Installing WinPcap
WinPcap is a device driver that adds packet-filtering capability to versions of Windows from 95 to XP. WinPcap allows you to send and receive data through the network card without requiring a special driver from the vendor. To install WinPcap, just run the executable and reboot the workstation before installing the remaining components.
Installing MySQL
MySQL is also easy to install. Create another temporary directory—I called mine mysql_temp. Unpack the .zip file containing MySQL into your temporary directory. Then, run the setup program. By default, it will install onto the C: drive. If you keep it on the C: drive, you won't have to make configuration changes to use it from another drive.
After you've installed MySQL, you need to create a Win32 MySQL database and create the MySQL tables for the Analysis Console for Intrusion Databases (ACID). Even if you haven’t worked with SQL before, it's not difficult to do this. To create a database named snort, follow these steps:
- Open a command window and type C:\MySQL\Bin\winmysqladmin.
- From the MySQL Admin tool, choose the Database tab.
- Right-click on your server name listed in this tab.
- Select Create Database.
- Type your database name. (I used snort for this example.)
- Press the Create The Database button.
- Select OK.
In the left window labeled Databases, you'll find your new database.
To create the MySQL tables that will be used for ACID (the PHP-based analysis engine used with Snort to search and process a database of security events), navigate to the C:\MySQL\Bin folder from the command window. Then, at the C:\MySQL\Bin> prompt, enter the command MySQL -u snort snort < c:\Snort\create_mysql, which loads the table definitions from create_mysql into the snort database.
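The same two steps (create the database, load the schema), done from the mysql.exe command-line client instead of the WinMySQLadmin GUI, as an added example that is not part of the original article. It also creates a dedicated MySQL account for Snort with privileges on the snort database only, so the sensor's credentials cannot read other databases on the server, and it verifies that the schema load produced the core tables. The article's paths are used; the root login, the snort account password and the PowerShell host itself are assumptions (PowerShell was not available on the Windows 2000/NT systems the article targets).

```powershell
# Added example, not from the original article. Assumes a MySQL release of the
# article's era (GRANT ... IDENTIFIED BY syntax; MySQL 8 needs CREATE USER first).
$mysql    = 'C:\MySQL\Bin\mysql.exe'       # client shipped with MySQL (article's install path)
$schema   = 'C:\Snort\create_mysql'        # Snort's MySQL schema file (article's path)
$dbName   = 'snort'
$dbUser   = 'snort'
$dbPass   = 'CHANGE-ME-snort-sensor'       # placeholder, replace before use
$rootPass = 'CHANGE-ME-root'               # placeholder, replace before use

if (-not (Test-Path $mysql))  { throw "MySQL client not found at $mysql" }
if (-not (Test-Path $schema)) { throw "Schema file not found at $schema" }

# 1. Create the database and a dedicated account. Snort itself only INSERTs and
#    SELECTs; ACID additionally needs UPDATE/DELETE/CREATE for its own tables.
#    Granting on snort.* rather than *.* limits what a leaked sensor credential can reach.
$setupSql = @"
CREATE DATABASE IF NOT EXISTS $dbName;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON $dbName.* TO '$dbUser'@'localhost' IDENTIFIED BY '$dbPass';
FLUSH PRIVILEGES;
"@
$setupSql | & $mysql -u root "-p$rootPass"
if ($LASTEXITCODE -ne 0) { throw "Database/user creation failed (exit code $LASTEXITCODE)" }

# 2. Load the Snort schema as the snort user, equivalent to the article's
#    'MySQL -u snort snort < create_mysql' (PowerShell has no '<' redirection).
Get-Content $schema | & $mysql -u $dbUser "-p$dbPass" $dbName
if ($LASTEXITCODE -ne 0) { throw "Schema load failed (exit code $LASTEXITCODE)" }

# 3. Verify: the tables Snort writes events into must now exist.
$tables = 'SHOW TABLES;' | & $mysql -u $dbUser "-p$dbPass" --batch --skip-column-names $dbName
foreach ($required in 'event', 'signature', 'sensor') {
    if ($tables -notcontains $required) { throw "Table '$required' missing; schema load incomplete" }
}
Write-Host "Database '$dbName' ready with $(@($tables).Count) tables."
```

If step 3 throws, the usual cause is the one the article describes later under Testing Snort: the wrong username or database name, so the schema ended up somewhere other than the snort database.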
You'll want to set up Snort to start as a service when using it on a WinNT/2k/XP machine. To do this, first decompress the file called ServiceTools.exe into your root folder. There are two files included in the archive—one is called Srvany.exe and another is called Instsrv.exe. These are required to run Snort as a service.
Now open a command prompt window and navigate to your root folder. At the command prompt type: INSTSRV SRVANY <PATH TO ROOT FOLDER>\SRVANY.EXE. At the same prompt type: INSTSRV.EXE snort <PATH TO ROOT FOLDER>\SRVANY.EXE.
Start the Registry Editor from the Run box. Make sure you back up your registry first. Locate the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort and select it. From the Edit drop-down menu, select New | Key and then type Parameters. Right-click the new Parameters key, select New | String Value, and type Application. Right-click the new Application string, select Modify, and type C:\Snort\Snort.exe. Right-click the Parameters key again, select New | String Value, and type AppParameters. Right-click the new AppParameters string and select Modify. Type -c C:\Snort\Snort.conf -l C:\Snort\Logs -iX, where X is the number of the network adapter Snort should listen on.
Right-click the Parameters key again, select New | String Value, and type AppDirectory. Right-click the new AppDirectory string and select Modify. Type: C:\Snort.
From the Start Menu, go to Programs | Administrative Tools and open the Services applet. Select Snort from the services window, right-click on Snort, and choose Properties. Under Startup Type select Automatic. This will allow Snort to be active when no one is logged on.
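The service registration, the three Parameters values and the Automatic startup type, scripted so they can be applied and read back in one go, as an added example that is not part of the original article. It assumes PowerShell is available (it was not on the Windows 2000/NT systems the article targets), that instsrv.exe and srvany.exe were extracted to the root folder as the article describes, that the adapter number came from snort -W, and that it is run from an elevated prompt. The value names and paths are exactly those of the article's Registry Editor steps.

```powershell
# Added example, not from the original article. Run elevated.
$root        = 'C:\WINNT'                  # article's ROOT folder; adjust if Windows is installed elsewhere
$snortExe    = 'C:\Snort\Snort.exe'
$snortConf   = 'C:\Snort\Snort.conf'
$logDir      = 'C:\Snort\Logs'
$adapter     = 2                           # assumption: the adapter number reported by 'snort -W'
$serviceName = 'snort'
$svcKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# Fail early on missing files; a wrong path here only surfaces as a service that never logs anything.
foreach ($f in "$root\instsrv.exe", "$root\srvany.exe", $snortExe, $snortConf) {
    if (-not (Test-Path $f)) { throw "Required file missing: $f" }
}
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# 1. Register the service with srvany.exe as its binary (the article's INSTSRV.EXE snort ... step).
if (-not (Get-Service -Name $serviceName -ErrorAction SilentlyContinue)) {
    & "$root\instsrv.exe" $serviceName "$root\srvany.exe"
    if ($LASTEXITCODE -ne 0) { throw "instsrv.exe failed with exit code $LASTEXITCODE" }
}

# 2. Parameters subkey: srvany reads Application, AppParameters and AppDirectory from here.
$params = New-Item -Path "$svcKey\Parameters" -Force
New-ItemProperty -Path $params.PSPath -Name 'Application'   -PropertyType String -Force `
    -Value $snortExe | Out-Null
New-ItemProperty -Path $params.PSPath -Name 'AppParameters' -PropertyType String -Force `
    -Value "-c $snortConf -l $logDir -i$adapter" | Out-Null
New-ItemProperty -Path $params.PSPath -Name 'AppDirectory'  -PropertyType String -Force `
    -Value (Split-Path -Parent $snortExe) | Out-Null

# 3. Automatic startup so the sensor runs with nobody logged on (the Services applet step).
Set-Service -Name $serviceName -StartupType Automatic

# 4. Read the values back so a typo is caught before the first reboot.
Get-ItemProperty -Path "$svcKey\Parameters" |
    Select-Object Application, AppParameters, AppDirectory | Format-List
```

Because srvany runs Snort under the service's account, the account must be able to read C:\Snort\Snort.conf and write to C:\Snort\Logs; the same Test-Path checks are worth repeating as that account if the service starts and immediately stops.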
Testing Snort
You'll want to test Snort to be sure it's configured correctly and to verify that it can talk to the newly created database. To test it, first navigate to the C:\Snort folder at the command line. At the C:\Snort> prompt, enter the command Snort -W to list the network adapters on the sensor, each with its number.
Again at the C:\Snort> prompt, type the command snort -v -iX (where X is the number of the network adapter to place the Snort sensor on). Open a browser and generate some traffic by navigating to various Web sites. Snort should detect the traffic. Kill Snort from the Task Manager Process tab. At the same C:\Snort> command prompt, enter Snort -c C:\Snort\Snort.conf -l C:\Snort\Logs -iX (where X is again the number of the network adapter to place the Snort sensor on).
When the last command has been executed, any errors that show up must be resolved before you can continue. The most common errors result from using the wrong username for Snort to log in to the SQL database, using the wrong database name for Snort to log in to, or using the wrong adapter number when running the tests.
Installing PHP, ADOdb, PHPLOT and ACID
The last part of the process goes pretty fast. To install PHP, do the following:
- Decompress PHP into the C:\Snort\PHP folder.
- Copy C:\Snort\PHP\php4ts.dll to your System32 folder.
- Copy the file C:\Snort\PHP\php.ini-dist to your ROOT Folder and rename it to php.ini.
- Edit the variables from the php.ini file as shown in Listing B.
When installing PHP, use the forward slash to specify the path for the session.save_path parameter and use the backslash for the drive and path for the extension_dir parameter.
Also, when installing PHP, the term ROOT refers to the path where Windows 2000 is installed; it's typically C:\WINNT.
To install ADOdb, simply:
- Decompress ADOdb into the C:\Snort\ADOdb folder.
- Navigate to the C:\Snort\ADOdb folder and edit the ADODB.INC.PHP file to reflect the location of the ADOdb folder by typing $ADODB_Database = 'C:\Snort\adodb'.
Installing PHPLOT only requires you to decompress PHPLOT into the C:\Snort folder.