Open-source IDS Snort (Windows edition)

Snort-IPS-on-Windows-main resource (CSDN Library)

GitHub - eldoktor1/Snort-IPS-on-Windows: A comprehensive guide to installing and configuring Snort IPS on Windows, ensuring robust network security

Extract the archive and install the two packages in this order:

npcap-1.75.exe

Snort_2_9_20_Installer.x64.exe

After installation, open cmd and list the capture interfaces:

C:\Snort\bin>snort.exe -W

Find which network adapter is currently in use.

Change the number after -i to the index of the physical adapter that is in use (7 in the commands below); -h sets the home network and -l / -K choose the log directory and ASCII log format:

C:\Snort\bin>snort.exe -dve -i7 -h 192.168.1.0/24 -l c:\Snort\log -K ascii

C:\Snort\bin>snort.exe -dve -i7 -h 192.168.1.0/24 > c:\Snort\log\192.168.1.024.log
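The step above (run `snort.exe -W`, find the adapter in use, put its index after `-i`) is easy to get wrong on a host with several NPF devices, so here is a small helper that does the lookup and assembles the same packet-logger command the article uses. This is an added example, not code from the article or from the Snort project. It assumes Snort 2.9 at C:\Snort\bin\snort.exe (the path the article uses), that `snort.exe -W` prints the five-column table whose header the article shows, and that "the adapter in use" is the one holding the address Windows would route Internet traffic from; the `-W` table rows embedded below are constructed for the example. Note that `-dve` is packet-logger mode: no rules are loaded, so this command records traffic but detects nothing; detection requires `-c <snort.conf>` (the `-c <rules>` option in the help text later on this page).

```python
r"""Choose the `-i` index for snort.exe automatically and build the
packet-logger command from the article.

Added example; not code from the article or from the Snort project.
Assumptions (not stated in the article): Snort 2.9 lives at
C:\Snort\bin\snort.exe, `snort.exe -W` prints the five-column table whose
header the article shows, and the "adapter in use" is the one holding the
address Windows would route Internet traffic from.
"""
import re
import socket
import subprocess
from dataclasses import dataclass

SNORT_EXE = r"C:\Snort\bin\snort.exe"   # path used throughout the article


@dataclass
class Iface:
    index: int
    mac: str
    ip: str
    device: str
    description: str


# One data row of `snort.exe -W`: Index, Physical Address, IP Address,
# Device Name (\Device\NPF_{...}, as in the article's output), Description.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+"
    r"([0-9A-Fa-f:]{17})\s+"
    r"(\S+)\s+"
    r"(\\Device\\NPF_\{[^}]+\})\s*"
    r"(.*)$"
)

# Constructed sample of `snort.exe -W` output (the article did not reproduce
# its own table rows); the GUID on row 7 is the one the article's capture used.
SAMPLE_W_OUTPUT = r"""
Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------
    1   00:00:00:00:00:00       disabled        \Device\NPF_{11111111-2222-3333-4444-555555555555}  WAN Miniport (constructed)
    7   00:0C:29:3A:4B:5C       192.168.1.23    \Device\NPF_{AAD821DC-6F1F-4814-87A2-0D2EA49E304F}  Intel(R) Ethernet (constructed)
"""


def parse_interfaces(text: str) -> list[Iface]:
    """Return every adapter row found in `snort.exe -W` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Iface(int(m.group(1)), m.group(2).upper(),
                              m.group(3), m.group(4), m.group(5).strip()))
    return rows


def outbound_ip() -> str:
    """Local address Windows picks for Internet-bound traffic.
    A UDP connect() only performs the route lookup; no packet is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect(("192.0.2.1", 53))   # TEST-NET-1 address, never reached
        return s.getsockname()[0]


def choose_index(ifaces: list[Iface], ip: str) -> int:
    """Map the in-use address back to the Snort interface index."""
    for i in ifaces:
        if i.ip == ip:
            return i.index
    raise LookupError(f"no Snort interface reports address {ip}; "
                      "run snort.exe -W and pick the index by hand")


def logger_command(index: int, home_net: str, log_dir: str) -> list[str]:
    """Packet-logger mode exactly as the article runs it (-dve, ASCII logs).
    No rules are loaded; detection needs -c <snort.conf> instead."""
    return [SNORT_EXE, "-dve", f"-i{index}", "-h", home_net,
            "-l", log_dir, "-K", "ascii"]


def main() -> None:
    out = subprocess.run([SNORT_EXE, "-W"], capture_output=True,
                         text=True, check=False).stdout
    idx = choose_index(parse_interfaces(out), outbound_ip())
    cmd = logger_command(idx, "192.168.1.0/24", r"c:\Snort\log")
    print("running:", subprocess.list2cmdline(cmd))
    subprocess.run(cmd, check=False)   # Ctrl+C stops the capture


if __name__ == "__main__":
    main()
```

Run it from an elevated prompt on the Windows host; if the address lookup finds no matching row (for example a VPN adapter owns the default route), it stops with a LookupError rather than guessing an index.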

C:\Snort\bin>snort.exe -W

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20-WIN64 GRE (Build 82)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.11

Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------

C:\Snort\bin>snort.exe -ev -i7
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{AAD821DC-6F1F-4814-87A2-0D2EA49E304F}".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20-WIN64 GRE (Build 82)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.11

Commencing packet processing (pid=960)
WARNING: No preprocessors configured for policy 0.
===============================================================================
Run time for packet processing was 3.69000 seconds
Snort processed 46 packets.
Snort ran for 0 days 0 hours 0 minutes 3 seconds
   Pkts/sec:           15
===============================================================================
Packet I/O Totals:
   Received:           69
   Analyzed:           46 ( 66.667%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:           23 ( 33.333%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:           46 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           45 ( 97.826%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            1 (  2.174%)
        TCP:           44 ( 95.652%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            1 (  2.174%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:           23 ( 50.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:           46
===============================================================================
Memory Statistics for File at:Mon Sep 23 09:11:25 2024
Total buffers allocated:           0
Total buffers freed:               0
Total buffers released:            0
Total file mempool:                0
Total allocated file mempool:      0
Total freed file mempool:          0
Total released file mempool:       0

Heap Statistics of file:
Total Statistics:
Memory in use:              0 bytes
No of allocs:              0
No of frees:              0
===============================================================================
Snort exiting
Help text (on Windows, -h expects a home-network argument, so this invocation prints the usage):

C:\Snort\bin>snort.exe -h
snort.exe: option requires an argument -- h

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.20-WIN64 GRE (Build 82)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.11

USAGE: snort.exe [-options] <filter options>
       snort.exe /SERVICE /INSTALL [-options] <filter options>
       snort.exe /SERVICE /UNINSTALL
       snort.exe /SERVICE /SHOW
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -e         Display the second layer header info
        -E         Log alert messages to NT Eventlog. (Win32 only)
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Set home network = <hn>
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -T         Test and report on the current Snort configuration
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -W         Lists available interfaces. (Win32 only)
        -X         Dump the raw packet data starting at the link layer
        -x         Exit if Snort configuration problems occur
        -y         Include year in timestamp in the alert and log files
        -z <file>  Set the preproc_memstats file path and name
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
        --logid <0xid>                  Same as -G
        --perfmon-file <file>           Same as -Z
        --pid-path <dir>                Specify the directory for the Snort PID file
        --snaplen <snap>                Same as -P
        --help                          Same as -?
        --version                       Same as -V
        --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
        --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup
        --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.
        --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
        --enable-inline-test            Enable Inline-Test Mode Operation
        --dynamic-engine-lib <file>     Load a dynamic detection engine
        --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
        --dynamic-detection-lib <file>  Load a dynamic rules library
        --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
        --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
        --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
        --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
        --dynamic-output-lib <file>  Load a dynamic output library
        --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
        --pcap-single <tf>              Same as -r.
        --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
        --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
        --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
                                        for <count> times.  A value of 0 will read until Snort is terminated.
        --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
        --pcap-show                     print a line saying what pcap is currently being read.
        --exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
                                        takes from signaling until DAQ_Stop() is called.
        --conf-error-out                Same as -x
        --enable-mpls-multicast         Allow multicast MPLS
        --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
        --max-mpls-labelchain-len       Specify the max MPLS label chain
        --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
        --require-rule-sid              Require that all snort rules have SID specified.
        --daq <type>                    Select packet acquisition module (default is pcap).
        --daq-mode <mode>               Select the DAQ operating mode.
        --daq-var <name=value>          Specify extra DAQ configuration variable.
        --daq-dir <dir>                 Tell snort where to find desired DAQ.
        --daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.
        --dirty-pig                     Don't flush packets and release memory on shutdown.
        --cs-dir <dir>                  Directory to use for control socket.
        --ha-peer                       Activate live high-availability state sharing with peer.
        --ha-out <file>                 Write high-availability events to this file.
        --ha-in <file>                  Read high-availability events from this file on startup (warm-start).
        --suppress-config-log           Suppress configuration information output.
