-
Notifications
You must be signed in to change notification settings - Fork 43
/
README.WIN32
161 lines (141 loc) · 8.09 KB
/
README.WIN32
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
$Id$
Snort Installation for the Win32 environment
March 2003 by Rich Adamson ( radamson at routers dot com )
and updated in December 2004, March 2006.
Introduction
The snort intrusion detection system was written as an application intended for
use on a Unix operating system, relying mostly on a low-level independent
communications driver referred to as libpcap. Thanks to the efforts by a number
of supporters(1), snort has been ported to the 32-bit Microsoft Windows
operating systems of recent vintage including Windows NT, 2000, XP and others.
Snort requires the same low-level drivers, WinPcap, in order to function on the
Windows operating system. (Note: running snort on the older Windows 9x systems
should be avoided.)
This README file is intended to document the minimum drivers required by snort.
The user may wish to install other snort-related components such as IIS,
Apache, or Snortsnarf as well. Installation documentation for those components
is available from(2):
http://www.winsnort.com
Snort
Following the installation instructions provided with snort.
WinPcap Driver
Snort requires the WinPcap driver to be installed in order to function. Snort
has been extensively tested with WinPcap v4.1. The current installation
package can be downloaded from:
http://winpcap.org/
The WinPcap installation will install packet.dll and wpcap.dll drivers in the
system32 directory. (Note: if older versions of these two drivers exist, the
instructions at the above URL suggests manually deleting them from your system,
reboot, then install newer drivers. Do NOT use any of the WinPcap "beta"
versions as they are likely to fail.)
LibnetNT Driver
Certain snort functions, notably the FlexResp functions, will also require an
appropriate version of LibnetNT to be installed in order for snort to operate
properly. Snort 2.6 has been tested with the version of LibnetNT version 1.02f.
The current installation package can be downloaded from:
http://www.securitybugware.org/libnetnt/
The snort installation includes LibnetNT.dll driver in the snort/bin
directory, and relies on the use the WinPcap drivers noted above to function.
(Note: the FlexResp routines were being rewritten as of Dec 2004, therefore
please verify that work has been completed prior to attempting to use them.)
Installation Test Steps:
The following steps can be used to test the installation of snort and its
associated drivers.
1. From a command line prompt, change directories to where snort was installed
(cd \snort\bin)
2. Execute the following as a way to verify that snort can access the WinPcap
drivers:
snort -W
The result should provide a list of available NIC adapters on the system.
If more than one adapter is listed, note the interface number (e.g, 1, 2, 3)
of the NIC adapter that you expect snort to use for monitoring/sniffing. If
the command does not provide any list, the WinPcap drivers are not installed
properly; review the installation procedures provided with WinPcap and
reinstall if necessary. (Note specifically the instructions at
http://winpcap.polito.it/ that suggest removing old versions of WinPcap and
rebooting prior to installing a newer version.)
3. Execute the following to ensure an understanding as to which version of
snort is installed:
snort -V
and note the result (version 2.2, etc.). The specific version number will
be required if you ask for assistance from the snort mailing list along with
the specific Windows operating system that you are using.
4. Next, using the interface number noted in step #2, above, execute:
snort -v -n 3 -i 2
where 2 should be replaced with the interface number noted. This will cause
snort to operate in a basic sniffer mode (-v), displaying the headers of the
first 3 packets observed (-n 3) from the interface specified (-i 2). If
packets are displayed, snort is functional and can find the low-level WinPcap
drivers. If no packets are displayed, either the packet drivers are not
installed correctly, or, the interface number (-i 2 in the example above) is
incorrect.
5. If snort is functional, locate and read the contents of the snort.conf
configuration file. The default installation places the file in the
snort\etc directory. Modify the contents to include:
var HOME_NET 10.1.1.0/27 (replace 10.1.1.0/27 with your internal
network addresses)
var EXTERNAL_NET !$HOME_NET (this tells snort the External Network is
everything not Internal)
var RULE_PATH c:\snort\rules (this tells snort where to find the
installed Rules)
Save the text file, and execute the following (adjust each directory path to
match your installation):
C:\Snort\snort.exe -c "C:\snort\etc\snort.conf" -l "C:\snort\Log" -A full
-i 2 -d -e -X
Note: Be sure to create the c:\snort\log directory on your machine before
executing the above. If the above command line entry does not return to a
command line prompt, then snort is running, listening to all packets on
interface 2 (-i 2), dumping those packets that match the Rules to files in
the C:\snort\Log directory. If after executing the above, snort aborts and
returns to a command line prompt, carefully read the data that snort sent to
the screen as it will suggest configuration and rule errors, etc.
6. Carefully READ the documentation included in the snort installation,
including:
snort\doc\snort_manual.pdf
snort\doc\FAQ
Note: these two references (along with other text files included in the
snort\doc directory) should answer 95% of your initial questions.
Technical Notes:
1. Snort was written using the C programming language calling various routines
provided in the libpcap.lib and packet.lib libraries. If an old version of
WinPcap exits on your Windows system, newer versions should be installed
from the URLs noted above. At the time this document was written, snort
v2.2 functioned properly on Windows 2000, 2003, and Windows XP systems
with:
system32\packet.dll version reported: 3.0.0.18
dated April 4, 2003
size: 57,344 bytes
system32\wpcap.dll version reported: 3.0.0.18
dated April 4, 2003
size: 1208,896 bytes
snort\bin\LibnetNT.dll (no version reported)
dated May 2, 2003
size 68,161 bytes
2. If you intend to run snort on a multiprocessor Intel system, WinPcap v3.0
or higher is required. Earlier versions of these libraries did not support
the multiprocessor systems. Do NOT attempt to use any of the WinPcap "beta"
versions as snort will likely fail.
3. If you intend to run snort as a Win32 Service, ALWAYS run snort from the
command line FIRST to ensure there are no configuration or rule errors.
Snort will NOT report errors when run as a Service; it will simply abort
providing no clue why it aborted. The syntax for running snort as a
Service can be seen by simply executing snort from the command line
(no command line parameters) and reviewing the first several lines
displayed.
=============================================================
(1) Contributors to this README file include:
Rich Adamson
Chris Reid
(2) Installation Documentation for other Snort-related components:
Michael E. Steele, ( www.winsnort.com ) has prepared, written and
maintained several excellent documents integrating other snort-related
components. The documents can be downloaded from:
http://www.winsnort.com
As of March 2003, the following configuration / installation documents were
available:
Snort with IIS and Snortsnarf
Snort with MySQL, IIS and ACID
Snort with Apache and Snortsnarf
Snort with MySQL, Apache and ACID
Snort with Slave and Snortsnarf
Snort with MySQL, Slave and ACID