   Blake Watts WIN32 God
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

November 14, 2002

I am planning to pick up my snort port again and help out the snort community. From various product reviews and articles I read and emails I receive everyday, too many people are finding it difficult to compile, configure, tune and manage snort. I wonder how many of those that have downloaded my snort win32 package actually set it up and use it? I get the feeling not enough.

So I am teaming up with joej, a guy I have worked with on a number of projects in the past, to simplify the whole snort process. joej has been doing some good development work, particularly with patching. You can see his work at

We will develop a couple of GPL packages to make snort more user friendly.

We will develop a configuration wizard with default set-up scripts to easily and quickly configure the system for your type of network and uses. We will also distribute precompiled binaries.

Then, we'll develop a robust management console - one that goes beyond ACID. This will likely be under a non-commercial license (i.e. if you are not a commercial entity you can use it 100% royalty free).

Third, we would like to see the rules a little more standardized. We think at a minimum we need to see a vulnerability identifier, such as CVE, associated with each rule. Even better, we want to automatically download and push the latest rules based on a policy set in the management console, so that updating and basic tuning would be a snap.

Lastly, we think people want their IDS to be even more efficient so we will try and help snort minimize false positives and have the ability to remediate the targeted vulnerability. joej tells me his "anti-vulnerability" technology can help with this.

You think these features would make snort easier and better to use? Shoot me an email at and let me know what you think.
February 5, 2001
After expanding RSN to the limits I have released snort-1.7-win32.

* Fixed a bug in which you could not specify the full path for a portscan log to be stored.
* Fixed a "Too many open handles to EventLog" problem.
* Complete rewrite of the snort port.
* -s now sends alerts/logs to a remote syslog server. -E is for EventLog.
* -W lists available interfaces.

Please note the last *. -E sends alerts to the EventLog. -s sends alerts to a remote syslog server.

Also, this release is not 1.7 exactly, but is a CVS from 2 days ago. This means it includes the Spade fixes and any other bug fixes that were in the CVS version.
You can download snort-1.7 from:
Standard snort-1.7-win32 Binary:
snort-1.7-win32 FlexRESP Binary:
snort-1.7-win32 MySQL Binary:
snort-1.7-win32 Source Code:

The snort-1.7-win32 source code now contains all versions of snort-win32 and contains all needed header files and libraries. Compilation should be as simple as running 'nmake' in the WIN32-PRJ directory because there is now a WIN32 Makefile present.

I think that covers it.

Any questions or comments please check the WIN32_FAQ located in all the above zip files and then email me.
October 21, 2000
I am releasing a beta of snort-1.6.3-patch2-win32 that has MySQL support compiled in.
[ Development Binary and Source ]
September 15, 2000
Xato Security Group released a front end for snort-win32.
[ Binary (Mirror) ]
September 6, 2000
Due to popular demand I am publicly releasing my Snort-1.6.3-flexresponse code. It uses my OWN version of LibnetNT DLL so you MUST USE THE DLL PROVIDED IN THE BINARY DIRECTORY. The source for the project is all messed up.
[ Development Binary and Source ]
July 23, 2000
Snort 1.6.3-WIN32 is available! You can download it here. Changes:
* Updated WIN32 port to the new 1.6.3 code base.
* Added the -s bug handling patch into rules.c
* snort actually starts Winsock now because it does a getprotobynumber() look up, which needs Winsock to be started. I only ask for Winsock 1.1. That should satisfy the masses. Everyone should use Winsock 2.0 though.
* Decided to add service code for the -D option in the next version. I mean it this time.
* Possibly fixed the problem reported on Windows Advanced Server in which you could not specify the adapter to bind to. I need people to test.
[ Binaries | Source ]
July 10, 2000
Snort is available! You can download it here. Changes:
* Updated WIN32 port to the new code base.
* Added the hack to release the console when going into Daemon mode. Temporary solution but a good one. Provided by Philip J Mayers <p.mayers at>. If anyone really wants Daemon mode then I will write it. I do not think many people do?
* Fixed sp_session.c so if in WIN32 it does not save the session information with a ':' in the filename.
* Fixed log.c so if in WIN32 snort does not try to open a filename with a ':' in the name. I had originally fixed this but made a typo. woops.
[ Binaries | Source ]
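The two sp_session.c and log.c fixes above come down to one portability rule: Windows does not allow ':' in a file name, so a session or packet log named after "SRCIP:SPORT-DSTIP:DPORT" cannot be created there. The following is an added example written for this page, not code from the Snort project or from the win32 port; it shows a small sanitizer that builds such a name and rewrites the characters the platform rejects. It generalizes beyond the page in two ways: it substitutes the whole set of characters Windows reserves in file names (`\ / : * ? " < > |`) rather than ':' alone, and it also strips control characters and '/' on POSIX. The replacement character '_' and the function names are assumptions made for the example; the port's own substitution is not stated on the page.

```c
#include <stdio.h>
#include <string.h>

/* Characters Windows forbids in a file-name component. The page only
 * mentions ':'; covering the full reserved set is this example's own
 * generalization. */
static const char WIN32_RESERVED[] = "\\/:*?\"<>|";

/* Substitute used for rejected characters: an assumption for this
 * example, not the port's documented choice. */
#define SAFE_CHAR '_'

/* Copy src into dst (capacity dst_len), replacing every character that is
 * illegal in a file name on the target platform: '/' and control
 * characters everywhere, plus the Windows reserved set when win32 != 0.
 * Returns the number of characters replaced, or -1 if dst is too small. */
int sanitize_filename(const char *src, char *dst, size_t dst_len, int win32)
{
    size_t n = strlen(src);
    int replaced = 0;

    if (n + 1 > dst_len)
        return -1;

    for (size_t i = 0; i < n; i++) {
        char c = src[i];
        int bad = (c == '/')
               || ((unsigned char)c < 0x20)
               || (win32 && strchr(WIN32_RESERVED, c) != NULL);
        if (bad) {
            dst[i] = SAFE_CHAR;
            replaced++;
        } else {
            dst[i] = c;
        }
    }
    dst[n] = '\0';
    return replaced;
}

/* Build a per-session file name of the form "SRCIP:SPORT-DSTIP:DPORT"
 * (the shape that trips Windows up) and sanitize it for the platform.
 * Returns the number of substitutions made, or -1 on error. */
int session_filename(const char *sip, unsigned sport,
                     const char *dip, unsigned dport,
                     char *dst, size_t dst_len, int win32)
{
    char raw[128];
    int w = snprintf(raw, sizeof raw, "%s:%u-%s:%u", sip, sport, dip, dport);

    if (w < 0 || (size_t)w >= sizeof raw)
        return -1;
    return sanitize_filename(raw, dst, dst_len, win32);
}

int main(void)
{
    /* Constructed sample session; shows the same name on both platforms. */
    char name[128];
    session_filename("10.0.0.1", 1234, "10.0.0.2", 80, name, sizeof name, 0);
    printf("posix: %s\n", name);
    session_filename("10.0.0.1", 1234, "10.0.0.2", 80, name, sizeof name, 1);
    printf("win32: %s\n", name);
    return 0;
}
```

The win32 flag is passed explicitly rather than decided by `#ifdef _WIN32` so the same build can be tested for both behaviours; in a real logger you would set it once from the platform macro. Note that the sanitizer only makes a single name component safe; it does not validate the directory the name is joined to.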
July 4, 2000
There will be another release of snort for win32 when snort 1.6.1 is available. Included in the release will be a few bugfixes and a quick hack to do daemon mode. Check back here frequently.
June 6, 2000
I have finished the WIN32 port of snort. You need the winpcap NDIS driver installed to use it.
[ Binaries | Source ]