Free Network Intrusion Detection & Prevention System for Windows PC

Snort

Snort

  -  3.2 MB  -  Open Source
  • Latest Version

    Snort 3.5.2.0 LATEST

  • Review by

    Daniel Leblanc

  • Operating System

    Windows 7 64 / Windows 8 64 / Windows 10 64 / Windows 11

  • User Rating

    Click to vote
  • Author / Product

    Cisco Systems, Inc. / External Link

  • Filename

    snort3-3.5.2.0.tar.gz

Snort is an advanced network monitoring tool that can allow seasoned PC users with a wide array of security and network-intrusion detection and prevention tools for protecting home PCs, networks, and network usage of standalone apps.

It comes bundled with a wide array of rule-based procedures that quickly and reliably can detect abnormal usages of network bandwidth and help you detect intrusions and suspicious packet traffic coming from both inside and outside your local network. Because of its lightweight package, reliable usage, and proven results, ithas become one of the most widely IDS / IPS software applications, used regularly by advanced PC users, networking managers and security experts from all around the world.

Cisco Snort for Windows 11/10 is capable of easily detecting anomalous packet usage by running real-time diagnostics on your networking traffic, using highly sophisticated anomaly-based scanning and detection of particular database signatures. It provides not only real-time alerts but also fully-featured analytics.

For proper integration into your local network, before starting using Snort on your PC you first need to install WinPcap, a popular application for unlocking direct packet access and an ability to read raw network data without any overhead.

The app is most commonly used as a real-time traffic monitoring tool, packet tracker/sniffer, TCP/IP packet logger, security tool, intrusion detector, network analyzing tool, and one early-warning alarm for new and undiscovered network events, exploits and vulnerabilities.

Installation

Because of its enterprise-focus and the requirement of having low-level access to network monitoring, It does not feature a flashy user interface. It comes in a small sub-5 MB installation package that installs the application on your local hard drive quickly. To access the app, you first need to open your CMD (DOS-like) interface and load the app manually. Upon the first use, we recommend loading up the help listing of all available commands by simply typing “snort.exe -h” in your CMD line.

To successfully take full advantage of Snort’s capabilities, you will need to learn to use these commands lines and let them help you detect any anomalous network traffic usage.

Get Started

Download and install the source code

git clone https://github.com/snort3/snort3.git

There are separate extras packages for cmake that provide additional features and demonstrate how to build plugins.

Sign up and get your Oinkcode - a unique identifier that must be entered into your Snort instance that will automatically pull in Snort rules. All users have access to the Registered Rule Set. In order to get the latest detections (Subscriber Rule Set) you can upgrade your subscription at any time.

Highlights
  • World-renowned network intrusion, prevention, and detection tool.
  • Real-time analysis of networking traffic and sent packets.
  • Rule-based traffic analysis and logging.
  • One of the most deployed IDS / IPS software in the world.
  • Supports packet recording into directory or database (MySQL, Oracle, Microsoft SQL Server, and ODBC)
  • Lightweight and fast.
  • Reliable and flexible.
  • Optimized for all versions of Windows OS.
  • 100% FREE!
Features

Real-time Packet Analysis: It captures and analyzes network packets as they traverse your network, allowing it to detect threats as they occur.

Extensive Rule-Based Detection: It relies on a vast library of pre-defined rules to identify known and emerging threats. Users can also create custom rules to suit their specific security needs.

Protocol Support: It supports a wide range of network protocols, including TCP/IP, HTTP, FTP, DNS, and more, making it highly adaptable to diverse network environments.

Logging and Alerting: It logs detected threats and can send alerts via email, syslog, or other custom actions, ensuring that administrators are promptly notified of potential security incidents.

Advanced Threat Detection: Snort's flexibility allows for advanced detection techniques, such as anomaly-based detection, which can help identify previously unknown threats.

Community and Commercial Versions: It offers both a free community version and a commercial version called "Snort Subscriber Rule Set," which provides more comprehensive protection with regularly updated rules.

User Interface

It primarily operates through the command-line interface (CLI), which may require some familiarity with Linux or Unix-like systems. Additionally, users can leverage various graphical front-ends and third-party management tools to simplify configuration and monitoring. While the CLI is powerful, a more user-friendly graphical interface would be a welcome addition for less experienced users.

