- at the command prompt start in c:\snort\bin (options)
- checking available interfaces c:\snort\bin snort -W example
- capturing and viewing packets: c:\snort\bin snort -dev (press Control-C to stop the capture) example
- capturing and saving in log file: c:\snort\bin snort -de -K ascii -l c:\snort\log examples: tcp arp
- log the Snort alert messages to the Windows Even Viewer, Applications c:\snort\bin snort -E - l c:\snort\log -c c:\snort\etc\snort.confsee example of running in IDS mode and events in Event viewer.
Modifying and creating rules
- creating rules: experts only, download updates and read them.
- modifying not a problem: typically many false positives are eliminatedexample: I got many false positives as “MISC UPnP malformed advertisement [Classification: Misc Attack] “ I looked for misc.rules and edited rule as follows:# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; In the example I just commented out the rule: added # in front of the line.