Download Snort Rules For Windows [Extra Quality]


Robustiano Dowell

Jan 25, 2024, 6:04:34 PM

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.




The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61060-61065. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300358-300360.

The issue I'm having is that when attempting to run Snort (snort.exe -v -I), it will capture nothing but I assume this is because I have not set an interface. After running snort.exe -W, I found the interface to use and specified this in the command line but I get the following error - ERROR: Can't set DAQ BPF filter to '2'.

I skipped past this error briefly to try and test Snort with -T and -c to specify the config file but it gives the following error - Missing/incorrect dynamic engine lib specifier. I located this line in the config file and changed it from /usr/local/snort_dynamicengine/libsf_engine.so to c:\Snort\lib\snort_dynamicengine\sf_engine.dll (the correct path and file name) but the error remains.

I know the answer is late, but still, I just ran into this issue and I think a valid answer should be provided. Anyway, the problem is based on paths: all of the paths in the snort.conf file are relative to Linux-specific locations. So that's problem number one. The second problem comes with Snort parsing whatever path you give it in the -c option and prepending it to all the rules paths (I know, weird); this should not happen if you (and most Windows users) use absolute paths. So the solution I came up with is:

Always use a proper text editor to edit a config file like this, because sometimes when you copy and paste code into Notepad and edit it, extra spaces get added to the text, which increases the byte count or alters the code statements. A good thing is that some editors provide proper line numbers, so you can easily navigate to the error shown by Snort in the command prompt.

leaving the code statement on the next line, which is not correct, and this will be read during execution of Snort because this IS NO LONGER A COMMENT, since you took it out of the comment section, which is marked with # (per line). This is due to white space added when you copy and paste code in some poor editors.

My snort invoking string (from a batch file) looks like this: snort.exe -A console -i 15 -c C:\snort\etc\snort.conf -l C:\snort\log -K pcap. -K pcap determines an output format which can be imported by Wireshark and, thus, further analysed. -i 15 is specific for my setting (15 = Wi-Fi) - check that out using snort.exe -W under Microsoft Windows and snort -w under Linux.

A lot of you won't like my advice, but please don't try Snort on Windows, as it led me down a rabbit hole of errors. On Windows these guys (the Snort company) didn't use the slash path properly, and I had to comment out many other things, and a lot of files and directories were missing too.

I have downloaded Snort rules from the website, but instead of getting a zipped folder, I get a single file which cannot be opened by Windows. I also tried using 7zip to extract the file, even though it's a single file, but it just replicates itself.

It's a gunzipped tar ball (tar.gz) (reference). You need to unzip it first; you can use 7-zip on Windows: just right-click on it, then > 7-zip > Open Archive. The archive will have a .tar file (community-rules.tar); just right-click on this and hit Open. This should create a folder "community-rules" with a few files inside. The rules file is the one called "community.rules"; all of the rules are in this file. If you open it with WordPad you should be able to see all of the rules.
