I created this tutorial to help students in my Intrusion Detection and Prevention class at UMUC, where I am an adjunct professor. I am glad students in other schools are finding it helpful.

I'd like thank you for your video. I'm a student of Information Security and Snort is a major program that we are taught to use and troubleshoot. Our final project is Snort with Kiwi Syslog Server & Viewer and the instructions we were given are several years old. You save me a huge headache. Thank You!

This is a wonderful, well made, perfectly paced, tutorial. A sure am glad your professorism is, adjunct :)

Hi, I want to know about.. in teh console says: could not create the registre key. What's the problem?

Steve, this is one of the best tutorials I've ever seen. Great job. Have you tried using Snort's pulledpork add-on for automatic rule updates?

Hi All, Below is the documentation i have done while installing Snort on windows 7 32 bit. Thought this will help some one. Thank Steve, for this wonderful tutorial it worked like charm :) # How to install snort in Windows # Assuming snort installed in d:\snort Step 1: Downloads Download snort installer Download rule files Step 2: Extract Rules Files ( zipped file ) Copy all the files in rules folder except license file to path where snort installed. Ex : D:\Snort ules and paste it here. copy all the prepoc rule files to snort installed location Ex: D:\Snort\prepoc_rules copy all the etc folder files to snort installed location Ex: D:\Snort\etc Note: Alert the rules will be written in Snort ules\local - local file. Step 3: Edit snort.conf file ( configuration file ) Major Divisons: This file contains a sample snort configuration. # You should take the following steps to create your own custom configuration: # # 1) Set the network variables. # 2) Configure the decoder # 3) Configure the base detection engine # 4) Configure dynamic loaded libraries # 5) Configure preprocessors # 6) Configure output plugins # 7) Customize your rule set # 8) Customize preprocessor and decoder rule set # 9) Customize shared object rule set 1) Set the network variables. Change the Home network Details Here. # Setup the network addresses you are protecting ipvar HOME_NET 192.168.0.0/16 # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort ules var RULE_PATH d:\snort ules #var SO_RULE_PATH ../so_rules - This is shared object rules, will be used later. var PREPROC_RULE_PATH d:\snort\preproc_rules 2) Configure the decoder This will enable logging directory # Configure default log directory for snort to log to. For more information see snort -h command line options (-l) # config logdir: d:\Snort\log 3) Configure the base detection engine - No change Required 4) configure dynamic loaded libraries # path to dynamic preprocessor libraries dynamicpreprocessor directory d:\Snort\lib\snort_dynamicpreprocessor # path to base preprocessor engine dynamicengine d:\Snort\lib\snort_dynamicengine\sf_engine.dll # path to dynamic rules libraries # dynamicdetection directory /usr/local/lib/snort_dynamicrules ( This is diabled as we don't use it ) - Not using Shared Object Rule hence disabled 5) Configure preprocessors Snort doesn't work in Inline mode for windows, hence disbaled below option # Inline packet normalization. For more information, see README.normalize # Does nothing in IDS mode # preprocessor normalize_ip4 # preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream # preprocessor normalize_icmp4 # preprocessor normalize_ip6 # preprocessor normalize_icmp6 Port scan preprocessor is opened # Portscan detection. For more information, see README.sf portscan preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } change to windows path variable and this white.list and black.list files should be created in d:/snort/rules # Reputation preprocessor. For more information see README.reputation preprocessor reputation: \ memcap 500, \ priority whitelist, \ nested_ip inner, \ whitelist $WHITE_LIST_PATH\white.list, \ blacklist $BLACK_LIST_PATH\black.list 6) Configure output plugins - No Changes made 7) Customize your rule set Consist all the rule set, change to windows environment variables 8) Customize preprocessor and decoder rule set - Enable all the preprocessor and change to windows environment variables Make Sure below is enabled # Event thresholding or suppression commands. See threshold.conf include threshold.conf ##Checking for configuration: 1.Open cmd with admin previlege 2. Go to d:\snort\bin enter : snort -V ( if installed correctly it should give the version details ) D:\Snort\bin>snort -V ,,_ *-> Snort!

Have to say thanks a million for the tutorial as this helps students trying to get into this and alleviates the frustration when you start. Had some issues but I managed to figure out how to fix them basically making sure the lines made sense. Now will look at forwarding snort info to a SIEM such as AV. ossim. Can you recommend one? Syslog? Thanks again!

got this error when i running snort -i 5 -c c:\Snort\etc\snort.conf -A console -T ERROR: c:\Snort\etc\snort.conf(0) Failed to parse the IP address....... Fatal Error, Quitting.. Could not create the registry key.

