@WycliffeMunene-z3n There is a built in command you can run: "snort -W" with an uppercase W that will return active interfaces. it worked more reliably with winPcap than it does with npcap. If you have Wireshark, you can also use that - the interface list on the capture startup screen in Wireshark will show the available interfaces in the same order that Snort uses since both programs use the same packet capture utility.

Not sure what version of Snort you were trying to install, but if you want to work with the last version of Snort 2 (2.9.20) on Windows 11, these instructions will work just fine. I run Snort 2.9.20 on Windows 11 and it performs exactly the same as on Windows 10 (which, BTW, remains the most widely used version of Windows by a very large margin - fewer than 10 percent of enterprises are on Windows 11). Snort will prompt you to install NpCap instead of WinPcap because NpCap works more reliably on Win11, but the installation, rule setup, and configuration for Snort haven't changed significantly in many years. These instructions are not useful for Snort 3.0, mostly because that major release was essentially an entirely new program, not just an upgrade to Snort 2.

That error usually means you either started Snort without referencing snort.conf in your startup command or you don't have the preprocessor rules enabled in Step #8 of the config file. Snort cannot load or start any preprocessors without the configuration information in the snort.conf file.

You seem to have a syntax error in one of your path variables, most likely RULE_PATH. It’s important on Windows to use full path declarations and not leave any of the relative paths that are in snort.conf by default.

Even when deployed in-line, Snort doesn't permit or deny traffic based on protocols or specific ports unless you enable a rule that takes that action (for example a rule to detect or drop tcp port 21 traffic for unsecured ftp). As long as the port(s) your game server uses are not in a Snort rule the IDS won't affect the traffic to the game server.

@@SteveGantz ok thanks. anyway, im using this command to protect any tcp. is it correct? alert tcp any any -> any any (sid:16; msg:"Flood Attempt!"; classtype: string-detect; flow: to_server, established; content:"Authorization\:Basic";) what I want to do is to protect all my tcp ports.

@@renanteauxtero3575 That rule is primarily a content match on the basic auth string but yes, it will be applied to any tcp traffic on any port.

@@SteveGantz so how do i prevent ddos using tcp? my gameserver keeps flooding using tcp connections.

@@renanteauxtero3575 There are certainly rulesets with Snort that will help alert you to when a tcp flood or other potential DDOS attack is happening, but to be candid, Snort is not the right tool for blocking these sorts of attacks. You really need a web application firewall to monitor incoming requests and determine when the traffic volume indicates a DDOS attempt. Ordinarily I would point you to Cloudflare but they're not exactly putting their best foot forward right now. You might look at the free version of Imperva or Cloudbric, or the open-source HAProxy.

The "commencing packet processing" message means that Snort has started and is running. If you don't see anything after that on screen, you first need to confirm you have some rules active and loaded. Assuming that is the case, then you either need to make sure you are directing output to the screen (with "-A console" in your startup command) or, if you are already doing that, you need to verify that you have Snort listening on the correct network interface.

@@SteveGantz which interface should I choose there are 3 disabled, 1 bluetooth device PAN, 2 Wifi direct virtual adapter

That error usually means you have not included an interface specification (such as "-i 2") in your startup command.

@@SteveGantz it's work thank you. May you give me some reference for learn snort more ? I dont know where to go after this

Did you solve it?

For the application error, install npcap

tengo el mismo error que tu, pudiste resolverlo?

@@jonathangarciacastro1638 no

chek your home net variable

i have the same error, i think is the firewall bc i try everything(rules, interfaces etc. and nothing)

@@jonathangarciacastro1638 Please let me know if you find the steps to fix this problem. Haven't found solution yet and I have no clue which firewall settings or rules I have to set.

@@VasquezXD sure bro, do you speak spanish? English is not my first language, that's why i can't explain me better

@@jonathangarciacastro1638 I do not, but you can explain in Spanish and I can use google translate or get someone to help me translate it.

@@VasquezXD hey, i didnt find the problem with the alerts, so i tried another way.Install snort in the firewall Pfsense and now it works perfectly for me

That's how malware in gets in your PC.

You wrote ect instead of etc

@@nelsonalvarez5311 Can you help me? C:\Snort\bin>snort -i 1 -c c:\Snort\etc\snort.conf -T Running in Test mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "c:\Snort\etc\snort.conf" PortVar 'HTTP_PORTS' defined : [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1812 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 15672 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ] PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ] PortVar 'SSH_PORTS' defined : [ 22 ] PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ] PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ] PortVar 'FILE_DATA_PORTS' defined : [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1812 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 15672 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ] PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ] Detection: Search-Method = AC-Full-Q Split Any/Any group = enabled Search-Method-Optimizations = enabled Maximum pattern length = 20 ERROR: c:\Snort\etc\C:\Snort\ect\classification.config(0) Unable to open rules file "c:\Snort\etc\C:\Snort\ect\classification.config": Invalid argument.

@@thengochuyen4676 you have typed ect in the rules path in the snort.conf file, try using the find tool in notepad to check for any other ect instance and change it for etc

@@nelsonalvarez5311 thank you so much

Can you help me? How to fix this error? I am trying to run Snort on my PC win 8 Running in packet logging mode --== Initializing Snort ==-- Initializing Output Plugins! ERROR: Can not get write access to logging directory "c:\Snort\etc\snort.conf". (directory doesn't exist or permissions are set incorrectly or it is not a directory at all) Fatal Error, Quitting.. Could not create the registry key.

Run "snort -W" from the command line (has to be a capital W) and you should get a list of available interfaces in numbered order. this is the answer

@@Vran4441 doesn't work :(

if you did not install winpcap, go ahead. If you have, try npcap

Did you solve it?

Based on the line number, I'm guessing you have not fully commented out (that is, disabled) the reputation preprocessor. You need to put a # character in the first position of every line in the preprocessor configuration in snort.conf. You should also verify that there is a \ character at the end of each of the first 5 lines in the reputation preprocessor configuration (not after the last line).

@@SteveGantz I made that changes and it seems to be working. Thanks for your help.

facing same problem. any solution?

You need more memory