Installing & Configuring Snort 2.9.

20 on
Windows 10

Introduction To Snort:

In this tutorial we will look at installing and configuration of snort on Windows 10. Snort is
an open source and popular Intrusion Detection System (IDS). It works by actively
monitoring of network traffic parsing each packet and alerting system administrator of any
anomalous behavior that goes against the snort rules configured by the administrator
according to the security policies of an organization.

Installing Snort 2.9.17 on Windows 10 A Step By Step Guide:

1. For Windows 10 64 bit supported SNORT’s executable file can be downloaded from
here.

2. Open the downloaded snort executable file.

3. Click On ‘I Agree’ on the license agreement.

Figure 01: License agreement for Snort 2.9.17

4. Choose components of Snort to be installed.

Figure 02: Choosing Components for Snort 2.9.17

5. Click “Next” and then choose install location for snort preferably a separate folder in
Windows C Drive.

Figure 03: Choose Install location for Snort 2.9.17

6. Click “Next” Installation process starts and then it completes as shown in figure 04:
Figure 04: Setup Complete for Snort 2.9.17

7. When you click “ Close” you are prompted with this dialogue box:

Figure 05: Window showing details of software needed to run Snort successfully

8. Installing Npcap is required by snort for proper functioning.

9. Npcap for Windows 10 can be downloaded from here.

10. Opening Npcap setup file, Click on ‘I Agree’ To license agreement.

Figure 06: License agreement for Npcap 1.10

11. Now we proceed to choose which components of Npcap are to be installed and then
clicking on “Install”.

Figure 07: Choose Components to install for Npcap 1.10

12. Installation process starts and completes. Clicking on “Next” we have:

Figure 08: Setup completed for Npcap 1.10

13. Now the window for installation of Npcap shows it has been installed. Clicking “Finish”.
Figure 09: Successful installation for Npcap 1.10 completed

14. After installing Snort and Npcap enter these commands in windows 10 Command prompt
to check snorts working

Figure 10: Successfully running Snort on Windows 10 through command prompt

15. As you can see in the above figure that snort runs successfully.

This is how you can download and install Snort along with its dependency i.e. Npcap.

Configuring Snort 2.9.17 on Windows 10:

After installing Snort on Windows 10, Another important step to get started with Snort is
configuring it on Windows 10.

Note: The italicized portion with a left hand side border states commands which were pre-
written in the configuration file of Snort so we need to make changes according to the
commands mentioned in the images, to be precise we need to enter configuration commands
as shown in the images to configure snort.

1. Go to this link and download latest snort rule file.

2. Extract 3 folders from the downloaded snortrules-snapshot-29170.tar folder into the
Snorts corresponding folders in C drive.

Folders to be extracted are: rules , preproc_rules , etc

• rules folder contains the rules files and the most important local.rules file. Which we
will use to enter all our rules.
• etc folder contains all configuration files and the most important file is snort.conf file
which we will use for configuration
3. Now open the snort.conf file through the notepad++ editor or any other text editor to edit
configurations of snort to make it work like we want it to.

4. Setup the network addresses you are protecting

ipvar HOME_NET any

Note: Mention your own host IP addresses that you want to protect.

Figure 11: Setting up the Home Network Address in Snort

5. Setup the external network into anything that is not the home network. That is why ! is
used in the command it denotes ‘not’.

# Set up the external network addresses. Leave as “any” in most

situationsipvar EXTERNAL_NET any

Figure 12: Setting up the external Network Addresses in Snort

6. Now we have to define the directory for our rules and preproc rules folder

# Path to your rules files (this can be a relative path)# Note for Windows
users: You are advised to make this an absolute path,# such as:
c:\snort\rulesvar RULE_PATH ../rulesvar SO_RULE_PATH ../so_rulesvar
PREPROC_RULE_PATH ../preproc_rules

Figure 13: Setting up path to our rules files and preproc rules folder in Snort

7. Now we have to setup our white list and black list path it will be in our snorts’ rule folder

# If you are using reputation preprocessor set thesevar WHITE_LIST_PATH

../rulesvar BLACK_LIST_PATH ../rules

Figure 14: Setting up our White List and Black List files paths in Snort

8. Next we have to enable to log directory, so that we store logs in our log folder.
Uncomment this line and set absolute path to log directory

