Intrusion Detection FAQ: Running Snort Under Windows

Loras R. Even
Updated by Jim McMillan
November 2009

Introduction

Snort is an open source intrusion detection/prevention system created by Martin "Marty" Roesch, founder of Sourcefire. It is capable of performing real-time traffic analysis and logging. It is the most widely used IDS/IPS system. It can monitor for, detect and respond to various attack strategies by using signature, protocol and anomaly-based inspection techniques.

Many security tools run primarily on Linux/Unix (*nix) platforms. For various reasons, many system administrators have been raised on Windows Operating Systems. This lack of security tool availability can be frustrating to these system administrators. Luckily, some Snort functionality has been ported to Windows.

To perform a basic install of Snort on a Windows system, Windows 7 Ultimate in this example, we will need to download a couple of programs. First we will need to get the Snort Installer binary from Snort.org. For Snort to work properly, we will need to put our network interface card (NIC) into promiscuous mode, where it can see all traffic that flows to it. To do this on Windows, we will need to download the Windows Packet Capture library from WinPCap.org.

Tools Utilized For Our Installation

Snort: Snort's official web site is http://www.snort.org. The site has links to the tools we will need to get Snort up and running. A review of the tools available for Snort will reveal that many of them are designed to run only on *nix platforms. However, you will notice that there are core components that have been ported to Windows platforms. We will be installing version 2.8.5.1, which is the current stable version. The binary needed to install Snort can be found in the downloads section of the website, or directly at http://dl.snort.org/snort-current/Snort_2_8_5_1_Installer.exe.

WinPCap: WinPCap is a third-party library that is REQUIRED by Snort. Installation is easy and straightforward. The installer for WinPCap can be downloaded from the WinPCap website at http://www.winpcap.org/install/default.htm. We will be installing version 4.1.1, which is the current stable version.

Installation on Windows 7

After you have downloaded the files referenced above, installation is pretty straightforward. If you have User Account Control (UAC) enabled, you will need to answer "Yes" when prompted "Do you want to allow the following program to make changes to this computer?" for both WinPCap and Snort.

The computer we are using for this install has a Dual Core 3GHz processor and 4GB of RAM running Windows 7 Ultimate (32bit).

First we will start by installing the WinPCap libraries so we can sniff all the packets from our NIC. Installation of WinPCap is pretty easy. For our installation we will be accepting all of the default settings. To start the installation, navigate to the location of the WinPCap file we have downloaded. Right click the file and select "Run as Administrator". You will be presented a title screen.

Just click "Next" to continue to the Welcome screen.

Click "Next" again to continue to the License Agreement screen.

To continue installation of WinPCap, you must agree to the license terms by clicking "I Agree". If you do not agree to the terms of the license agreement, you will not be able to install WinPCap. Once you click "I Agree", you can continue the installation with Installation Options.

We will leave these settings as they are and click "Install". This will start the installation process. This process will not take very long and you will see the Completion screen next.

Click "Finish" to exit the WinPCap setup application. You will need to reboot your computer at this time.

Once your computer has rebooted, you can verify installation of WinPCap by looking at the Programs and Features section of the Programs applet in your Control Panel.

Now we are ready to move on and install Snort.

To install Snort, navigate to the location of the Snort Installer file. Right click the file and select "Run as Administrator". As we did with WinPCap, we will also be installing Snort with all the default settings. The setup application will launch and prompt you to read and agree to the License Agreement.

Click "I Agree" if you are satisfied with the License Agreement. If you do not agree, you will not be able to install Snort. Once you click "I Agree", setup will continue with the next step and prompt you for the installation type. We will be performing a simple install for our example and will not require any further support options.

Select the first radio button as seen above and click "Next" to select the Snort components to install.

Let's leave all the components selected and click "Next" to move on to select our installation location.

For our install, let's take the default location of "c:\snort" and click "Next". At this point we have given the setup application all of the information it needs to extract the files necessary for our installation.

Once the files are extracted, we will need to click "Close" to exit the setup application. The setup application will alert you to make sure a minimum version of WinPCap is installed (which we have completed) and that we need to edit the Snort configuration file.

Click "OK" to acknowledge this and close the setup application. You may get a notification from the Windows Program Compatibility Assistant warning that the program might not have installed correctly. If you do, select "This program installed correctly" and continue on.

As we were told by the Snort setup application, we will need to change a couple of parameters in the c:\snort\etc\snort.conf file. To do so, let's use Microsoft's Wordpad application. Open the snort.conf file and find the lines highlighted below:

Once you find these lines, modify them to reflect our default install path (c:\snort) as seen below:

Save this file and close Wordpad. We are now ready to use our installation of Snort!
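
A quick audit of the edited file catches library paths that still point at a *nix location or at a Windows path that does not exist. The PowerShell below is an added example, not part of the original FAQ or of the Snort distribution; the function name Find-SnortPathIssue and the -ConfPath parameter are hypothetical, the sample configuration lines are constructed, and the directive names are assumed to match a stock Snort 2.x snort.conf.

```powershell
# Added example: audit snort.conf for library paths that still need editing.
# With no argument it runs on the constructed sample below; pass
# c:\snort\etc\snort.conf as -ConfPath to audit the installed file.
param([string]$ConfPath)

# Constructed sample modelled on a stock Snort 2.x configuration (assumption).
$sample = @'
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
'@

function Find-SnortPathIssue {
    param([string[]]$Lines)
    # Directives whose final argument is a filesystem path.
    $pattern = '^(dynamicpreprocessor|dynamicengine|dynamicdetection)\s+((directory|file)\s+)?(?<path>.+)$'
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $text = $line.Trim()
        # Comments and blank lines are ignored by Snort, so skip them too.
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        if ($text -match $pattern) {
            $path = $Matches['path']
            if ($path.StartsWith('/')) {
                $issue = 'unix-style path'      # left over from the *nix defaults
            } elseif (-not (Test-Path -LiteralPath $path)) {
                $issue = 'path not found'       # typo or wrong install directory
            } else {
                continue                        # path exists, nothing to report
            }
            New-Object PSObject -Property @{ Line = $n; Issue = $issue; Path = $path }
        }
    }
}

if ($ConfPath) {
    $lines = Get-Content -LiteralPath $ConfPath
} else {
    $lines = $sample -split "`r?`n"
}

$issues = @(Find-SnortPathIssue -Lines $lines)
if ($issues.Count -eq 0) {
    'No path problems found.'
} else {
    $issues | Format-Table Line, Issue, Path -AutoSize
}
```

Once the audit reports nothing, Snort's own `-T` option, combined with `-c c:\snort\etc\snort.conf`, loads the configuration and exits, reporting any error it finds.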

To verify that Snort is installed and running correctly you can run a couple of commands from the Command Prompt. Open a command prompt as Administrator, switch to the "C:\Snort\Bin" directory and run "snort.exe -W" to see a list of interfaces available to Snort. The following is output from the command on Windows 7:

As you can see, the computer in the example has only one interface with an "Interface" number of "1". If we wanted to use Snort as a sniffer and watch all traffic on this interface, we could issue the command "snort.exe -i 1 -v". This command would run Snort in verbose mode (-v) and have it listen on interface 1 (-i 1). It would also dump the header of each packet to the screen. To collect further information, we could use the -d option to capture and display packet payload. Note: You can use CTRL-C to interrupt the running program.

Let's start Snort as a sniffer to display packet headers and contents. The command we want to enter at our command prompt is "snort.exe -i 1 -vd". You can always run Snort with the "-?" option to get a full list of options available. To stop sniffing packets, break out of the program by pressing Ctrl-C.

Congrats! You now have Snort running under Windows! However, be aware that Windows binaries are the last distributions to be updated when Snort is updated. This may leave you open to the vulnerabilities being patched for a longer period of time on Windows environments. According to Mike Poor, a founder and senior security analyst with InGuardians (http://www.inguardians.com/), "Version 3 of Snort will not be ported to Windows anytime soon, if at all." (Mike Poor, personal communications, November 12 2009)

Resources

Snort.Org (n.d.). What is Snort?. Retrieved from http://www.snort.org/

Snort.Org (n.d.). Required Software. Retrieved from http://www.snort.org/start/requirements

WinPCap.Org (n.d.). WinPcap: The Windows Packet Capture Library. Retrieved from http://www.winpcap.org/

Snort.Org (n.d.). Snort Users Manual 2.8.5. Retrieved from http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf
