Installing Snort on Windows

There are many sources of guidance on installing and configuring Snort, but few address installing and configuring the program on Windows except for the Winsnort project ( linked from the Documents page on the Snort website. Installing Snort on Windows can be very straightforward when everything goes as planned, but with the wide range of operating system environments even within similar versions of Windows, the experience of individual users can vary for a variety of technical and non-technical reasons. The instructions that follow assume you have decided to install the latest version of Snort on Windows using the executable installer file available from the Snort website.

Creating a fully functional Snort environment that reflects a real-world production implementation of the IDS involves installing and configuring quite a few separate tools. In a Windows environment, the set of tools available and technical approaches that can be implemented are more limited than they are on Linux or Unix systems, particularly for the most recent releases of Snort. Within Snort there are a large number of available preprocessors and rules of different types that may be useful in different environments depending on what is running in those environments, what information assets need protection, and the kinds of user behavior or business processes that are expected to occur. Receiving and analyzing network traffic in Snort is often the central focus, but it is just one piece of the technical puzzle. The second major function is handling the alerts and other types of output generated by the IDS. The most common alternatives for handling Snort output include sending it to a standard logging utility such as syslog, writing the log output to the screen or a monitoring console, or generating output in Snort’s special unified2 format. Unified2 is the default output method in the current release of Snort, but the Barnyard2 tool most often used to process unified2 output does not run on Windows, and implementing an alternative unified2 parser is not a straightforward task. Historically some configurations also enabled logging Snort output to a database, but the Sourcefire project responsible for Snort development and enhancement deprecated direct output logging to databases beginning with v2.9.3, so there is no longer a database output plugin in the tool. Syslog is a common type of service available in most Linux and Unix operating systems, but by default Windows uses its own event and system logs instead. There are several syslog servers available for Windows however, making output logging to syslog a viable option on Windows. The following instructions assume that Snort will be installed on Windows and configured either to direct output such as alerts to raw log files or to syslog.

Snort Installation Steps

  1. Getting and Installing Necessary Tools
  2. Configuring Snort with snort.conf
  3. Generating Alerts
  4. Installing a Syslog Server