Snort Installation Manual

Snort Installation Guide: Windows NT4 Server, 2000, XP

Snort, MySQL, ACID & Apache on Windows NT4 Server, 2000 & XP (All Versions)

Prepared & Written by Michael E. Steele, Technical Support Engineer for Silicon Defense
michaels@silicondefense.com
http://www.silicondefense.com

Document Version 1.1, Revised Date: Feb 20, 2003

Silicon Defense
info@silicondefense.com
Phone: 707-445-4355
Fax: 707-445-4222

Table of Contents

Introduction
Copyright Notice
Disclaimer
Latest documentation & downloads
Comments & Corrections
Conceptual Topology
Required Software
How to use this guide
Suggested prerequisites
Installing and configuring Snort
Installing WinPcap
Testing the Snort installation
Configuring Snort to run as a service
Explanation of the service options and commands
Configuring the service
Installing and configuring the MySQL databases
Removing default users and databases
Creating databases
Creating database users
Creating ACID tables in the MySQL database
Locking MySQL down
Confirming MySQL and Snort are operational
Installing the Apache webserver
Installing PHP, the HTML embedded scripting language
Configuring PHP extensions for Apache
Installing and configuring ADODB
Installing and configuring PHPLot
Installing and configuring JPGraph
Installing the ACID console
Debugging Installation errors
Websites of interest
Revisions & Updates
Security tools & information

Introduction

This documentation will not only help you understand how to install a Stand Alone or Master sensor using Snort, but will guide you through the entire process step by step. When I set out to write this documentation there was very little documentation for installing Snort for Windows. I have tried to make installing a full blown Intrusion Detection System using Snort in a Windows environment as painless as possible for the novice Windows user, and hopefully that is what I have done.

This guide includes all the necessary information and file links for installing an Intrusion Detection System using Snort on a Windows box. It is imperative that the files in the links below are used in this installation or the procedure may fail.

Copyright Notice

This document is Copyright 2002-2003 Silicon Defense. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved and this copyright notice is maintained. Other requests for distribution will be considered.

Disclaimer

Use the information in this document at your own risk. Silicon Defense disavows any potential liability of this document. Use of the concepts, examples and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Latest documentation & downloads

Latest up to date docs and files: http://www.silicondefense.com/support/windows

Comments & Corrections

If any errors are found, or you would just like to make a comment, please send them to michaels@silicondefense.com.

Conceptual Topology

There are four primary software packages that produce this topology: the Apache web server, the MySQL database server, ACID and Snort. Below is a brief description of each of the packages and their purpose in the topology.

Apache Web Server: This is the web server of choice for the majority of websites that are accessed on the Internet. The sole purpose of Apache here is hosting the ACID web based console.

MySQL Server: MySQL is a SQL based database server for a variety of platforms and is the most supported platform for storing Snort alerts. All of the IDS alerts that are triggered from our sensors are stored in the MySQL database.

Analysis Console for Intrusion Databases (ACID): ACID is a web based application for viewing firewall logs and/or IDS alerts. This is where all the sensor information is consolidated for viewing.

Snort: Snort is a lightweight network intrusion detection system capable of performing real time traffic analysis and packet logging on IP networks. This is the software package that is used to gather information from the network.

Required Software

Some of the files included with this installation are UNIX specific but will work with Windows if all the installation procedures are followed as prescribed.

- Snort 1.9.0 Build 229 StdDB w/Service
- Apache 2.0.44 w/No SSL
- WinPcap 3.0 alpha4
- MySQL Shareware 4.0.10 gamma
- PHP 4.3.1
- ADODB 3.10
- PHPLot 4.4.6
- JPGraph 1.10.1
- ACID 0.9.6b23

Note: We will be using WinRAR to uncompress any compressed files.

How to use this guide

This installation is based on a single sensor with a single interface, a Console that will be accessed through localhost (127.0.0.1), and Apache as the webserver. For this installation we started with a fresh install of XP with a single drive partitioned into 2 primary partitions, C & D. All programs and their subsystems will be installed on Drive D. This installation is based on the installer being logged on as Administrator for the entire installation. Only the files downloaded from our website will be used. This installation may NOT work with either newer versions or lesser versions of the same program.

Suggested prerequisites

- Fresh install of Windows
- Hard Drive Partition C: Min 2 Gigabytes
- Hard Drive Partition D: Min 10 Gigabytes
- All Service Packs and Patches applied

I would strongly suggest a clean install to start this installation, but it is certainly not required. If this is being installed on a dirty disk then make SURE that all Service Packs and Patches have been applied, and that ANY of the programs that are going to be installed and have been previously installed are COMPLETELY removed before starting this installation, especially WinPcap.

Installing and configuring Snort

- Navigate into the D: drive and create a folder called Applications. This folder will be the home location for all the support programs for this installation.
- Uncompress Snort_1.9.0b6-229_Win32_StdDB_Service_Release.zip into the D:\Applications folder.
- Navigate into the folder D:\Applications\snort and create a folder called log.
- Load the file D:\Applications\snort\etc\snort.conf into WordPad. Several variables located in that file will need to be changed. Use the search routine to find and edit them.

    Original: var HOME_NET any

  Note: The IP and Subnet variables in the examples below are purely fictitious.

