One advantage to installing Snort on Windows is that the process requires only three primary components: the WinPcap packet capture utility, the Snort installer, and a set of Snort rules. If syslog output is the goal then installing a separate syslog server is a fourth requirement. These requirements are summarized in the table below, followed by retrieval and installation instructions for each component.
[Table: Snort requirements (you need these to be able to install Snort on Windows); column: Installation packages. The table rows did not survive extraction.]
Any time you are going to be downloading multiple installer files or packages, it’s a good idea to settle on a standard place to put them. These instructions assume files will be downloaded directly from the relevant web sites where they are available. Many web browsers use the Downloads folder associated with each Windows user, which is an acceptable approach, although if your system has lots of things in the Downloads folder you might consider setting up a separate sub-folder for the packages associated with Snort.
Let’s begin with retrieving files from www.snort.org. There are two things we want to download: the Snort installer package and the rules files.
Note that you must create an account (which is free) and log in to Snort.org in order to download the “registered” rules file, or purchase an annual subscription to download the “subscriber” rules file. The “community” version of the rules is free and requires no user registration, but if you choose to use the community rules there are changes you must make to the snort.conf configuration file, because the rules files referenced in the configuration reflect the structure of the registered or subscriber rulesets.
Now install the programs (in the case of WinPcap and Snort) and extract the rules files (in the case of the Snort rules package). It is recommended that WinPcap be installed before Snort, but it is not required; at the end of the Snort installation process the program will prompt that you need to install WinPcap, whether or not the utility is already installed. If you have installed any other programs that rely on packet capture, such as Wireshark, then you will already have WinPcap installed and you can skip the first step below.
Once you have completed installing these components, you can check to see if the program responds:
On current Windows systems there will be at least two interfaces (Ethernet and wireless), three if there is a modem in the computer, and four or more depending on what additional software is installed on the computer. If both wired and wireless network interfaces are active, you should disable one before you try to run Snort, since Windows offers no way to direct a program to use a specific interface when multiple connections are available. Record the number of the interface you will use (the instructions below assume the interface number is 2; substitute the appropriate number for your computer when using the -i option in Snort start-up commands).
The next thing to do is to edit the snort.conf file to make it reflect the environment where your computer is running (see Configuring Snort with snort.conf). You should make sure that when you edit the file, you are working on the one in c:\Snort\etc (and not any other versions that may exist in temporary or download directories).
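As an added example (not part of the original guide), the following PowerShell check covers the points above before the first run: snort.exe and the WinPcap driver service are present, how many adapters are currently up, and whether every rules file that snort.conf includes actually exists on disk, which is the mismatch you run into when using the community ruleset with the stock configuration. The C:\Snort paths are the guide's defaults, and Get-NetAdapter requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original guide: pre-flight check for a Windows
# Snort install. Adjust $SnortHome if Snort was installed somewhere else.
$SnortHome = 'C:\Snort'
$Conf      = Join-Path $SnortHome 'etc\snort.conf'

# 1. Core components: the Snort binary and the WinPcap driver service (npf).
if (-not (Test-Path (Join-Path $SnortHome 'bin\snort.exe'))) {
    Write-Warning "snort.exe not found under $SnortHome\bin"
}
$npf = Get-Service -Name npf -ErrorAction SilentlyContinue
if (-not $npf) {
    Write-Warning 'WinPcap driver service (npf) not present; install WinPcap'
} else {
    "WinPcap driver service state: $($npf.Status)"
}

# 2. Interfaces: Snort should be started with -i against a single active adapter.
$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
"Active adapters: $($up.Count)"
$up | Select-Object ifIndex, Name, InterfaceDescription | Format-Table -AutoSize
if ($up.Count -gt 1) {
    Write-Warning 'More than one adapter is up; disable one before starting Snort'
}

# 3. snort.conf: every "include $RULE_PATH/<file>.rules" must resolve to a file.
#    With the community ruleset many registered-set filenames will be missing.
$rulePath = $null
$missing  = @()
foreach ($line in Get-Content $Conf) {
    if ($line -match '^\s*var\s+RULE_PATH\s+(\S+)') {
        $rulePath = $Matches[1]
        # Assumption: a relative RULE_PATH is taken relative to the etc folder.
        if (-not [IO.Path]::IsPathRooted($rulePath)) {
            $rulePath = Join-Path (Split-Path $Conf -Parent) $rulePath
        }
    } elseif ($line -match '^\s*include\s+\$RULE_PATH[/\\](\S+)') {
        if (-not $rulePath) { continue }   # include seen before RULE_PATH was set
        if (-not (Test-Path (Join-Path $rulePath $Matches[1]))) {
            $missing += $Matches[1]
        }
    }
}
"Rules files referenced in snort.conf but not found: $($missing.Count)"
$missing
```

Each file listed at the end is an include line you must remove or comment out in snort.conf (or a rules file you still need to extract) before Snort will start cleanly.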