Wednesday, July 24, 2013

Tutorial to Configure and Use Snort IDS on Windows XP



This tutorial explain steps to configure Snort on Widnows XP machine and how to use it for detection of attacks.


Steps:
1. Download Snort from "http://www.snort.org/" website.

2. Also download Rules from the same website. You need to sign up to get rules for registered users.
3. Click on the Snort_(version-number)_Installer.exe file to install it. By-default it will install snort in the "C:\Snort" directory.

4. Extract downloaded Rules file: snortrules-snapshot-(number).tar.gz

5. Copy all files from the "rules" directory of the extracted folder and paste them into "C:\Snort\rules" directory.

6. Copy "snort.conf" file from the "etc" directory of the extracted folder and paste it into "C:\Snort\etc" directory. Overwrite existing file if there is any.

7. Open command prompt (cmd.exe) and navigate to directory "C:\Snort\bin" directory.

8. To execute snort in sniffer mode use following command:
   snort -dev -i 2
   -i indicate interface number.
  -dev is used to run snort to capture packets.

  To check interface list use following command:
  snort   -W

9. To execute snort in IDS mode, we need to configure a file "snort.conf" according to our network environment.

10. Set up network address  we want to protect in snort.conf file. To do that look for "HOME_NET" and add your IP address.
   var HOME_NET 10.1.1.17/8

11. You can also set addresses or DNS_SERVERS, if you have any. otherwise go to the next step.

12. Change RULE_PATH variable with the path of rules directory.
    var RULE_PATH c:\snort\rules
13. Change the path of all libraries with the name and path on your system. or change path of snort_dynamicpreprocessor variable.
     sor file C:\Snort\lib\snort_dynamiccpreprocessor\sf_dcerpc.dll
    You need to do this to all library files in the "C:\Snort\lib" directory. The old path might be something like: "/usr/local/lib/...". you need to replace that path with you system path.

14. Change path of the "dynamicengine" variable value in the "snort.conf" file with the path of your system.  Such as:
  dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

15 Add complete path for "include classification.config" and "include reference.config" files.
   include c:\snort\etc\classification.config
   include c:\snort\etc\reference.config

16. Remove the comment on the line to allow ICMP rules, if it is alredy commented.
    include $RULE_PATH/icmp.rules

17. Similary, remove the comment of ICMP-info rules comment, if it is already commented.
    include $RULE_PATH/icmp-info.rules

18 To add log file to store alerts generated by snort, search for "output log" test and add following line:
   output alert_fast: snort-alerts.ids

19.  Comment whitelist $WHITE_LIST_PATH/white_list.rules and blacklist $BLACK_LIST_PATH/black_list.rules lines.  Also ensure that you add change the line above $WHITE_LIST_PATH
Change nested_ip inner , \  to nested_ip inner #, \

20. Comment following lines:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

21. Save the "snort.conf" file and close it.

22. Go to the "C:\Snort\log" directory and create a file: snort-alerts.ids

23. To start snort in IDS mode, run following command:
     snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 2 

   Above command will generate log file that will not be readable without using a tool. To read it use following command:
  C:\Snort\Bin\> snort -r ..\log\log-filename

To generate Log files in ASCII mode use following command while running snort in IDS mode:
     snort -A console -i2 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

24. Scan the computer running snort from another computer using PING or launch attack. Then check snort-alerts.ids file the log folder.

You can also download my modified snort.conf file here. It works with Snort_2_9_5_Installer.exe

3 comments:

  1. I am not getting alert on the cmd window ,
    I used the your conf file to run snort 2.9.5

    Please help me to isolate the problem

    regards,
    chetan

    ReplyDelete
    Replies
    1. @chetan: Try following command
      snort -A console -i2 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii
      Then try to access web pages from your computer.

      Delete
  2. I could not find "sf_dcerpc.dll" file in the path "C:\Snort\lib\snort_dynamicpreprocessor"
    I am using SNORT 2.9 version.
    I cold not find this dll file in any site also.
    Could you please help me

    ReplyDelete