Intrusion detection systems are one of the most critical tools to network security engineers. In the Linux/UNIX world, a number of free tools are available that are powerful, flexible, and simple to use. Thanks to Silicon Defense, one such tool, Snort, has made the migration from Linux/UNIX to Windows.
In this Daily Drill Down, I will show you how to get Snort installed and running in Windows 2000.
For this article, I used Windows 2000 Professional as the platform on which to build the IDS server. When you set up the system you're going to use, install Windows 2000 Professional, and then apply Service Pack 2 and all updates for your system listed on Microsoft's Windows Update. You'll also want to install IIS so you can use it later to receive real time alerts.
To install IIS on your Windows 2000 server, go to Control Panel, open Add/Remove Programs, click on Add Windows Components and select the check box for Internet Information Server. Click Next and have your Windows 2000 Professional CD at hand for when the installation needs the files for IIS (unless you already had the I386 directory copied to the drive).
Once you've restarted the workstation, you can start collecting the files you will need for Snort and the required applications to set up real time alerting.
Getting the files
Snort 1.8.6 for Windows requires a number of files to be installed. These necessary files are:
- · Snort 1.8.6b105
- · WinPcap 2.3
- · MySQL Shareware 3.23.40
- · PHP 4.1.1
- · PHPLot 4.4.6
- · ADOdb 1.72
- · ACID 0.9.6b21
- · Run As Service Files
- · WinRAR
The WinRAR tool allows you to decompress any compressed files from the above list.
Create a temporary directory to hold your downloaded files. I named mine snort_temp. Then, download these files and save them to your temporary directory.
Play it safe
Keep everything in one directory and back up this directory once you've collected all the files so that if you need to re-create the IDS system you're building, you'll have everything at hand that you'll need.
The installation of the Snort application is pretty cut-and-dried. You'll need to create six new directories for this installation:
- · C:\Snort
- · C:\Snort\Rules
- · C:\Snort\PHP
- · C:\Snort\ADOdb
- · C:\Snort\Logs
- · C:\Snort\Docs
Unzip the Snort binary that you downloaded and extract it to your temporary directory. Then copy the files listed below in the directories specified:
- · All the .rules files and the classification.config file go into C:\Snort\Rules.
- · All the documentation files should be placed into C:\Snort\Docs.
- · The snort.exe and the snort.conf go into C:\Snort.
- · The create_mysql file (located in the Contrib directory within the snort_temp file) goes into C:\Snort.
Next, you'll need to edit the snort.conf file to tell it where to find the files it's looking for. First, edit the output database line that tells Snort you're running MySQL and the user name to log in to the database with. The first line you need to edit is the var HOME_NET any line. Replace the any with a fully qualified IP address and the subnet you wish to monitor. If you want to monitor a single host when your IP is 10.20.30.1 and your subnet is 255.255.255.255, change the any entry to 10.20.30.1/32.
The next line to edit will look a lot like the one shown in Listing A.
Find the sort.conf line that resembles Listing B and edit it to read exactly as shown in Listing B.
The next line to edit contains the var RULE_PATH ./directive. Change this directive to var RULE_PATH c:/Snort/Rules.
Finally, change the include that reads include classification.config to read include RULE_PATH/classifications.config.
Make sure to use the forward slash instead of the backslash. The programs you're installing were initially written for Linux/UNIX environments, so using anything other than the forward slash will cause them not to work. I ran into this problem, and it took over two hours on the phone with Silicon Defense trying to figure out why I couldn't get Snort to run. This rule applies with the exception of the installation of PHP. See the section below on installing PHP for more information.
Also, when you edit the classifications.config line, put a $ in front of the RULE_PATH variable. Although it's not required for Snort to run under Windows, it helps avoid some script processing problems that have shown up in some installations under Windows.
WinPcap is a device driver that adds packet-filtering capability to versions of Windows from 95 to XP. WinPcap allows you to send and receive data through the network card without requiring a special driver from the vendor. To install WinPcap, just run the executable and reboot the workstation before installing the remaining components.
MySQL is also easy to install. Create another temporary directory—I called mine mysql_temp. Unpack the .zip file containing MySQL into your temporary directory. Then, run the setup program. By default, it will install onto the C: drive. If you keep it on the C: drive, you won't have to make configuration changes to use it from another drive.
After you've installed MySQL, you need to create a Win32 MySQL database and Create MySQL tables for the Analysis Console for Intrusion Databases (ACID). Even if you haven’t worked with SQL before, it's not difficult to do this. To create a database named snort, follow these steps:
- · Open a command window and type C:\MySQL\Bin\winmysqladmin.
- · From the MySQL Admin tool, choose the Database tab.
- · Right-click on your server name listed in this tab.
- · Select Create Database.
- · Type your database name. (I used snort for this example.)
- · Press the Create The Database button.
- · Select OK.
In the left window labeled Databases, you'll find your new database.
To create a MySQL table that will be used for ACID (PHP-based analysis engine used by SNORT to search and process a database of security events), navigate to C:\MySQL\Bin folder from the command window. Then, at the C:\MySQL\Bin> prompt enter the command MySQL -u snort snort < c:\Snort\create_mysql.
