Here are the steps you should perform when installing Snort for the first time. Don't overlook the resources and reading materials that will help you understand and get the most from this handy utility.
- Download and read the Snort user’s manual and FAQ (http://www.snort.org). Learn what each command-line parameter, preprocessor, and plugin does; understand the Snort configuration file; and know how to analyze the output that Snort creates.
- Download and read Snort Help documents available on the Internet. Try searching http://www.secadministrator.com and http://www.sans.org for relevant information, as well as performing a few search-engine searches.
- Decide what you want to do with Snort (e.g., packet sniffing, network intrusion detection).
- Decide where you want to install Snort.
- Decide how you want to track Snort's output (e.g., ASCII log files, MySQL, syslog).
- Download and install Silicon Defense’s installer file (swIb10.exe) from http://www.silicondefense.com.
- Download the most current rule sets from http://www.snort.org and other sources? and place them in Snort's rules folder.
- Double-click the IDScenter icon on the desktop, then right-click the IDScenter system tray icon and choose Settings.
- Click Test configuration to test the default installation for errors.
- Configure Snort’s main settings by reviewing each IDScenter area and making any needed changes. Save and test the configuration often between configuration changes.
- Be sure to turn on and off rule sets as needed in your environment.
- To test logging and alerting, create a test rule that any type of TCP traffic will activate, such as
alert tcp any any -> any any (msg: "Test rule-TCP Traffic detected";)Open a TCP session on a monitored machine to create traffic for Snort to sniff (e.g., open an Internet browser session to any external host site), then check the log directory and alert log for activity.
- Consider subscribing to Snort mailing lists to stay up-to-date on the latest Snort versions and bug fixes.