
Program: snort
Author: Martin Roesch <roesch@clark.net>
Win32 Development: Michael Davis <Mike@eEye.com>
Version: 1.6-WIN32

Some of the functions I used during the port were taken from WinDump.  The authors were contacted and were kind enough to
allow the code to be reused without any licensing implications.

Thanks to:

The WinDump developers including Fulvio Risso, Piero Viano, Loris Degioanni, Jordan Ritter, and Jason Bunyea.  Keep up the good work!

Installation Instructions:

1. Get the NDIS driver for your particular operating system from:

     http://netgroup-serv.polito.it/winpcap/install/Default.htm

2. Follow the instructions on how to install it.  Quick install:
   download driver, extract driver, go to Network Applet in Control
   Panel, click Add, select Protocol, click Have Disk, specify the
   location you extracted the NDIS driver to. Reboot.  I have found a
   bug on two 95 machines that will cause the NDIS driver not to be
   installed on all Adapters, which it should do by default.  To
   circumvent this bug reboot and add the NDIS driver again.

3. Run through the normal snort setup.  The snort-WIN32 binary is in the WIN32-prj\Release directory. 

Compilation Information:

You do have to do some include file tweaking to get snort to compile correctly.  I recommend using the binary unless you really need to edit the snort source code.

1. Download the winpcap sources from
   http://netgroup-serv.polito.it/winpcap/install/Default.htm

2. Unpack them and in the directory called win32-Include you need to
   edit a few files. Open IP.h in an editor and near the top add

     #include <netinet/in_systm.h>

   Next open ip_icmp.h and add the same line near the top of the
   file. Place all the include files that are in that directory
   into the VC++ include directory, which should be where Visual
   Studio is installed. Usually:

     C:\Program Files\Microsoft Visual Studio\Vc98\Include

3. Download WinDump source from

     http://netgroup-serv.polito.it/windump/install/Default.htm

   and extract it.  Go into the Win32-Include directory and copy
   getopt.h to your Visual Studio Include directory.

4. You need to make sure you have the NDIS Driver installed.  If you
   do not have it installed please install it.  You can download it
   from:

     http://netgroup-serv.polito.it/winpcap/install/Default.htm

5. You should now be able to compile the snort-win32 source code.

     Note:  There are a few warnings, just ignore them for now ;)

New Program Functionality:

   There is a new option '-L'.  This option will list all the interfaces installed on the system.  In snort-WIN32 you
   reference adapters by number not name.  The numbers range from 1 to 9, 0 and 10 are invalid digits.
   
   Furthermore, the default filenames have changed.  The alert file is now named alert.ids.  It has an extension because
   I wanted to associate a text editor with the file.  Also, the packet trace filenames have changed from TCP:63377-21 to
   TCP_63377-21.ids because you cannot use ':' in WIN32 for a filename and because I wanted to associate the file with a
   text editor.
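   The filename rewrite described above, as an added illustration that is not snort's own code: the UNIX-style trace
   name is mapped to a Win32-safe one by replacing every character Win32 forbids in a filename (not only ':') with '_'
   and appending ".ids". The function name win32_log_name and the bounded-buffer interface are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters Win32 does not allow in a file name; control characters
 * (0-31) are rejected separately below. */
static const char WIN32_BAD_CHARS[] = "<>:\"/\\|?*";

/* Build the snort-WIN32 trace file name from the UNIX-style one:
 * each forbidden character becomes '_' and ".ids" is appended, so
 * "TCP:63377-21" becomes "TCP_63377-21.ids".
 * Returns the length of the result, or -1 if it would not fit in out
 * (out is left untouched in that case). */
int win32_log_name(const char *unix_name, char *out, size_t outsz)
{
    static const char ext[] = ".ids";
    size_t len = strlen(unix_name);
    size_t i;

    if (len + sizeof(ext) > outsz)      /* sizeof(ext) includes the NUL */
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)unix_name[i];
        out[i] = (c < 32 || strchr(WIN32_BAD_CHARS, c) != NULL) ? '_' : (char)c;
    }
    memcpy(out + len, ext, sizeof(ext));  /* copies the NUL as well */
    return (int)(len + sizeof(ext) - 1);
}

int main(void)
{
    char name[64];

    /* Constructed sample: the trace name quoted in the README above. */
    if (win32_log_name("TCP:63377-21", name, sizeof(name)) < 0)
        return 1;
    printf("%s\n", name);
    return 0;
}
```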
   
   The syslog logging functionality has been modified so that if the program is run on Windows NT and you specify the -s
   argument, all messages that would go to a syslog daemon now go to the Event Log.  Martin mentioned that I should maybe
   make this functionality a module and not part of the WIN32 port.  What do you guys think?
   
Todo Items:
   With the release of LibnetNT I might make a binary available that has the response code working in it.
   Make a Daemon mode for NT by having snort run as a Service.
   GUI???
   
I believe that is it.  The rest of snort works just like the UNIX version.  I personally have had snort-win32 running for about 2 weeks on a production NT server.  It has not died yet.  It has detected nmap scans, SMB share accesses, everything.
   
Any questions or comments related to the WIN32 port of snort, please
email them to "Michael Davis" <Mike@eEye.com>.  Any questions or comments
related to snort itself, please email the author of snort, "Martin Roesch" <roesch@clark.net>.