Installation
- Install Visual C++, npcap, Snort
- Copy latest Snort rules from Snort website
- Edit snort.conf
- Edit local.rules
snort.conf
var HOME_NET <192.168.1.0/24>
var EXTERNAL_NET !$HOME_NET
# create whitelist.rules
# Windows
var RULE_PATH ../rules -> var RULE_PATH c:\snort\rules
var WHITE_LIST_PATH
var BLACK_LIST_PATH
config logdir: c:\snort\log
libsf_engine.so -> sf_engine.dll
/usr/local/ -> c:\snort\
uncomment the three include $PREPROC_RULE_PATH\XX.rules lines
$RULE_PATH/ -> $RULE_PATH\
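Added example (not from the original notes): a small checker that reads a snort.conf and reports which of the Windows edits listed above are still missing. The sample conf, the c:\Snort paths and the preprocessor.rules file name are assumptions made for the example.

```python
import re

# Constructed sample: a snort.conf fragment after the Windows edits above.
# Paths and the preprocessor.rules file name are assumptions for this example.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH c:\\Snort\\rules
var WHITE_LIST_PATH c:\\Snort\\rules
var BLACK_LIST_PATH c:\\Snort\\rules
config logdir: c:\\Snort\\log
dynamicengine c:\\Snort\\lib\\snort_dynamicengine\\sf_engine.dll
include $PREPROC_RULE_PATH\\preprocessor.rules
include $RULE_PATH\\local.rules
"""


def check_windows_conf(text):
    """Return a list of problems; an empty list means every listed edit is present."""
    problems = []
    lines = [line.strip() for line in text.splitlines()]

    def has(pattern):
        return any(re.match(pattern, line) for line in lines)

    # HOME_NET must be a real network, not the stock "any"
    if not has(r"var HOME_NET\s+\S+") or has(r"var HOME_NET\s+any$"):
        problems.append("HOME_NET not set to a specific network")
    if not has(r"var EXTERNAL_NET\s+!\$HOME_NET"):
        problems.append("EXTERNAL_NET is not !$HOME_NET")
    # the three path variables must be Windows drive paths, not ../rules
    for var in ("RULE_PATH", "WHITE_LIST_PATH", "BLACK_LIST_PATH"):
        if not has(rf"var {var}\s+[A-Za-z]:\\"):
            problems.append(f"{var} is not a Windows drive path")
    if not has(r"config logdir:\s*[A-Za-z]:\\"):
        problems.append("logdir is not a Windows drive path")
    # the engine must be the .dll, not the Linux .so
    if has(r"dynamicengine\s+.*\.so$") or not has(r"dynamicengine\s+.*\.dll$"):
        problems.append("dynamicengine must point at sf_engine.dll")
    for line in lines:
        # include lines still using '/' or still commented out are not applied
        if line.startswith("include ") and "/" in line:
            problems.append(f"forward slash in include: {line}")
        if line.startswith("#") and "$PREPROC_RULE_PATH" in line:
            problems.append(f"preprocessor include still commented: {line}")
    return problems
```

Run it against the real file with `check_windows_conf(open(r"c:\Snort\etc\snort.conf").read())` before trying `snort -T`.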
Commands
> snort
# test config (-T takes no argument; the config goes with -c)
-c C:\Snort\etc\snort.conf -T
-i <1> -c <snort.conf> -T
# info
-W # view interfaces
# run live
-i <1> # interface to monitor
-c <snort.conf> # config file to use
-A [console] # alert mode
-q # quiet
-u snort # user
-g snort # group
# run against pcap
-r <pcap.pcap>
# output (redirect console alerts to a file)
> C:\Snort\log\log.txt
Information
Install snort on Windows 10 (Part 2)