One of the goals of any security-conscious network
administrator is to keep intruders off your network. You should be able to
accomplish this goal through good security practices, such as restrictive
policies and frequent software updates. If an intruder ever does manage to slip
past your security though, you need to know about it. This is where an
intrusion detection system (IDS) comes into play. An IDS
alerts you when someone has penetrated your defenses (or in some cases when
someone is attempting to penetrate
your defenses).

Fortunately, you don’t have to pay big bucks for an IDS. Snort
is an open source IDS that you can download for free. Best of all, there is a
Windows version available for those of us who don’t use Linux. By implementing
Snort, you can keep much better tabs on your network’s security. In this
article I’ll show you how to download, install, configure, and run Snort.

Acquiring Snort

Snort is available from the company’s download center. The program is
primarily intended to run in a UNIX/Linux environment, but there is a
precompiled Windows build available on the site. You can find it in the binaries section
of the Web site. The download consists of a 1.94-MB self-extracting executable
file.

Installing Snort

Download Snort to an empty folder on your hard disk and then
double-click on the SNORT-2_1_3.EXE file that you’ve downloaded. When you do,
you may see a security warning stating that the file’s publisher could not be
verified. Click the Run button to tell the program it is OK to run this file.
When you do, you’ll see the software’s license agreement displayed. Click the I
Agree button to accept the license agreement.

At this point, the software will ask you which type of
database you plan to use for logging intrusion detection information. Snort has
built-in support for MySQL and ODBC databases. There is also an option to log
the information to a SQL server, but to use this option,
the machine on which you are installing Snort must already have the SQL Server
client software installed. The final option on this screen is logging to an
Oracle database. Again, if you want to use this option, your computer must
already have the Oracle client software installed. Make your selection and
click the Next button to continue.

The next screen asks you which components you would like to
install. Obviously you'll want to install the Snort component, since it
contains the core intrusion detection application. You'll also have the option
of installing the documentation and a module called Contrib. The Contrib module
is a collection of user-contributed add-on modules for Snort. I recommend
installing all available modules, since a full-blown installation only consumes
8.7 MB of hard disk space.

Click the Next button and you’ll be asked for the
destination folder that you would like to install Snort into. Make your
selection, click Install, and the Setup program will begin copying all of the
necessary files. When the file copy process completes, click Close. When you
do, you’ll see a message stating that Snort has been installed successfully.
Before you get too excited, though, read the rest of the message. It indicates
that there are a couple of other components that you’ll have to download and
install.

WinPcap

One of those modules is WinPcap version 2.3. You can
download this module from the WinPcap Web site. WinPcap is basically a network
sniffer: it performs the packet capturing necessary for intrusion detection to
work. Although Snort requires WinPcap 2.3, I recommend downloading version 3.0
since it is the most recent.

The download consists of a 430-KB self-extracting executable
file. This file contains the WinPcap setup program, the driver, and the
necessary DLL files. To install WinPcap, download it to an empty folder and
then double-click the WinPcap_3_0.exe file. When you do, you may see a Windows
Security Warning screen indicating that the software’s publisher could not be
verified. Ignore this warning and click the Run button.

At this point, Windows will launch the WinPcap 3.0 setup
program. Click Next to bypass the setup program’s Welcome screen and you’ll see
the program’s license agreement. Accept the license agreement, then click the Next button for the necessary files to be
installed. When installation completes, you’ll see a warning message telling
you that if an old version of WinPcap was installed on the system, you’ll need
to reboot. Click the Next button, followed by OK to complete the WinPcap
installation process.

LibnetNT Drivers

Although the setup program doesn’t tell you, you’ll also
need to download and install the LibnetNT driver. Technically, Snort will run
without this driver, but certain functionality will be disabled.

Testing Snort

Now that Snort is installed, the next step is to test it to
make sure that it is functioning properly. Since Snort is a command line
application, you should begin the process by opening a command prompt window
and navigating to the folder that you installed Snort into. The Snort
executable itself is stored in a subfolder called bin. Therefore, if you
installed Snort into C:\SNORT, you'd have to enter the CD\SNORT\BIN command to
access Snort.

At this point, enter the command SNORT -W (the W is case sensitive). When you do, you should see a
list of your computer's network interfaces. This will be your indication that
the WinPcap module is working correctly and that Snort is able to communicate
with it. The next step in the process is to enter the SNORT -V command (the V is case sensitive). When you do, Snort will
report back the version number that you are running. If Snort is able to report
back a version number, enter the following command:

SNORT -v -n3 -i 2

In this command, all of the parameters are case sensitive: the interface
switch is a lowercase i, while -W and -V are uppercase. The number 2 should be
replaced with the interface number as displayed when you ran the SNORT -W
command. The -n3 parameter tells Snort that you want to display the headers of
the first three packets that are captured. Therefore, the command should
capture and display three packets. If this works, then Snort is working.

Configuring Snort

After Snort is installed and tested, you need to configure
it to detect intruders. Fortunately, most of the work has already been done for
you. As you may know, many intrusion detection systems are rule based. The
systems are designed to look for specific conditions and then the rules tell
the intrusion detection system how to react when the given situation is
detected.

If you were using the Linux/UNIX version of Snort, you would
have to download the appropriate set of rules for your version from the Snort
Web site. Fortunately, the latest set of rules is built into the Windows
version. These rules are stored in the \RULES folder within the main Snort
folder. Although the rules files are present, you'll have to configure Snort to
use them. You'll also have to tell Snort what the IP address range of your
internal network is, and that any addresses outside that range are not a part
of your network. To do so, you'll have to modify the SNORT.CONF file, which is
located in the \ETC folder. The configuration file is in .doc format, so you'll
have to open it in Microsoft Word for editing.

The first step in modifying the configuration file is to
change the var HOME_NET line.
Initially, this line of the configuration file points to the 10.1.1.0/24
address range, so you’ll have to change it to reflect your own address range.
For example, my private IP address range is 147.100.100.1 to 147.100.100.150.
Therefore, I would enter this IP address range as 147.100.100.1/150. There are
other configuration options that you can set at this point as well, but they
are optional. For example, you can enter the addresses of your SMTP, HTTP, and
DNS servers.

Next, you may want to set the external IP address range.
This is done through the var EXTERNAL_NET line. By default, this variable is
set to a value of any, which should work fine in most cases, but you can enter
specific IP addresses if necessary.

The last step of the configuration process is to enter the
path to the rules files into the var RULE_PATH line. The default entry is
/rules. This should work fine unless you have moved the rules to a different
location.
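The three var lines above are easy to get wrong because Snort reads them as CIDR notation (the stock HOME_NET of 10.1.1.0/24 is one example). The script below is an added example, not code from the article or from the Snort project: it parses the var lines out of a constructed snort.conf fragment, checks that HOME_NET and EXTERNAL_NET hold values Snort can use (any, one network, or a bracketed list with optional ! negation, which is the Snort 2.x var syntax I am assuming here), and shows how a first-to-last address range such as the one the article mentions (147.100.100.1 to 147.100.100.150) is expressed as the CIDR blocks a var line accepts.

```python
import ipaddress
import re

# Constructed snort.conf excerpt containing the var lines the article edits
# (assumption: an illustrative fragment, not a copy of the shipped snort.conf).
SAMPLE_CONF = """\
# Step 1: set the network variables
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS [10.1.1.2,10.1.1.3]
var RULE_PATH /rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf_text):
    """Return {name: value} for every 'var NAME VALUE' line, skipping comments."""
    variables = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = VAR_RE.match(line)
        if match:
            variables[match.group(1)] = match.group(2)
    return variables


def check_net_var(value):
    """Validate a Snort network variable value.

    Accepted forms (assumed Snort 2.x syntax): 'any', one address or CIDR
    block, or a bracketed comma-separated list, each entry optionally
    prefixed with '!'. Returns the entries that are not valid networks;
    an empty list means the value is usable.
    """
    if value == "any":
        return []
    entries = value.strip("[]").split(",") if value.startswith("[") else [value]
    bad = []
    for entry in entries:
        entry = entry.strip().lstrip("!")
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def check_conf(conf_text):
    """Check HOME_NET and EXTERNAL_NET; return {name: bad entries} for any problem."""
    variables = parse_vars(conf_text)
    problems = {}
    for name in ("HOME_NET", "EXTERNAL_NET"):
        if name not in variables:
            problems[name] = ["<missing>"]
            continue
        bad = check_net_var(variables[name])
        if bad:
            problems[name] = bad
    return problems


def range_to_cidrs(first, last):
    """Express an inclusive first..last address range as the CIDR blocks a
    Snort var accepts (a start/end pair written as a/b is not valid syntax)."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    print("sample conf problems:", check_conf(SAMPLE_CONF))
    print("start/end style value:", check_net_var("147.100.100.1/150"))
    print("blocks for 147.100.100.1 .. 147.100.100.150:",
          range_to_cidrs("147.100.100.1", "147.100.100.150"))
```

A range that does not align to a power-of-two boundary, like the one above, expands to several blocks; the alternative is to list them inside square brackets on the var line, or to widen HOME_NET to the enclosing /24 if every host on that subnet really is yours.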

Running Snort

Now that Snort is configured, it is time to run the program.
To do so, open a Command Prompt window and enter the following case-sensitive
command:

Snort -c "C:\snort\etc\snort.conf" -l "C:\snort\Log" -A full -i 2 -d -e -X

The -c "C:\snort\etc\snort.conf"
portion of this command tells Snort that it should be run using the snort.conf
file that you have just modified. The -l "C:\snort\Log"
portion of the command tells Snort that if any packets match the specified
rules, they should be logged to the snort\Log folder. The -A full portion of
the command tells Snort that you want to set the alert mode to full. The -i 2
portion of the command (lowercase i) tells Snort to listen on the second
network interface, using the interface numbers shown by SNORT -W. The -d switch
tells Snort to dump the application layer, while the -e switch specifies that
Snort should display the second layer of header information. Finally, the -X
switch tells Snort to dump the raw packet data starting at the link layer.
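With -A full, each alert that lands in the log folder is a small multi-line record: a [**]-delimited header with the generator, signature and revision ids and the rule message, a classification and priority line, a timestamp with source and destination, and the protocol headers. The script below is an added example, not code from the article or from Snort; it parses a constructed alert file written in that layout (the records, sids and addresses are made up) and summarises what a defender usually wants first: which signatures fired, which hosts triggered them, and which sources lie outside the HOME_NET range set in snort.conf.

```python
import ipaddress
import re
from collections import Counter

# Constructed alert records in the layout of Snort's full alert mode
# (assumption: three fabricated entries using local-range sids, not alerts
# captured from a real sensor).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] CONSTRUCTED example alert A [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/15-09:12:33.123456 10.1.1.50:3345 -> 10.1.1.7:80
TCP TTL:128 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:1000001:1] CONSTRUCTED example alert A [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/15-09:12:34.000001 10.1.1.50:3346 -> 10.1.1.7:443
TCP TTL:128 TOS:0x0 ID:4322 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4E  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:1000002:1] CONSTRUCTED example alert B [**]
[Classification: Misc activity] [Priority: 3]
04/15-09:15:00.500000 203.0.113.9:1434 -> 10.1.1.7:1434
UDP TTL:110 TOS:0x0 ID:7 IpLen:20 DgmLen:404
Len: 376
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); ICMP entries carry no port.
    IPv4 only, which matches the Snort generation the article covers."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_alerts(text):
    """Parse full-mode alert text into a list of dicts, one per record."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # tolerate stray text between records
        rec = {
            "gid": int(header.group(1)), "sid": int(header.group(2)),
            "rev": int(header.group(3)), "msg": header.group(4),
            "priority": None, "time": None, "src": None, "sport": None,
            "dst": None, "dport": None, "proto": None,
        }
        for line in lines[1:]:
            prio = PRIORITY_RE.search(line)
            if prio:
                rec["priority"] = int(prio.group(1))
                continue
            flow = FLOW_RE.match(line)
            if flow:
                rec["time"] = flow.group(1)
                rec["src"], rec["sport"] = split_endpoint(flow.group(2))
                rec["dst"], rec["dport"] = split_endpoint(flow.group(3))
                continue
            proto = PROTO_RE.match(line)
            if proto:
                rec["proto"] = proto.group(1)
        records.append(rec)
    return records


def summarize(records, home_net):
    """Count alerts by source host and by signature, and list the sources
    that fall outside home_net (the HOME_NET value from snort.conf)."""
    net = ipaddress.ip_network(home_net, strict=False)
    by_src = Counter(r["src"] for r in records if r["src"])
    by_sig = Counter((r["sid"], r["msg"]) for r in records)
    external = sorted({r["src"] for r in records
                       if r["src"] and ipaddress.ip_address(r["src"]) not in net})
    return {"total": len(records), "by_src": by_src,
            "by_sig": by_sig, "external_sources": external}


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS), "10.1.1.0/24")
    for (sid, msg), count in summary["by_sig"].most_common():
        print(f"sid {sid}: {count} x {msg}")
    print("external sources:", summary["external_sources"])
```

Pointing parse_alerts at the alert file Snort writes under the -l folder gives the same summary for real traffic; splitting internal from external sources is the first triage step, because an alert whose source is inside HOME_NET points at a host that may already be compromised rather than at an outside probe.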

Stopping Snort

Finally, when you run this command Snort will not return you
to a command prompt unless you press [Ctrl][Break].
There are also many other command line switches available for you to use with
Snort. You can view these switches by simply entering the Snort command with no
switches.