Prerequisites
Snort requires the following dependencies:
Microsoft C++ Redistributable Runtimes
https://www.techpowerup.com/download/visual-c-redistributable-runtime-package-all-in-one/
WinRAR
https://www.win-rar.com/download.html?&L=0
Npcap v0.9984
https://npcap.com/dist/
Snort account
Register for a FREE Snort account. Once registered, make sure you validate the account by clicking the link in the email sent to you.
Steps to install Snort prerequisites:
1. Download and install WinRAR
2. Download the Visual C++ redistributable package from the TechPowerUp URL provided
3. Unzip the archive to C:\VCC
4. Navigate to the VCC folder and run the batch file (install_all.bat)
5. Install Npcap and accept all default options
Download and install Snort and Snort rules
6. Navigate to this URL, then download and install Snort:
https://www.snort.org/downloads/snort/Snort_2_9_20_Installer.x64.exe
7. Download my pre-prepared Snort install folder, which contains the latest rules, the configuration files and optimum settings for a Windows installation:
https://drive.google.com/file/d/1dbHs8-B5yfqlCyRGhiNuWkb-DtwN4Sxy/view?usp=sharing
8. Unzip the contents over the top of your existing Snort installation at:
C:\Snort
9. Accept overwriting the existing files
This copies all of my Windows Snort settings, rules and configuration files onto your drive.
Testing Snort
10. Now open a command prompt as administrator (right-click and run as admin) and change to the C:\Snort\bin directory, where snort.exe lives, before running the commands below.
11. Check that Snort is installed and note the version number (leave off the >, it just symbolises the command prompt):
>snort.exe -V
12. List the network interfaces Snort can capture on:
>snort -W
Your output should look similar to the screenshot below:
This output indicates that Snort is configured correctly and displays our virtual network adapter. Make a note of the INDEX NUMBER that corresponds to your network connection. In my example it is 1.
13. Validate the configuration (below, the number 1 is MY network connection, i.e. the index number from step 12). The -T switch parses snort.conf and every rule file it includes, reports any errors and then exits; fix anything it reports before going further:
>snort -i 1 -c c:\Snort\etc\snort.conf -T
14. You can edit, add or delete local rules and add custom alert messages by editing:
C:\Snort\rules\local.rules
Notepad++ is recommended for the editing, although not mandatory.
15. RUN SNORT AND ANALYSE NETWORK TRAFFIC (alerts are printed to the console as they fire; press Ctrl+C to stop)
>snort -i 1 -c c:\Snort\etc\snort.conf -A console
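The procedure in steps 13 to 15 can be scripted so that a custom rule is only used after snort -T has accepted it. The following is an added PowerShell example, not part of the original guide or of the Snort project: it appends an ICMP echo-request rule with a custom message to local.rules (the kind of rule used later in this guide), validates the configuration, and only then starts Snort in console-alert mode. It assumes the install layout from this guide (C:\Snort, snort.exe in C:\Snort\bin) and that HOME_NET is defined in snort.conf; the interface index, the rule message and the sid are placeholders you should adjust.

```powershell
# Added example (not from the original guide): add a custom ICMP rule, validate
# with "snort -T", then run Snort with alerts on the console.
# Assumptions: Snort lives under C:\Snort as described above, snort.conf defines
# HOME_NET, and $InterfaceIndex is the index reported by "snort -W".
param(
    [int]$InterfaceIndex = 1,                       # 1 is the guide's example index
    [string]$SnortRoot   = 'C:\Snort',
    [string]$Msg         = 'ICMP echo request (ping) detected'   # placeholder message
)

$snort  = Join-Path $SnortRoot 'bin\snort.exe'
$conf   = Join-Path $SnortRoot 'etc\snort.conf'
$rules  = Join-Path $SnortRoot 'rules\local.rules'
$logDir = Join-Path $SnortRoot 'log'

# Custom rule: alert on ICMP echo requests (itype 8) sent to HOME_NET.
# Local rules should use a sid of 1000000 or higher so they never collide with
# the downloaded rule sets; increment rev: whenever the rule is changed.
$sid  = 1000001
$rule = "alert icmp any any -> `$HOME_NET any (msg:`"$Msg`"; itype:8; sid:$sid; rev:1;)"

# Back up local.rules before editing it, then append the rule only if that sid
# is not already present (re-running the script must not duplicate it).
Copy-Item -Path $rules -Destination "$rules.bak" -Force
if (-not (Select-String -Path $rules -Pattern "sid:$sid;" -Quiet)) {
    Add-Content -Path $rules -Value $rule
}

# Validate: -T parses snort.conf and every included rule file and exits with a
# non-zero code on error, so a typo in local.rules is caught here rather than
# discovered when no alerts ever fire.
& $snort -i $InterfaceIndex -c $conf -T
if ($LASTEXITCODE -ne 0) {
    Write-Error "snort -T failed (exit code $LASTEXITCODE). Check $rules; the previous version is in $rules.bak"
    exit $LASTEXITCODE
}

# Run with alerts printed to the console (Ctrl+C to stop). -l gives Snort a
# writable log directory for any file-based outputs configured in snort.conf.
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
& $snort -i $InterfaceIndex -c $conf -A console -l $logDir
```

Run it from an administrator PowerShell prompt, e.g. `.\add-icmp-rule.ps1 -InterfaceIndex 1`, then ping the Windows host from another machine: each echo request should produce a console alert carrying the message you passed in. The itype:8 keyword restricts the rule to echo requests, so the replies the host sends back do not generate a second alert.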
The screenshot above shows my virtual lab environment. I set up Snort on a Windows Server 2022 VM and I have an Ubuntu VM. I added a rule to Snort to detect incoming ICMP packets and added a custom alert message. Eliyah is my friend from University and I was writing these instructions primarily for him and our final year cyber security project, so I added his name to the custom alert :)
I pinged the Windows VM and, as you can see from the right-hand side of the image, Snort correctly alerts me to the ping and displays my custom message.