
LAB

Use of Snort Software in Intrusion Detection System (IDS) 2

Select and configure the right security system for a given organization: firewalls and IDS

Installation of Snort Software

1. Go to snort.org.
2. Download the Snort installer for Windows.
3. Go to the Rules option.
4. Download the rules from snortrules-snapshot-2976.tar.gz.
5. Download Snort by clicking on the Snort installer for Windows.
6. Extract the Snort rules.
7. Copy rules from snortrules-snapshot-2976.tar.gz into the rules folder in the snort folder on drive C.
8. Copy preproc_rules from snortrules-snapshot-2976.tar.gz into the preproc_rules folder in the snort folder on drive C.
9. Copy etc from snortrules-snapshot-2976.tar.gz into the etc folder in the snort folder on drive C.
10. Install Notepad++.
11. Go to the etc folder in the snort folder on the C drive.
12. Right-click the snort file (snort.conf) and choose Edit with Notepad++.
13. Go to line 45 and change any to 192.168.0.0/16.
14. Go to line 48 and change any to !$HOME_NET.
15. Go to line 104 and change the rules path to (c:\snort\rules).
16. Go to line 105 and write # before var.
17. Go to line 106 and change the path to (c:\snort\preproc_rules).
18. Go to line 109 and change the path to (c:\snort\rules).
19. Go to line 110 and change the path to (c:\snort\rules).
20. Go to line 182, delete the # and write the path as (c:\snort\log).
21. Go to line 243 and change the path to (c:\snort\lib\snort_dynamicpreprocessor).
23. Go to line 246 and change the path to (c:\snort\lib\snort_dynamicengine\sf_engine.dll).
24. Go to line 249 and write # before dynamicdetection.

25. Go to lines 261, 262, 263, 264 and 265 and write # before each line.
26. Go to line 413 and delete the # before the line.
27. Go to line 506, change the forward slash (/) to a backslash (\) and write (white.list_rules).
28. Go to line 507, change the forward slash (/) to a backslash (\) and write (black.list_rules).
29. Now go to New File and write the following:
    # Whitelist file
    # put whitelisted addresses here, one per line
    Save it as white.list in the rules folder in Snort.
30. Now go to New File and write the following:
    # Blacklist file
    # put blacklisted addresses here, one per line
    Save it as black.list in the rules folder in Snort.
31. Check that white.list and black.list are in the rules folder in Snort.
32. Now go to line 541 and change the forward slash (/) to a backslash (\). Then go to the Search option, click Find in Files, click Replace, and replace the forward slashes (/) with backslashes (\).
33. Go to lines 666, 667 and 668 and delete the # from the beginning.
35. Now save all data using the Save option in the menu bar.
36. Go to cmd, right-click it and choose Run as administrator.
37. Type the following commands:
    cd \snort
    cd bin
    snort -V
    snort -W
    snort -i 5 -c c:\snort\etc\snort.conf -T
38. Go to the rules folder, click on local, open it with Notepad and write some rules there, such as:
    alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)
    alert udp any any -> any any (msg:"Testing UDP"; sid:1000002;)
    alert tcp any any -> any any (msg:"Testing TCP"; sid:1000003;)
    Click the Save button to save it.
39. Go to cmd and run the command:
    snort -i 5 -c c:\snort\etc\snort.conf -A console
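
A check for the rules written in step 38, as an added example that is not part of the original lab sheet: a small Python linter for the body of local.rules that flags a malformed header, a msg typed with curly quotes, and a duplicate or out-of-range sid. The function name and sample rules are constructed for illustration; the action and protocol lists and the 1000000 floor for local SIDs follow Snort 2 conventions.

```python
import re

# Snort 2 rule: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+'
    r'\((?P<opts>.*)\)\s*$')
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000  # SIDs below this are reserved for distributed rule sets

def lint_rules(text):
    """Return (line_number, problem) pairs for the body of a local.rules file."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, "bad header"))
            continue
        if m["action"] not in ACTIONS:
            problems.append((n, "unknown action"))
        if m["proto"] not in PROTOS:
            problems.append((n, "unknown protocol"))
        # msg must use straight double quotes; word processors insert curly ones
        if not re.search(r'msg\s*:\s*"[^"]+"\s*;', m["opts"]):
            problems.append((n, "msg not in straight quotes"))
        sid = re.search(r'sid\s*:\s*(\d+)\s*;', m["opts"])
        if not sid:
            problems.append((n, "missing sid"))
        elif int(sid[1]) < LOCAL_SID_MIN:
            problems.append((n, "sid below local range"))
        elif int(sid[1]) in seen:
            problems.append((n, "duplicate sid"))
        else:
            seen[int(sid[1])] = n
    return problems

# Constructed samples: the lab's three test rules, then typical copy/paste damage.
GOOD = '''alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)
alert udp any any -> any any (msg:"Testing UDP"; sid:1000002;)
alert tcp any any -> any any (msg:"Testing TCP"; sid:1000003;)'''
BAD = '''alerticmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)
alert udp any any -> any any (msg:\u201cTesting UDP\u201d; sid:1000002;)
alert tcp any any -> any any (msg:"Testing TCP"; sid:1000002;)
alert tcp any any -> any any (msg:"Low SID"; sid:1001;)'''

if __name__ == "__main__":
    for n, problem in lint_rules(BAD):
        print(f"line {n}: {problem}")
```

The linter only checks the parts of the rule syntax used in this lab; the `snort -T` run from step 37 remains the authoritative test of the full configuration.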

1. Install the Snort Software



2. Install the snort rules


3. Copy all data from the rules folders into the corresponding Snort folders


4. Go to the etc folder in the snort folder on the C drive

5. Now right-click the snort file and edit it with Notepad++

6. Change the data according to the above statements
