Installing Snort on Windows (2)

The complete, official WinIDS Installation Guide: http://wenku.baidu.com/view/e676414f2b160b4e767fcf29.html

WinIDS builds an IDS on Windows out of Snort, MySQL and related components.

The following is the section of its documentation that covers installing and configuring Snort; it is worth consulting.

Install and configure Snort
Navigate to the 'd:\tmp' folder and double left-click the 'Snort...' file to start the installer. Left-click the 'I Agree' button, left-click 'Next' (leave the default), left-click 'Next', and in the 'Destination Folder' dialog box type 'd:\winids\snort' (without the quotes). Left-click 'Next' to let Snort install, left-click the 'Close' button, and finally left-click 'OK'.

Navigate to the 'd:\tmp' folder and extract the 'snortrules-snapshot-CURRENT.zip' file into 'd:\winids\snort'.

Navigate to the 'd:\winids\snort\etc' folder, right-click on the 'snort.conf' file and open with 'WordPad'.

Note: Use the Find in WordPad to locate and change the variables below.

The home network variable below defines the network you wish to monitor, for instance the local LAN segment. It is set by specifying one or more networks in CIDR form.

Note: The IP address below is fictitious and must be changed to the correct IP Address and CIDR that reflects the actual network that the IDS is monitoring.

Original: var HOME_NET any
Change: var HOME_NET 192.168.1.0/24

The external network below specifies one or more networks from which you believe threats or attacks will originate. The var EXTERNAL_NET variable below can also be set to a CIDR, or you can make use of the home network variable specified above.

Original: var EXTERNAL_NET any
Change: var EXTERNAL_NET !$HOME_NET

Original: var RULE_PATH ../rules
Change: var RULE_PATH d:\winids\snort\rules

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dns.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

Original: dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Note: Find the line entries below and change the following lines.

Original:
# preprocessor sfportscan: proto  { all } \
#                                    memcap { 10000000 } \
#                                    sense_level { low }

Change:
preprocessor sfportscan: proto { all } \
                                    memcap { 10000000 } \
                                    sense_level { low } \
                                    logfile { portscan.log }

Note: Just below '# output log_tcpdump: tcpdump.log' insert this next line:
output alert_fast: alert.ids

Original: # output database: log, mysql, user=root password=test dbname=db host=localhost
Change: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=localhost sensor_name=WinIDS

Original: include classification.config
Change: include d:\winids\snort\etc\classification.config

Original: include reference.config
Change: include d:\winids\snort\etc\reference.config

Original: # include threshold.conf
Change: include d:\winids\snort\etc\threshold.conf

Now save the file and exit WordPad.
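The edits above are mechanical, and doing them by hand in WordPad is where typos creep in (a forgotten `.dll` rename, an `any` left in HOME_NET). The script below is an added example, not part of the original page or the WinIDS guide: it applies the guide's substitutions to the text of a snort.conf and then lints the result for the settings that would leave the sensor blind or unable to start. The sample config is a constructed excerpt that mirrors the 'Original' lines quoted above, and the `d:\winids\snort` paths are the guide's own.

```python
"""Apply the WinIDS snort.conf changes from the guide and sanity-check them.

Added example (not from the WinIDS guide). Assumes the stock 'Original' lines
shown in the guide and the d:\\winids\\snort install location it uses.
"""
import ipaddress
import re

WIN_LIB = r"d:\winids\snort\lib"
WIN_ETC = r"d:\winids\snort\etc"
WIN_RULES = r"d:\winids\snort\rules"

# Constructed excerpt of a stock snort.conf, modelled on the guide's 'Original' lines.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# preprocessor sfportscan: proto  { all } \\
#                                    memcap { 10000000 } \\
#                                    sense_level { low }
# output log_tcpdump: tcpdump.log
# output database: log, mysql, user=root password=test dbname=db host=localhost
include classification.config
include reference.config
# include threshold.conf
"""


def convert(conf: str, home_net: str) -> str:
    """Return the config text with the guide's changes applied."""
    lines = conf.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("var HOME_NET "):
            out.append("var HOME_NET " + home_net)
        elif line.startswith("var EXTERNAL_NET "):
            out.append("var EXTERNAL_NET !$HOME_NET")
        elif line.startswith("var RULE_PATH "):
            out.append("var RULE_PATH " + WIN_RULES)
        elif line.startswith("dynamicpreprocessor file "):
            # libsf_<name>_preproc.so becomes sf_<name>.dll under the Windows lib dir
            m = re.search(r"libsf_(\w+)_preproc\.so$", line)
            if m:
                out.append("dynamicpreprocessor file " + WIN_LIB
                           + r"\snort_dynamicpreprocessor\sf_" + m.group(1) + ".dll")
            else:
                out.append(line)  # unknown layout: leave it for a human
        elif line.startswith("dynamicengine "):
            out.append("dynamicengine " + WIN_LIB + r"\snort_dynamicengine\sf_engine.dll")
        elif line.startswith("# preprocessor sfportscan:"):
            # Uncomment the three-line block and add the portscan logfile continuation
            out.append("preprocessor sfportscan: proto { all } \\")
            out.append("    memcap { 10000000 } \\")
            out.append("    sense_level { low } \\")
            out.append("    logfile { portscan.log }")
            i += 2  # skip the two original commented continuation lines
        elif line.startswith("# output log_tcpdump:"):
            out.append(line)  # stays commented; the fast alert output goes right below it
            out.append("output alert_fast: alert.ids")
        elif line.startswith("# output database:"):
            out.append("output database: log, mysql, user=snort password=l0gg3r "
                       "dbname=snort host=localhost sensor_name=WinIDS")
        elif line in ("include classification.config", "include reference.config",
                      "# include threshold.conf"):
            out.append("include " + WIN_ETC + "\\" + line.split()[-1])
        else:
            out.append(line)
        i += 1
    return "\n".join(out) + "\n"


def lint(conf: str) -> list:
    """Flag settings that make the sensor blind, mis-scoped or unable to load."""
    problems = []
    lines = conf.splitlines()
    for line in lines:
        m = re.match(r"var HOME_NET\s+(\S+)", line)
        if m and m.group(1) == "any":
            problems.append("HOME_NET is 'any': $HOME_NET-scoped rules match in every direction")
        elif m:
            for tok in m.group(1).strip("[]").split(","):
                if tok.startswith(("$", "!")):
                    continue  # variable reference or negation, not a literal network
                try:
                    ipaddress.ip_network(tok, strict=False)
                except ValueError:
                    problems.append(f"HOME_NET token {tok!r} is not a valid CIDR")
        if re.match(r"var EXTERNAL_NET\s+any\b", line):
            problems.append("EXTERNAL_NET is 'any': use !$HOME_NET or an explicit CIDR")
        if line.startswith(("dynamicpreprocessor file ", "dynamicengine ")) and line.endswith(".so"):
            problems.append("Unix shared object on a Windows sensor: " + line.split()[-1])
    if not any(l.startswith("output ") for l in lines):
        problems.append("no active output plugin: alerts would not be written anywhere")
    return problems


if __name__ == "__main__":
    print("before:", lint(SAMPLE_CONF))
    fixed = convert(SAMPLE_CONF, "192.168.1.0/24")
    print(fixed)
    print("after:", lint(fixed))
```

Run it against a real `snort.conf` by reading the file into `convert()` and writing the result back; the `lint()` pass is worth keeping as a pre-start check even when the edits were made by hand, since a HOME_NET of `any` or a leftover `.so` path produces no error in WordPad and only shows up when Snort fails to load or alerts arrive with no direction.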
