开源ids snort （windows版）

Snort-IPS-on-Windows-main资源-CSDN文库

GitHub - eldoktor1/Snort-IPS-on-Windows: A comprehensive guide to installing and configuring Snort IPS on Windows, ensuring robust network security

 

手动打造Snort+barnyard2+BASE可视化告警平台 - FreeBuf网络安全行业门户

解压后安装

npcap-1.75.exe

Snort_2_9_20_Installer.x64.exe

安装后cmd

C:\Snort\bin>snort.exe -W

查看哪个是正在使用的网卡

-i 后的数字改成正在使用的物理网卡号

C:\Snort\bin>snort.exe -dve -i7 -h 192.168.1.0/24 -l c:\Snort\log -K ascii

C:\Snort\bin>snort.exe -dve -i7 -h 192.168.1.0/24 > c:\Snort\log\192.168.1.024.log

C:\Snort\bin>snort.exe -W,,_     -*> Snort! <*-o"  )~   Version 2.9.20-WIN64 GRE (Build 82)''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#teamCopyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.Copyright (C) 1998-2013 Sourcefire, Inc., et al.Using PCRE version: 8.10 2010-06-25Using ZLIB version: 1.2.11Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------

C:\Snort\bin>snort.exe -ev -i7
Running in packet dump mode--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{AAD821DC-6F1F-4814-87A2-0D2EA49E304F}".
Decoding Ethernet--== Initialization Complete ==--,,_     -*> Snort! <*-o"  )~   Version 2.9.20-WIN64 GRE (Build 82)''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#teamCopyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.Copyright (C) 1998-2013 Sourcefire, Inc., et al.Using PCRE version: 8.10 2010-06-25Using ZLIB version: 1.2.11Commencing packet processing (pid=960)
WARNING: No preprocessors configured for policy 0.

===============================================================================
Run time for packet processing was 3.69000 seconds
Snort processed 46 packets.
Snort ran for 0 days 0 hours 0 minutes 3 secondsPkts/sec:           15
===============================================================================
Packet I/O Totals:Received:           69Analyzed:           46 ( 66.667%)Dropped:            0 (  0.000%)Filtered:            0 (  0.000%)
Outstanding:           23 ( 33.333%)Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):Eth:           46 (100.000%)VLAN:            0 (  0.000%)IP4:           45 ( 97.826%)Frag:            0 (  0.000%)ICMP:            0 (  0.000%)UDP:            1 (  2.174%)TCP:           44 ( 95.652%)IP6:            0 (  0.000%)IP6 Ext:            0 (  0.000%)IP6 Opts:            0 (  0.000%)Frag6:            0 (  0.000%)ICMP6:            0 (  0.000%)UDP6:            0 (  0.000%)TCP6:            0 (  0.000%)Teredo:            0 (  0.000%)ICMP-IP:            0 (  0.000%)EAPOL:            0 (  0.000%)IP4/IP4:            0 (  0.000%)IP4/IP6:            0 (  0.000%)IP6/IP4:            0 (  0.000%)IP6/IP6:            0 (  0.000%)GRE:            0 (  0.000%)GRE Eth:            0 (  0.000%)GRE VLAN:            0 (  0.000%)GRE IP4:            0 (  0.000%)GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)GRE PPTP:            0 (  0.000%)GRE ARP:            0 (  0.000%)GRE IPX:            0 (  0.000%)GRE Loop:            0 (  0.000%)MPLS:            0 (  0.000%)ARP:            1 (  2.174%)IPX:            0 (  0.000%)Eth Loop:            0 (  0.000%)Eth Disc:            0 (  0.000%)IP4 Disc:            0 (  0.000%)IP6 Disc:            0 (  0.000%)TCP Disc:            0 (  0.000%)UDP Disc:            0 (  0.000%)ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)Other:            0 (  0.000%)
Bad Chk Sum:           23 ( 50.000%)Bad TTL:            0 (  0.000%)S5 G 1:            0 (  0.000%)S5 G 2:            0 (  0.000%)Total:           46
===============================================================================Memory Statistics for File at:Mon Sep 23 09:11:25 2024Total buffers allocated:           0
Total buffers freed:               0
Total buffers released:            0
Total file mempool:                0
Total allocated file mempool:      0
Total freed file mempool:          0
Total released file mempool:       0Heap Statistics of file:Total Statistics:Memory in use:              0 bytesNo of allocs:              0No of frees:              0
===============================================================================
Snort exiting

