[Snort-users] Snort-installation.

J Doe general at ...17107...
Fri May 19 20:20:25 EDT 2017


> On May 19, 2017, at 5:38 PM, Brian <brianhansen789 at ...11827...> wrote:
> 
> Hello everyone!
> I am having trouble with my snort installation.
> It can't succeed, because of the need for "wincap 4.1.1".
> But I have wincap on my PC, and a little screen window tells me the same.
> I have tried to overwrite the existing wincap on my PC, but still no
> progress.
> Can someone give me a hint to successfully complete my snort installation?
> 
> Last question....
> As I understand the "snort-universe", I need to install (using my
> "oinkcode") some of the packages like "Daemonlogger", "OfficeCat" and/or
> some "Rules" to get the Snort install working correctly.
> - Am I right or lost.... :0) ???
> 
> Best regards
> Brian Hansen, Denmark

Hi Brian,

I believe you are referring to WinPcap [1].  WinPcap is a Windows driver that provides libpcap style support for Windows hosts (libpcap is used by Snort to retrieve network traffic).

You don't really want to overwrite any existing installation of it.  Instead, use Add/Remove to uninstall the existing package, which will uninstall the driver.  Next, download and install the most recent version of WinPcap.  I would also recommend rebooting your Windows host once the new driver is installed.

To test WinPcap you can download and try WinDump [2].  This is the Windows equivalent of tcpdump.

In terms of rules [3], there are the Talos community rules (free), the Talos commercial rules ($29/year for personal use, see the Snort website for commercial fees), Emerging Threats (community-sourced rule set), as well as any rules you write yourself.

Your Oinkcode is involved in getting the Talos community rules - I'd start with that.  You must register to receive your Oinkcode.

Keep in mind that you will also need to modify snort.conf to customize what you are monitoring, what portions of Snort are running, etc.

Daemonlogger is not mandatory.  To start off with I would recommend just parsing the snort log file (or running it as: tail -f log), to test it with some attack traffic and ensure that the rules you want are firing.  You can choose to do logging to a syslog-style implementation on Windows, write data to SQL data stores and so forth once you're comfortable with Snort.

HTH,

- J

Sources:
[1] https://www.winpcap.org/default.htm
[2] https://www.winpcap.org/windump/default.htm
[3] https://www.snort.org/downloads/#rule-downloads
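The "parse the snort log file and make sure the rules you want are firing" step from the reply above, as an added example that is not part of the original thread: a small Python checker that reads Snort alert-fast style lines, counts alerts per SID, and reports which expected SIDs never fired. The line layout, the SIDs (local 1000001+ range) and the sample alert lines are all constructed for this example, not taken from the thread.

```python
import re
from collections import Counter

# Assumed Snort "alert_fast" line layout (constructed for this example):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# The Classification field is optional; ICMP alerts carry addresses without ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample log content: two hits on a local ICMP test rule, one hit on a
# local HTTP test rule, and one non-alert line that a parser must tolerate.
SAMPLE_ALERTS = """\
05/19-20:21:03.412001  [**] [1:1000001:1] LOCAL test rule - ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
05/19-20:21:05.110400  [**] [1:1000001:1] LOCAL test rule - ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
05/19-20:21:09.778120  [**] [1:1000002:2] LOCAL test rule - HTTP GET to /test [**] [Priority: 2] {TCP} 192.0.2.10:52110 -> 192.0.2.20:80
this line is not an alert and is counted as unparsed
"""


def parse_alert(line):
    """Return a dict of fields for one alert-fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    return rec


def check_rules_fired(lines, expected_sids):
    """Count alerts per SID and report expected SIDs that never appeared.

    Returns {"counts": {sid: n}, "missing": [sid, ...], "unparsed": n}.
    """
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():  # ignore blank lines, count anything else we could not read
                unparsed += 1
            continue
        counts[rec["sid"]] += 1
    missing = [sid for sid in expected_sids if counts.get(sid, 0) == 0]
    return {"counts": dict(counts), "missing": missing, "unparsed": unparsed}


if __name__ == "__main__":
    # Expecting three local test rules; only two of them show up in the sample log.
    print(check_rules_fired(SAMPLE_ALERTS.splitlines(), [1000001, 1000002, 1000003]))
```

To run it against a live test, replace SAMPLE_ALERTS with the lines of your actual alert file and list the SIDs of the rules you expect your attack traffic to trigger.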
