Installing Snort on Windows

This is the official Snort installation guide.
The following is meant to be an easy guide to getting Snort up and running on a Windows XP PC.  Configuration of rules, deciphering Alerts and tailoring to your specific network is beyond the scope of this article.

Starting from a clean formatted drive, I have successfully installed and configured Snort using the below steps on both a desktop and laptop, as well as on a wireless network and in a VMware session.  There may be easier or more appropriate methods, but this has worked for me.  Use at your own risk.

(All links are valid as of 06/29/2008)

Microsoft Windows XP Professional w/ SP2    http://www.microsoft.com/windowsxp/pro/howtobuy/default.mspx
Mozilla Firefox                                http://www.mozilla.com/en-US/firefox/
AVG Anti-Virus Free Edition                    http://free.grisoft.com/ww.download?prd=afe
ZoneAlarm Free Firewall                        http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp
Microsoft Baseline Security Analyzer        http://www.microsoft.com/downloads/details.aspx?FamilyId=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en
ActivePerl                                    http://www.activestate.com/store/productdetail.aspx?prdGuid=81fbce82-6bd5-49bc-a915-08d58c2648ca
Notepad++                                    http://sourceforge.net/project/showfiles.php?group_id=95717&package_id=102072
Foxit Reader                                http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm
Kiwi Syslog Daemon                            http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/
7-Zip                                        http://www.7-zip.org/
WinPcap                                        http://www.winpcap.org/install/default.htm
Snort                                        http://www.snort.org/dl/binaries/win32/
Oinkmaster (with GUI)                        http://oinkmaster.sourceforge.net/download.shtml

By default, everything will install to your C:/ drive.  If you choose another path, you must adjust any references accordingly!

1)  You should also take the time to install ALL updates!  For guides on helping better secure the OS, I recommend reading both http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm and http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1

2)  You could skip this and use IE if you want.

3)  After installing, apply any updates.

4)  Throughout the installation you will need to configure the firewall access accordingly.

5)  MBSA requires a valid Windows license to download.  After installing and running, you should correct any issues discovered.

6)  ActivePerl is the chosen method used for running Oinkmaster.

7)  Notepad++ is the free file editor used for editing, among others, the snort.conf file.  (I also wrote this guide with it)

8)  Foxit is a free .pdf reader.

9)  Kiwi is the GUI we will output our Snort alerts to.  You can choose to run it as a service or, as I did, a regular windows application.

10) 7-zip allows us to unpack Oinkmaster (and most other file formats).

11) WinPcap is needed for Snort to function.

12) Okay, now for configuring Snort and Kiwi!

        Install the Snort executable with all defaults
        Go to c:/snort and create a folder called temp
        If you haven't done so already, go register at Snort: https://www.snort.org/pub-bin/register.cgi
        Log in to the Snort website and copy your Oink Code.  Also download VRT Certified Rules for Snort v2.8
        Use 7-zip to unpack the downloaded file (snortrules-snapshot-2.8.tar)
        Use 7-zip to unpack this new file (snortrules-snapshot-2.8_s) and copy it to c:/snort overwriting any existing files.
        
        Open c:/snort/etc/snort.conf with Notepad++ and perform the following:
            Change line 194 to read      var RULE_PATH c:/snort/rules
            Change lines 289-293 to read dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll
                                         dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_dns.dll
                                         dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_ftptelnet.dll
                                         dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_smtp.dll
                                         dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_ssh.dll
            Change line 312 to read      dynamicengine c:/snort/lib/snort_dynamicengine/sf_engine.dll
            Change line 816 to read      output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
            I like to start with my Rulesets all on and work backwards, so you can go to lines 925 - 979 and remove the # from each one
            
        **Now save and close this file.  Keep in mind that you will need to tailor this file and any other .conf files further to suit your IDS needs.
            
        If you want, copy c:/snort/etc/snort.conf to c:/snort (just to have a backup copy)
        Open a Command Prompt and run c:/snort/bin/snort -W
        Now run c:/snort/bin/snort -v -iX (replace X with your adapter number discovered from running the previous line)
        Open another Command Prompt and run: ping snort.org
            At this point you should see some text scrolling in the other Command Prompt.  This is a Snort Alert in action!  
            Kill the Snort process (CTRL-C) and close both Command Prompt windows.
        Now open Kiwi, hit okay and type CTRL-T (you should see a test message appear, which indicates Kiwi is working)
        Using Notepad++, create a file with the line c:/snort/bin/snort -iX -s -l c:/snort/log/ -c c:/snort/etc/snort.conf (replace X with your adapter number
        discovered from running the previous line).  Save this file on your Desktop as SnortStart.bat
        Now run SnortStart.bat and wait (about thirty seconds) until you see the Snort piggy on the left.
        Open another Command Prompt and run: ping google.com
        At this point you should see the Snort Alert outputting into Kiwi.
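Step 12 points Snort's alert output at a syslog listener on 127.0.0.1:514 with facility LOG_AUTH and severity LOG_ALERT, which is what Kiwi displays. The following Python script is an added example, not part of Kasey's guide or of Snort or Kiwi: it decodes the syslog PRI field into facility and severity, picks the GID/SID/revision, protocol and addresses out of a Snort alert line, and checks that the alert arrived on the auth.alert channel the snort.conf line configures. The sample datagram is constructed to mirror the shape of an alert_syslog line; the `serve()` helper is an optional stand-in for Kiwi when you want to confirm alerts are reaching UDP/514 (Kiwi must be stopped first, since it holds that port).

```python
import re
import socket
from typing import Optional

# RFC 3164 facility and severity numbering: PRI = facility * 8 + severity.
# snort.conf's "LOG_AUTH LOG_ALERT" is facility 4, severity 1, so PRI 33.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warning",
              5: "notice", 6: "info", 7: "debug"}

# Constructed sample datagram in the shape of a Snort alert_syslog line
# ("[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst").
SAMPLE_DATAGRAM = (b"<33>snort: [1:382:7] ICMP PING Windows [Classification: Misc activity] "
                   b"[Priority: 3]: {ICMP} 192.168.1.10 -> 74.125.19.99")

ALERT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(.*?)"             # gid:sid:rev and the rule message
    r"(?:\s+\[Classification:\s*([^\]]*)\])?"    # optional classification
    r"(?:\s+\[Priority:\s*(\d+)\])?:?"           # optional priority
    r"\s*\{(\w+)\}\s+(\S+)\s+->\s+(\S+)")         # protocol, source, destination


def parse_syslog(datagram: bytes) -> dict:
    """Split a raw syslog datagram into PRI (facility/severity names) and message text."""
    text = datagram.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*)$", text, re.S)
    if not m:
        raise ValueError("datagram has no syslog PRI field")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    return {"pri": pri,
            "facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES.get(severity, str(severity)),
            "message": m.group(2).strip()}


def parse_snort_alert(message: str) -> Optional[dict]:
    """Extract the structured fields of a Snort alert line; None if it is not one."""
    m = ALERT_RE.search(message)
    if not m:
        return None
    return {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
            "msg": m.group(4),
            "classification": m.group(5),
            "priority": int(m.group(6)) if m.group(6) else None,
            "proto": m.group(7), "src": m.group(8), "dst": m.group(9)}


def is_expected_channel(parsed: dict, facility: str = "auth", severity: str = "alert") -> bool:
    """True when the datagram used the facility/severity configured in snort.conf."""
    return parsed["facility"] == facility and parsed["severity"] == severity


def serve(host: str = "127.0.0.1", port: int = 514) -> None:
    """Minimal stand-in for Kiwi: print decoded alerts arriving on UDP syslog.
    Binding port 514 on Windows needs an elevated prompt and a stopped Kiwi."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, peer = sock.recvfrom(65535)
        hdr = parse_syslog(data)
        alert = parse_snort_alert(hdr["message"])
        flag = "" if is_expected_channel(hdr) else " (unexpected facility/severity)"
        print(f"{peer[0]} {hdr['facility']}.{hdr['severity']}{flag}: {alert or hdr['message']}")


if __name__ == "__main__":
    header = parse_syslog(SAMPLE_DATAGRAM)
    print(header["facility"], header["severity"], is_expected_channel(header))
    print(parse_snort_alert(header["message"]))
```

Run it once against the constructed sample to see the decoded fields, then call `serve()` from an elevated prompt with Kiwi stopped if you want to watch the real datagrams from the `ping` test arrive. If alerts show up with a facility other than auth or a severity other than alert, the `output alert_syslog:` line in snort.conf is not the one that took effect.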
        
13) Use 7-zip to unpack the oinkmaster.tar file.
    Use 7-zip to unpack this new file (oinkmaster-2.0)
    Copy the oinkmaster-2.0 folder to c:/snort
    Open a Command Prompt and run: ppm install Tk
    When the install is done, run: ppm install Win32::FileOp (When the install is done, close the Command Prompt window)
    Go to c:/snort/oinkmaster-2.0/contrib and copy the oinkgui file to your Desktop.  Rename this file to: Update Snort Rules
    
    Run the Update Snort Rules file and let’s configure Oinkmaster:
        Change the first line to  C:/Snort/oinkmaster-2.0/oinkmaster.pl
        Change the second line to C:/Snort/oinkmaster-2.0/oinkmaster.conf
        
    Click Edit to the right of C:/Snort/oinkmaster-2.0/oinkmaster.conf and perform the following:
        Change line 52 to read url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz where <oinkcode> is equal to the
        Oink Code you copied earlier. (Now close Notepad++ and be sure to save the .conf file)
            
        Change the third line to  C:/Snort/rules
    Pick the Optional files and directories tab
        Change the third tab to   C:/Snort/temp
        Change the fourth tab to  C:/Program Files/Notepad++/notepad++.exe
        
    Click verbose
    Click Save current settings
    Click Update rules!
    
    After a few minutes of watching the rules update, it will read: done.
    Click Exit
    
**Remember that every time you update the rules, you will need to stop and then restart Snort for the new rules to take effect.

I would appreciate any comments or notification of any errors encountered by anyone who tries performing these steps.

Kasey
snortguide@gmail.com
----------------------------------------------------------------------------
After installing by the steps above, Snort started normally but captured no packets. I fiddled with it for half a day and finally got it solved.
The problem is actually very simple; look at these lines:
Open a Command Prompt and run c:/snort/bin/snort -W
Now run c:/snort/bin/snort -v -iX (replace X with your adapter number discovered from running the previous line)

After I ran c:/snort/bin/snort -W, two interface entries appeared, as follows:
1  /Device/NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2 /Device/NPF_{F29F8E88-0030-4E26-9FE0-1D2EF5996B23} (NDIS 5.0 driver )
But when running c:/snort/bin/snort -v -iX I had used c:/snort/bin/snort -v -i1. That was the problem; after I switched to c:/snort/bin/snort -v -i2 it was solved. Quite frustrating. (Actually the label after each interface already makes it obvious: 2 is the NDIS driver.)
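The guide's "snort -W, then -iX" step and the adapter mix-up described in this post are the same task: read the interface list, skip WinPcap's generic dialup/VPN pseudo-adapter (which never sees LAN traffic), and hand the right index to the `-i` switch in SnortStart.bat. The Python below is an added example, not code from the guide, the post or the Snort project: it parses a constructed copy of the two-line `snort -W` listing shown above, chooses the first adapter that is not the GenericDialupAdapter (a heuristic, assumed here), and builds the SnortStart.bat command line for it. Where a machine has several real NICs, the printed descriptions are what you should choose from.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of "snort -W" output, mirroring the two adapters listed in the post.
# On a real box you would capture this with:
#   subprocess.run(["c:/snort/bin/snort", "-W"], capture_output=True, text=True).stdout
SNORT_W_OUTPUT = """\
Interface    Device    Description
-------------------------------------------
1  /Device/NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2  /Device/NPF_{F29F8E88-0030-4E26-9FE0-1D2EF5996B23} (NDIS 5.0 driver )
"""

# One numbered line: index, device path, parenthesised description.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_interfaces(output: str) -> List[Tuple[int, str, str]]:
    """Return (index, device, description) for each numbered line of snort -W output."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return found


def choose_capture_interface(interfaces: List[Tuple[int, str, str]]) -> Optional[int]:
    """Pick the first adapter that is not WinPcap's generic dialup/VPN pseudo-adapter.
    Assumption: GenericDialupAdapter carries no LAN traffic, so it is never the right choice."""
    for idx, device, _desc in interfaces:
        if "GenericDialupAdapter" in device:
            continue
        return idx
    return None


def build_start_command(adapter: int, snort_home: str = "c:/snort") -> str:
    """Reproduce the SnortStart.bat line from the guide for the chosen adapter index."""
    return (f"{snort_home}/bin/snort -i{adapter} -s -l {snort_home}/log/ "
            f"-c {snort_home}/etc/snort.conf")


if __name__ == "__main__":
    ifaces = parse_interfaces(SNORT_W_OUTPUT)
    for idx, dev, desc in ifaces:
        print(f"{idx}: {desc}  [{dev}]")
    chosen = choose_capture_interface(ifaces)
    if chosen is None:
        print("no usable capture adapter found; check that WinPcap is installed")
    else:
        print("SnortStart.bat should contain:")
        print(build_start_command(chosen))
```

Feed it the real `snort -W` output and paste the printed line into SnortStart.bat. A quick sanity check that the chosen adapter is live is the one the guide already gives: run `snort -v -iN` with the chosen N and `ping` something; if nothing scrolls, the index is wrong or the NIC is not the one carrying the traffic.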
