Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).



Snort can be run as a Windows Service using FireDaemon Pro. FireDaemon Pro will allow you to have Snort start automatically at boot prior to login, start multiple instances of Snort and restart Snort should it crash. This HOWTO will show you how to set it up. You can also use FireDaemon Fusion to manage FireDaemon and other Windows services via your web browser.


Snort Setup Under FireDaemon Pro

First download and install the latest Windows executable of Snort.



At the end of the Snort installation, you may be prompted to install WinPcap. Download and install the latest Windows executable of WinPcap.



If you intend to use Snort as a Network Intrusion Detection System then you will need a ruleset. You have 2 options: the registered ruleset, which is free but requires registration and is published 30 days after the subscriber release, or the rule subscription, which costs per ruleset but makes rules available immediately upon release. Regardless of which way you get the ruleset, you will need to download it from the download page here. Extract the contents of "snortrules-snapshot-xxxx.tar.gz" to C:\Snort.


Download and install FireDaemon Pro into the directory of your choice (typically C:\Program Files\FireDaemon).


Next start the FireDaemon GUI from the desktop shortcut. Click on the "Create a new service definition" button in the toolbar (or type Ctrl+N) and enter the information into the fields as you see below. Adjust paths to suit your installation. Pay special attention to the Parameters list.


No matter which mode you choose, enter the following in the Executable and Working Directory fields:

  • Executable: The path to the snort.exe file. For the purposes of this HOWTO, the path is C:\Snort\bin\snort.exe.
  • Working Directory: The directory containing the snort.exe file. For the purposes of this HOWTO, the path is C:\Snort\bin.


Snort can be run in one of 3 modes: Sniffer, Packet Logger and Network Intrusion Detection System Mode. Figure out the mode you want to use below and put its parameters in the Parameters box.

The most important field on the tab is Parameters. The Parameters field holds the command line options Snort is started with, so it determines which mode Snort runs in, where it logs and which configuration it loads.

Sniffer mode

Sniffer mode does not log anything to disk; it only prints packets to the console. Under a Windows service that console lives in Session 0, so you would have to switch to Session 0 to see the output. Sniffer mode is therefore not useful as a Windows service.


Packet logger mode

Packet Logger Mode writes the captured packets to the log directory. The basic parameters are:

-dev -l C:\Snort\log -h 192.168.1.0/24
  • "-dev" Dumps the application layer data (d), shows the link layer packet headers (e) and prints every packet to the console (v). The -v output is only visible in Session 0 and slows Snort down, so drop it once the service is working.
  • "-l C:\Snort\log" Saves all logs to the C:\Snort\log directory. If your directory name contains spaces, then you will need to enclose the entire directory in quotes (e.g. "C:\Snort Logs"). The directory must already exist, otherwise the Windows service will fail to start properly.
  • "-h 192.168.1.0/24" Tells Snort which network is the home network so that logs are grouped by the remote address. Must be in CIDR format (x.x.x.x/xx).


Network intrusion detection system mode

Network Intrusion Detection System Mode inspects network traffic and alerts on (or, inline, acts on) traffic that matches the loaded rules. The basic parameters are:

-dev -l C:\Snort\log -h 192.168.1.0/24 -c C:\Snort\etc\snort.conf
  • "-dev" Dumps the application layer data (d), shows the link layer packet headers (e) and prints every packet to the console (v). The Snort documentation recommends against -v in NIDS mode because printing every packet is slow, and under a service nobody sees that console anyway; keep it only while debugging.
  • "-l C:\Snort\log" Saves all logs and alerts to the C:\Snort\log directory. If your directory name contains spaces, then you will need to enclose the entire directory in quotes (e.g. "C:\Snort Logs"). The directory must already exist, otherwise the Windows service will fail to start properly.
  • "-h 192.168.1.0/24" Tells Snort which network is the home network; rules and logs use it to tell inbound from outbound traffic. Must be in CIDR format (x.x.x.x/xx).
  • "-c C:\Snort\etc\snort.conf" Loads the configuration file, which in turn includes the rulesets. This is required for NIDS mode.


If the machine has more than one network interface, also add "-i <number>" so Snort captures on the right one; running "snort -W" from a command prompt lists the interfaces and their numbers. For more information about command line options, please see the Snort Documentation here.


Now click on the Settings tab. If you DON'T want to see Snort running, uncheck the Interact with Desktop check box. You can optionally run Snort as the user you installed it as. In the Logon Account field type your username (e.g. Administrator) and then enter the user's password twice in the Password and Confirm fields. Whichever account you choose must be able to open the capture driver and write to the log directory. You can change the Process Priority to allocate more CPU time to Snort or specify which cores Snort will run on.



Now click on the Lifecycle tab. Uncheck Graceful Shutdown and check Console Application.



Now click on the Install button to install and start Snort! If you are running Windows Vista or later, Snort will start on Session 0. You will need to switch desktops to see it running.



Editing the snort.conf file

Since Snort was originally built for Unix-like platforms you will need to make a few edits to the snort.conf file to get Snort working with Windows. The included snort.conf for version 2.9.6.2 found at the end of this HOWTO contains these changes, but when there is a new version you will need to make the following edits yourself:

Find:

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
and replace with:
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
Find:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
and replace with:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

Find:

whitelist $WHITE_LIST_PATH/white_list.rules, \
and replace with:
#whitelist $WHITE_LIST_PATH/white_list.rules, \
Find the inline packet normalizers, which are enabled in the stock snort.conf:

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

and comment them out, since they only apply to inline (IPS) mode and are not wanted for a passive sensor:

#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

If you are not a ruleset subscriber (that is, you are using the free registered version), then you will also need to do the following edits:


Find:

dynamicdetection directory /usr/local/lib/snort_dynamicrules

and replace with:

#dynamicdetection directory /usr/local/lib/snort_dynamicrules

If you are a ruleset subscriber (that is, you are using the paid version), find:

dynamicdetection directory /usr/local/lib/snort_dynamicrules

and replace with:

dynamicdetection directory C:\Snort\lib\snort_dynamicrules
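The edits above are easy to get wrong by hand on every rule update, and the Parameters list earlier notes that the service will not start if the -l directory is missing. The following PowerShell script is an added example and not part of the original HOWTO or of Snort: it applies the Windows path edits from this section to a fresh snort.conf, keeps an untouched copy, creates the log directory, and then runs Snort's own configuration test (snort -T) before you install the FireDaemon service. It assumes the C:\Snort layout used throughout this HOWTO; the script name, its parameters and the -Subscriber switch are the example's own, and the capture interface number is assumed to be 1 (check it with snort -W).

```powershell
# Added example (not from the HOWTO or from Snort): patch snort.conf for Windows
# and validate it before installing the FireDaemon service.
# Assumed layout: Snort in C:\Snort, rules extracted to C:\Snort, logs in C:\Snort\log.
param(
    [string]$SnortRoot = 'C:\Snort',
    [string]$LogDir    = 'C:\Snort\log',
    [int]$Interface    = 1,        # assumed; "snort -W" lists the real interface numbers
    [switch]$Subscriber            # set if you use the paid ruleset (keeps dynamicdetection)
)

$conf  = Join-Path $SnortRoot 'etc\snort.conf'
$snort = Join-Path $SnortRoot 'bin\snort.exe'
if (-not (Test-Path $conf))  { throw "snort.conf not found at $conf" }
if (-not (Test-Path $snort)) { throw "snort.exe not found at $snort" }

# Keep the original so a bad edit can be rolled back.
Copy-Item $conf "$conf.orig" -Force

# Registered (free) ruleset: no SO rules, so disable dynamicdetection entirely.
# Subscriber ruleset: point dynamicdetection at the Windows rules directory.
$detection = if ($Subscriber) { "dynamicdetection directory $SnortRoot\lib\snort_dynamicrules" }
             else             { '#dynamicdetection directory /usr/local/lib/snort_dynamicrules' }

# Each entry: regex matching the stock Unix line -> Windows replacement.
# Replacements containing $1 or $$ are single-quoted so .NET regex expands them.
$edits = @(
    @{ Find    = '^dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/?'
       Replace = "dynamicpreprocessor directory $SnortRoot\lib\snort_dynamicpreprocessor" },
    @{ Find    = '^dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine\.so'
       Replace = "dynamicengine $SnortRoot\lib\snort_dynamicengine\sf_engine.dll" },
    @{ Find    = '^dynamicdetection directory /usr/local/lib/snort_dynamicrules'
       Replace = $detection },
    # Comment out the whitelist entry of the reputation preprocessor (keeps the trailing ", \").
    @{ Find    = '^(\s*)whitelist \$WHITE_LIST_PATH/white_list\.rules'
       Replace = '$1#whitelist $$WHITE_LIST_PATH/white_list.rules' },
    # Inline normalizers only act in IPS mode; disable them for a passive sensor.
    @{ Find    = '^preprocessor normalize_(ip4|tcp: ips ecn stream|icmp4|ip6|icmp6)\s*$'
       Replace = '#preprocessor normalize_$1' }
)

$lines = Get-Content $conf
foreach ($e in $edits) {
    $hits = @($lines | Where-Object { $_ -match $e.Find }).Count
    if ($hits -eq 0) {
        # Either the file was edited already or the snort.conf layout changed in a new release.
        Write-Warning "no line matched '$($e.Find)'; check snort.conf by hand"
    }
    $lines = $lines | ForEach-Object { $_ -replace $e.Find, $e.Replace }
}
Set-Content -Path $conf -Value $lines -Encoding ASCII

# FireDaemon starts snort with -l $LogDir; Snort will not start if the directory is missing.
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# Test mode: Snort parses the config and rules, reports errors, and exits without sniffing.
& $snort -T -i $Interface -c $conf -l $LogDir
if ($LASTEXITCODE -ne 0) {
    throw "snort -T reported errors (see output above); fix snort.conf before installing the service"
}
Write-Host "snort.conf validated; install the FireDaemon service with these parameters:"
Write-Host "-de -i $Interface -l $LogDir -h 192.168.1.0/24 -c $conf"
```

Run it from an elevated PowerShell prompt after extracting the rules (for example .\Prepare-Snort.ps1 -Subscriber for the paid ruleset). The suggested parameter line at the end drops -v, since verbose console output is invisible under a service and only slows Snort; add it back temporarily if you need to watch packets in Session 0 while debugging.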

Example snort.conf config file

You can download an example snort.conf file for version 2.9.6.2 at the bottom of this page (which is current at the time this HOWTO was written).