One of the goals of any security conscious network administrator is to keep intruders off your network. You should be able to accomplish this goal through good security practices, such as restrictive policies and frequent software updates. If an intruder ever does manage to slip past your security though, you need to know about it. This is where an intrusion detection system (IDS) comes into play. An IDS alerts you when someone has penetrated your defenses (or in some cases when someone is attempting to penetrate your defenses).
Fortunately, you don't have to pay big bucks for an IDS. Snort is an open source IDS that you can download for free. Best of all, there is a Windows version available for those of us who don't use Linux. By implementing Snort, you can keep much better tabs on your network's security. In this article I'll show you how to download, install, configure, and run Snort.
Snort is available from the company's download center. The program is primarily intended to run in a UNIX/Linux environment, but there is a precompiled Windows build available on the site. You can find it in the binaries section of the Web site. The download consists of a 1.94-MB self-extracting executable file.
Download Snort to an empty folder on your hard disk and then double-click on the SNORT-2_1_3.EXE file that you've downloaded. When you do, you may see a security warning stating that the file's publisher could not be verified. Click the Run button to tell the program it is OK to run this file. When you do, you'll see the software's license agreement displayed. Click the I Agree button to accept the license agreement.
At this point, the software will ask you which type of database you plan to use for logging intrusion detection information. Snort has built-in support for MySQL and ODBC databases. There is also an option to log the information to a SQL server, but to use this option, the machine on which you are installing Snort must already have the SQL Server client software installed. The final option on this screen is logging to an Oracle database. Again, if you want to use this option, your computer must already have the Oracle client software installed. Make your selection and click the Next button to continue.
The next screen asks you which components you would like to install. Obviously you'll want to install the Snort component, since it contains the core intruder detection application. You'll also have the option of installing the documentation and a module called Contrib. The Contrib module is a collection of user-contributed add-on modules for Snort. I recommend installing all available modules, since a full-blown installation only consumes 8.7 MB of hard disk space.
Click the Next button and you'll be asked for the destination folder that you would like to install Snort into. Make your selection, click Install, and the Setup program will begin copying all of the necessary files. When the file copy process completes, click Close. When you do, you'll see a message stating that Snort has been installed successfully. Before you get too excited, though, read the rest of the message. It indicates that there are a couple of other components that you'll have to download and install.
One of those modules is WinPcap version 2.3. You can download this module from the WinPcap Web site. WinPcap is basically a network sniffer—it performs the packet capturing necessary for intruder detection to work. Although Snort requires WinPcap 2.3, I recommend downloading version 3.0 since it is the most recent.
The download consists of a 430-KB self-extracting executable file. This file contains the WinPcap setup program, the driver, and the necessary DLL files. To install WinPcap, download it to an empty folder and then double-click the WinPcap_3_0.exe file. When you do, you may see a Windows Security Warning screen indicating that the software's publisher could not be verified. Ignore this warning and click the Run button.
At this point, Windows will launch the WinPcap 3.0 setup program. Click Next to bypass the setup program's Welcome screen and you'll see the program's license agreement. Accept the license agreement, then click the Next button for the necessary files to be installed. When installation completes, you'll see a warning message telling you that if an old version of WinPcap was installed on the system, you'll need to reboot. Click the Next button, followed by OK to complete the WinPcap installation process.
Although the setup program doesn't tell you, you'll also need to download and install the LibnetNT driver. Technically, Snort will run without this driver, but certain functionality will be disabled.
Now that Snort is installed, the next step is to test it to make sure that it is functioning properly. Since Snort is a command line application, you should begin the process by opening a command prompt window and navigating to the folder that you installed snort into. The snort executable itself is stored in a subfolder called bin. Therefore, if you installed Snort into C:\SNORT, you'd have to enter the CD\SNORT\BIN command to access Snort.
At this point, enter the command SNORT –W (the W is case sensitive). When you do, you should see a list of your computer's network interfaces. This will be your indication that the WinPcap module is working correctly and that Snort is able to communicate with it. The next step in the process is to enter the SNORT -V command (the V is case sensitive). When you do, Snort will report back the version number that you are running. If Snort is able to report back a version number, enter the following command:
SNORT –v –n3 –I 2
In this command, all of the parameters are case sensitive. The number 2 should be replaced with the interface number as displayed when you ran the SNORT –W command. The –n3 parameter tells Snort that you want to display the headers of the first three packets that are captured. Therefore, the command should capture and display three packets. If this works, then Snort is working.
After Snort is installed and tested, you need to configure it to detect intruders. Fortunately, most of the work has already been done for you. As you may know, many intrusion detection systems are rule based. The systems are designed to look for specific conditions and then the rules tell the intrusion detection system how to react when the given situation is detected.
If you were using the Linux/UNIX version of Snort, you would have to download the appropriate set of rules for your version from the Snort Web site. Fortunately, the latest set of rules are built into the Windows version. These rules are stored in the \RULES folder within the main Snort folder. Although the rules files are present, you'll have to configure Snort to use them. Additionally, you'll also have to tell Snort what the IP address range is of your internal network and that any addresses outside that range are not a part of your network. To do so, you'll have to modify the SNORT.CONF file, which is located in the \ETC folder. The configuration file is in .doc format, so you'll have to open it in Microsoft Word for editing.
The first step in modifying the configuration file is to change the var HOME_NET line. Initially, this line of the configuration file points to the 10.1.1.0/24 address range, so you'll have to change it to reflect your own address range. For example, my private IP address range is 18.104.22.168 to 22.214.171.124. Therefore, I would enter this IP address range as 126.96.36.199/150. There are other configuration options that you can set at this point as well, but they are optional. For example, you can enter the addresses of your SMTP, HTTP, and DNS servers.
Next, you may want to set the external IP address range. This is done through the var EXTERNAL_NET command line. By default, this variable is set to a value of any, which should work fine in most cases, but you can enter specific IP addresses if necessary.
The last step of the configuration process is to enter the path to the rules files into the var RULE_PATH section. The default entry is /rules. This should work fine unless you have moved the rules to a different location.
Now that Snort is configured, it is time to run the program. To do so, open a Command Prompt window and enter the following case-sensitive command:
Snort –c "C:\snort\etc\snort.conf" –l "C:\snort\Log"
–A full –I 2 –d –e –X
The –c "C:\snort\etc\snort.conf" portion of this command tells snort that it should be run using the snort.conf file that you have just modified. The –l "C:\snort\Log" portion of the command tells Snort that if any packets match the specified rules, they should be dumped to the snort\Log folder. The –A full portion of the command tells Snort that you want to set the alert mode to full. The –I 2 portion of the command tells Snort to listen on the second network interface. The –d switch tells Snort to dump the application layer, while the –e switch specifies that Snort should display the second layer of header information. Finally, the –X switch tells Snort to dump the raw packet data starting at the link layer.
Finally, when you run this command Snort will not return you to a command prompt unless you press [Ctrl][Break]. There are also many other command line switches available for you to use with Snort. You can view these switches by simply entering the Snort command with no switches.