Install Snort IDS in Windows 2000

By Ron Nutter
Intrusion detection systems (IDSs) are critical tools for network security engineers. The Linux/UNIX world offers a number of free tools that are powerful, flexible, and simple to use. Thanks to Silicon Defense, one such tool, Snort, has made the migration from Linux/UNIX to Windows. I’m going to show you how to install and run Snort on Windows 2000.

Getting started
For the purpose of this article, I used Windows 2000 Professional as the platform on which to build the IDS server. When setting up the system, install Windows 2000 Professional and then apply Service Pack 2 and all the updates that the Microsoft Windows Update lists for your system. You’ll also want to install IIS so you can use it later to receive real-time alerts.

Installing IIS
To install IIS on your Windows 2000 server, go to Control Panel, open Add/Remove Programs, click on Add Windows Components, and select the Internet Information Server check box. Click Next and have your Windows 2000 Professional CD at hand; the installation will need the files for IIS unless you already copied the I386 directory to the hard drive, or it’s available over the network.

Once you’ve restarted the workstation, you can start collecting the files you will need for Snort and the required applications to set up real-time alerting.

Getting the files
Snort for Windows requires you to install the following files:
• Snort
• WinPcap
• MySQL
• PHP
• PHPLot
• ADOdb
• ACID
• Run As Service Files
• WinRAR

Note that the WinRAR tool allows you to decompress any compressed files in the list.

Create a temporary directory to hold your downloaded files. I named mine snort_temp. Then, download these files and save them to your temporary directory.

Play it safe
Keep everything in one directory and back it up once you’ve collected all the files. That way, if you need to re-create the IDS system you’re building, you’ll have everything at hand.

Installing Snort
You’ll need to create six new directories for this installation:
• C:\Snort
• C:\Snort\Rules
• C:\Snort\PHP
• C:\Snort\ADOdb
• C:\Snort\Logs
• C:\Snort\Docs

Unzip the Snort binary you downloaded and extract it to your temporary directory. Then, copy the files listed below into the directories specified:
• All the .rules files and the classification.config file go into C:\Snort\Rules.
• All the documentation files should be placed into C:\Snort\Docs.
• The snort.exe and the snort.conf files go into C:\Snort.
• The create_mysql file (located in the Contrib directory within the snort_temp directory) goes into C:\Snort.

Editing snort.conf
Next, you’ll need to edit the snort.conf file to tell Snort which addresses to monitor, where to find its rule files, and how to log to MySQL. The first line you need to edit is the var HOME_NET any line. Replace any with the IP address and subnet mask of the network you want to monitor, written in CIDR form. For instance, to monitor a single host when your IP is 10.20.30.1 and your subnet is 255.255.255.255, change the any entry to 10.20.30.1/32.

The next line to edit is the output database line, which tells Snort that you’re running MySQL and which user name to log in to the database with; it will look like the one shown in Appendix A. Change the variables shown in Appendix A to point to the MySQL database that you would like to use.

The next line to edit contains the var RULE_PATH ./ directive. Change this directive to var RULE_PATH c:/Snort/Rules.

Finally, change the include that reads include classification.config to include RULE_PATH/classification.config.

Script tips
Make sure you use the forward slash instead of the backslash. The programs you’re installing were initially written for Linux/UNIX environments, so using anything other than the forward slash will prevent them from working. I ran into this problem, and it took more than two hours on the phone with Silicon Defense trying to figure out why I couldn’t get Snort to run. This rule applies with the exception of the installation of PHP. See the section on installing PHP for more on this.
Also, when you edit the classification.config line, put a $ in front of the RULE_PATH variable. Although it’s not required for Snort to run under Windows, it helps avoid some script processing problems that have shown up in some installations under Windows.
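The snort.conf edits described above, collected into one fragment as an added example (this is not text from the original article or from the Snort distribution). The commented-out lines show the default and the backslash form that the Script tips warn against.

```conf
# --- Added example: the edited lines in C:\Snort\snort.conf ---

# Addresses to protect: the single sensor address with a /32 mask from the article.
# var HOME_NET any                    <- the default; matches every address, too broad
var HOME_NET 10.20.30.1/32

# Rule directory. Forward slashes only: the config parser was written for UNIX.
# var RULE_PATH c:\Snort\Rules        <- backslashes break the include lines below
var RULE_PATH c:/Snort/Rules

# Log alerts to the MySQL database created with create_mysql (Appendix A).
# Snort also accepts a password= field here once the snort account has a password.
output database: log, mysql, user=snort dbname=snort host=localhost

# Classification file, referenced through the variable with the leading $.
include $RULE_PATH/classification.config
```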

Installing WinPcap
WinPcap is a device driver that adds packet-filtering capability to versions of Windows from 95 to XP. WinPcap allows you to send and receive data through the network card without requiring a special driver from the vendor. To install WinPcap, just run the executable and reboot the workstation before installing the remaining components.

Installing MySQL

MySQL is also easy to install. Create another temporary directory—I called mine mysql_temp. Unpack the .zip file containing MySQL into your temporary directory and run the setup program. By default, it will install onto the C: drive.

After you’ve installed MySQL, you need to create a Win32 MySQL database and MySQL tables for the Analysis Console for Intrusion Databases (ACID). Even if you haven’t worked with SQL before, it’s not difficult to do this. To create a database named snort, follow these steps:
1. Open a command window and type C:\MySQL\Bin\winmysqladmin.
2. From the MySQL Admin tool, choose the Database tab.
3. Right-click on your server name listed in this tab.
4. Select Create Database.
5. Type your database name. (I used snort for this example.)
6. Click the Create The Database button.
7. Click OK.

In the window labeled Databases, you’ll find your new database.

To create a MySQL table that will be used for ACID (a PHP-based analysis engine used by Snort to search and process a database of security events), navigate to the C:\MySQL\Bin folder from the command window. Then, at the C:\MySQL\Bin> prompt, enter the command MySQL -u snort snort < c:\Snort\create_mysql.

You’ll want to set up Snort to start as a service when using it on a WinNT/2K/XP machine. To do this, first decompress the file called ServiceTools.exe into your root folder. Two files are included in the archive—Srvany.exe and Instsrv.exe. These are required to run Snort as a service.

Now open a command prompt window and navigate to your root folder. At a command prompt, type: INSTSRV SRVANY \SRVANY.EXE. At the same prompt, type: INSTSRV.EXE snort \SRVANY.EXE.

Start the Registry Editor from the Run box. Make sure that you back up your registry. Locate and select this subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort

From the Edit drop-down menu, select New | Key and then type Parameters. Right-click on the new Parameters key, select New | String Value, and type Application. Right-click on the new Application string, select Modify, and type C:\Snort\Snort.exe. Right-click on the Parameters key again, select New | String Value, and type AppParameters. Right-click on the new AppParameters string, select Modify, and type -c C:\Snort\Snort.conf -l C:\Snort\Logs -iX (where X is the number of the network adapter Snort should listen on; see Testing Snort below for how to find it).

Right-click on the Parameters key one more time, select New | String Value, and type AppDirectory. Then, right-click on the new AppDirectory string, select Modify, and type: C:\Snort.

From the Start Menu, go to Programs | Administrative Tools and open the Services applet. Select Snort from the services window, right-click on Snort, and choose Properties. Under Startup Type, select Automatic. This will allow Snort to be active when no one is logged on.
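The registry values the article builds by hand in Regedit, written as a .reg file so the service definition can be backed up and re-created along with the rest of your snort_temp files. This is an added example, not part of the original article; the file name snort_service.reg is an assumption, and X in -iX must be replaced with the adapter number that Snort -W reports.

```reg
Windows Registry Editor Version 5.00

; Added example: import with  regedit /s snort_service.reg  after INSTSRV has
; created the Snort service. Export the Snort key first, as the article advises.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort]
; Start=2 is "Automatic" in the Services applet, so Snort runs with no one logged on.
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort\Parameters]
; Backslashes are doubled in .reg syntax; the stored values are the plain C:\Snort paths.
"Application"="C:\\Snort\\Snort.exe"
"AppParameters"="-c C:\\Snort\\Snort.conf -l C:\\Snort\\Logs -iX"
"AppDirectory"="C:\\Snort"
```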

Testing Snort
You’ll want to test Snort to be sure that it’s configured correctly and to verify that it can talk to the newly created database. To test it, first navigate to the C:\Snort folder at the command line. At the C:\Snort> prompt, enter the command Snort -W to see a numbered list of the network adapters on which the sensor can listen.

Again at the C:\Snort> prompt, type the command snort -v -iX (where X is the number of the network adapter to place the Snort sensor on). Open a browser and generate some traffic by navigating to various Web sites. Snort should display the traffic it sees. Kill Snort from the Task Manager Processes tab. At the same C:\Snort> command prompt, enter Snort -c C:\Snort\Snort.conf -l C:\Snort\Logs -iX (where X is again the number of the network adapter to place the Snort sensor on).

When the last command has been executed, any errors that show up must be resolved before you can continue. The most common errors result from using the wrong username for Snort to log in to the SQL database, using the wrong database name for Snort to log in to, or using the wrong adapter number when running the tests.

Installing PHP, ADOdb, PHPLot, and ACID
The last part of the process goes pretty fast. To install PHP, do the following:
1. Decompress PHP into the C:\Snort\PHP folder.
2. Copy C:\Snort\PHP\php4ts.dll to your System32 folder.
3. Copy the file C:\Snort\PHP\php.ini-dist to your ROOT folder and rename it php.ini.
4. Edit the variables from the php.ini file as shown in Appendix B.

When installing PHP, use the forward slash to specify the path for the session.save_path parameter, and use the backslash for the drive and path for the extension_dir parameter.

Also, when installing PHP, the term ROOT refers to the path where Windows 2000 is installed; it’s typically C:\WINNT.

To install ADOdb, simply:
1. Decompress ADOdb into the C:\Snort\ADOdb folder.
2. Navigate to the C:\Snort\ADOdb folder and edit the ADODB.INC.PHP file to reflect the location of the ADOdb folder by typing $ADODB_Database = 'C:\Snort\adodb';

Installing PHPLot just requires you to decompress PHPLot into the C:\Snort folder.

To install the ACID alert viewer, you need to decompress and move the ACID folder into the root folder of your default Web site (typically C:\Inetpub\wwwroot\). Then, configure the ACID acid_conf.php file in the Acid folder as shown in Appendix C. Next, reboot your machine, start your browser, and type http://localhost/Acid/Index.html. The first time you run ACID, you’ll see an error indicating that the underlying database is incomplete. Select Setup Page when this error appears. Select Create ACID AG to complete the Acid Alert Group configuration, and then go back to your browser and retype http://localhost/Acid/Index.html.

Congratulations, you’ve installed Snort
Once everything is installed and working properly, it may take a few minutes before alerts start showing up. To make sure that things are okay, verify that the Services applet shows Snort as started and that it also shows up as a running process under the Task Manager.

If Snort doesn’t show up under Task Manager, there is a problem with the service automatically starting using the srvany file. Try deleting the services you created with instsrv, rebooting the workstation, and re-creating the services. You’ll have a problem if you delete the services and then try to re-create them without rebooting the workstation.

From the application side, closely watch the information that Snort reports before hitting the panic button. Some of the items Snort will report are actually normal NT-to-NT communications, but some could be hacking attempts if either the source or destination address in the alert is not on your network. As with any reporting software, Snort will be only as good as the version of the rules you’re using to find hacking attempts. Visit the Snort Web site periodically to make sure you have the latest rules installed.

Getting more help
Keep in mind that you have a basic install of Snort; additional features can be enabled. For more information on the details of configuring the various packages used with Snort, take a look at these sites:
Snort
WinPcap
MySQL
PHPLot
ADOdb
ACID

In addition to the above sites, you can subscribe to the Snort Users mailing list on the Snort Web site. This mailing list offers more specific help for your Snort installation. Another option for commercial-level Snort support is the Silicon Defense Web site.

Appendix A

output database: log, mysql, user=snort dbname=snort host=localhost

Appendix B

max_execution_time = 60
session.save_path = "/Temp"
remove the ; in front of ";extension=php_gd.dll"
extension_dir = c:\snort\php\extensions

Appendix C

$DBlib_path = "C:\Snort\ADODB";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "snort";

/* Archive DB connection parameters */

$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "snort";

$ChartLib_path = "C:\Snort\phplot";