Snort 1.8.7 for Windows NT Server / 2000 / XP using Apache Webserver, MySQL and Acid to view and graph alerts...


Author: Michael Steele
Technical Snort Support Engineer for Silicon Defense


Revised: May 29, 2002


This documentation will hopefully help you to install Snort on your Windows NT Server, 2000, or Windows XP box. It will also help you install Apache Webserver, install Snort as a service, install MySQL as a database, and install Acid to view the alerts that Snort will create.

This documentation is based on a single sensor, but it is possible to monitor and view multiple sensors from a single alert viewer. In this case it is ACID that we will be using to view and graph the alerts. This documentation is also designed to view the alerts from this sensor only. It is also possible to view the alerts from a remote location.

I found it very confusing with what information was available concerning installing Snort for Windows. Part of this documentation was extracted from the Snort FAQ file for Snort Win32 and other places.


Note: Please download the necessary support files right from our website. This documentation is based on THESE files ONLY.

Download Snort 1.8.7b121 RELEASE (Win32 MySQL Binary!): HERE

Download Apache 1.3.24: HERE

Download WinPcap 2.3: HERE

Download MySQL Shareware 3.23.40: HERE

Download PHP 4.1.1: HERE

Download PHPLot 4.4.6: HERE

Download ADODB 1.72: HERE

Download ACID 0.9.6b21: HERE

Download Run As Service Files: HERE

Download Microsoft MSI Installer for 95 / 98: HERE

Download Microsoft MSI Installer for NT4: HERE

Note: You will not need to download the MSI installer for Windows ME / 2000 / XP as they are built in.

Note: I will be using WinRAR to uncompress any compressed files. You can download WinRAR: HERE


Installing Snort with MySQL

● Create 6 Folders: "C:\snort" - "C:\snort\rules" - "C:\snort\php" - "C:\snort\adodb" - "C:\snort\logs" - "C:\snort\docs"

● Uncompress the Snort archive into a temporary folder.

● Move ALL the .rules files and the classification.config file from the temporary folder to the "C:\snort\rules" folder.

● Move ALL the documentation files from the temporary folder to the "C:\snort\docs" folder.

● Move the snort.exe and the snort.conf from the temporary folder to the "C:\snort" folder.

● In the temporary folder that you created for Snort, there is a contrib folder. Inside that contrib folder you will need to move the file create_mysql to the "C:\snort" folder.

Note: You can now delete the temporary folder.

● Load your snort.conf file that is located in your "C:\snort" folder into WordPad.

Note: You will need to find and set your HOME_NET variable. If you are working with an unmodified Snort.conf 1.8.x file, the variable will be located towards the top of the Snort.conf file. The variable you are looking for is "var HOME_NET any" and you will be replacing the any part of that variable with the properly qualified IP address and the subnet you want to monitor.

The IP and Subnet variables in the examples below are purely fictitious and you will need to supply the proper IP and Subnet for your network. You might need to contact your system administrator to get them.

If you want to monitor a single host and your IP and Subnet is:
10.20.30.1/255.255.255.255 then change the any to 10.20.30.1/32

If you have a class C Network and your IP and Subnet is:
10.20.30.0/255.255.255.0 then change the any to 10.20.30.0/24

If you have a class B network and your IP and Subnet is:
10.20.0.0/255.255.0.0 then change the any to 10.20.0.0/16

If you have a class A network and your IP and Subnet is:
10.0.0.0/255.0.0.0 then change the any to 10.0.0.0/8

Note: You can just leave the variable set to "var HOME_NET any" and it will monitor your entire network by default.

● Add this line (within the quotes, excluding the quotes) to the Snort.conf file. If you search in the Snort.conf file you will see a line almost exactly like the one below. You can either remove the # sign in front of it and edit it to read EXACTLY as the line below, or paste the line below into the Snort.conf file just above the one it almost matches.

output database: log, mysql, user=snort password=snort dbname=snort host=localhost

● You will find this "var" statement in your snort.conf file:

var RULE_PATH ./

This must be changed to the path of your Rules folder:

var RULE_PATH c:/snort/rules

● You will also need to change an include statement in your snort.conf file:

include classification.config

Change to:

include $RULE_PATH/classification.config


Installing WinPcap (Required Library)

● Install WinPcap.exe

● Reboot your machine!


Installing MySQL Database

Note: If you are running Terminal Services under Windows 2000 Server or Advanced Server, you MUST install MySQL from the Add/Remove panel, or you can also type from the RUN in the start menu "change user /install" and after you install MySQL type "change user /execute".

● Install MySQL using ALL the default settings, making sure to install into "C:\" folder.

● Open a command window and type: "C:\MySQL\Bin\winmysqladmin" (leave the quotes out). You should be presented with the MySQL admin interface asking for a Username and Password. For the Username type snort and for the Password type snort.

Note: If you have previously installed MySQL you may not be presented with the option to set the username and password. If this is the case then you will need to set up a user called snort with a password of snort with the appropriate permissions, discussed in the next section.

Note: If everything installed correctly you should now have a MySQL icon in the system tray.

● Right Click the MySQL icon in the system tray and select Show Me.

● Select the "Create Shortcut on Start Menu" button.

Note: This will create an entry in the startup folder that will run the administration panel each time you restart.


Creating a Win32 MySQL database

● Choose the Database tab, Right Mouse click on your server name, Select Create Database, and type your database name IE: "snort", and press "Create the Database". The database will be created, then select "OK". In the left window labeled "Databases" you will see your new database called "snort".

● Right click anywhere in the MySQL Admin screen and select "Hide Me", and MySQL will return to the system tray.

● If you were unable to create a user snort when you installed MySQL then follow this:

Navigate to the "C:\MySQL\Bin" directory from a command window and type "MySQL" (leave out the quotes). You will be at the "mysql> " prompt. Type: \u mysql; <press enter> (this sets the database to mysql)
Type: grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost identified by "snort";

● To confirm user addition, at the "mysql> " prompt type: \u mysql <press enter> (this sets the database to mysql)
At the "mysql> " prompt type: show tables; (you should see a list of tables with a user entry)
At the "mysql> " prompt type: select * from user; (you should see the user "snort" listed)


Creating Tables into MySQL for Acid

● Navigate to "C:\MySQL\Bin" folder from the command window. At the "C:\MySQL\Bin> " prompt Type: MySQL -u snort snort < C:\snort\create_mysql

Note: To check to make sure the tables were added. Right Click on the MySQL icon in the system tray and choose Show Me. Select the Database tab, then in the Databases window pane select Snort. In the Databases Tables pane you should see some entries under Snort.


Testing Snort

● Navigate to "C:\snort" folder. At the "C:\snort> " prompt Type: snort -W. You will see a list of possible adaptors that you can install your sensor on. They will be numbered IE: 1,2,3,4,5,6 etc.

● At the "C:\snort> " prompt type: snort -v -ix

Note: -ix (x is the number of the NIC to place your Snort sensor on)

Note: Open your browser and generate some web traffic. You should be seeing Snort detecting traffic in your command window. If you do not see any traffic then kill the Snort process and change the -ix to another interface number.

● Kill that instance of Snort from the Task Manager Process tab.

● At that same command prompt type:

snort -c c:\snort\snort.conf -l c:\snort\logs -ix

Note: -ix (x is the number of the NIC to place the Snort sensor on)

Note: If there were no errors produced then Snort should have created an Alert.ids file in the "C:\snort\logs" folder.

● Kill that instance of Snort from Task Manager Process tab.


Configuring Snort to run as a Service NT4 Server / 2000 / XP

Note: If you used a previous install using INSTSRV to install Snort as a service, you will need to remove that.

● To remove the service that was installed using "INSTSRV.EXE" and "SRVANY.EXE" you will need to stop the snort service.

● From a command prompt type (make sure INSTSRV is in the path):

"instsrv srvany remove"
"instsrv snort remove"

● Start "REGEDIT.EXE" from the run box and Locate and delete the following sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort

● Reboot the system

● There are three command switches that Snort uses for the Service activation.

/SERVICE /INSTALL
/SERVICE /UNINSTALL
/SERVICE /SHOW

Explanation of Service options:

This will install Snort as a service with the specified parameters:
"snort /SERVICE /INSTALL -de -c C:\snort\snort.conf -l C:\snort\logs -ix"

Note: -ix (x is the number of the NIC to place the Snort sensor on)

This will remove snort as a service:
"snort /SERVICE /UNINSTALL"

This will display the parameters:
"snort /SERVICE /SHOW"

● From a command prompt, navigate to the C:\snort folder and type:
snort /SERVICE /INSTALL -c C:\snort\snort.conf -l C:\snort\logs -ix

Note: -ix (x is the number of the NIC to place the Snort sensor on)

● From the Start Menu go to Programs / Administrative Tools and open the Services applet. Select Snort from the services window, right click on Snort, choose Properties, and under startup type select Automatic (this will allow Snort to be active when there is no one logged on).

Note: If you want to stop or start the service from a command prompt use:

"net stop snort"
"net start snort"

Note: If you want to change the parameters then you must use:

C:\snort.exe /SERVICE /UNINSTALL
C:\snort.exe /SERVICE /INSTALL < NEW PARAMETERS >

● To test the installation of the service you must reboot then go to Task Manager and if you find Snort there, you were successful.


Installing Apache Webserver

● If you do not have the MSI installer installed, you will need to install it now. If you are not sure if one is already installed then go ahead and install the appropriate MSI installer for your version of Windows.

● Install Apache, and during the installation process you will need to answer several configuration questions. In some instances the boxes will contain the information required. Do not change them unless you are sure that they need to be changed.

1. Server Information; Here you will enter your domain information
2. Server; Here you will enter the name of your server
3. Administrator Email; Here you will enter an Email address for the System Administrator

● Be sure to pick "Run As Service for All Users -- Recommended"

● Select Next

● Select Complete

● Select Next

● Install path should be "C:\Program Files\Apache Group\"

● Select Next

● Select Install

● Select Finish

● From WordPad navigate to the "C:\Program Files\Apache Group\Apache\Conf" folder and select "httpd.conf".

● Search for the AddModule list and add the line below to the bottom of the list:

AddModule mod_php4.c

● Search for "AddType" (do not include the quotes), and you will find several in a row. Just below the last "AddType", insert the line below:

AddType application/x-httpd-php .php .phtml

● Just below where you added the "AddType application/x-httpd-php .php .phtml" line, insert the line below:

LoadModule php4_module "modules/php4apache.dll"

● Search for "Controls who can get stuff from this server" (do not include the quotes)

● Just below the line you found, there will be two lines:
Order allow,deny
Allow from all

● Replace those two lines, and add one as shown below:
Order deny,allow
Deny from all
Allow from 127.0.0.1
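The point of the three-line replacement above is that the default "Order allow,deny / Allow from all" lets any host reach the web server (and therefore ACID, which is configured below with the database username and password in its config), whereas the replacement admits only the local machine. The following Python script is an added example, not part of the guide or of Apache: it models how Apache 1.3 evaluates "Order", "Allow from" and "Deny from" (Allow-first and Deny-first semantics, "all", partial dotted addresses and CIDR patterns) and evaluates both snippets against constructed client addresses so the effect of the edit can be checked before restarting the server.

```python
# Added example (not from the guide or Apache): a model of Apache 1.3 host
# access control used to compare the two httpd.conf snippets in the text.
# The client addresses below are constructed.
import ipaddress

# The two snippets quoted in the guide.
BEFORE = """\
Order allow,deny
Allow from all
"""

AFTER = """\
Order deny,allow
Deny from all
Allow from 127.0.0.1
"""


def parse_access(snippet: str):
    """Collect the Order value and the Allow/Deny patterns from a snippet."""
    order, allows, denies = "deny,allow", [], []
    for raw in snippet.splitlines():
        parts = raw.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif directive == "allow" and len(parts) > 2 and parts[1].lower() == "from":
            allows.extend(parts[2:])
        elif directive == "deny" and len(parts) > 2 and parts[1].lower() == "from":
            denies.extend(parts[2:])
    return order, allows, denies


def _matches(client: str, pattern: str) -> bool:
    """Pattern is 'all', a CIDR block, a full address, or a leading-octet
    prefix such as '10.20.' (Apache matches partial addresses by octets)."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(pattern, strict=False)
    return client == pattern or client.startswith(pattern.rstrip(".") + ".")


def is_allowed(snippet: str, client: str) -> bool:
    """Apply the Apache 1.3 evaluation order to one client address."""
    order, allows, denies = parse_access(snippet)
    allowed = any(_matches(client, p) for p in allows)
    denied = any(_matches(client, p) for p in denies)
    if order == "allow,deny":
        # Allow directives first: the client must match one and no Deny.
        # A client matching neither list is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny directives first, but an Allow match overrides a Deny match.
        # A client matching neither list is allowed.
        return allowed or not denied
    # "mutual-failure": only clients on the Allow list and not on the Deny list.
    return allowed and not denied


def exposure_report(snippet: str, clients) -> dict:
    """Map each client address to whether the snippet lets it in."""
    return {c: is_allowed(snippet, c) for c in clients}


if __name__ == "__main__":
    clients = ["127.0.0.1", "10.20.30.1", "203.0.113.5"]   # constructed
    print("before:", exposure_report(BEFORE, clients))
    print("after: ", exposure_report(AFTER, clients))
```

With the original lines every address is admitted; with the replacement only 127.0.0.1 is. If you later want a management workstation to reach ACID, adding a second "Allow from" line with its address keeps the Deny-first logic intact, and you can check the result with the same function before applying it.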

● Restart your server or workstation


Installing PHP the HTML embedded scripting language

● Uncompress PHP into the C:\snort\php folder.

● Copy "C:\snort\php\php4ts.dll" to your "System32" folder.

Note: Our System32 folder is located in "C:\WINNT\"

● Copy "C:\snort\PHP\sapi\php4apache4.dll" to "C:\Program Files\Apache Group\Apache\Modules"

● Copy the file "C:\snort\php\php.ini-dist" to your ROOT Folder and rename it to "php.ini".

Note: Our root folder is "C:\WINNT", but yours might be "C:\WINDOWS", or "C:\WINNT4".

● In WordPad edit the "php.ini" file and do a search for these variables and edit to reflect the new settings below:

max_execution_time = 60
session.save_path = "<Full path to your ROOT>/Temp" folder
remove the ; in front of "; extension=php_gd.dll"
doc_root = c:\program files\apache group\apache\htdocs\acid
extension_dir = c:\snort\php\extensions


Installing ADODB - A high quality database library

● Uncompress ADODB into the C:\snort\adodb folder.

● Navigate to the "C:\snort\adodb" folder and Edit the "ADODB.INC.PHP" file to reflect the location of the ADODB folder:
$ADODB_Database = 'C:\snort\adodb';


Installing PHPLot - Graphing library for charts

● Uncompress PHPLot into the "C:\snort" folder


Installing ACID - Alert Viewer

● Uncompress Acid and move the Acid folder into the "C:\Program Files\Apache Group\Apache\htdocs" folder.

● With WordPad, navigate to the "C:\Program Files\Apache Group\Apache\htdocs\Acid" folder and choose "acid_conf.php" to edit. You will only need to edit the variables below:

$DBlib_path = "c:\snort\adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "snort";

/* Archive DB connection parameters */

$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "snort";

$ChartLib_path = "c:\snort\phplot";

● Reboot your machine!

● Start your browser and type: http://localhost/Acid/Index.html

Note: You will receive a configuration error the first time you run Acid

● Select to go to the Setup Page when this error appears, then select "Create ACID AG" to complete the Acid Alert Group configuration.

● Return to your browser and retype http://localhost/Acid/Index.html

Note: Alert data graphing has not been converted to the windows platform, yet.

Note: It may take a while to start seeing alerts, just let it go and Acid will auto refresh.


Conclusion:

You should be able to:

1) Run Snort as a service
2) Run MySQL and have Snort log to the database
3) Run Acid to view and graph alerts in HTML format

Note: This is a basic setup and you should modify this installation to your own needs

Note: It is advisable for you to install Microsoft's Baseline Security Analyzer: HERE