How to Use
  • Install Snort on your chosen Linux distribution following the provided documentation.
  • Configure network interfaces that Snort will monitor and analyze.
  • Create or download rule sets tailored to your network's security requirements.
  • Start Snort with the chosen configuration.
  • Monitor alerts and logs generated by Snort to identify potential threats.
  • Regularly update rule sets to stay protected against new threats.
FAQ

Is Snort suitable for both small and large networks?
Yes, Snort is scalable and can be configured to protect networks of all sizes, from small home networks to large enterprise environments.

How often are Snort's detection rules updated?
Snort's community rules are updated frequently, while the Snort Subscriber Rule Set is updated even more regularly, ensuring up-to-date threat detection.

Can I use Snort on Windows?
While Snort is primarily designed for Unix-like systems, there are Windows ports available, although the Linux-based version is more commonly used.

Does Snort offer any form of real-time reporting or visualization?
Snort itself focuses on detection and alerting. Users often integrate it with other tools, such as SIEM (Security Information and Event Management) solutions, for advanced reporting and visualization.

Is Snort easy to learn for someone without extensive IT experience?
It may have a learning curve for newcomers, but resources like tutorials and community support can help users get started.

Alternatives

Suricata: An open-source NIDS similar to this app with support for multi-threading and a user-friendly interface.

Zeek (formerly Bro): Another powerful open-source network analysis framework with scripting capabilities.

Security Onion: A full-fledged security monitoring distribution based on Ubuntu that includes Snort, Suricata, and other essential tools.

Pricing

It offers a free community version with extensive features. For more advanced features and commercial support, the Subscriber Rule Set is available at various pricing tiers based on network size and needs. Pricing details can be found on the official Cisco website.

System Requirements
  • Operating System: Windows, Linux or Unix-like system (e.g., Ubuntu, CentOS)
  • CPU: 2 GHz or higher
  • RAM: 2 GB or more
  • Storage: 20 GB or more for rule sets and logs
  • Network Interfaces: One or more interfaces for monitoring traffic
PROS
  • Effective intrusion detection with a wide range of detection methods.
  • Extensive rule library for detecting known threats.
  • Scalable for networks of all sizes.
  • Active community support and regular rule updates.
  • Offers both a free community version and a commercial subscription.
CONS
  • Command-line interface may be intimidating for beginners.
  • Installation and initial setup can be complex.
  • Lacks built-in real-time reporting and visualization tools.
  • Custom rule creation requires a good understanding of network protocols.
  • The commercial version may be costly for larger enterprises.
Conclusion

Cisco Snort is a powerful and versatile open-source network intrusion detection system that excels at identifying and mitigating security threats. Its extensive rule library and active community support make it a valuable addition to any network security strategy.

While it may require some technical expertise to set up and use effectively, the benefits in terms of enhanced network security and threat detection are well worth the effort. Consider using Snort in conjunction with other security tools and monitoring solutions to create a robust defense against cyber threats.

Note: Requires WinPcap.

What's new in this version:

Snort 3.5.2.0
Dependencies:
- Same as 3.5.1.0

Changes in this release since 3.5.1.0:
- decompress: handle ZIP central directory
- doc: add extractor logging feature
- extractor: add ftp service implementation
- extractor: add imaginary transaction event to FTP
- extractor: add user field
- extractor: enable logging for FTP aggregated event
- extractor: event handlers subscribe by themselves
- extractor: fix memory management
- extractor: include type support header explicitly
- extractor: introduce flow data
- extractor: log on last response
- extractor: move extractor event out of snort namespace
- extractor: refactor code
- extractor: update dev_notes.txt
- file_api: add helper methods to unset filename and reset sha
- ftp: reset cmd_size when reset cmd_str
- sip: parse all the SIP methods defined
- stream_tcp: initialize the daq_instance field in the Packet instance allocated for a meta-ack to the value from the wire packet
- thread: get_relative_instance_number now zero-based