Thank you sooo much Sir..We got it.Thanks alot..Keep posting videos about the working of snort

Greeting, Thank you very much for sharing this wonderful video. I am new to Snort and the video gave me a great start.

Thanks for the video! It will helps me so much with my graduation project. I have a question, there's any diference on Snort Rules: Subscriber Realease and Registred User Realease? I've downloaded the Registred User Realease because i'm not a Subscriber. Sorry for my bad english.

Thank you for this vid it helped me a ton I was about to give up and found this it got snort up and running now i just need to conf it to fit my needs thank you

An error message about creating a registry key usually results when you attempt to run Snort with insufficient privileges. Try launching the Command Prompt with "Run as administrator" before you navigate to c:\Snort\bin and run the program.

In the video you test snort for the very 1st time at 13:12... when I try to run snort I get the error message:ERROR: Invalid device number: 5Fatal Error, Quitting.. How can I get around this?PS: I'm a newbie... a very very newbie... Please help

how to inject malicious code in the system..suggest some tools for DoS attack

Hello, can we write rules for ICMP to check, for example "Type: Destination Unreachable" and its sub types ?

Thanks. I corrected the interface no. now its working. Here, can I work on the string pattern matching algorithm in Snort? How can we change the algorithm?

Thank you sir this tutorial really helps me in making task about IDS and IPS. I've followed all the step in this video, making white.list file etc but when I ran snort I got: Unable to open address file c:\snort ules\white_list, Error: No such file or directory Fatal Error, Quitting... I wonder if you could help me to find out the problem? I really need your help sir. Thank you.

***** Make sure when you open the Windows command shell that you Run as administrator. Snort requires admin privileges to run, so a registry error like this typically means you are running cmd as a regular user.

i am getting the error invalid configuration line \snort_dynamicpreprocessor. please help me out

Hi Steve, Thanks for providing such an in depth video.I followed the steps mentioned in your video but I am facing a situation. When I run the snort -i 2 -c c:\Snort\etc\snort.conf -A console command, the scanning process goes on for more than 2 hours without any signs of completion. Could you let me know how to go about this problem. Your help will be greatly appreciated. Thanks in advance.

I want to thank you for creating this video.

Thanks for this nice tutorial. Do you mind if i show this in a class that i am a TA in?

Thank you,Sir. I added ICMP rule in c:\Snort ules\local file and run command, snort -A console -i 2 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii to get ICMP log file in folder but only getting UDP file in the folder and ERROR: OpenLogFile() => mkdir(c:\Snort\log/fe80:0000:0000:0000:8deb:18af:4fd4:2d78) log directory: Invalid argument Fatal Error, Quitting.. Not getting where the problem lies?

What ip adresses should i write in white.- and black.list?

I found one research paper in that algorithm for reducing false alarms we can improve the performance of IDS is given. I'm trying to implement it. But don't know how to go ahead using snort rules, is it possible?.

You mentioned that inline mode does not work in Windows, is that still true? Can snort be ran in IPS mode without inline? or is it only used to monitor traffic instead of preventing? Can snort be used as an IPS on a Windows system at all? Sorry if these questions are a bit repetitive.

Thanks for detailed tutorial sir.

hi Steve Gantz i did everything you did on your tutorial but at the part of mine which says "commencing packet processing " it just stops there and doesnt do anything more..why? thank you

The error that is being displayed for me is can't set DAQ BPF filter to the path I had given ..I followed the instructions verbatim .Kindly suggest the solution for this

When I run snort I am getting the following error. Please let me know where I am going wrong? pcap DAQ configured to passive. The DAQ version does not support reload. Acquiring network traffic from "0". ERROR: Can't start DAQ (-1) - h♀▓☻! Fatal Error, Quitting..

:( I thought I was getting it. Would you happen to have a copy of a configured snort.conf file along with with alert rules and program cmd commands, to compare with what I used. Very nice and informative video :)

I configure the snort, while doing this i got an error that " Initializing rule chains... ERROR: c:\snort ules/local.rules(21) Port value missing in rule! Fatal Error, Quitting... " where i did wrong? how to fix this problem?

Hi Steve, I got 1 problem and 1 question. I really hope you can help me. Problem: When I try the local.rules, it cannot detect anything. All TCP, UDP and ICMP activities cannot be detect by my snort. Question: How can I turn my snort into Anomaly based / behavior based snort?

Thanks for immediate reply but Sir I tried the same command few days ago it was creating one folder in c:\Snort\log with separate files for tcp,udp,ICMP but now its giving fatal error and only file for udp.

Thank you very much for this tutorial, it really helped me a lot!

I keep getting ERROR: log_tcpdump: Failed to open log file "log/snort.log.1391550775": Result too large D: Couldn't find anything on Google about it either.

