
Install and Configure Snort IDS on Windows 7

1. Basic Snort usage

Open a command prompt (RUN AS ADMINISTRATOR) and go to the destination folder, which is

C:\snort\bin>

and type

C:\snort\bin>snort

It will run Snort.

2. To show interfaces, type:

C:\snort\bin>snort -W

3. Snort as a packet sniffer

Type C:\snort\bin>snort -d

-d = show the application layer data in the packet.

4. C:\snort\bin>snort -dev

where

-e = display the link layer data in the packet

-v = verbose mode

5. To specify an interface

C:\snort\bin>snort -v -i 1

-i = specify the interface (the index shown by snort -W)

Here I select my interface, which is 1. If you are using VMware or VirtualBox, select your LAN interface, which could be 2, 3 or maybe 4.

-v = verbose mode; shows all data and highlights the attacked data.

Snort in IDS mode: type cmd in the Windows search box, right-click it, select RUN AS ADMINISTRATOR, then type:

C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

where:

-c = configuration file to use (rules file to use)

-l = directory to log to

-K = logging mode [pcap (default), ascii, none]

Now you will get the 1st error, shown in the snapshot.

Now you have to open the snort.conf file for editing. It is located in c:\snort\etc\.

The error is at line 45. Go to line 45 and replace the word "ipvar" with "var" (replace all).

Now run again: C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

You will get the 2nd error, which is at line 247.

For this, first change the path so that it reads

C:\snort\lib\snort_dynamicpreprocessor\

Second, go to the folder C:\snort\lib\snort_dynamicpreprocessor\ and copy all the file names from it. Paste them into Notepad and delete the full path so that only the file name remains, like this:

(sf_dns.dll) Then copy all the file names again and paste them into the config file at line 249.

Most important: put this prefix before every ".dll" file name:

(dynamicpreprocessor C:\Snort\lib\snort_dynamicpreprocessor\)

It will then look like this (screenshot in the original):

Now run again:

C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

You will get the 3rd error, at lines 265 and 268.

Change the path for dynamicengine and dynamicrules to c:\snort\lib, and change the ".so" extension to ".dll".

It will then look like this (screenshot in the original):

Now run again: C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

You will get the 4th error.

For this, make a folder named snort_dynamicrules in C:\snort\lib\.

Now run again: C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

You will get the 5th error, at lines 278 to 284.

For this, comment out all the "preprocessor normalize" lines (using #). It will then look like this (screenshot in the original):

Now run again:

C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

You will get the 6th error.

For this, create a text document named white_list.rules in c:\snort\rules\. Now run again: C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii

You will get the 7th error, which is the same as the previous error.

For this, create a text document named Black_list.rules in c:\snort\rules\.

Now open the snort.conf file for some further modifications. At line 104 change the path of var RULE_PATH to c:\snort\rules, and do the same at lines 105 and 106.

It will then look like this (screenshot in the original):

Now at lines 113 and 114, which are

var WHITE_LIST_PATH ../rules

var BLACK_LIST_PATH ../rules

change the / into \ (refer to the previous snapshot).

Now go to lines 525 and 526 and search for these lines:

whitelist $WHITE_LIST_PATH/white_list.rules, \

blacklist $BLACK_LIST_PATH/black_list.rules

Change the / into \ so that they look like this (screenshot in the original):

Now go to line 572, which is include $RULE_PATH/blacklist.rules

Change the name blacklist into black_list, so that it reads include $RULE_PATH/black_list.rules.
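The seven error fixes and the path edits above are all plain text substitutions on snort.conf, so they can be applied in one pass. The script below is an added example, not part of the original tutorial: it takes a snort.conf text and applies every edit the steps above describe (ipvar to var, the preprocessor DLL list, the engine and rules paths with .dll instead of .so, commenting out the normalize preprocessors, the rules paths, the / to \ changes, and the black_list rename), and lists the folder and files the 4th, 6th and 7th errors ask you to create. SAMPLE_CONF is a constructed stand-in for the stock lines, not an excerpt of a real snort.conf; the DLL names in SAMPLE_PREPROC_DLLS, the sf_engine.dll file name and the SO_RULE_PATH/PREPROC_RULE_PATH variable names at lines 105 and 106 are assumptions, not taken from the page.

```python
"""Apply the Windows snort.conf fix-ups from the tutorial to a config text.

Added example, not from the original document.  SAMPLE_CONF is a constructed
stand-in for the lines the tutorial edits; the DLL names and the variable
names on lines 105/106 are assumptions.
"""
import re
import sys

RULES_DIR = r"c:\snort\rules"
LIB_DIR = r"c:\snort\lib"
PREPROC_DIR = r"C:\Snort\lib\snort_dynamicpreprocessor"

# Constructed: stands in for the file listing of snort_dynamicpreprocessor
SAMPLE_PREPROC_DLLS = ["sf_dns.dll", "sf_smtp.dll"]

# Constructed stand-in for the stock (Linux-style) lines the tutorial changes
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor reputation: \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
"""


def fix_snort_conf(text, preproc_dlls=SAMPLE_PREPROC_DLLS):
    """Return the config text with every edit from the tutorial applied."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("ipvar "):
            # 1st error (line 45): the Windows build does not accept ipvar
            out.append("var " + s[len("ipvar "):])
        elif re.match(r"var (RULE|SO_RULE|PREPROC_RULE)_PATH\b", s):
            # lines 104-106: absolute rules directory
            out.append(f"var {s.split()[1]} {RULES_DIR}")
        elif re.match(r"var (WHITE|BLACK)_LIST_PATH\b", s):
            # lines 113-114: backslashes instead of forward slashes
            out.append(line.replace("/", "\\"))
        elif s.startswith("dynamicpreprocessor directory"):
            # 2nd error (line 247/249): one line per DLL, each with the full path
            out.extend(f"dynamicpreprocessor {PREPROC_DIR}\\{d}" for d in preproc_dlls)
        elif s.startswith("dynamicengine "):
            # 3rd error (line 265): engine under c:\snort\lib with a .dll extension
            out.append(f"dynamicengine {LIB_DIR}\\snort_dynamicengine\\sf_engine.dll")
        elif s.startswith("dynamicdetection directory"):
            # 3rd error (line 268): dynamic rules folder under c:\snort\lib
            out.append(f"dynamicdetection directory {LIB_DIR}\\snort_dynamicrules")
        elif s.startswith("preprocessor normalize"):
            # 5th error (lines 278-284): comment the normalize preprocessors out
            out.append("#" + line)
        elif re.match(r"(whitelist|blacklist) \$(WHITE|BLACK)_LIST_PATH/", s):
            # lines 525-526: backslash before the list file name
            out.append(line.replace("/", "\\"))
        elif s == "include $RULE_PATH/blacklist.rules":
            # line 572: match the file name created for the 7th error
            out.append(line.replace("blacklist.rules", "black_list.rules"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def items_to_create():
    """Folder and empty files the 4th, 6th and 7th errors ask you to create."""
    return [
        LIB_DIR + r"\snort_dynamicrules",   # 4th error: folder
        RULES_DIR + r"\white_list.rules",   # 6th error: empty text file
        RULES_DIR + r"\black_list.rules",   # 7th error: empty text file
    ]


if __name__ == "__main__":
    # Usage: python fix_snort_conf.py c:\snort\etc\snort.conf  (rewrites in place)
    # With no argument it prints the fixed sample instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            fixed = fix_snort_conf(fh.read())
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(fixed)
    else:
        print(fix_snort_conf(SAMPLE_CONF))
    print("Create these before running snort -T:", *items_to_create(), sep="\n  ")
```

Run it against a copy of snort.conf first and check the result with snort -T (described below in the tutorial) before replacing the real file, since the script only recognises the line shapes shown in SAMPLE_CONF.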

Finally run this command:

C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -T

-T = test and report on the current Snort configuration

You will get the message

Snort successfully validated the configuration!

You can also run it in console mode:

C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console

where -A = set alert mode: fast, full, console, test or none

For detection in IDS mode:

Go to the rules folder, open icmp-info.rules, and uncomment the type 8 rules and the Windows type 8 rule, which are at lines 30, 35, 39 and 45.

Then run the command

C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console

and ping your system from a different system. You will get the notification, and all alerts are stored in the log folder.

Or run this command:

C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -K ascii

and ping your system from a different system. You will get the notification, and all alerts are stored in the log folder in ASCII mode.
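Two things a practitioner checks at this step are whether the echo-request (itype:8) rules are actually uncommented, and what the resulting alerts look like when read back from the console or the log folder. The script below is an added example, not part of the original tutorial: it reports which ICMP rules matching itype:8 are enabled in a rules file, and parses alert lines in Snort's fast/console format to count ICMP alerts per source address. The rule lines and alert lines are constructed samples written in Snort 2 rule and alert syntax; the sids, rule messages, timestamps and addresses are made up for illustration and are not taken from the page or from any real rules file.

```python
"""Check icmp-info rules and read back ping alerts.

Added example, not from the original tutorial.  SAMPLE_RULES and SAMPLE_ALERTS
are constructed; the sids, messages, timestamps and addresses are illustrative.
"""
import re
from collections import Counter

RULE_RE = re.compile(r"^\s*(?P<off>#\s*)?alert\s+icmp\b(?P<body>.*)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)")
ITYPE8_RE = re.compile(r"\bitype:\s*8\b")

# Snort 2 fast/console alert line:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed rules: one echo-request rule still commented out, one enabled,
# and one echo-reply rule (itype:0) that must be ignored.
SAMPLE_RULES = """\
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; classtype:misc-activity; sid:382; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
"""

# Constructed console output from pinging the sensor from two other hosts,
# plus a junk line to show that non-alert lines are skipped.
SAMPLE_ALERTS = """\
09/14-10:23:45.123456  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102
09/14-10:23:46.130011  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102
09/14-10:23:50.000123  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.56.103 -> 192.168.56.102
this line is not an alert and must be skipped
"""


def echo_request_rules(rules_text):
    """Return {sid: enabled} for every ICMP rule that tests itype:8 (echo request)."""
    found = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or not ITYPE8_RE.search(m.group("body")):
            continue
        sid = SID_RE.search(m.group("body"))
        if sid:
            found[int(sid.group(1))] = m.group("off") is None
    return found


def parse_alert(line):
    """Parse one fast/console alert line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def ping_sources(alert_text):
    """Count ICMP alerts per source address, skipping lines that do not parse."""
    counts = Counter()
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a and a["proto"] == "ICMP":
            counts[a["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sid, enabled in sorted(echo_request_rules(SAMPLE_RULES).items()):
        print(f"sid {sid}: {'enabled' if enabled else 'still commented out'}")
    for src, n in ping_sources(SAMPLE_ALERTS).items():
        print(f"{src}: {n} ICMP alert(s)")
```

To use it on real data, feed echo_request_rules the contents of c:\snort\rules\icmp-info.rules and ping_sources the console output (or the alert file written under c:\snort\log); a source that shows up with zero alerts while it is pinging the sensor usually means the rule for that ping type is still commented out or the wrong interface index was given to -i.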