Snort 3.5.1.0
Dependencies:
- Same as 3.5.0.0

Changes in this release since 3.5.0.0:
- appid: add new api to check if service is over quic
- appid: add tls_version capture in appid_session
- appid: implement an API that allows users to specify values for data items used in lua detectors
- appid: unit-test added for is_service_over_quic
- doc: add details regarding RTN evaluation
- flow: new allowlist LRU
- http2_inspect: handle multiple cookie header fields
- js_norm: add cross-PDU PDF token reassembly
- side_channel: fix compiler warning in side channel formatting test
- smtp: fixing the processing of SMTP response in case of encrypted traffic
- stream: add thread instance number to dump_flows control command output
- stream_tcp: pass tracker and seglist to TcpReassembler* as refs, define dummy tracker & seglist for use by TcpReassemblerIgnore
- stream_tcp: when queue limit thresholds are exceeded in IDS mode on asymmetric connections only skip a hole at the beginning of the seglist before flushing


Snort 3.5.0
Dependencies:
- Libdaq v3.0.17

Changes in this release since 3.4.0.0:
- connectors: fix tsan warning in tcp connector
- framework: update connector interface
- main: move connectors initialization from SideChannel
- managers: update connector manager

Changes in this release since 3.3.7.0:
- appid: reading and loading only required lua detectors for regtests
- extractor: add support for body length, info_code/msg, filename, proxied
- file_api,http_inspect: extract and set hostname for file processing
- ftp_telnet: add filename for ftp file processing
- ips: ignore proto when service supersedes ports
- js_norm: allow processing complex nested PDF objects
- main: change help command to print in alphabetical order
- main: implement function to grab relative process id
- main: suppress cppcheck issue
- packet_io: set the flow state to block when forcing the session block
- perf_monitor,latency: avoid data race when latency is enabled during flow ip profiling
- pub_sub: add request and response FTP events
- snort: bump minor version for MPSE API change
- snort, search_engine: remove --dump-rule-databases
- stream: recheck flow eligibility if session times out
- stream_tcp: implement flush on asymmetric flows in IDS mode when queued bytes exceeds configure threshold
- stream_tcp: implement ignore flush policy reassembler as a singleton to improve performance,
- stream_tcp: move require_3whs to stream to avoid undesired flow creation
- stream_tcp: streamline allocation and release of reassemblers, tweak ips flush_on_data process
- tcp_pdu: new inspector for simple length based flushing


Snort 3.3.7
- appid: dns sinkhole support for edns
- appid: early SSH detection brute-force fix
- appid: fixes for one definiton rule violation
- binder: change binding to have single service
- extractor: flush data on unlocking a writer
- extractor: notify handler whether it is a fixed-width formatting
- extractor: refactor data pipe between an inspector and extractor's logger
- extractor: rewrite std writer to use text_log utility
- extractor: update logger with an internal set of fields for logging
- ftp_telnet: adding fallback functionality for ftp
- http2_inspect: add IPS options for frame header and data
- memory: add shell commands for jemalloc heap profiling
- process: skip vDSO frame on aarch64
- ssh: added abort session in streamsplitter
- stream: fix to dump all flows
- stream_tcp: add assert to verify configured normalizer policy is valid
- stream_tcp: do not overwrite global normalizer policy config option when proxy mode is enabled


Snort 3.3.5
Dependencies:
- No new dependencies

Changes in this release since 3.3.4.0:
- appid: added new logs for reload third party
- extractor: add field name to logging function
- extractor: add json logger
- extractor: add unit tests for enum types
- extractor: fix guard-macro names
- extractor: fix local variable
- extractor: mention a field in initialization list
- extractor: remove unused headers
- extractor: take a note of FIXIT-P in key points
- file_api: set file name for file processing
- http_inspect: when cutting chunks check for MAX_OCTETS too
- packet_tracer: add tcp window size, options and meta-ack info


Snort 3.3.4
- appid: notify binder on service change
- appid: replaced hsessions vector of raw pointers into vector of smart pointers
- ftp_telnet: refactoring ftp-data
- latency, dce, stream_ip: fix max pegs incorrectly declared sum
- telnet: avoid flush when cr or lf is between commands


Snort 3.3.3
- control: code cleanup
- control: handle control commands after packet threads are fully initialised
- daq: add outstanding packets counter
- extractor: add flow hash key
- file_api: max depth is set as part of initial config
- file: remove unused variable in FileFlows destructor
- filters: update dev_notes.txt with details for event_filter
- flow: optimize timeout handling for different packet type
- http_inspect: add peg counts for gzip, known-not-supported, and unknown
- http_inspect: log normalized URI in extra data
- ips_options: separate main thread pcre counts from packet threads stats
- memory: account memory for profiler only when packet thread is involved
- src: resolve various warnings
- stream_tcp: make sure ports are correctly swapped when filling a meta-ACK packet


