Step-by-Step Snort IDS Setup Guide for Windows: Configure, Detect, and Analyze Network Intrusions

Objective: Master the Snort IDS setup on Windows, learn basic configuration methods, and use IDS to detect and analyze network data flows.

Snort is a lightweight network intrusion detection system based on misuse (signature) detection. It captures and analyzes traffic in real time, logs IP packets, performs protocol analysis and content searching/matching, and can detect a wide range of attacks and raise an alert the moment one is seen.

Environment: Windows

Steps:

  1. Install the required software:
    1. WinPcap (WinPcap_4_1_2.exe): the packet capture driver and library for Windows
    2. Snort (Snort_2_9_2_2_Installer.zip): captures traffic and writes alerts to the database; the Snort rules can also be downloaded from the official website
    3. PHPStudy: bundles Apache, PHP and MySQL, so the three do not have to be installed separately
    4. ACID (acid-0.9.6b23.tar.gz): a PHP-based intrusion detection database analysis console. It reads the MySQL snort database through ADOdb and displays the analysis on a web page, using the JpGraph component for charts
    5. ADOdb (adodb465.zip): a PHP database abstraction library
    6. JpGraph (jpgraph-3.0.7.tar.gz): an object-oriented graphics library for PHP
    7. Snort rules (snortrules-snapshot-2923.tar.gz): the Snort detection rule set

Detailed steps are as follows:

1. Install PHPStudy

After a successful installation the PHPStudy start page loads in a browser at http://127.0.0.1/ (its content does not have to be "hello world"). PHPStudy replaces the troublesome separate installation of Apache, PHP and MySQL; the steps below only make small changes to its configuration.

2. Install WinPcap

Double-click WinPcap_4_1_2.exe and follow the wizard prompts to install.

3. Install Snort

Unzip Snort_2_9_2_2_Installer.zip, run the installer with the default options, then test the installation from the bin directory of your Snort installation (e.g. C:\Snort\bin or F:\Snort\bin):

c:\snort\bin> snort -W

The W is uppercase. If the Snort pig logo and a list of the system's network interfaces are printed, the installation succeeded.

4. Install and configure MySQL

Since PHPStudy was installed above, MySQL is configured inside PHPStudy.

If you are new to MySQL, first add the MySQL bin directory to the PATH environment variable so that the mysql client can be started directly from cmd.

Then create the snort and snort_archive databases from the mysql command line:

mysql> create database snort;

mysql> create database snort_archive;

mysql> use snort

mysql> source create_mysql (the create_mysql script is in .\Snort\schemas\; copy it into MySQL's bin directory first, or give its full path to source)

mysql> show tables;

mysql> use snort_archive

mysql> source create_mysql

mysql> show tables;

Create the snort and acid MySQL accounts so that IDScenter or ACID can access the Snort databases.

Use the following commands:

mysql> grant usage on *.* to 'acid'@'localhost' identified by 'acidtest';

mysql> grant usage on *.* to 'snort'@'localhost' identified by 'snorttest';

Then grant the two accounts their privileges on the two databases:

mysql> grant select,insert,update,delete,create,alter on snort.* to 'snort'@'localhost';

mysql> grant select,insert,update,delete,create,alter on snort.* to 'acid'@'localhost';

mysql> grant select,insert,update,delete,create,alter on snort_archive.* to 'snort'@'localhost';

mysql> grant select,insert,update,delete,create,alter on snort_archive.* to 'acid'@'localhost';

Finally set real passwords for the snort and acid users, replacing the placeholder values used above:

mysql> set password for 'snort'@'localhost' = password('your password');

mysql> set password for 'acid'@'localhost' = password('your password');

Two caveats. First, these grants are broader than necessary: the Snort database output plugin only needs INSERT and SELECT on snort.*, while CREATE, ALTER and DELETE are needed only by the console account that creates the ACID tables and archives or prunes alerts, so outside a throw-away lab give the snort account only select,insert. Second, this syntax is for the MySQL 5.x bundled with PHPStudy; GRANT ... IDENTIFIED BY and SET PASSWORD ... = PASSWORD() were removed in MySQL 8.0, which uses CREATE USER ... IDENTIFIED BY and ALTER USER ... IDENTIFIED BY instead.

5. Install Adodb

Unzip the adodb465 archive to D:\phpStudy\PHPTutorial\php\php-5.2.17.

ACID 0.9.6b23 and ADOdb 4.65 are PHP 4/5-era code; under the newer PHP versions bundled with PHPStudy they throw errors, so select the lowest PHP version available (5.2.17 here) in PHPStudy's version switcher and restart after switching. Note that PHP 5.2 has been unsupported since 2011 and receives no security fixes, so run this stack only in an isolated lab network.

6. Install Jpgraph

Unzip jpgraph-x.x.x.tar.gz to D:\phpStudy\PHPTutorial\php\php-5.2.17.

Install Acid

Unzip acid-0.9.6b23.tar.gz to the D:\phpStudy\PHPTutorial\WWW\acid directory.

After starting PHPStudy, ACID can be opened in a browser. Then open acid_conf.php with a text editor and modify it as follows:

$DBlib_path = "D:\phpStudy\PHPTutorial\php\php-5.2.17\adodb465\adodb";

$DBtype = "mysql";

$alert_dbname = "snort";

$alert_host = "localhost";

$alert_port = "";

$alert_user = "snort";

$alert_password = "your password";

$archive_dbname = "snort_archive";

$archive_host = "localhost";

$archive_port = "";

$archive_user = "acid";

$archive_password = "your password";

$ChartLib_path = "D:\phpStudy\PHPTutorial\php\php-5.2.17\jpgraph-2.3.3";

The exact paths depend on where you installed each component; the values above are for reference only. The two passwords are the ones set for the snort and acid MySQL users in step 4. PHP treats \n, \t and a few other backslash sequences inside double-quoted strings as escapes, so use forward slashes (or single quotes) in these Windows paths if a directory name happens to begin with such a letter.

Restart the Apache service.

Open http://<host IP address>/acid/acid_db_setup.php in a browser to create the additional tables ACID needs and click "Create ACID AG". ACID has no authentication of its own and has not been maintained for many years, so keep the console reachable only from localhost or protect the /acid directory with Apache access control, and remember that acid_conf.php holds the MySQL passwords in clear text.

7. Configure Snort

Files that are missing from the Snort folder can be copied from the other two Snort archives in the download package.

After installing Snort, configure the snort.conf file in the etc directory.

The snort.conf file needs the following changes on Windows (the examples assume Snort is installed in F:\Snort; use your own installation path consistently throughout):

Original: var RULE_PATH ../rules
Change to: var RULE_PATH F:\Snort\rules

Original: #dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory F:\Snort\lib\snort_dynamicpreprocessor (make sure there is no trailing slash)

Original: #dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine F:\Snort\lib\snort_dynamicengine\sf_engine.dll

Original: #dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: dynamicdetection directory F:\Snort\lib\snort_dynamicrules

Then copy the files from F:\Snort\so_rules\precompiled\FC-12\i386\2.9.0.1 into F:\Snort\lib\snort_dynamicrules. FC-12 might not be the right directory for your system, so try what is available. Be aware that FC-12 (Fedora 12) and the other Linux directories contain ELF shared objects (.so) that Snort on Windows cannot load; only shared-object rules built for Windows (.dll) work here. If the rules package has no Windows build for your Snort version, leave dynamicdetection commented out and rely on the text rules.

Original: include classification.config
Change to: include F:\Snort\etc\classification.config

Original: include reference.config
Change to: include F:\Snort\etc\reference.config

Original: # include threshold.conf
Change to: include F:\Snort\etc\threshold.conf

Original:
# Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6
Make sure each of the normalize_* lines carries a leading # so that it is commented out; the normalizers only apply in inline (IPS) mode.

Original: preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
Change to: preprocessor http_inspect: global iis_unicode_map F:\Snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
On Windows the unicode.map file lives in the etc folder, so the full path is required (the original used C:\Snort\etc\unicode.map; substitute your own installation drive).

The experiment document does not cover the database output, so you configure it yourself. Under the "# database" comment in the output section of snort.conf, uncomment and edit the lines so that they match the MySQL account created in step 4, for example:

output database: log, mysql, user=snort password=snort dbname=snort host=127.0.0.1 port=3306
output database: alert, mysql, user=snort password=snort dbname=snort host=127.0.0.1 port=3306

The password here is the one set for 'snort'@'localhost' in step 4, not a separate credential. It is stored in clear text in snort.conf, so restrict the file's NTFS permissions to administrators and the account that runs Snort. Note also that the database output plugin exists in Snort 2.9.2.x but was removed in Snort 2.9.3; later versions write unified2 files and rely on Barnyard2 to load them into MySQL.

After configuring, save the file.
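Because several of the edits above fail silently (Snort simply reports a missing file or plugin at startup), it helps to lint the saved file before running it. The script below is an added example, not part of the original tutorial or of the Snort project: it scans snort.conf text for the Windows pitfalls listed above and for a database output line whose password equals the user name. The sample config it checks is constructed for the example, and F:\Snort is the install path assumed from the tutorial.

```python
"""Lint a Snort 2.9 snort.conf for the Windows edits described in step 7.

Added example; not part of the original tutorial or of the Snort project.
It reports lines that still carry the Unix defaults the tutorial says to
change (relative RULE_PATH and includes, commented-out or .so dynamic
engine, trailing slash on the dynamicpreprocessor directory, active
normalize_* preprocessors, relative unicode.map) and flags a database
output line whose password equals the user name. The sample config is
constructed here; F:\\Snort is the install path assumed by the tutorial.
"""
import re

# Constructed sample: a stock snort.conf after a partial (and partly wrong) edit.
SAMPLE_CONF = r"""var RULE_PATH ../rules
dynamicpreprocessor directory F:\Snort\lib\snort_dynamicpreprocessor/
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
include classification.config
include F:\Snort\etc\reference.config
preprocessor normalize_ip4
#preprocessor normalize_tcp: ips ecn stream
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
output database: log, mysql, user=snort password=snort dbname=snort host=127.0.0.1 port=3306"""

# Config files that must be included with an absolute path on Windows.
CONFIG_INCLUDES = {"classification.config", "reference.config", "threshold.conf"}


def is_windows_abs(path):
    """True for a drive-letter path such as F:\\Snort\\rules."""
    return re.match(r"^[A-Za-z]:\\", path) is not None


def check_snort_conf(text):
    """Return a list of (line_number, message) for lines that still need fixing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        tokens = line.lstrip("# ").split()
        if not tokens:
            continue
        key = tokens[0]
        msg = None

        if key == "var" and len(tokens) >= 3 and tokens[1] == "RULE_PATH":
            if not is_windows_abs(tokens[2]):
                msg = "RULE_PATH must be an absolute Windows path, e.g. F:\\Snort\\rules"

        elif key in ("dynamicpreprocessor", "dynamicdetection") and tokens[1:2] == ["directory"] and len(tokens) >= 3:
            path = tokens[2]
            if commented:
                msg = f"{key} directory is still commented out"
            elif not is_windows_abs(path):
                msg = f"{key} directory must be an absolute Windows path"
            elif path.endswith(("/", "\\")):
                msg = f"{key} directory must not end with a slash"

        elif key == "dynamicengine" and len(tokens) >= 2:
            if commented:
                msg = "dynamicengine is still commented out; point it at lib\\snort_dynamicengine\\sf_engine.dll"
            elif not is_windows_abs(tokens[1]) or not tokens[1].lower().endswith(".dll"):
                msg = "dynamicengine must be the absolute path of sf_engine.dll, not a Linux .so"

        elif key == "include" and len(tokens) >= 2 and re.split(r"[\\/]", tokens[1])[-1] in CONFIG_INCLUDES:
            if commented:
                msg = f"include {tokens[1]} must be uncommented"
            elif not is_windows_abs(tokens[1]):
                msg = f"include {tokens[1]} must use the absolute path of the file in etc"

        elif key == "preprocessor" and len(tokens) >= 2:
            name = tokens[1].rstrip(":")
            if name.startswith("normalize_") and not commented:
                msg = f"{name} does nothing in IDS mode; comment it out"
            elif name == "http_inspect" and not commented and "iis_unicode_map" in tokens:
                idx = tokens.index("iis_unicode_map") + 1
                if idx >= len(tokens) or not is_windows_abs(tokens[idx]):
                    msg = "iis_unicode_map must be the absolute path of etc\\unicode.map on Windows"

        elif key == "output" and len(tokens) >= 2 and tokens[1].rstrip(":") == "database" and not commented:
            user = re.search(r"\buser=(\S+)", line)
            password = re.search(r"\bpassword=(\S+)", line)
            if user and password and user.group(1) == password.group(1):
                msg = "database password equals the user name; set a real password and restrict the ACL on snort.conf"

        if msg:
            findings.append((lineno, msg))
    return findings


if __name__ == "__main__":
    for lineno, msg in check_snort_conf(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Run it against your real file with `check_snort_conf(open(r"F:\Snort\etc\snort.conf").read())`; an empty result means the edits listed above are in place, and the password check is a reminder that the snort.conf credential is the same one ACID will use.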

Download and import the rules library

The default Snort installation on Windows does not include the rules, so they must be downloaded separately. Extract the downloaded rules snapshot archive to obtain four folders (rules, preproc_rules, so_rules and etc) and copy the files in these folders to the corresponding directories of the Snort installation. Use the snapshot whose version matches the installed Snort release, since the shared-object rules are built per version.

Set up preprocessors (optional)

Some detection preprocessors can be enabled directly in snort.conf, for example:

Port scan detection: uncomment the second of these two lines and add a log file at the end.

# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

ARP spoofing detection: likewise uncomment both lines and replace the IP and MAC address with those of the host you want to protect.

preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.76 BC:AE:C5:81:BE:95

Other preprocessor settings are similar.

Set up output

Under step 6 of snort.conf, uncomment the output lines you need:

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort – Output Modules
###################################################

For example:

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

Add the line

output alert_fast: alert.ids

to write alerts in fast (one line per alert) format to alert.ids in the log directory.

Select the network interface:

Open a command prompt, change to the directory containing snort.exe and run snort -W to list the network interfaces on the system. Note the index of the interface you want to monitor; if it is 2, for example, pass -i 2 in the commands that follow.

Install Snort as a system service (optional)

C:\Snort\bin> snort /SERVICE /INSTALL -c /etc/snort.conf -i 2 -l /snort/log -de

(Give -c and -l the full paths of your snort.conf and log directory.) If the response is

[SNORT_SERVICE] Successfully added the Snort service to the Services database.

the service was registered successfully.

Before testing, add the following rule to local.rules:

alert ip any any -> any any (msg:"IP Packet detected"; sid:1000000;)

This rule matches every IP packet, so it only serves to check that the pipeline (capture, rules, output, database) works; on a busy interface it floods the log and the database, so remove or comment it out once the test succeeds. Local rules use sids from 1000000 upwards so that they do not collide with the official rule set.

Then start Snort in IDS mode:

snort -i2 -de -l /log -c /etc/snort.conf

(again with the full paths of your log directory and snort.conf). Once "Commencing packet processing" appears, Snort is monitoring the interface. If it fails to start, the usual cause is insufficient privileges: packet capture needs an elevated prompt, so open PowerShell or cmd as administrator (Win+X) and run the command again.
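The alert.ids file written by the alert_fast output configured above is the quickest place to confirm that the test rule fires and to see what else the rule set is flagging. The parser and triage script below is an added example, not part of the original tutorial or of the Snort project; the alert lines it processes are constructed for the example (sid 1000000 is the tutorial's catch-all test rule) and IPv4 addresses are assumed.

```python
"""Parse and triage Snort alert_fast output (the alert.ids file configured above).

Added example; not part of the original tutorial or of the Snort project.
alert_fast writes one line per alert:
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src -> dst
where the Classification field is absent for rules without a classtype.
The sample lines below are constructed for this example (sid 1000000 is the
catch-all test rule from the tutorial); IPv4 addresses are assumed.
"""
import re
from collections import Counter

FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert.ids content.
SAMPLE_ALERTS = """\
01/15-13:45:12.123456  [**] [1:1000000:0] IP Packet detected [**] [Priority: 0] {TCP} 192.168.1.5:54321 -> 10.0.0.1:80
01/15-13:45:12.223456  [**] [1:1000000:0] IP Packet detected [**] [Priority: 0] {ICMP} 192.168.1.5 -> 10.0.0.1
01/15-13:45:12.323456  [**] [1:1000000:0] IP Packet detected [**] [Priority: 0] {UDP} 192.168.1.5:53210 -> 192.168.1.1:53
01/15-13:45:13.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:80 -> 192.168.1.5:54321
01/15-13:45:14.500000  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.77 -> 192.168.1.5
this line is not an alert
"""


def split_endpoint(endpoint):
    """'192.168.1.5:54321' -> ('192.168.1.5', 54321); ICMP endpoints have no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None if it is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    src, src_port = split_endpoint(m["src"])
    dst, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
        "proto": m["proto"], "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port,
    }


def triage(text, noise_threshold=3):
    """Split alert.ids into parsed alerts, count them per sid, and pick out what
    to look at first: priority 1-2 alerts (Snort's 1 is highest; 0 means the
    rule has no classtype) and rules firing at least noise_threshold times,
    which for the catch-all test rule is the signal to remove it."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed.append(line)
        else:
            alerts.append(alert)
    by_sid = Counter(a["sid"] for a in alerts)
    review = [a for a in alerts if 1 <= a["priority"] <= 2]
    noisy_sids = [sid for sid, n in by_sid.most_common() if n >= noise_threshold]
    return {"alerts": alerts, "unparsed": unparsed, "by_sid": by_sid,
            "review": review, "noisy_sids": noisy_sids}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for a in result["review"]:
        print(f"REVIEW prio={a['priority']} sid={a['sid']} {a['src']} -> {a['dst']}: {a['msg']}")
    for sid in result["noisy_sids"]:
        print(f"NOISY sid={sid} fired {result['by_sid'][sid]} times")
    print(f"{len(result['unparsed'])} line(s) could not be parsed")
```

Point `triage` at the real file with `triage(open(r"F:\Snort\log\alert.ids").read())`; lines that do not parse are kept rather than dropped, so a format change (for example enabling the packet option of alert_fast) shows up as unparsed lines instead of silently missing alerts.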

Now open http://127.0.0.1/acid/acid-0.9.6b23/acid/acid_main.php in the browser (the path depends on where the ACID archive was extracted under WWW) and the intrusion detection database analysis console appears, listing the alerts Snort has written to the database.

Any questions can be discussed in the comment section~