Intrusion detection systems are one of the most critical tools for network security engineers. In the Linux/UNIX world, a number of free tools are available that are powerful, flexible, and simple to use. Thanks to Silicon Defense, one such tool, Snort, has made the migration from Linux/UNIX to Windows. In this Daily Drill Down, I will show you how to get Snort installed and running in Windows 2000.
Getting started
For this article, I used Windows 2000 Professional as the platform on which to build the IDS server. When you set up the system you're going to use, install Windows 2000 Professional, and then apply Service Pack 2 and all updates for your system listed on Microsoft's Windows Update. You'll also want to install IIS so you can use it later to receive real-time alerts.
Installing IIS
To install IIS on your Windows 2000 server, go to Control Panel, open Add/Remove Programs, click on Add Windows Components and select the check box for Internet Information Server. Click Next and have your Windows 2000 Professional CD at hand for when the installation needs the files for IIS (unless you already had the I386 directory copied to the drive).
Once you've restarted the workstation, you can start collecting the files you will need for Snort and the required applications to set up real-time alerting.
Getting the files
Snort 1.8.6 for Windows requires a number of files to be installed. These necessary files are:
- Snort 1.8.6b105
- WinPcap 2.3
- MySQL Shareware 3.23.40
- PHP 4.1.1
- PHPLot 4.4.6
- ADOdb 1.72
- ACID 0.9.6b21
- Run As Service Files
- WinRAR
Why WinRAR?
The WinRAR tool allows you to decompress any compressed files from the above list.
Create a temporary directory to hold your downloaded files. I named mine snort_temp. Then, download these files and save them to your temporary directory.
Play it safe
Keep everything in one directory and back up this directory once you've collected all the files so that if you need to re-create the IDS system you're building, you'll have everything at hand that you'll need.
Installing Snort
The installation of the Snort application is pretty cut-and-dried. You'll need to create six new directories for this installation:
- C:\Snort
- C:\Snort\Rules
- C:\Snort\PHP
- C:\Snort\ADOdb
- C:\Snort\Logs
- C:\Snort\Docs
Unzip the Snort binary that you downloaded and extract it to your temporary directory. Then copy the files listed below into the directories specified:
- All the .rules files and the classification.config file go into C:\Snort\Rules.
- All the documentation files should be placed into C:\Snort\Docs.
- The snort.exe and the snort.conf go into C:\Snort.
- The create_mysql file (located in the Contrib directory within the snort_temp directory) goes into C:\Snort.
Editing snort.conf
Next, you'll need to edit the snort.conf file to tell Snort where to find the files it's looking for. You'll edit the output database line, which tells Snort you're running MySQL and which user name to log in to the database with, shortly. The first line you need to edit is the var HOME_NET any line. Replace the any with a fully qualified IP address and the subnet you wish to monitor. If you want to monitor a single host whose IP is 10.20.30.1 with a subnet mask of 255.255.255.255, change the any entry to 10.20.30.1/32.
The next line to edit will look a lot like the one shown in Listing A.
Find the snort.conf line that resembles Listing B and edit it to read exactly as shown in Listing B.
The next line to edit contains the var RULE_PATH ./ directive. Change this directive to var RULE_PATH c:/Snort/Rules.
Finally, change the include that reads include classification.config to read include RULE_PATH/classification.config.
Script tips
Make sure to use the forward slash instead of the backslash. The programs you're installing were initially written for Linux/UNIX environments, so using anything other than the forward slash will cause them not to work. I ran into this problem, and it took over two hours on the phone with Silicon Defense trying to figure out why I couldn't get Snort to run. This rule applies with the exception of the installation of PHP. See the section below on installing PHP for more information.
Also, when you edit the classification.config line, put a $ in front of the RULE_PATH variable. Although it's not required for Snort to run under Windows, it helps avoid some script processing problems that have shown up in some installations under Windows.
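Because a backslash or a missing $ can cost hours of troubleshooting, here is a small Python checker, added as an example and not part of the original article or of Snort, that converts an IP plus netmask into the HOME_NET form and then scans a snort.conf body for the edits described above. The two snort.conf excerpts are constructed for the example; the output database line (Listing B) is not covered.

```python
import ipaddress
import re
from typing import List

def mask_to_cidr(ip: str, netmask: str) -> str:
    """("10.20.30.1", "255.255.255.255") -> "10.20.30.1/32", the form HOME_NET wants."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"

def check_snort_conf(text: str) -> List[str]:
    """Return the problems found in a snort.conf body; an empty list means the edits look right."""
    problems: List[str] = []
    variables = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        var = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if var:
            name, value = var.group(1), var.group(2).strip()
            variables[name] = value
            if "\\" in value:  # the UNIX-born tools choke on backslashes
                problems.append(f"line {lineno}: {name} uses a backslash; use forward slashes")
        elif line.startswith("include ") and "RULE_PATH" in line:
            target = line.split(None, 1)[1]
            if not target.startswith("$RULE_PATH/"):
                problems.append(f"line {lineno}: include should begin with $RULE_PATH/ (note the $)")
    home = variables.get("HOME_NET", "any")
    if home == "any":
        problems.append("HOME_NET is still 'any'; set it to the address/subnet you want to monitor")
    else:
        # Snort also accepts a bracketed list such as [10.1.1.0/24,192.168.1.0/24]
        for part in home.strip("[]").split(","):
            try:
                ipaddress.ip_network(part.strip(), strict=False)
            except ValueError:
                problems.append(f"HOME_NET entry {part.strip()!r} is not a valid network")
    if variables.get("RULE_PATH", "./") == "./":
        problems.append("RULE_PATH is missing or still the default './'; set it to c:/Snort/Rules")
    return problems

# Constructed snort.conf excerpts (not from the article): one edited as described, one not.
GOOD_CONF = """\
var HOME_NET 10.20.30.1/32
var RULE_PATH c:/Snort/Rules
include $RULE_PATH/classification.config
"""
BAD_CONF = """\
var HOME_NET any
var RULE_PATH c:\\Snort\\Rules
include RULE_PATH/classification.config
"""
```

Run check_snort_conf on the contents of C:\Snort\snort.conf before starting Snort; the BAD_CONF excerpt reports three problems and GOOD_CONF reports none.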