Snort 3.3.2
Dependencies:
- Libdaq: v3.0.15
- Libml: 1.1.0 (Optional)

Changed:
- appid: fixing cpp warnings and cosmetic changes for appid cpu profiler
- appid: removing trailing whitespaces
- daq: added outstanding packets counter
- doc: builtin rule documentation updates
- flow: added compile-time option to disable tenant_id
- flow: clear deferred trust after the flow is trusted to stop repeated trusting
- js_norm: address pdf tokenizer issues
- kaizen: fix verbose mode output for unlimited options
- main: fix coverage
- sip: fallback functionality for sip inspector
- stream: refactor paf logic into a c++ class
- stream_tcp: delete lws_init, it was redundant with tcp_init; delete FIXITs that are no longer relevant
- stream_tcp: improve variable and function names for overlap processing
- stream_tcp: integrate and streamline setting of flush policy and splitter
- stream_tcp: merge TcpStreamSession into TcpSession
- stream_tcp: refactor segment nodes to implement reassembly cursor and eliminate tracking variables
- stream_tcp: refactor TcpReassembler into a virtual base class and subclasses for each mode: ignore, IPS and IDS
- stream_tcp: refactor to move alert functions to their own class
- stream_tcp: refactor to move tcp overlap processing out of reassembly class


Snort 3.3.1
- appid: restructure the appid code to make it easier to follow and maintain
- appid: updating appid cpu profiler cli
- dce_rpc: correct the session counters post the upgrade to smb v2 from v1
- detection: include OPT_TREE traces in release build
- detection: make print of fast pattern as a trace module
- extractor: support trans_depth, origin and referrer fields
- file: fixing file context reuse
- flow: clear flow stash when freeing the flow data
- flow: handle significant groups with unknown group value as non-group flow keys
- http_inspect: add origin header
- parser: do not skip symbols while expanding variables
- perf_monitor: introducing new parameters for ip flow profiling
- stream_tcp: move prev_norm object from TcpNormalizer to TcpNormalizerState
- stream_tcp: set daq_msg field in meta-ack pseudo-packet header to the value from the wire packet.
- stream_tcp: support tracing without compilation flags
- wizard: expand MMS curse


Snort 3.3.0
- appid: display rows limit of table and totals
- appid: using different api for picking appids for appid cpu profiler
- build: bump version to 3.2.0
- codecs: add handling of NDP types
- dns: set Flow timeout after getting DNS response
- extractor: add protocol logging for HTTP
- framework: add new Cursor Action Type
- http_inspect: set CAT_SET_SUB_SECTION for buffer with a sub-selector configured
- js_norm: fix prerequisites for FlexLexer includes
- main: add CLI command to show snort cpu percentage
- stream_tcp: use default size atomsplitter on fallback
- utils: remove duplication of definition


Snort 3.2.2
Dependencies:
- Libdaq: v3.0.15

Changes in this release since 3.2.1.0:
- appid: appid cpu profiler max columns
- appid: re-enabling appid cpu profiler making it thread safe
- appid: store and retrieve only SNI in AppIdSession
- appid: updating file_magic.rules with some new file types added to the VDB
- dce_smb: do not prune from LRU cache during file tracker update
- doc: fix formatting in dev_notes.txt
- flow: add the newly-created flow to p->flow to avoid segv
- js_norm: stop PDF processing on syntax error
- main: apply loaded configuration only once
- packet_capture: make sure packet_capture executed before detection
- service_inspectors: fix get_buf handling
- sip: flow clean-up based on lina configured timeout
- src: remove repetitive words. Thanks @gopherorg for finding those typos
- src: udpate to resolve new issues
- stream_tcp: don't attempt to verify or process keep-alive probes with data
- stream_tcp: fix infinite recursion cases. Thanks to scloder-ut-iso for helping with debug information that uncovered a case of infinite recursion
- utils: add explicit include