# Configure default log directory for snort to log to. For more information
see snort -h command line options (-l)## config logdir:
Figure 15: Setting up Log Directory Path in Snort

9. Now we will set the path to dynamic preprocessors and dynamic engine

# path to dynamic preprocessor libraries

dynamic preprocessor directory/usr/local/lib/snort_dynamicpreprocessor/

Figure 16: Setting up path to dynamic preprocessors and dynamic engine in Snort

10. We will do same thing for dynamic preprocessor engine

# path to base preprocessor enginedynamicengine

/usr/local/lib/snort_dynamicengine/libsf_engine.so

Figure 17: Setting up the path to dynamic preprocessor engine in Snort

11. Now lets set our reputation preprocessors:

# path to dynamic rules libraries# dynamicdetection directory

/usr/local/lib/snort_dynamicrules

Figure 18: Path to dynamic rules libraries in Snort

12. Just comment out these lines as shown in figure 19 in doing so we are excluding packet
normalization of different packets.

Figure 19: Commenting out packet normalization commands in Snort

13. Scroll down to the reputation preprocessors. We will just change the name of the files
since white list , black list are not rules they are just the list of IP addresses labelled as black
or white

# Reputation preprocessor. For more information see

README.reputationpreprocessor reputation: \memcap 500, \priority whitelist,
\nested_ip inner, \whitelist $WHITE_LIST_PATH/whitelist, \blacklist
$BLACK_LIST_PATH\black.list
Figure 20: Whitelisting and Blacklisting IPs through the command as shown in figure

14. Converted back slashes to forward slashes in lines 546–651.

Figure 21 : Converted back slashes to forward slashes in specific lines in snort.conf file
Figure 22: Converted back slashes to forward slashes in specific lines in snort.conf file

15. Again just convert forward slashes to backslashes and uncomment the lines below:

# decoder and preprocessor event rules# include

$PREPROC_RULE_PATH/preprocessor.rules# include
$PREPROC_RULE_PATH/decoder.rules# include $PREPROC_RULE_PATH/sensitive-
data.rules

Figure 23 : Converted back slashes to forward slashes in specific lines and uncommenting specific
lines in snort.conf file

16. Now we just need to verify the presence of this command at the bottom of snort.conf file.

Figure 24: verifying presence of “include threshold.conf” command in snort.conf file

17. Click on Save file and save all changes to save the configuration file (snort.conf).

18. Now recalling the Step 13 white list , black list are not rules they are just the list of IP
addresses labelled as black or white right now these files don’t exist in our rule path which is
why we have to create them manually , save them in this folder C:\Snort\rules.

• Go to Notepad++ and create new file.

• Comment it #White-listed IPs.
• Name the file white.list and save the file.

Figure 25 : Creating White List IPs file

• Create another new file.

• Comment it #Black-listed IPs.
• Name the file black.list and save the file.

Figure 26 : Creating Black List IPs file in Snort

19. Now we test snort again by running Command prompt as admin. To check if it’s running
fine after all the configurations.
Figure 27: Test Running of Snort in Windows 10 after Configuration

20. We can also the check the wireless interface cards from which we will be using snort by
using the command below we can see the list of our wireless interface cards through entering
this command in command prompt.

Snort — W

21. configuration validation check command:

Now we will enter a command To check validation of snort’s configuration
by choosing a specific wireless interface card (1) the rest of command shows the config file
path . The command is :

snort -i 1 -c C:\Snort\etc\snort.conf -T

Figure 28 : Checking Validation of Snort Configuration in Command Prompt

It can be seen in the given figure that Snort successfully validates our configuration. This
brings us to the end of our installation and configuration tutorial.

If you want to follow it through our references used for writing this tutorial then references
are given below.

References:

1. How to Install, Configure, and Test Snort on Windows

2. Install Snort 2.9.8 on Windows
Βιβλιογραφία
https://zaeemjaved10.medium.com/installing-configuring-snort-2-9-17-on-windows-10-
26f73e342780
https://npcap.com/#download
https://www.snort.org/