Snort 1.9.0 b6-228 for Windows NT Server / 2000 / XP...

Database:  MySQL
Webserver: Apache
Console:   Acid

Author: Michael Steele
Technical Snort Support Engineer for Silicon Defense

Revised: February 4, 2003

Website: http://www.silicondefense.com/

This documentation will help to install Snort on a Windows NT4 Server, 2000 Pro/Server, or XP Pro/Server box. This installation is based on a single sensor, with a single interface, and a Console that will be accessed through localhost (127.0.0.1) only, and using Apache as the webserver.

For this installation I will be installing Snort on an Intel box running Windows XP with all the latest service packs and patches. This is a clean install of XP, and the drive has been partitioned into two logical drives, 'C:\' and 'D:\'.

This installation is based on the installer being logged on as 'Administrator' for the complete procedure, and only using the files downloaded from our website. This installation may NOT work with any other files, either newer versions or lesser versions of the same program.

Suggested Prerequisites:

● Fresh install of Windows
● Hard Drive Partition C - Min 2 Gigabytes
● Hard Drive Partition D - Min 10+ Gigabytes
● All Service Packs and Patches applied

I would strongly suggest a clean install to start this installation, but it is certainly not required. If this is being installed on a disk that has been used before, make SURE that all Service Packs and Patches have been applied, and that ANY of the programs about to be installed that were previously installed are COMPLETELY removed before starting this installation, especially WinPcap.

If you have not downloaded these files, please do so now.

Download Snort 1.9.0 (Build 228) (StdDB w/Service): HERE

Download Apache 2.0.44 W/No SSL: HERE

Download WinPcap 3.0 alpha4: HERE

Download MySQL Shareware 4.0.8 gamma: HERE

Download PHP 4.3.1: HERE

Download ADODB 3.10: HERE

Download PHPLot 4.4.6: HERE

Download JPGraph-1.10.1: HERE

Download ACID 0.9.6b23: HERE

Note: I will be using WinRAR to uncompress any compressed files; Download: HERE


Installing the Windows / Snort IDS System


The support programs for this installation will be installed on drive 'D:'.

● Navigate into the 'D:' drive, and create a folder called 'Applications'. This folder will be the home location for all the support programs for this installation.

● Uncompress 'Snort_1.9.0b6-228_Win32_StdDB_Service_Release.zip' into the 'D:\Applications' folder.

● Navigate into the 'D:\Applications' folder and rename the 'snort-1.9.0' folder to 'snort'.

● Navigate into the folder, 'D:\Applications\snort', and create a folder called 'log'

● Load the file 'D:\Applications\snort\etc\snort.conf' into WordPad. Several variables located in that file will need to be changed. Use the search routine to find and edit them.

Original: var HOME_NET any

The IP and Subnet variables in the examples below are purely fictitious.

To monitor a single host, with an IP of 10.0.0.3:
Change: var HOME_NET 10.0.0.3/32

To monitor a class C Network with an IP of 10.0.0.x, and a subnet of 255.255.255.x:
Change: var HOME_NET 10.0.0.0/24

To monitor a class B network with an IP of 10.0.x.x, and a subnet of 255.255.x.x:
Change: var HOME_NET 10.0.0.0/16

To monitor a class A Network with an IP of 10.x.x.x, and a subnet of 255.x.x.x:
Change: var HOME_NET 10.0.0.0/8

Note: By default Snort will monitor the complete network using 'var HOME_NET any'

Note: There are several other settings that will need to be changed, and these MUST be copied EXACTLY as they are described here. Search for each 'Original' line and replace it with the matching 'Change' line.

Original: var RULE_PATH ../rules
Change: var RULE_PATH d:/applications/snort/rules

Original: # output database: log, mysql, user=root password=test dbname=db host=localhost
Change: output database: log, mysql, user=snort password=123 dbname=snort host=127.0.0.1 port=3306 sensor_name=SENSOR_NAME

Original: # output database: alert, postgresql, user=snort dbname=snort
Change: output database: alert, mysql, user=snort password=123 dbname=snort host=127.0.0.1 port=3306 sensor_name=SENSOR_NAME

Note: In the two output database lines above, there is a sensor_name=SENSOR_NAME. This SENSOR_NAME is usually the hostname of the sensor. This name is displayed in the Acid console when alerts are being viewed.

Original: # output alert_syslog: LOG_AUTH LOG_ALERT
Change: output alert_syslog: LOG_AUTH LOG_ALERT

Note: This will allow Snort to send alerts to the Application log located in the Event Viewer. If logging to the Application Log is not important, then leave the hash mark (#) in.

Original: include classification.config
Change: include d:/applications/snort/etc/classification.config

Original: include reference.config
Change: include d:/applications/snort/etc/reference.config

● Save the file and exit!


Installing WinPcap:

● Double click on the 'WinPcap_3_0_a4.exe' file, and install using the default settings.


Testing the Snort Install:

Navigate to 'D:\Applications\snort'

● At the command prompt '>' type: snort -W

Note: If WinPcap is operating properly, and Snort has been installed correctly, there will be a list of possible sniffing interfaces, each identified by a number. The correct interface MUST be selected or Snort will not detect traffic.

Note: The interface number obtained from 'snort -W' will be used throughout the next several exercises. The switch for designating a particular interface is '-ix', where 'x' is always the interface number obtained from 'snort -W'.

● At the command prompt '>' type: snort -v -ix

Note: This will run Snort in verbose mode (-v) on a specific interface (-ix). The 'x' in '-ix' is the number of the Network Interface Card that Snort will sniff on. If Snort is operating properly then packets should be streaming by in the command window, but if not, open a browser and surf the web and generate some traffic.

Possible No Traffic Problems:

● Selected the wrong Network Card.
● Network card may need a driver update.
● A previously installed 'WinPcap' was not properly removed.
● No network connection.
● Snort does not operate on dual processors.
● Snort does not operate on a PPPoE connection.
● If connected to a switch the ports must be mirrored.
● Ethernet cable not secure, or bad.

● At the command prompt '>' press the 'CTRL/C' keys to exit

Note: All errors must be resolved before continuing!


Enabling Snort to Run as a Service:

Note: If a Snort service was previously installed using the 'INSTSRV.exe' program, then that service MUST be removed, otherwise the built-in service installer for Snort will fail.

● To remove a service that was installed using "INSTSRV.EXE" and "SRVANY.EXE", first stop the snort service.

● From a command prompt type (make sure INSTSRV is in the path):

"instsrv srvany remove"
"instsrv snort remove"

● Start "REGEDIT.EXE" from the Run box, then locate and delete the following sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort

● Reboot the system

Explanation of the Service Options and Commands:

● There are three command switches that Snort uses for the Service activation.

Note: It is IMPERATIVE that these commands ALWAYS be executed in the same folder as Snort.

/SERVICE /INSTALL
/SERVICE /UNINSTALL
/SERVICE /SHOW

This will install Snort as a service with the specified parameters:
snort /SERVICE /INSTALL -de -c c:/snort/snort.conf -l c:/snort/logs -ix

Note: -ix (x is the number of the NIC for Snort to sniff on)

Note: After every 'snort /SERVICE /INSTALL', be SURE to run the service applet, and set the 'snort' entry to 'Automatic', or the service will fail to start at a reboot.

This will remove snort as a service:
snort /SERVICE /UNINSTALL

This will display the parameters:
snort /SERVICE /SHOW

Starting and stopping Snort from a command prompt:

net stop snort
net start snort

Note: Snort can be stopped, started, and restarted from the Service applet.

Configuring the Snort Service:

● From a command prompt, navigate to the 'D:\Applications\snort' folder and type:
snort /SERVICE /INSTALL -c d:/applications/snort/etc/snort.conf -l d:/applications/snort/log -ix

Note: -ix (x is the number of the NIC for Snort to sniff on)

Note: You should receive a confirmation that the service has successfully installed.

● Start the Services applet, either in the Windows 2000 or Windows XP Control Panel, or in the Administrative Tools folder located in the Control Panel.

● From the Services applet, scroll down, right click on the entry 'snort', select 'Properties', in the 'Startup Type' select 'Automatic', click the 'OK' button, and exit the Services applet.

Note: This will allow snort to start at a reboot.


Installing the MySQL Databases:

Note: If Terminal Services are running, then MySQL must be installed from the Add/Remove Programs panel, or by selecting the Run dialog box in the Start menu and typing 'change user /install'; after MySQL has installed, type 'change user /execute' to revert to user execution mode.

● In WordPad, place the lines between the '>----- CUT -----<' markers in a new file, and save it as '<ROOT FOLDER>\my.ini'. The root folder could be 'C:\WINDOWS', in which case the file is saved as 'C:\WINDOWS\my.ini'.

>----- CUT -----<
[mysqld]
basedir=D:/Applications/mysql
bind-address=127.0.0.1
datadir=D:/Applications/mysql/data
port=3306
set-variable=key_buffer=64M

[WinMySQLadmin]
server=D:/Applications/mysql/bin/mysqld-nt.exe
#user=root
#password=0100
>----- CUT -----<

● Save the file and exit!

● Uncompress 'mysql-4.0.8-gamma-win.zip' into a temp folder, and navigate to that folder.

● Install MySQL by double clicking on the setup.exe file, click 'Next', click 'Next', click 'Browse' type d:\applications\mysql into the dialog box, click 'OK', click 'Next', tick 'Typical', click 'Next', let the install complete, and select finish.

● The temp storage folder for MySQL can be deleted.

● Navigate to, and execute, 'D:\Applications\mysql\bin\winmysqladmin.exe'.

Note: If MySQL has installed properly, an icon that resembles a traffic light will be in the system tray. This is an indicator for the status of MySQL: green indicates running, and red indicates stopped.

● Right Click the MySQL icon in the system tray and click on 'Show Me'.

● Select the 'Start Check' tab and the first line should be 'There is a my.ini file' and to the right of that it should say 'yes'.

Note: If there are any errors then reboot and check them again prior to proceeding.

● Select the 'my.ini Setup' tab and make sure the Base Dir is set to 'D:\Applications\mysql', and also the 'mysqld file' has a tick next to the 'mysqld-nt'.

● Click the 'Save Modifications' button, click the 'Yes' button, click the 'OK' button, click the 'Create Shortcut on Start Menu' button, and click 'OK'.

Note: Clicking 'Create Shortcut on Start Menu' places a shortcut to 'winmysqladmin.exe' in the Startup folder, so the administration panel and status indicator start automatically when the sensor is restarted.

● Right click anywhere in the MySQL Administration panel and select 'Hide Me'.

Removing Default Users & Databases:

From a command prompt Navigate to the 'D:\Applications\mysql\bin' folder.

● At the command prompt '>' type: mysql -u root

● Note: It is IMPERATIVE that a semicolon is added as shown in the commands below. MySQL relies on this semicolon as a line terminator.

● At the 'mysql>' prompt type: use mysql;

● At the 'mysql>' prompt type: delete from user where host = "%";

● At the 'mysql>' prompt type: delete from user where user = "";

● At the 'mysql>' prompt type: select * from user;

Note: There should only be a user 'root' listed.

● At the 'mysql>' prompt type: drop database test;

● At the 'mysql>' prompt type: show databases;

Note: There should only be a 'mysql' database listed.

Creating Databases:

● At the 'mysql>' prompt type: create database snort;

● At the 'mysql>' prompt type: create database archive;

● At the 'mysql>' prompt type: show databases;

Note: There should be three databases listed, 'archive', 'mysql', and 'snort'.

Creating Database Users:

● At the 'mysql>' prompt type: grant INSERT,SELECT on snort.* to snort@localhost identified by "123";

● At the 'mysql>' prompt type: show grants for snort@localhost;

Note: This should show the privileges for user 'snort', and they should match what was added.

● At the 'mysql>' prompt type: grant USAGE on *.* to acid@localhost identified by "12345";

● At the 'mysql>' prompt type: grant INSERT,SELECT,CREATE,DELETE,ALTER on snort.* to acid@localhost;

● At the 'mysql>' prompt type: grant INSERT,SELECT,CREATE,DELETE,ALTER on archive.* to acid@localhost;

● At the 'mysql>' prompt type: show grants for acid@localhost;

Note: This should show the privileges for user 'acid', and they should match what was added.

● At the 'mysql>' prompt type: select * from user;

Note: There should be three users listed, 'root', 'acid', and 'snort'.

● At the 'mysql>' prompt type: quit;

This completes setting up the databases, and users.
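The grants above give 'snort' only INSERT and SELECT on the snort database, and give 'acid' the additional CREATE, DELETE and ALTER it needs to manage alert groups and the archive. As an added check that is not part of the original guide, the following Python example parses the text of 'show grants for ...' output and compares it against that model, reporting any privilege added beyond it or left out of it. The SHOW GRANTS rows below are constructed to match what the guide's statements produce; MySQL prints privileges in its own fixed order, so the comparison is done on sets rather than on the literal text.

```python
"""Check SHOW GRANTS output against the guide's least-privilege model.

Added example; not part of the original guide or of MySQL.
"""
import re

# What the guide grants: the sensor may only insert and read alerts; the console
# may also create, delete and alter (needed for ACID alert groups and archiving).
# 'USAGE ON *.*' is MySQL's way of saying "no global privileges" and is shown
# for every account, so it is part of the expected picture.
EXPECTED_GRANTS = {
    "snort@localhost": {
        "*.*": {"USAGE"},
        "snort.*": {"INSERT", "SELECT"},
    },
    "acid@localhost": {
        "*.*": {"USAGE"},
        "snort.*": {"INSERT", "SELECT", "CREATE", "DELETE", "ALTER"},
        "archive.*": {"INSERT", "SELECT", "CREATE", "DELETE", "ALTER"},
    },
}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)


def parse_show_grants(rows):
    """Turn SHOW GRANTS rows into {account: {object: set(privileges)}}."""
    grants = {}
    for row in rows:
        m = GRANT_RE.match(row.strip())
        if not m:
            continue  # not a GRANT row (a header or blank line)
        account = f"{m['user']}@{m['host']}"
        obj = m["obj"].replace("`", "")
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        grants.setdefault(account, {}).setdefault(obj, set()).update(privs)
    return grants


def check_least_privilege(grants, expected):
    """Return human-readable findings; an empty list means grants match the model."""
    findings = []
    for account, objects in expected.items():
        actual = grants.get(account, {})
        for obj, wanted in objects.items():
            got = actual.get(obj, set())
            if got - wanted:
                findings.append(f"{account}: extra privileges on {obj}: {sorted(got - wanted)}")
            if wanted - got:
                findings.append(f"{account}: missing privileges on {obj}: {sorted(wanted - got)}")
        for obj in actual:
            if obj not in objects:
                findings.append(f"{account}: unexpected grants on {obj}: {sorted(actual[obj])}")
    return findings


# Constructed SHOW GRANTS rows as produced by the guide's GRANT statements.
# MySQL lists privileges in its own fixed order; '<hash>' is a placeholder.
SHOW_GRANTS_OK = [
    "GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT, INSERT ON `snort`.* TO 'snort'@'localhost'",
    "GRANT USAGE ON *.* TO 'acid'@'localhost' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT, INSERT, DELETE, CREATE, ALTER ON `snort`.* TO 'acid'@'localhost'",
    "GRANT SELECT, INSERT, DELETE, CREATE, ALTER ON `archive`.* TO 'acid'@'localhost'",
]

# Constructed drift: the sensor account was later widened beyond what it needs.
SHOW_GRANTS_DRIFT = SHOW_GRANTS_OK[:1] + [
    "GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON `snort`.* TO 'snort'@'localhost'",
] + SHOW_GRANTS_OK[2:]

if __name__ == "__main__":
    for label, rows in (("as installed", SHOW_GRANTS_OK), ("after drift", SHOW_GRANTS_DRIFT)):
        findings = check_least_privilege(parse_show_grants(rows), EXPECTED_GRANTS)
        print(label, "->", findings or "grants match the model")
```

Feeding the real output of 'mysql -u root -e "show grants for snort@localhost; show grants for acid@localhost"' into `parse_show_grants()` gives a quick re-check after any later maintenance; the sensor account in particular should never gain UPDATE, DELETE or DROP, since Snort only ever inserts.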


Creating Acid Tables in MySQL:

● At the command prompt '>' type: mysql -u root snort < D:\Applications\snort\contrib\create_mysql

● At the command prompt '>' type: mysql -u root archive < D:\Applications\snort\contrib\create_mysql

● At the command prompt '>' type: mysql -u root

● At the 'mysql>' prompt '>' type: use snort;

● At the 'mysql>' prompt '>' type: show tables;

Note: If the snort database has been populated, there will be table listings.

● At the 'mysql>' prompt '>' type: use archive;

● At the 'mysql>' prompt '>' type: show tables;

Note: If the archive database has been populated, there will be table listings.


Locking MySQL Down:

● At the 'mysql>' prompt '>' type: set password for root@localhost = password("0100");

● At the 'mysql>' prompt '>' type: quit;

Note: In order to do any manual maintenance, the user 'root' will need to be used along with its assigned password to gain access to the MySQL database.

● Right click on the MySQL Admin module in the system tray and select 'Show Me'

● Select the 'my.ini Setup' tab

● Just below the 'server=' entry edit these two lines:

Original: #user=root
Change: user=root

Original: #password=0100
Change: password=0100

● Click the 'Save Modification' button, click 'Yes', and click 'OK'.

● Right click anywhere in the MySQL Admin applet, and select 'Hide Me'.

Note: At this point Snort is configured to run as a service, and MySQL has been completely configured.

Now restart the sensor...


Confirming MySQL and Snort are Running:

● Open 'Task Manager'; 'snort.exe', 'mysqld-nt.exe', and 'winmysqladmin.exe' should be listed under 'Processes'.

● In the System Tray in the bottom right, by the clock, there should be an icon resembling a traffic light. If the indicator is green, then MySQL is running. If the indicator is red then MySQL is not running.


Installing Apache Webserver:

Note: Apache may fail to execute on Windows NT4/95/98/ME/2000. If this happens then the MSI installer may be missing, and may need to be installed. Microsoft furnishes these installers HERE.

● Install Apache by double clicking on the 'apache_2.0.44-win32-x86-no_ssl.msi' file, click the 'Next' button, tick 'I accept the terms', click the 'Next' button, and click the 'Next' button.

Note: The 'Server Information' dialog asks three questions, and it is important that all three boxes are completed correctly.

1. 'Network Domain': Here, enter your domain information.
2. 'Server Name': Here, enter the hostname of your server.
3. 'Administrator Email': Here, enter an Email address for the System Administrator.

● Tick 'for all users, on port 80, as a service - Recommended', click the 'Next' button, tick 'Typical', click the 'Next' button, click the 'Change' button, in the 'Folder Name' dialog box type 'd:\applications\apache', click the 'OK' button, click the 'Next' button, click the 'Install' button, let Apache complete the install, and click 'Finish'.

Note: After installing Apache there will be an Apache status applet in the System Tray.

● In the System Tray right click the Apache Status indicator, select 'Open Apache Monitor', click the 'Stop' button, let the Apache server stop, and click the 'OK' button.

● In WordPad edit the 'D:\Applications\apache\apache2\conf\httpd.conf' file and change or add these variables:

Original:     Order allow,deny
Change:     Order deny,allow

Original:     Allow from all
Change:     Deny from all
Add:          Allow from 127.0.0.1

● Restart the sensor...
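The three httpd.conf changes above work together. Under Apache 2.0's mod_access, 'Order deny,allow' evaluates Deny first and lets a matching Allow override it, so 'Deny from all' plus 'Allow from 127.0.0.1' admits only the local console. With the original 'Order allow,deny' left in place, the same two lines would deny every client, localhost included, because a matching Deny wins under that order. The following Python example, added here and not part of the original guide or of Apache, models that evaluation so the effect of each combination can be checked. It handles 'all', single IP addresses and CIDR networks; Apache's partial-IP, hostname and netmask forms are deliberately left out.

```python
"""Model Apache 2.0 mod_access 'Order' / 'Allow from' / 'Deny from' evaluation.

Added example; not part of the original guide or of Apache.  Only 'all',
single IP addresses and CIDR networks are modelled; Apache's partial IP,
hostname and netmask forms are omitted (a simplification, not Apache's code).
"""
import ipaddress


def _matches(client, rule):
    """True when an Allow/Deny 'from' argument covers the client address."""
    if rule.lower() == "all":
        return True
    addr = ipaddress.ip_address(client)
    if "/" in rule:
        return addr in ipaddress.ip_network(rule, strict=False)
    return addr == ipaddress.ip_address(rule)


def apache_access(order, allow_rules, deny_rules, client):
    """Return True if mod_access would permit the client.

    Order allow,deny: Allow lines are checked first, then Deny; the default is
        deny and a matching Deny always wins.
    Order deny,allow: Deny lines are checked first, then Allow; the default is
        allow and a matching Allow always wins.
    """
    allowed = any(_matches(client, r) for r in allow_rules)
    denied = any(_matches(client, r) for r in deny_rules)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported Order directive: {order!r}")


# The guide's final httpd.conf state for the console: localhost only.
GUIDE_ALLOW = ["127.0.0.1"]
GUIDE_DENY = ["all"]


def console_reachable(client, order="deny,allow"):
    """Evaluate the guide's Allow/Deny lines under a given Order for one client."""
    return apache_access(order, GUIDE_ALLOW, GUIDE_DENY, client)


if __name__ == "__main__":
    # Constructed client addresses; 10.0.0.5 stands for any remote host.
    for client in ("127.0.0.1", "10.0.0.5"):
        print(f"{client}: deny,allow -> {console_reachable(client)}, "
              f"allow,deny (Order line left unchanged) -> {console_reachable(client, 'allow,deny')}")
```

The second column in the output is the case to watch for: if only the Deny and Allow lines are edited and the Order line is forgotten, the console stops answering even from the sensor itself, which is easy to mistake for a PHP or ACID problem.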


Installing PHP the HTML embedded scripting language:

● Uncompress 'php-4.3.0-Win32.zip' into 'D:\Applications\php'.

● Copy the file 'D:\Applications\php\php4ts.dll' to your "System32" folder.

Note: The 'System32' folder could be located in 'C:\WINDOWS\', or 'C:\WINNT'.

● Copy the file 'D:\Applications\php\php.ini-dist' to the 'SYSTEM ROOT' folder, and rename it to 'php.ini'.

Note: The 'SYSTEM ROOT' folder is usually 'C:\WINDOWS\', or 'C:\WINNT'.

● In WordPad edit the 'php.ini' file and change these variables:

Original: max_execution_time = 30
Change: max_execution_time = 60

Original: session.save_path = /tmp
Change: session.save_path = C:\WINDOWS\Temp

Note: Make SURE the 'session.save_path =' variable is pointing to the correct and existing 'Temp' or 'Tmp' folder.

Original: ; cgi.force_redirect = 1
Change: cgi.force_redirect = 0

Original: ; extension=php_gd.dll
Change: extension=php_gd.dll

Original: doc_root =
Change: doc_root = d:\applications\apache\apache2\htdocs\acid

Original: extension_dir = ./
Change: extension_dir = d:\applications\php\extensions

● Save the file and exit!


Configure PHP extensions for Apache:

● In WordPad edit the 'D:\Applications\apache\apache2\conf\httpd.conf' file.

● Do a search for 'AddType'; there should be two active listings. Just above the first entry create a new blank line, and insert this next line there.

AddType application/x-httpd-php .php .phtml

● Do a search for 'Dynamic Shared Object (DSO) Support'; this section contains the 'LoadModule' support lines. Just above the first entry create a new blank line, and insert this next line there.

LoadModule php4_module d:/applications/php/sapi/php4apache2.dll

● Save the file and exit!


Install ADODB (A high quality database library):

● Uncompress 'adodb310.zip' into 'D:\Applications\adodb'.

● In WordPad edit the 'D:\Applications\adodb\adodb.inc.php' file and change these variables:

Original: $ADODB_database = '';
Change: $ADODB_database = 'd:\applications\adodb';

● Save the file and exit!


Installing PHPLot (Graphing):

● Uncompress 'phplot-4.4.6.zip' into 'D:\Applications'.

● Navigate into the 'D:\Applications' folder and rename the 'phplot-4.4.6' folder to 'phplot'.


Installing JPGraph (Graphing):

● Uncompress 'jpgraph-1.10.1.zip' into 'D:\Applications'.

● Navigate into the 'D:\Applications\jpgraph-1.10.1\src' folder, and copy all the *.php files into 'D:\Applications\phplot'.

● The folder 'jpgraph-1.10.1' can be deleted.


Installing the Acid Alert Viewer:

● Uncompress 'acid-0.9.6b23.zip' into 'D:\Applications\apache\Apache2\htdocs'.

● In WordPad edit the 'D:\Applications\apache\Apache2\htdocs\acid_conf.php' file and change these variables:

Original: $DBlib_path = "";
Change: $DBlib_path = "d:\applications\adodb";

Original:
$alert_dbname   = "snort_log";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "root";
$alert_password = "mypassword";

Change:
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "3306";
$alert_user     = "acid";
$alert_password = "12345";

Original:
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "root";
$archive_password = "mypassword";

Change:
$archive_dbname   = "archive";
$archive_host     = "localhost";
$archive_port     = "3306";
$archive_user     = "acid";
$archive_password = "12345";

Original: $ChartLib_path = "";
Change: $ChartLib_path = "d:\applications\phplot";

Note: It is IMPERATIVE that QUOTES are used in the above modifications or Acid will fail.

● Save the file and exit!

● Reboot your new IDS Sensor!

● Start a browser and type: http://localhost/acid/Index.html

Note: An error stating 'the underlying database snort@local appears to be invalid' will appear the first time ACID is run. Select the link 'Setup page' when this error appears. Then select the 'Create ACID AG' button to complete the Acid Alert Group configuration. A message stating 'The underlying Alert DB is configured for usage with Acid' will appear, and the database is completely configured.

● Return to a browser and retype: http://localhost/acid/Index.html

Note: Acid MUST always be initiated using: http://localhost/acid/Index.html

Note: It may take a little while to start seeing alerts, just let it go, and Acid will auto refresh.

Caution: Apache has NOT been securely locked down. Please take the necessary precautions to do this. I will have documentation on this in the near future.


Conclusion:

The IDS should be able to:

1) Run Snort as a service
2) Run MySQL and have Snort log to the database
3) Run Acid to view alerts in HTML format

Note: This is a basic setup and should be modified to reflect your own needs.

Note: It is advisable to install and execute Microsoft's Baseline Security Analyzer: HERE

Your comments and criticism are always appreciated. If a mistake or omission has been made, please e-mail me and I will revise.

Michael Steele | System Engineer / Support Technician
Email Me: mailto:michaels@silicondefense.com
Silicon Defense: IDS solutions - http://www.silicondefense.com/
Snort: Open Source Network IDS - http://www.snort.org/