How to install and configure Snort on Windows (part 2)

Home > Search > How-to
  by

Test Snort Local.Rules
Go here, C:Snort ules, and open local.rules in wordpad.  
After the text, we will add 3 alert rules,
to test and see if Snort will detect traffic based on a local rule:

alert icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP test Jeremy"; sid:10000001;)
alert udp $HOME_NET any -> $HOME_NET any (msg:"UDP test Jeremy"; sid:10000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP test Jeremy"; sid:10000003;)
Then, open a command line prompt.
cd snort
cd bin
snort –i 1 –c c:Snortetcsnort.conf –A console

Tip: this might not always be 1 (snort –i 1 –c c:Snortetcsnort.conf –A console).  
Run this command to get the right number:
cd snort

To test the first rule (ICMP), just ping another device in the LAN,
and snort should detect this ICMP traffic.  
By default, the network will already have UDP traffic,
so we should start to see UDP traffic appear.  
Lastly, open a web browser and go to any website, and we should see TCP traffic.  
Once we can see that Snort is detecting these three rules,
we should have a high degree of trust that Snort is good to go.  
We will want to remove these 3 rules from the local.rules file,
and then start Snort, and let it do it’s thing.


Real Snort config
In the rules file here, C:Snort ules, the following rules should be added.

We add this rule to log ping-of-death attacks
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"External ICMP"; sid:10000002;)

We add this rule to learn of unknown external TCP connections into our network/machines
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"External TCP"; sid:10000002;)


How to know if traffic is good or bad
Enter this command into a command line prompt:
Nslookup ipaddress

For example, I didn’t know what 173.192.194.94 was.  Using this technique,
I found it was teamviwer.  I configured teamviewer to not run as a service.


If you get “non-existent domain”, then look up the IP address here, like this:

http://whatismyipaddress.com/ip/107.14.38.169 Quick jump start with Snort



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments