Snort 1.8.7 for Windows NT Server / 2000 / XP using IIS, MySQL and Acid to view and graph alerts...


Author: Michael Steele
Technical Snort Support Engineer for Silicon Defense


Revised: May 29, 2002



This documentation will help you install Snort on a Windows NT Server, Windows 2000 or Windows XP machine. It also covers installing IIS as the web server, running Snort as a service, installing MySQL as the alert database, and installing ACID to view the alerts that Snort writes to that database.

This documentation is based on a single sensor whose alerts are viewed on the same machine. ACID is the tool we will use to view and graph the alerts; it can also collect alerts from multiple sensors into one console, and that console can be viewed from a remote location, but neither is covered here.

I found the information available on installing Snort for Windows very confusing. Part of this documentation was extracted from the Snort FAQ file for Snort Win32 and from other places.

Note: Please download the necessary support files right from our website. This documentation is based on THESE files ONLY.

Download Snort 1.8.7b121 RELEASE (Win32 MySQL Binary!): HERE

Download WinPcap 2.3: HERE

Download MySQL Shareware 3.23.40: HERE

Download PHP 4.1.1: HERE

Download PHPLot 4.4.6: HERE

Download ADODB 1.72: HERE

Download ACID 0.9.6b21: HERE

Download Run As Service Files: HERE

Note: I will be using WinRAR to uncompress any compressed files. You can download WinRAR: HERE


Installing Snort with MySQL

● Create 6 folders: "C:\snort" - "C:\snort\rules" - "C:\snort\php" - "C:\snort\adodb" - "C:\snort\logs" - "C:\snort\docs"

● Uncompress the Snort archive into a temporary folder.

● Move ALL the .rules files and the classification.config file from the temporary folder to the "C:\snort\rules" folder.

● Move ALL the documentation files from the temporary folder to the "C:\snort\docs" folder.

● Move snort.exe and snort.conf from the temporary folder to the "C:\snort" folder.

● The temporary folder also contains a contrib folder. Move the file create_mysql from that contrib folder to the "C:\snort" folder; it holds the SQL that creates the tables Snort logs into.

Note: You can now delete the temporary folder.

● Load your snort.conf file that is located in your "C:\snort" folder into WordPad.

Note: You will need to find and set your HOME_NET variable. If you are working with an unmodified snort.conf 1.8.x file, the variable is located towards the top of the file and reads "var HOME_NET any". Replace the any part with the IP address and subnet you want to monitor, written in CIDR notation (address/prefix-length) as in the examples below.

The IP and Subnet variables in the examples below are purely fictitious and you will need to supply the proper IP and Subnet for your network. You might need to contact your system administrator to get them.

If you want to monitor a single host and your IP and Subnet is:
10.20.30.1/255.255.255.255 then change the any to 10.20.30.1/32

If you have a class C Network and your IP and Subnet is:
10.20.30.0/255.255.255.0 then change the any to 10.20.30.0/24

If you have a class B network and your IP and Subnet is:
10.20.0.0/255.255.0.0 then change the any to 10.20.0.0/16

If you have a class A network and your IP and Subnet is:
10.0.0.0/255.0.0.0 then change the any to 10.0.0.0/8

Note: You can leave the variable set to "var HOME_NET any" and Snort will treat every address as part of your network. Rules written against $HOME_NET and $EXTERNAL_NET then match regardless of which side of the connection is yours, so set HOME_NET to your real address range when you can.

● Add the line below to the snort.conf file. If you search the file you will find a commented-out line almost exactly like it. Either remove the # sign in front of that line and edit it to read EXACTLY as shown, or paste the line below into snort.conf just above the one it almost matches.

output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Note: The user, password and dbname here must match the MySQL account and database you create later in this document. snort/snort is the placeholder used throughout this page; on a real sensor pick your own password and, because snort.conf stores it in clear text, keep the "C:\snort" folder readable only by administrators and the account the service runs as.

● You will find this "var" statement in your snort.conf file:

var RULE_PATH ./

This must be changed to the path of your Rules folder:

var RULE_PATH c:/snort/rules

● You will also need to change an include statement in your snort.conf file:

include classification.config

Change to:

include $RULE_PATH/classification.config
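The steps above carried out in code, as an added example that is not part of the original page or of Snort: the script converts the dotted subnet masks of the HOME_NET examples to CIDR notation, rejecting a non-contiguous mask, and rewrites the HOME_NET, RULE_PATH, output database and classification.config lines. The snort.conf excerpt embedded in it is constructed for the example; the path c:/snort/rules and the snort/snort credentials are the page's own placeholder values, and on a real sensor you would read and write C:\snort\snort.conf instead of the embedded text.

```python
"""Rewrite snort.conf the way this page describes (added example).

Not part of the original page or the Snort project. SAMPLE_CONF is a
constructed excerpt of an unmodified 1.8.x snort.conf; the rule path and
the snort/snort credentials are the page's own placeholder values.
"""
import ipaddress
import re


def netmask_to_cidr(address: str, netmask: str) -> str:
    """Convert '10.20.30.0' + '255.255.255.0' into '10.20.30.0/24'.

    ipaddress raises ValueError for a non-contiguous mask such as
    255.0.255.0, so a typo in the mask fails here rather than when Snort
    parses snort.conf. strict=False lets a host address such as
    10.20.30.1/255.255.255.0 through; its host bits are zeroed, giving
    10.20.30.0/24.
    """
    return str(ipaddress.ip_network(f"{address}/{netmask}", strict=False))


def configure_snort_conf(conf: str, home_net: str, rule_path: str,
                         db_user: str, db_password: str, db_name: str,
                         db_host: str = "localhost") -> str:
    """Apply the page's four edits to the text of snort.conf and return it.

    1. var HOME_NET any              -> var HOME_NET <home_net>
    2. var RULE_PATH ./              -> var RULE_PATH <rule_path>
    3. the (commented) 'output database: log, mysql ...' line becomes a
       live line with the given credentials, or is appended if absent
    4. include classification.config -> include $RULE_PATH/classification.config
    """
    output_line = (f"output database: log, mysql, user={db_user} "
                   f"password={db_password} dbname={db_name} host={db_host}")
    out = []
    seen_output = False
    for line in conf.splitlines():
        stripped = line.strip()
        if re.match(r"var\s+HOME_NET\s", stripped):
            out.append(f"var HOME_NET {home_net}")
        elif re.match(r"var\s+RULE_PATH\s", stripped):
            out.append(f"var RULE_PATH {rule_path}")
        elif stripped == "include classification.config":
            out.append("include $RULE_PATH/classification.config")
        elif (not seen_output
              and re.match(r"#?\s*output\s+database:\s*log,\s*mysql", stripped)):
            out.append(output_line)
            seen_output = True
        else:
            out.append(line)
    if not seen_output:
        out.append(output_line)
    return "\n".join(out) + "\n"


# Constructed excerpt standing in for C:\snort\snort.conf.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ./
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
include classification.config
include $RULE_PATH/web-iis.rules
"""

if __name__ == "__main__":
    home = netmask_to_cidr("10.20.30.0", "255.255.255.0")   # 10.20.30.0/24
    print(configure_snort_conf(SAMPLE_CONF, home, "c:/snort/rules",
                               "snort", "snort", "snort"))
```

The rewrite only touches the four lines the page names and leaves every other line, including the rule includes, untouched, so you can diff the result against the original before copying it into place.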


Installing WinPcap (Required Library)

● Install WinPcap23.exe

● Reboot your machine!


Installing MySQL Database

Note: If you are running Terminal Services under Windows 2000 Server or Advanced Server, you MUST install MySQL from the Add/Remove panel, or you can also type from the RUN in the start menu "change user /install" and after you install MySQL type "change user /execute".

● Install MySQL using ALL the default settings, making sure to install into "C:\" folder.

● Open a command window and type "C:\MySQL\Bin\winmysqladmin" (leave the quotes out). You should be presented with the MySQL admin interface asking for a Username and Password. For the Username type snort and for the Password type snort.

Note: If you have previously installed MySQL you may not be presented with the option to set the username and password. If this is the case you will need to set up a user called snort with a password of snort and the appropriate permissions, as discussed in the next section.

Note: If everything installed correctly you should now have a MySQL icon in the system tray.

● Right Click the MySQL icon in the system tray and select Show Me.

● Select the "Create Shortcut on Start Menu" button.

Note: This will create an entry in the Startup folder so that the administration panel runs each time you log on.


Creating a Win32 MySQL database

● Choose the Database tab, Right Mouse click on your server name, Select Create Database, and type your database name IE: "snort", and press "Create the Database". The database will be created, then select "OK". In the left window labeled "Databases" you will see your new database called "snort".

● Right click anywhere in the MySQL Admin screen and select "Hide Me", and MySQL will return to the system tray.

● If you were unable to create a user Snort when you installed MySQL then follow this :

Navigate to the "C:\MySQL\Bin" directory from a command window and type "mysql" (leave out the quotes). At the "mysql> " prompt type: \u mysql <press enter> (this selects the mysql database, which holds the privilege tables)
Type: grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost identified by "snort";

Note: This grant is limited to the snort database and to connections from localhost, which is all a single-box setup needs; do not widen it to ALL privileges or to a % host.

● To confirm the user was added, at the "mysql> " prompt type: \u mysql <press enter> (this selects the mysql database)
At the "mysql> " prompt type: show tables; (you should see a list of tables that includes a user entry)
At the "mysql> " prompt type: select * from user; (you should see the user "snort" listed)


Creating Tables into MySQL for Acid

● Navigate to "C:\MySQL\Bin" folder from the command window. At the "C:\MySQL\Bin> " prompt Type: MySQL -u snort snort < C:\snort\create_mysql

Note: To check to make sure the tables were added. Right Click on the MySQL icon in the system tray and choose Show Me. Select the Database tab, then in the Databases window pane select Snort. In the Databases Tables pane you should see some entries under Snort.


Testing Snort

● Navigate to the "C:\snort" folder. At the "C:\snort> " prompt type: snort -W. You will see a numbered list (1, 2, 3 ...) of the network adapters Snort can listen on.

● At the "C:\snort> " prompt type: snort -v -ix

Note: -ix (x is the number of the NIC to place your Snort sensor on)

Note: Open your browser and generate some web traffic. You should be seeing Snort detecting traffic in your command window. If you do not see any traffic then kill the Snort process and change the -ix to another interface number.

● Kill that instance of Snort from the Task Manager Process tab.

● At that same command prompt type:

snort -c c:\snort\snort.conf -l c:\snort\logs -ix

Note: -ix (x is the number of the NIC to place the Snort sensor on)

Note: If no errors were produced, Snort should have created an alert.ids file in the "C:\snort\logs" folder.

● Kill that instance of Snort from Task Manager Process tab.
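Once Snort has produced alert.ids it is worth checking what went into it before wiring up MySQL and ACID. The parser below is an added example, not code from the original page or from Snort: it reads the "full" alert layout Snort 1.8.x writes to alert.ids (a [**] header carrying generator:sid:revision and the message, an optional Classification/Priority line, a timestamp line with source and destination, then a protocol line) and totals the alerts by source address and by signature, which is the same grouping ACID will show. The alert text embedded in it is constructed; the addresses, timestamps and packet fields are made up.

```python
"""Parse Snort 1.8.x full-format alerts from alert.ids (added example).

Not part of the original page or the Snort project. SAMPLE_ALERTS is a
constructed alert.ids excerpt: addresses, timestamps and packet fields are
made up to match the layout Snort writes.
"""
import re
from collections import Counter

# One alert record: header, optional classification/priority line, packet
# line, protocol line, then any further lines (TCP flags, ICMP type, ...).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")


def parse_alerts(text: str) -> list:
    """Return one dict per alert; fields missing from a record stay None."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4),
                       "classification": None, "priority": None,
                       "time": None, "src": None, "sport": None,
                       "dst": None, "dport": None, "proto": None, "ttl": None}
            alerts.append(current)
            continue
        if current is None:            # stray text before the first header
            continue
        m = PRIORITY_RE.match(line)
        if m:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            current["time"] = m.group(1)
            current["src"], current["dst"] = m.group(2), m.group(4)
            # ICMP records carry no ports, so these stay None for them.
            current["sport"] = int(m.group(3)) if m.group(3) else None
            current["dport"] = int(m.group(5)) if m.group(5) else None
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"], current["ttl"] = m.group(1), int(m.group(2))
    return alerts


def summarize(alerts: list) -> dict:
    """Totals by source address and by signature, plus the priority-1 count."""
    return {
        "total": len(alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_sig": Counter((a["sid"], a["msg"]) for a in alerts),
        "priority1": sum(1 for a in alerts if a["priority"] == 1),
    }


# Constructed alert.ids excerpt (three records, two of them the same rule).
SAMPLE_ALERTS = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/29-10:15:02.118934 192.168.50.7:2811 -> 10.20.30.1:80
TCP TTL:112 TOS:0x0 ID:21774 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x3A18C4F1  Ack: 0x9F02B311  Win: 0x4470  TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/29-10:15:09.004312 192.168.50.7 -> 10.20.30.1
ICMP TTL:44 TOS:0x0 ID:39112 IpLen:20 DgmLen:28
Type:8  Code:0  ID:12345   Seq:0  ECHO

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/29-10:16:41.552100 192.168.50.9:3120 -> 10.20.30.1:80
TCP TTL:112 TOS:0x0 ID:21800 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x3A18D000  Ack: 0x9F02C000  Win: 0x4470  TcpLen: 20
"""

if __name__ == "__main__":
    # On a real sensor, read C:\snort\logs\alert.ids instead of the sample.
    report = summarize(parse_alerts(SAMPLE_ALERTS))
    print(f"{report['total']} alerts, {report['priority1']} at priority 1")
    for src, n in report["by_src"].most_common():
        print(f"  {src:16} {n}")
    for (sid, msg), n in report["by_sig"].most_common():
        print(f"  sid {sid:<6} {n:>3}  {msg}")
```

The parser keys each record on the [**] header line, so extra lines that some rules add (TCP flags, ICMP type, cross references) are simply skipped; if a record shows up with src or priority still None, the sensor is writing a layout this parser does not expect and the file is worth a look before trusting the counts.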


Configuring Snort to run as a Service NT4 Server / 2000 / XP

Note: If you used a previous install using INSTSRV to install Snort as a service, you will need to remove that.

● To remove the service that was installed using "INSTSRV.EXE" and "SRVANY.EXE" you will need to stop the snort service.

● From a command prompt type (make sure INSTSRV is in the path):

"instsrv srvany remove"
"instsrv snort remove"

● Start "REGEDIT.EXE" from the run box and Locate and delete the following sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort

● Reboot the system

● There are three command switches that Snort uses for the Service activation.

/SERVICE /INSTALL
/SERVICE /UNINSTALL
/SERVICE /SHOW

Explanation of Service options:

This will install Snort as a service with the specified parameters (-d writes the application-layer data and -e the link-layer headers into the logs; drop them if you only want alerts):
"snort /SERVICE /INSTALL -de -c c:\snort\snort.conf -l c:\snort\logs -ix"

Note: -ix (x is the number of the NIC to place the Snort sensor on)

This will remove Snort as a service:
"snort /SERVICE /UNINSTALL"

This will display the parameters the service was installed with:
"snort /SERVICE /SHOW"

● From a command prompt, navigate to the C:\snort folder and type:
snort /SERVICE /INSTALL -c c:\snort\snort.conf -l c:\snort\logs -ix

Note: -ix (x is the number of the NIC to place the Snort sensor on)

● From the Start Menu go to Programs / Administrative Tools  and Open the Services applet in Administrative Tools.  Select Snort from the services window, right click on Snort, choose Properties, and under startup type select Automatic (this will allow snort to be active when there is no one logged on).

Note: If you want to stop or start the service from a command prompt use:

"net stop snort"
"net start snort"

Note: If you want to change the parameters you must uninstall and reinstall the service from the C:\snort folder:

C:\snort\snort.exe /SERVICE /UNINSTALL
C:\snort\snort.exe /SERVICE /INSTALL < NEW PARAMETERS >

● To test the installation of the service you must reboot then go to Task Manager and if you find Snort there, you were successful.


Installing Internet Information Services (IIS) Webserver

Note: For NT Server 4.0, Internet Information Services is included with the Windows NT 4.0 Option Pack together with other tools and services. The Option Pack setup wizard makes it easy to set up the Web services and the other components that are part of the Option Pack: you check the items you want, answer a few questions, and the wizard installs that configuration on the target machine. If you are installing IIS 4 this way, install it first and then skip the rest of this section.

Note: If you installed Windows 2000 Server and chose the default installation, IIS will already be installed and you can skip this section.

Note: If you are using Windows 2000 or XP Professional you will need your CD.

● Place your 2000 or XP Professional CD into your CD player.

● In your Control Panel go to your Add/Remove Programs.

● Select Add/Remove Windows Components

● When your Windows Components Wizard appears double click the "Internet Information Services (IIS)"

● Select "FrontPage 2000 Server Extensions".

● Select "Personal Web Manager".

Note: Several options will be auto selected, leave them selected.

● Select "OK", Select "next" and this will install Internet Information Services (IIS).

● Select "Finish" and you're done installing IIS.


Installing PHP the HTML embedded scripting language

● Uncompress PHP into the C:\snort\php folder.

● Copy "C:\snort\php\php4ts.dll" to your "System32" folder.

Note: Our System32 folder is located in "C:\WINNT\"

● Copy the file "C:\snort\php\php.ini-dist" to your ROOT Folder and rename it to "php.ini".

Note: Our root folder is "C:\WINNT", but yours might be "C:\WINDOWS", or "C:\WINNT4".

● In WordPad edit the "php.ini" file, search for each of the settings below, and edit them to read:

max_execution_time = 60
session.save_path = "<Full path to your ROOT>/Temp"
extension=php_gd.dll (remove the ; in front of this line; PHPlot needs the GD extension to draw the charts)
extension_dir = c:\snort\php\extensions

Note: Our root folder is "C:\WINNT", but yours might be "C:\WINDOWS" or "C:\WINNT4", so session.save_path becomes, for example, "C:/WINNT/Temp".


Configure PHP extensions for NT Server / 2000 / XP running IIS 4/5

● Start the Microsoft Management Console (may appear as 'Internet Services Manager', either in your Windows 2000 or Windows XP Control Panel in Administrative Tools).

● Double click the server name and you should see your webserver and ftp server.

● Right click on your Web site node (this will most probably appear as 'Default Web Site'), and select 'Properties'.

● Under 'Home Directory', 'Virtual Directory', or 'Directory', click on the 'Configuration' button, and then enter the Applications Mappings tab.

● Click Add, and in the Executable box, type: C:\snort\php\php.exe

●In the Extension box, type: .php

Leave 'Method exclusions' blank if there is one

Check the Script engine checkbox.

You may also like to check the 'check that file exists' box - for a small performance penalty, IIS will check that the script file exists and sort out authentication before firing up php. This means that you will get sensible 404 style error messages instead of cgi errors complaining that php did not output any data.

Click "OK" then "Apply" then "OK"


Install ADODB - A high quality database library

● Uncompress ADODB into the C:\snort\adodb folder.

● Navigate to the "C:\snort\adodb" folder and edit the "adodb.inc.php" file to reflect the location of the ADODB folder:
$ADODB_Database = 'c:\snort\adodb';


Installing PHPLot - Graphing library for charts

 ● Uncompress PHPLot into the "C:\snort" folder


Installing the Acid Alert Viewer

● Uncompress the Acid archive and move the Acid folder into the root folder of your default website. IE: C:\Inetpub\wwwroot\

Note: IIS will serve that folder to anyone who can reach the web server, and ACID has no login of its own. Before pointing it at a real sensor, restrict the Acid folder with IIS directory security or NTFS permissions so that only your analysts can open it.

● Configure the 'acid_conf.php' file in the Acid folder. You should only have to edit the variables below. ACID is PHP, so each setting ends with a semicolon; forward slashes such as "c:/snort/adodb" also work on Windows and avoid any backslash-escape surprises in double-quoted strings.

$DBlib_path = "c:\snort\adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "snort";

/* Archive DB connection parameters */

$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "snort";

$ChartLib_path = "c:\snort\phplot";

● Reboot your machine!

● Start your browser and type: http://localhost/Acid/Index.html

Note: You will receive a configuration error the first time you run Acid

● Select to go to the Setup Page when this error appears, then select "Create ACID AG" to complete the Acid Alert Group configuration.

● Return to your browser and retype http://localhost/Acid/Index.html

Note: It may take a while to start seeing alerts, just let it go and Acid will auto refresh.


Conclusion:

You should be able to:

1) Run Snort as a service
2) Run MySQL and have Snort log to the database
3) Run ACID to view and graph alerts in HTML format

Note: This is a basic setup and you should modify this installation to your own needs.

Note: It is advisable for you to install Microsoft's Baseline Security Analyzer: HERE