Snort 3.1.84
- appid: enhanced appid config parsing
- appid: remove locks from peg counts
- appid: separate main thread and packet thread appid_pub_id
- dce_smb: fixing an ASAN memory corruption issue
- detection: handle policy changes in continuation
- framework: add correct cast from double to unsigned
- http_inspect: add file_data to buffer list
- packet_capture: include cstdint in a header file
- xhash: fixed typo


Snort 3.1.83
- detection: use correct packet in trace logs
- doc: add libml to optional dependencies
- flow: add filter to dump flows
- flow: fix UT
- hash: exception handling for random device
- packet_capture: fixed wrong dlt in pcap header when nfq is used
- stream: count retransmits when we disable content rules
- trace: replace colon delimiter for tenant with whitespace in the trace_logger output


Snort 3.1.82
Optional dependencies:
- To use Snort ML(snort_ml inspector), please download libML and Snort Rules (Talos_LightSPD) from version 2024-03-13-001 onwards

Changed:
- appid: broadcast commands with ctrlcon
- appid: change eve pattern matching logic
- appid: replaced warning log with logging api for CBD
- file_api: do not clear the file capture and user file data pointers when updating the verdict from the cache
- filters: updated dyn array with vector
- flow: updated flow_data linklist with STL container
- framework: validate parameter of number type in a string form
- kaizen: rename to Snort ML
- main: clear lua stack when registering commands in a shell
- main: reset main-thread stats from the main thread
- main: update limits help
- packet_capture: add packet capturing per tenant
- sfip: remove references to unused mode feature
- sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload
- smb: fix for improper session cache destruction in tterm during config reload
- snort2lua: change deprecated use of ptr_fn to lambda
- stats: fix timing stats
- stats: perf improvement changes
- stream: remove splitter from session before inspectors
- stream_tcp: add reasons for drops due to trims
- stream_tcp: implement support for proxy mode normalization behavior
- stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts
- trace: add tenants logging


Snort 3.1.81
- appid: check tenant_match() if required
- appid: log error message instead of fatal error if appid stats logfile is not accessible
- appid: Lowering max packet count before service fail
- control: Adds counting to ctrlcon blocked to allow for nested commands
- detection: add c'tors, use new instead of snort_calloc
- detection: copy ip var name in dup_rtn
- flow: added ips event suppression flags
- host_cache: fixed update_stats to remove race_condition
- http_inspect: recreate JSNorm if reload takes place inside transaction
- ips_context: add lazy-allocation of alt buffer
- kaizen: provide an option to enable Kaizen's mock
- kaizen: remove redundant semicolon and add explicit cast
- kaizen: rename modules
- lua: improve spell of wizard for HTTP
- memory: prevent data race between main and packet threads
- service_inspectors: add check for JSNorm config actuality
- stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments
- stream_tcp: add check to verify seglist head is not nullptr and only initialize PAF when it is not
- utils: add macro for setting thread name


Snort 3.1.78
- appid: print odp version and odp detector count on startup
- copyright: update year to 2024
- doc: update arg list for "generate_builtin.sh". Add parity to "generate_" scripts arg list
- main: fix inconsistent lua variables assignment
- parser: fix --dump-rule-meta for negated ports


Snort 3.1.77
- appid: add http3 to the list of ssl protocols as http3 will always be inside quic and encrypted
- appid: do not delete hsession for http3
- appid: fix coverity issues
- appid: lua logging doc update
- build: arm compilation support
- catch: add boost software license for catch.hpp
- detection: adjust built-in GID range to 40-999
- detection: collect matched buffers on IpsContext
- flow: add tenant ID to FlowKey
- host_cache: fix race condition on peg counts
- http_inspect: publish HTTP/1 request bodies, track MIME boundary
- main: fix reload_id data race
- parser: add CWD to conf search order
- profiler: change time tracking for "rule_time (%)" field in rule_profiler output
- profiler: dump memory profiler stats at frequent interval
- pub_sub: add get_client_body and is_mime methods
- ssl: stopping inspection once client or server app packet is found
- utils: add get_file_size


3.1.76.0
- appid: added missed cppcheck warning
- appid: adding support for memory profiling of third party lib
- appid: additional check for lua logging
- appid: fixing coverity issues
- dns: fix parsing 'additionals' section in dns response
- flow_cache: added new protocol base counters
- pegs: make add_peg_count and set_peg_count protected to be available for the derived class
- perf_mon: fix variable name issue reported by cppcheck