
Installing Snort on Windows (2)

The complete, official WinIDS Installation Guide: http://wenku.baidu.com/view/e676414f2b160b4e767fcf29.html

WinIDS builds an IDS on Windows from Snort, MySQL and related components.

The following is the part of its documentation that covers installing and configuring Snort, and it is worth referring to.

Install and configure Snort

Navigate to the 'd:\tmp' folder, double left-click on the 'Snort...' file to start the installer, left-click the 'I Agree' button, left-click 'Next' (leave default), left-click 'Next', in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, and finally left-click 'OK'.

Navigate to the 'd:\tmp' folder and extract the contents of the 'snortrules-snapshot-CURRENT.zip' file into 'd:\winids\snort'.

Navigate to the 'd:\winids\snort\etc' folder, right-click on the 'snort.conf' file and open with 'WordPad'.

Note: Use Find in WordPad to locate and change the variables below.

The home network variable below defines the network you wish to monitor, such as the local LAN segment. It is set by specifying one or more networks in CIDR form.

Note: The IP address below is fictitious and must be changed to the correct IP Address and CIDR that reflects the actual network that the IDS is monitoring.

Original: var HOME_NET any

Change: var HOME_NET 192.168.1.0/24

The external network below specifies one or more networks where you believe threats or attacks will originate. The var EXTERNAL_NET variable can also be set by specifying a CIDR, or you can make use of the home network variable already specified above.

Original: var EXTERNAL_NET any

Change: var EXTERNAL_NET !$HOME_NET

Original: var RULE_PATH ../rules

Change: var RULE_PATH d:\winids\snort\rules

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so

Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so

Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_dns.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so

Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so

Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll

Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so

Change: dynamicpreprocessor file d:\winids\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

Original: dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Change: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Note: Find the lines below and change them to the lines that follow.

Original:

# preprocessor sfportscan: proto  { all } \
#                                    memcap { 10000000 } \
#                                    sense_level { low }

Change:

preprocessor sfportscan: proto { all } \
                                    memcap { 10000000 } \
                                    sense_level { low } \
                                    logfile { portscan.log }

Note: Just below '# output log_tcpdump: tcpdump.log' insert this next line:

output alert_fast: alert.ids

Original: # output database: log, mysql, user=root password=test dbname=db host=localhost

Change: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=localhost sensor_name=WinIDS

Original: include classification.config

Change: include d:\winids\snort\etc\classification.config

Original: include reference.config

Change: include d:\winids\snort\etc\reference.config

Original: # include threshold.conf

Change: include d:\winids\snort\etc\threshold.conf

Now save the file and exit WordPad.
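The edits above are mechanical and easy to get half-done, so the following added example (not part of the WinIDS guide or Snort) applies the guide's one-line changes to snort.conf text and then checks for leftovers that would stop Snort from starting on Windows, such as active lines still pointing at /usr/local/lib or HOME_NET left as 'any'. It assumes the guide's install folder d:\winids\snort; the multi-line sfportscan block is not handled.

```python
import re
# Install folder chosen in the guide above; every path below derives from it.
SNORT_ROOT = r"d:\winids\snort"
LIB = SNORT_ROOT + r"\lib"
# One-line changes exactly as the guide lists them; HOME_NET is the guide's fictitious
# example and must be replaced with the network the sensor actually monitors.
LINE_CHANGES = {
    "var HOME_NET any": "var HOME_NET 192.168.1.0/24",
    "var EXTERNAL_NET any": "var EXTERNAL_NET !$HOME_NET",
    "var RULE_PATH ../rules": "var RULE_PATH " + SNORT_ROOT + r"\rules",
    "dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so":
        "dynamicengine " + LIB + r"\snort_dynamicengine\sf_engine.dll",
    "# output database: log, mysql, user=root password=test dbname=db host=localhost":
        "output database: log, mysql, user=snort password=l0gg3r dbname=snort "
        "host=localhost sensor_name=WinIDS",
    "include classification.config": "include " + SNORT_ROOT + r"\etc\classification.config",
    "include reference.config": "include " + SNORT_ROOT + r"\etc\reference.config",
    "# include threshold.conf": "include " + SNORT_ROOT + r"\etc\threshold.conf",
}
# The five dynamicpreprocessor lines follow one pattern: libsf_<name>_preproc.so -> sf_<name>.dll
PREPROC_RE = re.compile(r"^dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_(\w+)_preproc\.so$")

def convert_line(line):
    """Return the guide's replacement for one snort.conf line, or the line unchanged."""
    if line in LINE_CHANGES:
        return LINE_CHANGES[line]
    m = PREPROC_RE.match(line)
    if m:
        return "dynamicpreprocessor file " + LIB + r"\snort_dynamicpreprocessor\sf_" + m.group(1) + ".dll"
    return line

def convert_conf(text):
    """Apply the one-line changes and add alert_fast after the commented log_tcpdump line (sfportscan block left for manual editing)."""
    out = []
    for line in text.splitlines():
        out.append(convert_line(line))
        if line == "# output log_tcpdump: tcpdump.log":
            out.append("output alert_fast: alert.ids")
    return "\n".join(out) + "\n"

def remaining_issues(text):
    """Pre-start check: active lines still pointing at Unix library paths, or HOME_NET left as 'any'."""
    issues = []
    for n, line in enumerate(text.splitlines(), 1):
        if "/usr/local/lib" in line and not line.lstrip().startswith("#"):
            issues.append("line %d: Unix library path still present" % n)
        if line.strip() == "var HOME_NET any":
            issues.append("line %d: HOME_NET is 'any'; set it to the monitored network" % n)
    return issues
```

Read d:\winids\snort\etc\snort.conf, pass its text through convert_conf, and run remaining_issues on the result before writing it back; an empty list means none of the listed problems remain.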