Prerequisites
- Host OS: Windows 7 SP1
- VirtualBox (latest stable build)
- WinPcap 4.1.3 – packet-capture driver
- Snort 2.8.6 Windows build (Snort_2_8_6_Installer.exe)
- Official rule set: snortrules-snapshot-2860.tar.gz
- AppServ 8.6.0 – Apache + MySQL + PHP stack
- BASE 1.4.5 (base-1.4.5.tar.gz) – web front-end
All components are installed on a single lab workstation.
1. Install WinPcap
Run WinPcap_4_1_3.exe with default options.
2. Install Snort
- Execute Snort_2_8_6_Installer.exe, accept the license, keep all defaults, and install to C:\Snort.
- Extract the rule archive into C:\Snort, merging folders when prompted.
- Verify that C:\Snort\rules is now populated.
Configure Snort
Edit C:\Snort\etc\snort.conf:
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
preprocessor http_inspect: global \
iis_unicode_map c:\snort\etc\unicode.map 1252
output database: alert, mysql, \
user=snort password=snort dbname=snortdb host=localhost
# Rule includes
include $RULE_PATH/snmp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/bad-traffic.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/sql.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-misc.rules
3. Install AppServ
Run appserv-win32-8.6.0.exe:
- Destination: C:\AppServ (default)
- Select the Apache, MySQL, and PHP components
- Set the MySQL root password to an 8-character value
- Accept the Windows Firewall prompt for Apache
Confirm the stack is running by browsing to http://localhost.
4. Prepare MySQL Databases
Open a command prompt and connect to MySQL:
mysql -u root -p
Inside the MySQL shell:
CREATE DATABASE snortdb;
CREATE DATABASE snortarc;
USE snortdb;
SOURCE c:/snort/schemas/create_mysql;
USE snortarc;
SOURCE c:/snort/schemas/create_mysql;
GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY 'snort';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER ON snortdb.* TO 'snort'@'localhost';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER ON snortarc.* TO 'snort'@'localhost';
SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('snort');
5. Deploy BASE
- Extract base-1.4.5.tar.gz into C:\AppServ\www\base.
- Browse to http://localhost/base and follow the web-based setup wizard:
  - Database type: MySQL
  - Database name: snortdb
  - Username: snort
  - Password: snort
  - Host: localhost
  - Archive DB: snortarc
- Complete the configuration; BASE will create its tables automatically.
6. Launch Snort in NIDS Mode
Open an elevated command prompt:
c:\snort\bin\snort -i 1 -dev -c c:\snort\etc\snort.conf -l c:\snort\log
- -i 1 uses the first available interface; adjust it to match your adapter index (snort -W lists the adapters).
- Traffic will be logged to c:\snort\log and alerts inserted into snortdb.
7. Generate Test Alerts
From another host on the same subnet:
nmap -sS <Windows-IP>
Return to BASE at http://localhost/base – alerts will appear in real time.
Troubleshooting
If Snort exits with dynamic-engine errors, verify the paths in snort.conf point to existing DLL files and that WinPcap is correctly installed.
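A small path checker for snort.conf, added here as an example (it is not part of the original guide and not a Snort tool): it resolves $VAR references in the var, dynamicpreprocessor directory, dynamicengine and include lines and reports every resolved path that does not exist on disk. SAMPLE_CONF is a constructed fragment of the configuration above; on the lab box, call missing_paths() on the contents of C:\Snort\etc\snort.conf instead.

```python
import os
import re

# snort.conf fragment, constructed for this example from the settings shown above
SAMPLE_CONF = r"""
var RULE_PATH c:\snort\rules
var SO_RULE_PATH c:\snort\so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
# Rule includes
include $RULE_PATH/icmp.rules
include $SO_RULE_PATH/dos.rules
"""

# Directives that carry a filesystem path; group 1 = directive, group 2 = path
PATH_DIRECTIVES = re.compile(
    r"^(var \w+|dynamicpreprocessor directory|dynamicengine|include) (\S+)$")

def resolve_paths(conf_text):
    """Return [(directive, resolved_path)] for each path-bearing directive, in file order."""
    variables, found = {}, []
    for raw in conf_text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())   # strip comment, collapse spaces
        m = PATH_DIRECTIVES.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        # Expand $NAME using vars defined earlier in the file; unknown names stay as-is
        value = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), value)
        if directive.startswith("var "):
            variables[directive[4:]] = value
        found.append((directive, value))
    return found

def normalize(path):
    """Comparison key: forward slashes and lower case (Windows paths are case-insensitive)."""
    return path.replace("\\", "/").lower()

def missing_paths(conf_text, exists=os.path.exists):
    """Directives whose resolved path does not exist; exists() is injectable for testing."""
    return [(d, p) for d, p in resolve_paths(conf_text) if not exists(normalize(p))]

if __name__ == "__main__":
    for directive, path in missing_paths(SAMPLE_CONF):
        print(f"missing: {directive} -> {path}")
```

An empty result means every referenced rule file, rule directory and DLL resolves to an existing path, which rules out the dynamic-engine and include errors described above.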