Very nicely explained. But not getting any alert everything 0% though I checked interface no.s using -W.

Very nice. Thanks for this excellent tutorial.

Is there a way to view log (c:\Snort\log) files on command prompt. I tried to open them in word, wordpad, notepad but it just displays some characters that make no sense

Excellent video. I've installed Snort on Ubuntu, but never on Windows. Process was much the same, however, Snort does not see my eth0 interface. Any hints on how I can troubleshoot?

how do we send results - syslog? to a SEIM?

Hi Steve, great video! However, I was hoping you could help me as I'm currently getting this error after entering the snort -i 5 command without -T: The DAQ version does not support reload. Aquiring network traffic from "0" ERROR: Can't start DAQ -1 - a\>>..! Fatal Error, Quitting.. Pleae bear in mind that I do not have any physical networks connected when I enter Snort - W. Thank you

Hi Professor, Please help when you can... I followed the steps as best as I can however, when I ran snort I got the following error: ERROR: c:\snort\etc\snort.conf(45) Missing argument to 10.11.0.0\23

Hii, im having an error when i try to open the console. After checking the rules, shows up this message "ERROR: log_tcpdump: Failed to open log file "c\Snort\log/snort.log.1449743171": Fatal Error, Quiting..." What can i do? Thanks a lot by the support, by the way.

During test I entered the command: c:\Snort\bin>snort -i 1 -c c:\Snort\etc\snort.conf -A console. However, I receive the following error: c:\Snort\etc\snort.conf Unknown rule type: memcap. Fatal Error, Quitting...

Hiii, I m facing problem while running IDS in snort. When I run Snort in IDS mode, it was unable to initialize rules and show the message "0 Snort rules read, 0 detection rules, 0 decoder rules, 0 preprocessor rules, 0 Option Chains linked into 0 Chain Headers 0 Dynamic rules and alerts file in log is also of 0 KB means no alert is their in alerts.ids file. Please suggest the solution for this error. Thanks in advance:

when i run on cmd window then an error comes...Unable to open rules files"Snort\etc\snort.conf":Invalid argument.. can you please help me in this...i am student and trying ti install for my project work...ASAP

If I remove -K then it gives ERROR: Can't set DAQ BPF filter to 'ascii' (╘=P)! Fatal Error, Quitting.. Could not set the event message file.

think you so much it worked i have another question supposing that i want to install snort on ubuntu VM which version should i choose i tryed once to do it on ubuntu 14.04 LTS but when i runed the command # apt-get install snort-mysql i got this message: package snort-mysql is not availabe,but is referred to by another package,thi mean that the package is missing, has been obsoleted,or is only availabe from another source. thinks

Mine is stuck loading on "Commencing packet processing . What can i do to fix this?

please can i use snort 2.9.7.0 on windows 8 i cant find any documentation about it. think you

I got it to run but when I went to test the alerts it says: Commencing packet processing. And nothing happens...

Hi! I followed all the steps and I have this message: Warning: no preprocessors configured for policy 0. The preprocessor rules are enabled in Step #8 of the config file. So, what can I do? Thank you

First I would like to thank you for the tutorial it has been a great help in understanding IDS. I installed Snort v2960 but when I checked the availabe interface via Snort -W in the command line I get a blank table with no Physical address or IP address. I checked the system info, the network adapter it shows Adapter Type Not Available Product Type WAN Miniport (SSTP) Installed Yes PNP Device ID ROOT\MS_SSTPMINIPORT\0000 Last Reset 3/18/2014 12:22 PM Index 0 Service Name RasSstp IP Address Not Available IP Subnet Not Available Default IP Gateway Not Available DHCP Enabled No DHCP Server Not Available How should I proceed now?

let me know the program - interface command for core 2 duo ( 13.00 min)

good morning i have 2 problems when i run thus command :snort -W i get an umpty table and when i run this command : Snort -i eth -c c:\Snort\etc\snort.conf -A console i get thi error message pcap Daq configured to passive The DAQ version does not support reload thinks

Hey steve, First of all, thank you for the tutorial. I followed your instruction and snort was configured successfully but when I did the local.rules bit it gave me an error c:\Snort ules/local.rules unmatch quote in rule option "msg" Fatal error quitting could not create registry key Can you please help me out?

Hi Steve :)) When i run this command line "snort -i 5 -c c:\Snort\etc\snort.conf -A console -T" i got this error message: "Error: c:\Snort\etc\snort.conf(514) => Unable to open address file c:\Snort ules\black.list, Error: No such file or directory" How can i fix it? Thanks!!

