This is the official Snort installation guide.
The following is meant to be an easy guide to getting Snort up and running on a Windows XP PC. Configuration of rules, deciphering Alerts and tailoring to your specific network is beyond the scope of this article.
Starting from a clean formatted drive, I have successfully installed and configured Snort using the below steps on both a desktop and laptop, as well as on a wireless network and in a VMware session. There may be easier or more appropriate methods, but this has worked for me. Use at your own risk.
(All links are valid as of 06/29/2008)
Microsoft Windows XP Professional w/ SP2 http://www.microsoft.com/windowsxp/pro/howtobuy/default.mspx
Mozilla Firefox http://www.mozilla.com/en-US/firefox/
AVG Anti-Virus Free Edition http://free.grisoft.com/ww.download?prd=afe
ZoneAlarm Free Firewall http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp
Microsoft Baseline Security Analyzer http://www.microsoft.com/downloads/details.aspx?FamilyId=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en
ActivePerl http://www.activestate.com/store/productdetail.aspx?prdGuid=81fbce82-6bd5-49bc-a915-08d58c2648ca
Notepad++ http://sourceforge.net/project/showfiles.php?group_id=95717&package_id=102072
Foxit Reader http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm
Kiwi Syslog Daemon http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/
7-Zip http://www.7-zip.org/
WinPcap http://www.winpcap.org/install/default.htm
Snort http://www.snort.org/dl/binaries/win32/
Oinkmaster (with GUI) http://oinkmaster.sourceforge.net/download.shtml
By default, everything will install to your C:/ drive. If you choose another path, you must adjust any references accordingly!
1) You should also take the time to install ALL updates! For guides on helping better secure the OS, I recommend reading both http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm and http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1
2) You could skip this and use IE if you want.
3) After installing, apply any updates.
4) Throughout the installation you will need to configure the firewall access accordingly.
5) MBSA requires a valid Windows license to download. After installing and running, you should correct any issues discovered.
6) ActivePerl is the chosen method used for running Oinkmaster.
7) Notepad ++ is the free file editor used for editing, among others, the snort.conf file. (I also wrote this guide with it)
8) Foxit is a free .pdf reader.
9) Kiwi is the GUI we will output our Snort alerts to. You can choose to run it as a service or, as I did, a regular windows application.
10) 7-zip allows us to unpack Oinkmaster (and most other file formats).
11) WinPcap is needed for Snort to function.
12) Okay, now for configuring Snort and Kiwi!
Install the Snort executable with all defaults
Go to c:/snort and create a folder called temp
If you haven't done so already, go register at Snort: https://www.snort.org/pub-bin/register.cgi
Log in to the Snort website and copy your Oink Code. Also download VRT Certified Rules for Snort v2.8
Use 7-zip to unpack the downloaded file (snortrules-snapshot-2.8.tar)
Use 7-zip to unpack this new file (snortrules-snapshot-2.8_s) and copy it to c:/snort overwriting any existing files.
Open c:/snort/etc/snort.conf with Notepad ++ and perform the following:
Change line 194 to read var RULE_PATH c:/snort/rules
Change lines 289-293 to read dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll
dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_dns.dll
dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_ftptelnet.dll
dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_smtp.dll
dynamicpreprocessor file c:/snort/lib/snort_dynamicpreprocessor/sf_ssh.dll
Change line 312 to read dynamicengine c:/snort/lib/snort_dynamicengine/sf_engine.dll
Change line 816 to read output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
I like to start with my Rulesets all on and work backwards, so you can go to lines 925 - 979 and remove the # from each one
**Now save and close this file. Keep in mind that you will need to tailor this file and any other .conf files further to suit your IDS needs.
If you want, copy c:/snort/etc/snort.conf to c:/snort (just to have a backup copy)
Open a Command Prompt and run c:/snort/bin/snort -W
Now run c:/snort/bin/snort -v -iX (replace X with your adapter number discovered from running the previous line)
Open another Command Prompt and run: ping snort.org
At this point you should see some text scrolling in the other Command Prompt. This is a Snort Alert in action!
Kill the Snort process (CTRL-C) and close both Command Prompt windows.
Now open Kiwi, hit okay and type CTRL-T (you should see a test message appear, which indicates Kiwi is working)
Using Notepad ++, create a file with the line c:/snort/bin/snort -iX -s -l c:/snort/log/ -c c:/snort/etc/snort.conf (replace X with your adapter number discovered from running the previous line). Save this file on your Desktop as SnortStart.bat
Now run SnortStart.bat and wait (about thirty seconds) until you see the Snort piggy on the left.
Open another Command Prompt and run: ping google.com
At this point you should see the Snort Alert outputting into Kiwi.
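The snort.conf edits in step 12 are given by line number, and those numbers only hold for the exact snort.conf shipped with the build the guide used. The script below is an added example (not part of the guide and not a Snort tool) that applies the same edits by directive name instead: it sets RULE_PATH, repoints every dynamicpreprocessor and dynamicengine line at the c:/snort tree the guide assumes, writes the alert_syslog line Kiwi listens for, uncomments every include under $RULE_PATH (the "all rulesets on" starting point), and then lists the DLLs the patched file references so you can confirm they exist before starting Snort. The SAMPLE_CONF excerpt and the c:/program files/... paths in it are constructed for the demo.

```python
import os
import re
from typing import Callable, List, Tuple

# Constructed stand-in for the stock Windows snort.conf (the real file is far
# longer; the guide's line numbers refer to it). The paths here are made up.
SAMPLE_CONF = """\
var HOME_NET any
var RULE_PATH ../rules
dynamicpreprocessor file c:/program files/snort/lib/snort_dynamicpreprocessor/sf_dcerpc.dll
dynamicpreprocessor file c:/program files/snort/lib/snort_dynamicpreprocessor/sf_dns.dll
dynamicengine c:/program files/snort/lib/snort_dynamicengine/sf_engine.dll
# output alert_syslog: LOG_AUTH LOG_ALERT
include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
"""

# The syslog output line the guide asks for (Kiwi listens on 127.0.0.1:514).
SYSLOG_LINE = "output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT"


def _basename(path: str) -> str:
    """Last path component for either '/' or '\\' separators (works off-Windows too)."""
    return re.split(r"[\\/]", path.strip())[-1]


def patch_snort_conf(text: str, snort_dir: str = "c:/snort") -> Tuple[str, List[str]]:
    """Apply the guide's edits by directive name instead of line number.

    Returns the patched text plus a readable list of changes so the result
    can be reviewed before it replaces the real file.
    """
    out: List[str] = []
    changes: List[str] = []
    saw_syslog = False
    for line in text.splitlines():
        s = line.strip()
        new = line
        if re.match(r"var\s+RULE_PATH\s+", s):
            new = f"var RULE_PATH {snort_dir}/rules"
        elif s.startswith("dynamicpreprocessor file "):
            dll = _basename(s.split(None, 2)[2])  # keep the DLL name, move the directory
            new = f"dynamicpreprocessor file {snort_dir}/lib/snort_dynamicpreprocessor/{dll}"
        elif s.startswith("dynamicengine "):
            new = f"dynamicengine {snort_dir}/lib/snort_dynamicengine/sf_engine.dll"
        elif re.match(r"#?\s*output\s+alert_syslog", s):
            new = SYSLOG_LINE  # replace it whether it was commented out or not
            saw_syslog = True
        elif re.match(r"#\s*include\s+\$RULE_PATH/", s):
            new = s.lstrip("#").strip()  # "all rulesets on": uncomment every include
        if new != line:
            changes.append(f"{s!r} -> {new!r}")
        out.append(new)
    if not saw_syslog:  # no alert_syslog line at all: add one so Kiwi gets alerts
        out.append(SYSLOG_LINE)
        changes.append(f"appended {SYSLOG_LINE!r}")
    return "\n".join(out) + "\n", changes


def referenced_files(text: str) -> List[str]:
    """Every DLL the config loads; a wrong path here is the usual 'Snort won't start' cause."""
    paths = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("dynamicpreprocessor file "):
            paths.append(s.split(None, 2)[2].strip())
        elif s.startswith("dynamicengine "):
            paths.append(s.split(None, 1)[1].strip())
    return paths


def missing_files(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths from referenced_files() that do not exist (exists() is injectable for testing)."""
    return [p for p in referenced_files(text) if not exists(p)]


if __name__ == "__main__":
    patched, changes = patch_snort_conf(SAMPLE_CONF)
    for c in changes:
        print(c)
    print(patched)
    print("missing:", missing_files(patched))
```

To use it on the real file, read c:/snort/etc/snort.conf, pass the text to patch_snort_conf(), review the returned change list, and only then write the result back; the backup copy the guide suggests in the next step is still worth keeping.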
13) Use 7-zip to unpack the oinkmaster.tar file.
Use 7-zip to unpack this new file (oinkmaster-2.0)
Copy the oinkmaster-2.0 folder to c:/snort
Open a Command Prompt and run: ppm install Tk
When the install is done, run: ppm install Win32::FileOp (When the install is done, close the Command Prompt window)
Go to c:/snort/oinkmaster-2.0/contrib and copy the oinkgui file to your Desktop. Rename this file to: Update Snort Rules
Run the Update Snort Rules file and let’s configure Oinkmaster:
Change the first line to C:/Snort/oinkmaster-2.0/oinkmaster.pl
Change the second line to C:/Snort/oinkmaster-2.0/oinkmaster.conf
Click Edit to the right of C:/Snort/oinkmaster-2.0/oinkmaster.conf and perform the following:
Change line 52 to read url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz where <oinkcode> is equal to the Oink Code you copied earlier. (Now close Notepad ++ and be sure to save the .conf file)
Change the third line to C:/Snort/rules
Pick the Optional files and directories tab
Change the third tab to C:/Snort/temp
Change the fourth tab to C:/Program Files/Notepad++/notepad++.exe
Click verbose
Click Save current settings
Click Update rules!
After a few minutes of watching the rules update, it will read: done.
Click Exit
**Remember that every time you update the rules, you will need to stop and then restart Snort for the new rules to take effect.
I would appreciate any comments or notification of any errors encountered by anyone who tries performing these steps.
Kasey
snortguide@gmail.com
----------------------------------------------------------------------------
After installing by the steps above, Snort started normally but captured no packets. After fiddling with it for half a day I finally solved it.
The problem is actually very simple; look at this sentence:
Open a Command Prompt and run c:/snort/bin/snort -W
Now run c:/snort/bin/snort -v -iX (replace X with your adapter number discovered from running the previous line)
After I ran c:/snort/bin/snort -W, two interface entries appeared, as follows:
1 /Device/NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2 /Device/NPF_{F29F8E88-0030-4E26-9FE0-1D2EF5996B23} (NDIS 5.0 driver )
When running c:/snort/bin/snort -v -iX I had used c:/snort/bin/snort -v -i1, and that is where the problem was; after I switched to c:/snort/bin/snort -v -i2 the problem was solved. Very frustrating. (Actually the description after each interface already makes it obvious: 2 is the NDIS driver.)
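The pitfall above, picking interface 1 when that index is the generic dialup/VPN pseudo-adapter, is easy to automate away. The script below is an added example (not from the post or from Snort): it parses the `snort -W` interface table, refuses the GenericDialupAdapter entry, and fills the chosen index into the SnortStart.bat command line from the guide. The sample output embedded in it is the two lines the post's author saw; the regex also tolerates the extra MAC/IP columns newer Snort builds print, and live_adapters() is only meaningful on the Snort host itself.

```python
import re
import subprocess
from typing import List, NamedTuple, Optional


class Adapter(NamedTuple):
    index: int
    device: str
    description: str


# Sample `snort -W` output taken from the post above (constructed sample for
# this example, not generated on this machine). Newer Snort builds print extra
# MAC/IP columns; the regex ignores anything between the index and the NPF_
# device token, so both layouts parse.
SAMPLE_SNORT_W_OUTPUT = """\
1 /Device/NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2 /Device/NPF_{F29F8E88-0030-4E26-9FE0-1D2EF5996B23} (NDIS 5.0 driver )
"""

_LINE_RE = re.compile(r"^\s*(\d+)\s+.*?([\\/]Device[\\/]NPF_\S+)\s*(.*)$")


def parse_snort_w(text: str) -> List[Adapter]:
    """Turn the `snort -W` interface table into Adapter records; header lines are skipped."""
    adapters = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            desc = m.group(3).strip().strip("()").strip()
            adapters.append(Adapter(int(m.group(1)), m.group(2), desc))
    return adapters


def pick_capture_adapter(adapters: List[Adapter]) -> Optional[Adapter]:
    """Choose the adapter to sniff on: never the generic dialup/VPN pseudo-device.

    If more than one real NIC remains this returns the first one; on a box
    with several NICs pick explicitly rather than trusting that default.
    """
    real = [a for a in adapters if "GenericDialupAdapter" not in a.device]
    return real[0] if real else None


def build_snort_command(adapter: Adapter, snort_dir: str = "c:/snort") -> List[str]:
    """The SnortStart.bat command line from the guide with the -i index filled in."""
    return [
        f"{snort_dir}/bin/snort",
        f"-i{adapter.index}",
        "-s",
        "-l", f"{snort_dir}/log/",
        "-c", f"{snort_dir}/etc/snort.conf",
    ]


def live_adapters(snort_exe: str = "c:/snort/bin/snort") -> List[Adapter]:
    """Run `snort -W` on this machine and parse it (only works where Snort is installed)."""
    result = subprocess.run([snort_exe, "-W"], capture_output=True, text=True, check=False)
    return parse_snort_w(result.stdout)


if __name__ == "__main__":
    chosen = pick_capture_adapter(parse_snort_w(SAMPLE_SNORT_W_OUTPUT))
    print("selected:", chosen)
    if chosen is not None:
        print("command:", " ".join(build_snort_command(chosen)))
```

On the sample output the script selects index 2 and produces the same command the guide puts in SnortStart.bat with -i2, which is exactly the fix the post arrived at by hand.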
Snort installation on Windows