" } catch { Write-Host "Failed to download $url" @@ -33,6 +34,10 @@ function Install-Snort { Download-File $snortInstallerUrl $snortInstallerPath Start-Process -FilePath $snortInstallerPath -ArgumentList "/S" -Wait + # Download and install WinPcap + Download-File $winpcapInstallerUrl $winpcapInstallerPath + Start-Process -FilePath $winpcapInstallerPath -ArgumentList "/S" -Wait + # Download Npcap (manual installation required) Download-File $npcapInstallerUrl $npcapInstallerPath Start-Process -FilePath $npcapInstallerPath -Wait @@ -53,11 +58,13 @@ function Install-Snort { 'alert tcp any any -> any 80 (msg:"HTTP traffic detected"; sid:1000020; rev:1;)', 'alert tcp any any -> any 22 (msg:"SSH traffic detected"; sid:1000030; rev:1;)', 'alert tcp any any -> any 21 (msg:"FTP traffic detected"; sid:1000040; rev:1;)', - 'alert tcp any any -> any 25 (msg:"SMTP traffic detected"; sid:1000050; rev:1;)' - # Add more rules here... + 'alert tcp any any -> any 25 (msg:"SMTP traffic detected"; sid:1000050; rev:1;)', + 'alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)', + 'alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)', + 'alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)' ) - # Write the rules to the file + # Write the rules to the file, ensuring correct encoding $rules | Set-Content -Path $rulesFile -Encoding UTF8 # Add Snort configuration to ossec.conf @@ -71,7 +78,8 @@ function Install-Snort { if (Test-Path $ossecConfigPath) { $ossecConfigContent = Get-Content $ossecConfigPath - $ossecConfigContent -replace "", "$snortConfig" | Set-Content $ossecConfigPath + $ossecConfigContent = $ossecConfigContent -replace "", "$snortConfig" + Set-Content -Path $ossecConfigPath -Value $ossecConfigContent Write-Host "Snort configuration added to ossec.conf." } else { Write-Host "ossec.conf file not found." @@ -81,7 +89,17 @@ function Install-Snort { $snortAdditions = @" output alert_syslog: LOG_AUTH LOG_ALERT output alert_fast: snort.alert - +config logdir: C:\Snort\log +var RULE_PATH C:\Snort\rules +var PREPROC_RULE_PATH C:\Snort\preproc_rules +var WHITE_LIST_PATH C:\Snort\rules +var BLACK_LIST_PATH C:\Snort\rules +dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor +dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll +preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } +include \$PREPROC_RULE_PATH\preprocessor.rules +include \$PREPROC_RULE_PATH\decoder.rules +include \$PREPROC_RULE_PATH\sensitive-data.rules "@ if (Test-Path $snortConfigPath) { @@ -90,13 +108,8 @@ output alert_fast: snort.alert } else { Write-Host "snort.conf file not found." } - # Retrieve the default network interface - $defaultInterface = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Where-Object {$_.InterfaceIndex -ne 0}).InterfaceAlias - - # Launch Snort with the default network interface - Start-Process -FilePath "C:\Snort\bin\snort.exe" -ArgumentList "-i $defaultInterface -A fast" -Wait Write-Host "Installation and configuration completed!" } -Install-Snort \ No newline at end of file +Install-Snort