MR STEVE help please i have that problemelog_tcpdump failed to open log file "log\snort.log.1462156687"

Thank you so much Professor, it has been really useful ! But my only problem is that when I run Snort, it blocks on " Commencing packet processing ", I've waited 1 h, but it doesn't seem to work.. Any suggestions ?

When attempting to run the test, I get this message. "ERROR: Can't set DAQ BPF filter to c:Snort\etc\snort.conf -A console -T, Fatal Error, Quitting."

This is a great video sir.. thanks for sharing.

i installed snort, validated it worked fine for a day but now its giving error which says "ERROR :can't set DAQ BPF filter to c:\snort\etc\snort.conf -A console" . Can anybody help????

hello, when i wanted to test Snort , it says :ERROR Invalid device number: 5 , can you please explain to me what it means ??

many Thanks professor, I'm getting ERROR : c:\Snort\etc\C:\Snort ules/app-detect.rules unable to open rules file "c:\Snort\etc\C:\Snort ules/app-detect.rules": invalid argument. can U explain me prof? thanks before

hello thank you for the video, my install went well, when I run snort I get: Decoding Ethernet ERROR: log_tcpdump: Failed to open log file "log/snort.log.1421404290": Result too large Fatal Error, Quitting.. any way to shorten the output? or increase the buffer?

Hai Sir.. Nice tutorial.. Worked well... Sir, can you help me for how to put the alerts from snort into a database. Please help me with the database issue. What i want to do to get the alerts into a database. Thankyou... Waiting for your reply. Thanks again.

Thanks for the video professor, its very helpful. I'm getting: ERROR: c:\Snort\etc\snort.conf(511) => Unable to open address file C:\Snort ule s\white_list, Error: No such file or directory Fatal Error, Quitting.. In the conf file, I have it set to: var WHITE_LIST_PATH C:\Snort ules var BLACK_LIST_PATH C:\Snort ules and whitelist $WHITE_LIST_PATH\white_list, \ blacklist $BLACK_LIST_PATH/black_list I set the backslash in the path to the white list as you did, no luck. I cant see anything wrong with the configuration? Any ideas?

fantastic video thank you

Hi, thank you so much for the video! Helped a lot. I got this error saying - Active response: can't open ip! I'm completely clueless about what to do!

Thank you.

Error: c:\Snort ules\app-detect.rules(33) Unknown ClassType: web-application-attack Fatal Error, Quitting.. help me as fast as u can sir????

Thanks for this professor I'm getting this: ERROR: c:\Snort\etc\snort.conf Missing/incorrect dynamic engine lib specifier. But, I set to: dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll This path & dll file certainly exist

Thanks for the tutorial, it was very helpful! But I get this error when testing.. ERROR: Invalid device number: 5. Fatal Error, Quitting.. I don't understand what I did wrong. can you please help me?

I am also running as administrator

sir i have done everything following your lead but i'm having a challenge . Index Physical Address IP Address Device Name Description ----- ---------------- ---------- ----------- ----------- no network can detected. please help

Your guide was very helpful. I am very close but at the end I get the following error Decoding Ethernet ERROR: log_tcpdump: Failed to open log file "log/snort.log.1409115629": Result too large Fatal Error, Quitting.. I appreciate your help here and thank you again for making this video

Thanks alot, very nicely explained... however i couldn't get any alerts.. everything is 0%

Nevermind, hand to uncomment "output log_tcpdump: tcpdump.log" :D

CooL.... (y)

i solved the problem local.rules(21) Port value missing in rule! but i am not able to capturing the data what im browsing in my system. tell me how to solve this problem? where i did wrong?

i give the administator privilages to cmd " Run as Administator" on cmd. i got an error on interface 5 ERROR: Invalid device number: 5 and i change the interface numbers as 1,2,3,4 for these ERROR: c:\snort ules/local.rules(21) Port value missing in rule! How to fix this problem?

hi i am getting error indicating when test if the snort rules are working(snort.conf -A console that part). Loading dynamic engine C:\Snort\lib\snort_dynamicengine... ERROR: Failed to load C:\Snort\lib\snort_dynamicengine: 126 Fatal Error, Quitting.. please help. i ran cmd prompt as administrator as well followed the steps as well. thank you

Can you resolve my proplem : "Invalid device number 5" when i run command line "c:\Snort\bin>snort -i 5 -c c:\Snort\etc\snort.conf - T

Help When I running "snort -c c:\Snort\etc\snort.conf -i c:\Snort\log -K ascii " in cmd. it shows "ERROR:Can't start DAQ (-1) - H0<

hi there i am having problem i followed every step,but when i try to run snort with out testing -T, it don't show no packets but gives me a message saying "commencing packet processing (pid=9124)" please help???