snort.exe -h
snort.exe: option requires an argument -- h,,_     -*> Snort! <*-o"  )~   Version 2.9.20-WIN64 GRE (Build 82)''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#teamCopyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.Copyright (C) 1998-2013 Sourcefire, Inc., et al.Using PCRE version: 8.10 2010-06-25Using ZLIB version: 1.2.11USAGE: snort.exe [-options] <filter options>snort.exe /SERVICE /INSTALL [-options] <filter options>snort.exe /SERVICE /UNINSTALLsnort.exe /SERVICE /SHOW
Options:-A         Set alert mode: fast, full, console, test or none  (alert file alerts only)-b         Log packets in tcpdump format (much faster!)-B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask-c <rules> Use Rules File <rules>-C         Print out payloads with character data only (no hex)-d         Dump the Application Layer-e         Display the second layer header info-E         Log alert messages to NT Eventlog. (Win32 only)-f         Turn off fflush() calls after binary log writes-F <bpf>   Read BPF filters from file <bpf>-G <0xid>  Log Identifier (to uniquely id events for multiple snorts)-h <hn>    Set home network = <hn>(for use with -l or -B, does NOT change $HOME_NET in IDS mode)-H         Make hash tables deterministic.-i <if>    Listen on interface <if>-I         Add Interface name to alert output-k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)-K <mode>  Logging mode (pcap[default],ascii,none)-l <ld>    Log to directory <ld>-L <file>  Log to this tcpdump file-n <cnt>   Exit after receiving <cnt> packets-N         Turn off logging (alerts still work)-O         Obfuscate the logged IP addresses-p         Disable promiscuous mode sniffing-P <snap>  Set explicit snaplen of packet (default: 1514)-q         Quiet. Don't show banner and status report-r <tf>    Read and process tcpdump file <tf>-R <id>    Include 'id' in snort_intf<id>.pid file name-s         Log alert messages to syslog-S <n=v>   Set rules file variable n equal to value v-T         Test and report on the current Snort configuration-U         Use UTC for timestamps-v         Be verbose-V         Show version number-W         Lists available interfaces. (Win32 only)-X         Dump the raw packet data starting at the link layer-x         Exit if Snort configuration problems occur-y         Include year in timestamp in the alert and log files-z <file>  Set the preproc_memstats file path and name-Z <file>  Set the performonitor preprocessor file path and name-?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version--logid <0xid>                  Same as -G--perfmon-file <file>           Same as -Z--pid-path <dir>                Specify the directory for the Snort PID file--snaplen <snap>                Same as -P--help                          Same as -?--version                       Same as -V--alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...--treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup--treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.--process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group--enable-inline-test            Enable Inline-Test Mode Operation--dynamic-engine-lib <file>     Load a dynamic detection engine--dynamic-engine-lib-dir <path> Load all dynamic engines from directory--dynamic-detection-lib <file>  Load a dynamic rules library--dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory--dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries--dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library--dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory--dynamic-output-lib <file>  Load a dynamic output library--dynamic-output-lib-dir <path> Load all dynamic output libraries from directory--pcap-single <tf>              Same as -r.--pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.--pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.--pcap-loop <count>             this option will read the pcaps specified on command line continuously.for <count> times.  A value of 0 will read until Snort is terminated.--pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.--pcap-show                     print a line saying what pcap is currently being read.--exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time ittakes from signaling until DAQ_Stop() is called.--conf-error-out                Same as -x--enable-mpls-multicast         Allow multicast MPLS--enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds--max-mpls-labelchain-len       Specify the max MPLS label chain--mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS--require-rule-sid              Require that all snort rules have SID specified.--daq <type>                    Select packet acquisition module (default is pcap).--daq-mode <mode>               Select the DAQ operating mode.--daq-var <name=value>          Specify extra DAQ configuration variable.--daq-dir <dir>                 Tell snort where to find desired DAQ.--daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.--dirty-pig                     Don't flush packets and release memory on shutdown.--cs-dir <dir>                  Directory to use for control socket.--ha-peer                       Activate live high-availability state sharing with peer.--ha-out <file>                 Write high-availability events to this file.--ha-in <file>                  Read high-availability events from this file on startup (warm-start).--suppress-config-log           Suppress configuration information output.