Installing Snort on Windows

Problem

You want to install Snort on your Windows machine.

Solution

Before you install Snort, you must download and install the WinPcap driver:

1. Download the WinPcap driver from http://WinPcap.polito.it/install/default.htm. The latest stable version of WinPcap at the time of this writing is Version 3.0.
2. Double-click on the install fileWinPcap_3_0.exe, in this caseto launch the installation.
3. The Welcome to the Installation Wizard window appears. Click Next to continue.
4. You are presented with the license agreement. Click on the box labeled "Yes, I agree with all the terms of this license agreement," and then click Next to continue.
5. The WinPcap installation status appears on the screen, and you are presented with the Readme Information window. Click Next to continue.
6. Last, you'll see the Installation Complete window stating that WinPcap 3.0 has been successfully installed. Click OK to exit the installation.
7. Next, it is a good practice to reboot after installing the WinPcap drivers.

Now that WinPcap is installed, continue with the Snort installation:

1. Download the Snort executable file from http://www.snort.org/dl/binaries/win32. The latest stable version of Snort at the time of this writing is Version 2.2.0.
2. Double-click on the install filesnort-2_2_0.exe, in this caseto launch the installation.
3. You are presented with the GNU General Public License agreement (Figure 1-1). Once you have read and accepted the terms of the agreement, click I Agree.

   Figure 1-1. License Agreement window

    
4. Next you must determine what type of database support you need (Figure 1-2). If you require support for Microsoft SQL Server or Oracle, you must have the necessary client software already installed on your computer. For basic installation in this example, accept the default and install Snort without SQL Server or Oracle database support. Click Next.

   Figure 1-2. Installation Options window

    
5. The next screen allows you to choose the Snort components that you wish to install (Figure 1-3). You can see the description by dragging your mouse over each component. By default, all components are selected. Click Next.

   Figure 1-3. Choose Components window

    
6. The next screen allows you to choose an install location for Snort (Figure 1-4). The default location is C:Snort. You may select a different location by typing directly into the Destination Folder area, or by choosing Browse and selecting a location. Click Install.

   Figure 1-4. Choose Install Location window

    
7. You now see the status of the Snort installation (Figure 1-5). You can click on Show Details to see more information for each file that is being installed.

   Figure 1-5. Installing window

    
8. The installation status informs you when the installation is complete (Figure 1-6). If you would like to view the details of the installation, you may scroll through them in the status window or you can right-click on this window and choose Copy Details to Clipboard. This saves the complete details of the installation to a buffer. You may then open Notepad, or another text editor, and paste the results by choosing EditPaste or by typing Ctrl-V. Click Close in the Snort installation window to close the dialog box.

   Figure 1-6. Installation Complete window, with Show Details

    
9. Last, you see a window that states that Snort was successfully installed (Figure 1-7). Click OK to close this window.

   Figure 1-7. Successful Installation window

    

Discussion

Snort is available for Windows NT, 2000, and XP (but not Windows 98). It requires the free WinPcap driver to read network traffic off the wire. Snort Version 2.2.0 needs only a total of 9.2 MB to install (although you need much more to store logfiles).

The installation creates six subdirectories within the root C:Snort directory: bin, contrib, doc, etc, log, and rules. It also installs the Uninstall.exe file under the root C:Snort directory. The bin subdirectory contains the snort.exe executable and some DLL files. The contrib subdirectory contains various extra programs and contributed add-ons to Snort. The doc subdirectory holds the Snort manual, signature descriptions, and various installation and README files. The etc subdirectory holds various configuration files, including snort.conf. The log directory is empty, but is used later when Snort is running in packet logger mode. The rules subdirectory holds all the rules files that are activated via the snort.conf file.

Once Snort is installed, you can test it by running the Snort executable. From the command-line prompt, change to the directory that holds the Snort executableC:Snortin, in this case. Type snort -W to test that Snort is functioning and it can access the WinPcap drivers. The output should be a list of available network adapters on the computer, such as the following:

C:Snortin>snort -W

 

-*> Snort! <*-

Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)

By Martin Roesch (roesch@sourcefire.com, www.snort.org)

1.7-WIN32 Port By Michael Davis (mike@datanerds.net, 

www.datanerds.net/~mike)

1.8 - 2.x WIN32 Port By Chris Reid 

(chris.reid@codecraftconsultants.com)

 

Interface Device Description

-------------------------------------------

1 DeviceNPF_{28DE4D02-08E8-4AD3-9D6D-3CA34B7EF04F} 

(Intel(R) PRO/Wireless LAN2100 3B Mini PCI Adapter 

(Microsoft's Packet Scheduler) )

2 DeviceNPF_{D194BF1A-3F38-4B9B-ACAE-A33FC77A5FD8} 

(VMware Virtual Ethernet Adapter)

3 DeviceNPF_{D16195CA-706E-4BC9-844A-98215EC5CC03} 

(VMware Virtual Ethernet Adapter)

If the output does not include one or more adapters, you may need to reinstall or install a different version of WinPcap. It is a good practice to reboot after installing the WinPcap drivers. If you are installing a different version of WinPcap, first uninstall the previous version by using the C:Program FilesWinPcap/Uninstall.exe program.

See Also

Recipe 1.5