You'll want to set up Snort to start as a service when using it on a WinNT/2k/XP machine. To do this, first decompress the file called ServiceTools.exe into your root folder. There are two files included in the archive—one is called Srvany.exe and another is called Instsrv.exe. These are required to run Snort as a service.
Now open a command prompt window and navigate to your Root folder. At a command prompt type: INSTRV SRVANY <PATH TO ROOT folder>\SRVANY.EXE . At the same prompt type: INSTSRV.EXE snort <PATH TO ROOT FOLDER>\SRVANY.EXE.
Start the Registry Editor From the Run box. Make sure you back up your registry. Locate the sub key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort and select it. From the Edit drop-down menu, select New | Key and then type Parameters. Right-click the new Parameter key, select NEW | String Value, and type Application. Right-click the new Application string, select Modify, and type C:\Snort\Snort.exe. Right-click the Parameter Key again, select New | String Value, and type AppParameters. Right-click the new AppParameters string and select Modify. Type -c C:\Snort\Snort.conf -l C:\Snort\Logs -ix.
Right-click the Parameter Key again, select New | String Value, and type AppDirectory. Right-click the new AppDirectory String and select Modify. Type: C:\Snort.
From the Start Menu, go to Programs | Administrative Tools and open the Services applet. Select Snort from the services window, right-click on Snort, and choose Properties. Under Startup Type select Automatic. This will allow Snort to be active when no one is logged on.
You'll want to test Snort to be sure it's configured correctly and to verify that it can talk to the newly created database. To test it, first navigate to the C:\Snort folder at the command line. At the C:\Snort> prompt, enter the command Snort -W to see a list of possible adaptors that the sensor is installed on.
Again at the C:\Snort> prompt, type the command snort -v -iX (where X is the number of the network adapter to place the Snort sensor on). Open a browser and generate some traffic by navigating to various Web sites. Snort should detect the traffic. Kill Snort from the Task Manager Process tab. At the same C:\Snort> command prompt, enter Snort -c C:\Snort\Snort.conf -l C:\Snort\Logs -ix (where X is the number of the network adapter to place the Snort sensor on).
When the last command has been executed, any errors that show up must be resolved before you can continue. The most common errors result from using the wrong username for Snort to log in to the SQL database, using the wrong database name for Snort to log in to, or using the wrong adapter number when running the tests.
Installing PHP, ADOdb, PHPLOT and ACID
The last part of the process goes pretty fast. To install PHP, do the following:
- 1. Decompress PHP into the C:\Snort\PHP folder.
- 2. Copy C:\Snort\PHP\php4ts.dll to your System32 folder.
- 3. Copy the file C:\Snort\PHP\php.ini-dist to your ROOT Folder and rename it to php.ini.
- 4. Edit the variables from the php.ini file as shown in Listing B.
When installing PHP, use the forward slash to specify the path for the session.save_path parameter and use the backslash for the drive and path for the extension_dir parameter.
Also, when installing PHP, the term ROOT refers to the path where Windows 2000 is installed; it's typically C:\WINNT.
To install ADOdb, simply:
- 1. Decompress ADOdb into the C:\Snort\ADOdb folder.
- 2. Navigate to the C:\Snort\ADOdb folder and edit the ADODB.INC.PHP file to reflect the location of the ADOdb folder by typing $ADODB_Database = 'C:\Snort\adodb'.
Installing PHPLOT only requires you to decompress PHPLot into the C:\Snort folder.
To install the ACID alert viewer, you need to decompress and move the ACID folder into the root folder of your default Web site (typically C:\Inetpub\wwwroot\). Then, configure the ACID acid_conf.php file in the Acid folder as shown in Listing C. Next, reboot your machine, start your browser, and type: http://localhost/Acid/Index.html. You'll see an error indicating that the underlying database is incomplete the first time you run ACID. Select Setup Page when this error appears. Select Create ACID AG to complete the Acid Alert Group configuration, and then go back to your browser and retype http://localhost/Acid/Index.html.
Congratulations, you've installed Snort
Once everything is installed and working properly, it may take a few minutes before alerts show up. To make sure things are okay, verify that the Services applet shows Snort as started and that it also shows up as a running process under the Task Manager.
If Snort doesn’t show under Task Manager, there is a problem with the service automatically starting using the srvany file. Try deleting the services you created with instsrv, rebooting the workstation, and recreating the services. You'll have a problem if you delete the services and then try to re-create them without rebooting the workstation.
From the application side, watch the information that Snort reports closely before hitting the panic button. Some of the items Snort will report are actually normal NT-to-NT communications, but some could be hacking attempts if either the source or destination address in the alert is not coming from your network. As with reporting software, Snort will be only as good as the version of rules you're using to find hacking attempts. Visit the Snort Web site periodically to make sure you have the latest rules install.
Getting more help
Keep in mind that you have a basic install of Snort; additional features can be enabled. For more information on the details of configuring the various packages used with Snort, take a look at these sites:
In addition to the above sites, you can subscribe to the Snort Users mailing list on the Snort Web site. This mailing list offers more specific help for your Snort installation. Another option for commercial-level support for Snort would be the Silicon Defense Web.