Install and Configure Snort IDS on Windows 7
1. Basic Snort usage
Open a command prompt as Administrator (right-click cmd and choose Run as administrator) and change to the folder that holds the Snort binary:
C:\snort\bin>
Then type
C:\snort\bin>snort
With no options Snort only prints its usage summary and exits; the steps below add the options that tell it what to do.
2. To list the available network interfaces, type:
C:\snort\bin>snort -W
Note the index number of the interface you want to monitor; it is the value passed to -i below.
3. Snort as a packet sniffer
Type C:\snort\bin>snort -vd
-v = verbose sniffer mode: print the decoded packet headers to the console
-d = also dump the application-layer payload of each packet
4. C:\snort\bin>snort -dev
Where
-e = also display the link-layer (Ethernet) headers of each packet
-v = verbose mode
5. To select the interface to sniff on
C:\snort\bin>snort -v -i 1
-i = interface index to listen on, as numbered in the output of snort -W
Here interface 1 is the LAN adapter on this machine. If you are using VMware or VirtualBox, the virtual adapters are listed too and the physical LAN adapter may be 2, 3 or 4; check the output of snort -W rather than assuming 1.
-v = verbose mode prints the decoded headers of every packet (timestamp, addresses, ports, flags). Sniffer mode does not classify anything as an attack; that is what IDS mode below is for.
Snort in IDS mode: type cmd in the Windows search box, right-click it, select RUN AS ADMINISTRATOR, and then type:
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
Where:
-c = configuration file to use (it is this file that pulls in the rule files)
-l = directory to write logs to
-K = logging mode [pcap (default), ascii, none]
Snort will now stop at the 1st configuration error (the screenshot of the message is not reproduced here). The stock snort.conf is written for a Linux build, so several lines have to be edited before the Windows build accepts it.
Open snort.conf for editing; it is located in c:\snort\etc\.
The first error is at line 45: the Windows build does not accept the ipvar keyword. Replace every occurrence of the word
"ipvar" with "var" (use Replace All in the editor).
Now run again: C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 2nd error,
which is at line 247: the dynamicpreprocessor directory line points at a Linux path.
For this, replace that line with one dynamicpreprocessor line per DLL, each giving the full Windows path
C:\snort\lib\snort_dynamicpreprocessor\
First, go to the folder C:\snort\lib\snort_dynamicpreprocessor\ and take the list of files in it.
Only the bare file names are needed, not the full paths; a convenient way is to paste the list into Notepad and delete everything but the file name, so that each entry looks like
sf_dns.dll. Then copy the cleaned list into snort.conf at line 249.
Most important, put the same prefix in front of every .dll name, so each line reads
dynamicpreprocessor C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
(one line per DLL; the screenshot of the finished block is not reproduced here).
Now run again
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 3rd error, at
lines 265 and 268 (the dynamicengine and dynamicdetection directory lines).
Change both paths to the Windows install under c:\snort\lib and change the ".so" extension to ".dll", because the Windows build ships DLLs instead of shared objects: dynamicengine should point at the engine DLL in c:\snort\lib\snort_dynamicengine\ and dynamicdetection directory at c:\snort\lib\snort_dynamicrules.
(The screenshot of the edited lines is not reproduced here.)
Now run again C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 4th error: the dynamicdetection directory does not exist.
For this, create a folder named snort_dynamicrules in C:\snort\lib\ (it may stay empty).
Now run again C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 5th error, at
lines 278 to 284, from the preprocessor normalize_* lines. Packet normalization only works when Snort runs inline, which this passive Windows setup does not.
For this, comment out every "preprocessor normalize" line by putting # in front of it (the screenshot is not reproduced here).
Now run again
C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 6th error: the reputation preprocessor cannot open its whitelist file.
For this, create an empty text document named white_list.rules in c:\snort\rules\. Now run again C:\snort\bin>snort -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
You will get the 7th error,
which is the same as the previous error, this time for the blacklist.
For this, create an empty text document named black_list.rules in c:\snort\rules\ (use exactly the name that the config references).
Now open snort.conf for some further modifications. At line 104 change the path of var RULE_PATH
to the rules folder of the Windows install, c:\snort\rules. Do the same for the two path variables at lines 105 and 106 (SO_RULE_PATH and PREPROC_RULE_PATH in the stock file), pointing each at the matching folder under c:\snort.
(The screenshot of the edited lines is not reproduced here.)
Now at lines 113 and 114,
which are
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
change the / into \ so they read ..\rules, as in the previous screenshot. Relative paths are resolved from the folder Snort is started in, so either always start it from c:\snort\bin or use the absolute path c:\snort\rules here as well.
Now go to lines 525 and 526, in the reputation preprocessor block.
Search for these lines
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules
and change / into \ so they read $WHITE_LIST_PATH\white_list.rules and $BLACK_LIST_PATH\black_list.rules (screenshot not reproduced here).
Now go to line 572, which is include $RULE_PATH/blacklist.rules
Change the name blacklist into black_list so that the include matches the file created above:
include $RULE_PATH/black_list.rules
Finally run this command
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -T
-T = test and report on the current Snort configuration without starting capture
You will get the message
Snort successfully validated the configuration! You can also run it in console mode:
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console
Where -A = set alert mode: fast, full, console, test or none
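The snort.conf edits above are mechanical and easy to get wrong by hand (a single remaining ipvar or forward slash sends you back through the error cycle). The following script is an added example, not part of the original walkthrough, that applies the same edits to the text of snort.conf in one pass. It assumes the Windows layout used above (C:\snort with lib, rules and etc underneath), uses absolute paths for the RULE_PATH and list variables instead of the ..\rules form shown above, and maps the Linux engine name libsf_engine.so to sf_engine.dll; the embedded snort.conf excerpt and the DLL list are constructed for the demonstration, and the real DLL names come from a directory listing of C:\snort\lib\snort_dynamicpreprocessor.

```python
import re
import sys

# Constructed excerpt of a stock Snort 2.9 snort.conf containing only the
# kinds of lines this walkthrough edits; it is not a copy of the real file.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/local.rules
"""

# DLL names are normally taken from a directory listing of
# C:\snort\lib\snort_dynamicpreprocessor; this short list is an assumption
# used only to demonstrate the expansion.
EXAMPLE_DLLS = ["sf_dns.dll", "sf_ftptelnet.dll", "sf_smtp.dll"]

VAR_PATH_RE = re.compile(r"^var (\w+_PATH) \.\./(\S+)$")


def fix_snort_conf(conf_text, snort_root="C:\\snort", preproc_dlls=EXAMPLE_DLLS):
    """Return conf_text with the Windows edits from the walkthrough applied."""
    lib = snort_root + "\\lib"
    out = []
    for line in conf_text.splitlines():
        s = line.strip()
        # 1. The Windows build rejects 'ipvar'; plain 'var' is accepted.
        if s.startswith("ipvar "):
            line = "var " + s[len("ipvar "):]
        # 2. '../rules'-style paths become absolute paths under snort_root.
        #    The walkthrough keeps them relative ('..\\rules'); absolute paths
        #    also work when Snort is not started from c:\snort\bin.
        elif VAR_PATH_RE.match(s):
            name, sub = VAR_PATH_RE.match(s).groups()
            line = "var %s %s\\%s" % (name, snort_root, sub)
        # 3. One 'dynamicpreprocessor <full path to dll>' line per DLL
        #    replaces the single Linux 'directory' line.
        elif s.startswith("dynamicpreprocessor directory"):
            for dll in preproc_dlls:
                out.append("dynamicpreprocessor %s\\snort_dynamicpreprocessor\\%s"
                           % (lib, dll))
            continue
        # 4. Detection engine: Windows path and .dll instead of lib*.so
        #    (the installer ships sf_engine.dll; this name mapping is an assumption).
        elif s.startswith("dynamicengine "):
            so_name = s.split("/")[-1]
            dll_name = re.sub(r"^lib", "", so_name).replace(".so", ".dll")
            line = "dynamicengine %s\\snort_dynamicengine\\%s" % (lib, dll_name)
        elif s.startswith("dynamicdetection directory"):
            line = "dynamicdetection directory %s\\snort_dynamicrules" % lib
        # 5. normalize_* only applies inline; comment it out in passive mode.
        elif s.startswith("preprocessor normalize"):
            line = "#" + line
        # 6. Reputation list paths use backslashes; the include is renamed
        #    to match the black_list.rules file created by hand.
        elif "_LIST_PATH/" in line:
            line = line.replace("_LIST_PATH/", "_LIST_PATH\\")
        elif s == "include $RULE_PATH/blacklist.rules":
            line = "include $RULE_PATH/black_list.rules"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python fix_snort_conf.py c:\snort\etc\snort.conf
        path = sys.argv[1]
        original = open(path).read()
        open(path + ".bak", "w").write(original)  # keep a copy of the original
        open(path, "w").write(fix_snort_conf(original))
    else:
        print(fix_snort_conf(SAMPLE_CONF), end="")
```

After rewriting the file, the script does not create the white_list.rules and black_list.rules files or the snort_dynamicrules folder; those still have to exist, so run snort -T as in the final step to confirm the configuration validates.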
For detecting in IDS mode:
Go to the rules folder, open icmp-info.rules and uncomment the ICMP echo request (type 8) rules, including the Windows-specific one,
which are at lines 30, 35, 39 and 45 (remove the leading #). These are the rules that fire on a ping.
Then run the command
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -A console
and ping your system from a different machine. Each echo request produces an alert on the console, and the alerts are also stored in the
log folder. The alert is raised on the incoming request, so it does not matter whether the host answers the ping.
Or run this command
C:\snort\bin>snort -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf -K ascii
and ping your system from a different machine; the alerts and the logged packets are stored in the
log folder in ASCII mode, as readable text files instead of pcap.
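Once alerts are coming in, the next question is what fired and from where. The script below is an added example (not part of the original walkthrough) that parses alerts written in Snort's alert_fast format, which is what -A console prints, and summarises them per rule and per source address, flagging sources that exceed a count threshold. The sample lines are constructed for the example rather than captured from a real host, and the threshold value is an assumption; the sid/msg pairs follow the ICMP PING rules from icmp-info.rules.

```python
import re
from collections import Counter

# Constructed lines in Snort's alert_fast format (the format printed by
# -A console and written to the alert file in the log directory). They are
# made up for this example, not captured from a real system.
SAMPLE_ALERTS = """\
01/10-12:00:01.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
01/10-12:00:01.100200  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
01/10-12:00:02.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
01/10-12:00:02.100200  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10
01/10-12:05:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.99 -> 192.168.1.10
not an alert line at all
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
# Classification and Priority are optional because not every rule sets them.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["prio"] = int(a["prio"]) if a["prio"] else None
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Count alerts per (sid, msg) and per source address."""
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_rule, by_src


def noisy_sources(alerts, threshold):
    """Sources with at least `threshold` alerts, sorted (a simple sweep/flood
    heuristic; the threshold value is chosen by the caller)."""
    _, by_src = summarize(alerts)
    return sorted(src for src, n in by_src.items() if n >= threshold)


if __name__ == "__main__":
    import sys
    # Usage: python alert_summary.py c:\snort\log\alert.ids  (or no argument
    # for the constructed sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    alerts = parse_alerts(text)
    by_rule, by_src = summarize(alerts)
    for (sid, msg), n in by_rule.most_common():
        print("sid %-6d %-25s %d" % (sid, msg, n))
    for src, n in by_src.most_common():
        print("%-16s %d" % (src, n))
    print("noisy:", noisy_sources(alerts, 4))
```

The regex keeps the source and destination as whole tokens, so it also handles TCP and UDP alerts where Snort writes ip:port on each side; only the ICMP case is exercised by the constructed sample.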