Installation

  1. Install Visual C++, Npcap, Snort
  2. Copy the latest Snort rules from the Snort website
  3. Edit snort.conf
  4. Edit local.rules

snort.conf

var HOME_NET <192.168.1.0/24>
var EXTERNAL_NET !$HOME_NET

# create whitelist.rules

# Windows: replace the Linux defaults with Windows paths
var RULE_PATH ../rules -> var RULE_PATH c:\snort\rules
var WHITE_LIST_PATH
var BLACK_LIST_PATH
config logdir: c:\snort\log
libsf_engine.so -> sf_engine.dll
/usr/local/ -> c:\snort\
uncomment (remove the leading #) the three "include $PREPROC_RULE_PATH\XX.rules" lines

$RULE_PATH/ -> $RULE_PATH\ (every include line)
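Step 4 says "edit local.rules" but the notes do not show what goes in it. The rules below are an added example, not part of the original notes; they use the HOME_NET and EXTERNAL_NET variables set in snort.conf above and the HTTP_PORTS portvar from the stock snort.conf, and the SIDs are arbitrary values from the local range (above 1000000).

```snort
# local.rules - example rules added here, not from the original notes.
# Assumes HOME_NET / EXTERNAL_NET are set in snort.conf as above and that
# snort.conf still contains "include $RULE_PATH\local.rules".
# Local rules use sid values above 1000000; bump rev when a rule changes.

# 1. ICMP echo request (ping) arriving from outside the monitored network
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request from outside"; itype:8; sid:1000001; rev:1; classtype:misc-activity;)

# 2. Inbound TCP SYN to RDP (3389) - flags:S matches only the first packet,
#    so one connection attempt produces one alert instead of one per packet
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"LOCAL inbound RDP connection attempt"; flags:S; flow:stateless; sid:1000002; rev:1; classtype:attempted-recon;)

# 3. Outbound HTTP request with a curl User-Agent - a content match scoped to
#    the normalized HTTP header, on established client-to-server traffic only
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL outbound HTTP request with curl User-Agent"; flow:to_server,established; content:"User-Agent|3A| curl"; http_header; nocase; sid:1000003; rev:1; classtype:policy-violation;)
```

After saving the file, validate it with the test command from the Commands section (snort -i <1> -c <snort.conf> -T): a malformed rule makes Snort exit with a parse error naming the line, whereas a rule that loads but never fires usually means the traffic does not match the flow or content constraints, so loosen one constraint at a time while replaying a pcap with -r.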

Commands

> snort

# test (-T validates the config and exits; -c selects the config file)
-c C:\Snort\etc\snort.conf -T
-i <1> -c <snort.conf> -T

# info
-W # view interfaces

# run live
-i <1> # interface to monitor
-c <snort.conf> # config file to use
-A [console] # alert mode
-q # quiet
-u snort # user
-g snort # group

# run against a pcap
-r <pcap.pcap>

# output
> C:\Snort\log\log.txt

Information

Install Snort on Windows 10 (Part 2)