Step-by-Step Guide to Installing and Configuring Snort on Windows with Knowledge Planet

0x01 Snort Rule Set Categories

  • app-detect.rules – This category contains rules for finding and controlling the traffic generated by certain applications over the network. This category will be used to manage various aspects of how applications behave.
  • blacklist.rules – This category contains rules for URIs, USER-AGENTs, DNS, and IP addresses identified as indicators of malicious activity. These rules are based on activities from the Talos sandbox, public lists of malicious URLs, and other data sources.
  • browser-chrome.rules – This category includes detections for vulnerabilities present in the Chrome browser. (This is separate from the “browser-webkit” category as Chrome has enough vulnerabilities to warrant its own category, despite using the Webkit rendering engine, due to Chrome’s numerous other features.)
  • browser-firefox.rules – This category contains detections for vulnerabilities present in the Firefox browser or products with the “Gecko” engine (such as Thunderbird email client).
  • browser-ie.rules – This category includes detections for vulnerabilities present in the Internet Explorer browser (Trident or Tasman engine).
  • browser-webkit – This category includes detections for vulnerabilities present in the Webkit browser engine (excluding Chrome), including Apple’s Safari, RIM’s mobile browsers, Nokia, KDE, Webkit itself, and Palm.
  • browser-other – This category includes detections for vulnerabilities in other browsers not listed above.
  • browser-plugins – This category includes detections for vulnerabilities in browser plugins (e.g., Active-x).
  • content-replace – This category contains any rules that leverage Snort’s internal “replace” functionality.
  • deleted – When a rule is deprecated or replaced, it moves to this category. Rules are never fully removed from the set; they are moved here instead.
  • exploit – This is an older category that will soon be deprecated. This category generally searches for exploits against software.
  • exploit-kit – This category includes rules specifically for detecting exploit kit activities. This does not include “post-compromise” rules (as those would be in indicator-compromise). Files dropped from exploit kit usage will reside in their respective file category.
  • file-executable – This category includes rules against vulnerabilities found or delivered through executable files, regardless of platform.
  • file-flash – This category includes rules against vulnerabilities found or delivered via flash files.
  • file-image – This category includes rules for vulnerabilities found in image files regardless of delivery method, attacked software, or image type. (Examples: jpg, png, gif, bmp, etc.)
  • file-identify – This category identifies files through extensions, file content (magic numbers), or headers found in traffic. This information is usually used to set flowbits for use in other rules.
  • file-java – This category includes rules for vulnerabilities found in Java files (.jar).
  • file-multimedia – This category includes rules for vulnerabilities found inside multimedia files (mp3s, movies, wmv).
  • file-office – This category includes rules for vulnerabilities found in files belonging to the Microsoft Office suite (Excel, PowerPoint, Word, Visio, Access, Outlook, etc.).
  • file-pdf – This category includes rules for vulnerabilities found within PDF files, regardless of creation method, delivery method, or the software impacted by the PDF (e.g., Adobe Reader and FoxIt Reader).
  • file-other – This category includes rules for file vulnerabilities not belonging to any other aforementioned category.
  • indicator-compromise – This category comprises rules meant specifically for detecting actively compromised systems, which may have false positives.
  • indicator-obfuscation – This category includes rules solely for detecting obfuscated content, such as encoded JavaScript.
  • indicator-shellcode – This category includes rules just for looking in traffic for simple shellcode recognition markers. This replaces the older “shellcode.rules”.
  • indicator-scan – This category includes rules solely aimed at indicating scans within network traffic, replacing the older “scan.rules”.
  • malware-backdoor – This category includes rules for detecting traffic sent to the command channels of known listening backdoors. If malware opens a port and waits for incoming commands that control its functions, the detection belongs here. A simple example is BackOrifice, which listens on specific ports and executes the commands it receives.
  • malware-cnc – This category comprises known command-and-control activity, used to identify botnet traffic, including call-backs, downloads of dropped files, and data exfiltration. Master-to-zombie commands also appear here.
  • malware-tools – This category comprises rules dealing with tools considered malicious, for example LOIC.
  • malware-other – This category contains rules related to malware that do not fall under any of the other “malware” categories.
  • os-linux – This category includes rules looking for vulnerabilities in Linux-based operating systems, but not in browsers or any other software above the OS itself.
  • os-solaris – This includes rules for finding vulnerabilities within Solaris-based operating systems but not applicable to any software above the OS itself.
  • os-windows – This category comprises rules for detecting vulnerabilities within Windows-based operating systems, and not for browsers or any other software above the OS.
  • os-mobile – This category looks for vulnerabilities in mobile-based operating systems, not in browsers or any other software above the OS layer.
  • os-other – Includes rules searching for vulnerabilities in operating systems not listed above.
  • policy-multimedia – This category contains rules for detecting potential violations of multimedia policy, such as detection of iTunes usage on a network. This does not cover vulnerabilities in multimedia files, which are in file-multimedia.
  • policy-social – This category includes rules detecting potential violations of a corporate network policy for using social media (p2p, chatting, etc.).
  • policy-spam – This category applies to rules that may indicate the presence of spam on a network.
  • policy-other – This category encompasses rules that may violate end-user company policies not belonging to any other policy category.
  • protocol-dns – This category pertains to rules that may indicate the existence of DNS protocols or vulnerabilities within DNS protocols on a network.
  • protocol-finger – Includes rules indicating the presence of finger protocol or vulnerabilities within it on a network.
  • protocol-ftp – Applies to rules that may indicate the presence of FTP protocol or vulnerabilities within FTP protocol on the network.
  • protocol-icmp – Includes rules for indicating ICMP traffic or vulnerabilities within ICMP on a network.
  • protocol-imap – Applicable for rules indicating the presence of the IMAP protocol or vulnerabilities within it on a network.
  • protocol-nntp – This category pertains to rules that may indicate the presence of the NNTP protocol or vulnerabilities within it on a network.
  • protocol-pop – Covers rules that may suggest the presence of the POP protocol or vulnerabilities within it on the network.
  • protocol-rpc – This category applies to rules that may indicate the presence of RPC protocol or vulnerabilities within it on a network.
  • protocol-scada – Applicable for rules that may indicate the presence of SCADA protocols or vulnerabilities within them on a network.
  • protocol-services – Includes rules that suggest the presence of rservices protocols or vulnerabilities within them on a network.
  • protocol-snmp – Pertains to rules that might indicate the presence of SNMP protocol or vulnerabilities within it on a network.
  • protocol-telnet – Applies to rules that may suggest the presence of the Telnet protocol or vulnerabilities within it on the network.
  • protocol-tftp – This category is for rules that may indicate the presence of the TFTP protocol or vulnerabilities within it on a network.
  • protocol-voip – Involves rules that may indicate the presence of VoIP services or vulnerabilities within VoIP protocol on the network.
  • protocol-other – This is for rules locating protocols or protocol vulnerabilities not fitting other “protocol” rule files.
  • pua-adware – Deals with “pua” or potentially unwanted applications associated with adware or spyware.
  • pua-p2p – Deals with “pua” or potentially unwanted applications associated with peer-to-peer sharing.
  • pua-toolbars – Associated with “pua” or potentially unwanted applications dealing with toolbars installed on client systems (Google Toolbar, Yahoo Toolbar, Hotbar, etc.).
  • pua-other – Addresses “pua” or potentially unwanted applications not belonging to aforementioned categories.
  • server-apache – Deals with vulnerabilities or attacks on Apache Web servers.
  • server-iis – Associated with vulnerabilities or attacks within Microsoft IIS Web servers.
  • server-mssql – Deals with vulnerabilities or attacks within Microsoft SQL Server.
  • server-mysql – Covers vulnerabilities or attacks associated with Oracle MySQL servers.
  • server-oracle – Deals with vulnerabilities or attacks within Oracle’s SQL database server.
  • server-samba – Pertains to vulnerabilities or attacks within Samba servers.
  • server-webapp – Encompasses vulnerabilities or attacks on web-based applications on servers.
  • server-mail – Contains rules for detecting vulnerabilities in mail servers (exchange, post office). Separate from protocol categories, as they deal with traffic towards the mail server itself.
  • server-other – Includes rules for detecting vulnerabilities or attacks in servers not detailed in the list above.
  • sql – Covers rules for detecting SQL injection or other vulnerabilities targeted at SQL class servers.
  • x11 – Contains rules for detecting X11 usage or other vulnerabilities targeting X11 class servers.

0x02 Windows Snort2 Installation

  • Install npcap

Npcap is a required dependency; download it from:

https://npcap.com/#download

  • Install Snort 2 for Windows.

Confirm the install by running Snort in verbose sniffer mode:

snort -ev

0x03 Downloading Rules

Downloading the free rule set requires signing up for an account:

https://www.snort.org/users/sign_up

Download the rules that correspond to the installed Snort version. In this instance, the blogger installed Snort 2.9.19, so download the matching rules release.

The changelog for each rules release, listing what was added or changed, can be checked here:

https://www.snort.org/downloads#rules

0x04 Configuring snort.conf Rule File

Open etc\snort.conf in the Snort installation directory with Notepad or another text editor and edit the following settings so that Snort can find the rule files and the classification and reference files. Adjust every path to match your own installation directory.

  • Set the rule paths. The rule-related settings are near the end of the configuration file.
# so_rules does not exist after installation and must be created manually
var RULE_PATH D:/Snort/rules
var SO_RULE_PATH D:/Snort/so_rules
var PREPROC_RULE_PATH D:/Snort/preproc_rules
  • Configure and enable the blacklist and whitelist files.
# Set the absolute paths appropriately
var WHITE_LIST_PATH D:/Snort/rules/iplists
var BLACK_LIST_PATH D:/Snort/rules/iplists
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
  • Set up the dynamically loaded libraries.
# path to dynamic preprocessor libraries
dynamicpreprocessor directory D:/Snort/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine D:/Snort/lib/snort_dynamicengine/sf_engine.dll

# path to dynamic rules libraries
# Leave this line commented out, or create the directory it points to; otherwise Snort fails to start.
#dynamicdetection directory D:/Snort/lib/snort_dynamicrules
  • Update the paths of classification.config (rule alert priorities) and reference.config (links to further information about an alert).
# metadata reference data. do not modify these lines
include D:/Snort/etc/classification.config
include D:/Snort/etc/reference.config
  • Set the path of the event filtering configuration file.
# Event thresholding or suppression commands. See threshold.conf
include D:/Snort/etc/threshold.conf
  • Create the blacklist and whitelist files:
black_list.rules
white_list.rules

Extract the downloaded rules archive and copy its contents into the rules, preproc_rules and so_rules folders of the installation directory.

  • Configure the Snort environment variable (add the Snort bin directory to Path).

  • Run Snort and load the rules:
snort -dev -l D:\Snort\log -h 192.168.1.0/24 -c D:\Snort\etc\snort.conf

(Screenshot of the resulting Snort output omitted.)

Note: If an error occurs, read the error message carefully, check the configuration file for mistakes, verify that your setup matches the configuration described above, or try running Snort again with administrative privileges.
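A quick way to catch the path mistakes the note above warns about, as an added example that is not part of the original post: a small Python checker that walks the edited snort.conf lines, expands $VAR references and lists every referenced file or directory that is missing on disk. It assumes that every `*_PATH` variable names a directory that should exist, and the layout built in demo() is constructed for illustration.

```python
# Added example (not from the original post): check that every path the
# snort.conf edits above refer to actually exists, expanding $VAR references.
import os
import re
import tempfile

# Directives whose last argument is a path Snort expects to find at start-up.
PATH_DIRECTIVES = ("dynamicpreprocessor", "dynamicengine", "dynamicdetection",
                   "include", "whitelist", "blacklist")

def check_snort_conf(conf_text, base_dir):
    """Return (variables, missing); missing is a list of (directive, path)."""
    variables, missing = {}, []
    for raw in conf_text.splitlines():
        # Strip comments and the ", \" continuation used in the reputation block.
        line = raw.split("#", 1)[0].strip().rstrip("\\, \t")
        if not line:
            continue
        # Expand $VAR / ${VAR} with variables defined earlier in the file.
        line = re.sub(r"\$\{?(\w+)\}?",
                      lambda m: variables.get(m.group(1), m.group(0)), line)
        parts = line.split()
        if parts[0] in ("var", "ipvar", "portvar") and len(parts) >= 3:
            variables[parts[1]] = parts[2]
            # Assumption: *_PATH variables name directories (rules, so_rules, ...).
            if parts[1].endswith("_PATH") and not os.path.isdir(parts[2]):
                missing.append(("var " + parts[1], parts[2]))
        elif parts[0] in PATH_DIRECTIVES:
            path = parts[-1]      # e.g. "dynamicpreprocessor directory <dir>"
            full = path if os.path.isabs(path) else os.path.join(base_dir, path)
            if not os.path.exists(full):
                missing.append((parts[0], path))
    return variables, missing

def demo():
    """Constructed layout: rules/ and etc/classification.config exist; so_rules/ and iplists/ do not."""
    root = tempfile.mkdtemp()
    for sub in ("rules", "etc"):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, "etc", "classification.config"), "w").close()
    conf = f"""
var RULE_PATH {root}/rules
var SO_RULE_PATH {root}/so_rules   # must be created by hand
var WHITE_LIST_PATH {root}/rules/iplists
whitelist $WHITE_LIST_PATH/default.whitelist, \\
include {root}/etc/classification.config
"""
    _, missing = check_snort_conf(conf, root)
    print("missing:", missing)
    return missing
```

Run it against your real snort.conf with `check_snort_conf(open(path).read(), r"D:\Snort")` before starting Snort; each entry it reports is a directory or file to create or a path to correct.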

Reference Links:

https://www.jianshu.com/p/c6cc43facd20

https://www.snort.org/rules_explanation

You might think you have many paths to choose from; in reality, you have only one path to walk.