  To monitor a single host with an IP of 10.0.0.3:
    Change:   var HOME_NET 10.0.0.3/32
  To monitor a class C network with an IP of 10.0.0.x and a subnet of 255.255.255.x:
    Change:   var HOME_NET 10.0.0.0/24
  To monitor a class B network with an IP of 10.0.x.x and a subnet of 255.255.x.x:
    Change:   var HOME_NET 10.0.0.0/16
  To monitor a class A network with an IP of 10.x.x.x and a subnet of 255.x.x.x:
    Change:   var HOME_NET 10.0.0.0/8

  Note: By default Snort will monitor the complete network using var HOME_NET any.

  Note: There are several other settings that will need to be changed, and these MUST be copied EXACTLY as they are described here. Do a search and replace the matching lines.

    Original: var RULE_PATH ../rules
    Change:   var RULE_PATH d:\applications\snort\rules

    Original: output database: log, mysql, user=root password=test dbname=db host=localhost
    Change:   output database: log, mysql, user=snort password=123 dbname=snort host=127.0.0.1 port=3306 sensor_name=SENSOR_NAME

    Original: output database: alert, postgresql, user=snort dbname=snort
    Change:   output database: alert, mysql, user=snort password=123 dbname=snort host=127.0.0.1 port=3306 sensor_name=SENSOR_NAME

  Note: In the two output database lines above there is a sensor name, SENSOR_NAME. This SENSOR_NAME is usually the hostname of the sensor. This name is displayed in the Acid console when alerts are being viewed.

    Original: # output alert_syslog: LOG_AUTH LOG_ALERT
    Change:   output alert_syslog: LOG_AUTH LOG_ALERT

  Note: This will allow Snort to send alerts to the Application log located in the Event Viewer. If logging to the Application Log is not important then leave the hash mark in.

    Original: include classification.config
    Change:   include d:\applications\snort\etc\classification.config

    Original: include reference.config
    Change:   include d:\applications\snort\etc\reference.config

  Now save the file and exit.

Installing WinPcap

- Double click on the WinPcap_3_0_a4.exe file and install using all defaults.

Testing the Snort installation

Navigate to D:\Applications\snort.

- At the command prompt (>) type: snort -W

  Note: If WinPcap is operating properly and Snort has been installed correctly there will be a list of possible sniffing interfaces, each shown with a number. The correct interface MUST be selected or Snort will not detect traffic.

  Note: The interface number that was derived using the snort -W switch will be used throughout the next several exercises. The switch for designating a particular interface is -ix, and x will always be the interface number that was derived by using the snort -W switch.

- At the command prompt (>) type: snort -v -ix

  Note: This will run Snort in verbose mode (-v) on a specific interface (-ix). The x in -ix is the number of the Network Interface Card that Snort will sniff on. If Snort is operating properly then packets should be streaming by in the command window; if not, open a browser and surf the web to generate some traffic.

- At the command prompt (>) press the CTRL-C keys to exit.

  Note: All errors must be resolved before continuing; see Debugging Installation errors.

Configuring Snort to run as a service

Note: If a Snort service was previously installed using the INSTSRV.EXE program then that service MUST be removed, otherwise the built in service installer for Snort will fail.

- To remove the service that was installed using INSTSRV.EXE and SRVANY.EXE you will need to stop the snort service.
- From a command prompt type (make sure INSTSRV is in the path):
    instsrv srvany remove
    instsrv snort remove
- Start REGEDIT.EXE from the run box and locate and delete the following sub key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort

Now reboot the system.

Explanation of the service options and commands

- There are three command switches that Snort uses for the Service activation.

  Note: It is IMPERATIVE these commands ALWAYS be executed in the same folder as Snort.

    /SERVICE /INSTALL
    /SERVICE /UNINSTALL
    /SERVICE /SHOW

  This will install Snort as a service with the specified parameters:
    snort /SERVICE /INSTALL -c d:\applications\snort\etc\snort.conf -l d:\applications\snort\log -ix

  Note: In -ix, x is the number of the NIC for Snort to sniff on.

  Note: After every snort /SERVICE /INSTALL be SURE to run the Services applet and set the snort entry to Automatic, or the service will fail to start at a reboot.

  This will remove snort as a service:
    snort /SERVICE /UNINSTALL

  This will display the parameters:
    snort /SERVICE /SHOW

- Starting and stopping Snort from a command prompt:
    net stop snort
    net start snort

  Note: Snort can be stopped, started and restarted from the Services applet.

Configuring the service

- From a command prompt navigate to the D:\Applications\snort folder and type:
    snort /SERVICE /INSTALL -c d:\applications\snort\etc\snort.conf -l d:\applications\snort\log -ix

  Note: In -ix, x is the number of the NIC for Snort to sniff on.

  Note: You should receive a confirmation that the service has successfully installed.

- Start the Services applet, either in the Windows 2000 or Windows XP Control Panel or in the Administrative Tools folder located in the Control Panel.
- From the Services applet scroll down, right click on the entry snort, select Properties, in the Startup Type select Automatic, click the OK button and exit the Services applet.

Installing and configuring the MySQL databases

Note: If running Terminal Services then MySQL must be installed from the Add/Remove panel, or by selecting the RUN dialog box in the start menu and typing change user /install; after MySQL has installed, type change user /execute to revert back to user execution mode.

- From WordPad, place the lines between the >CUT< markers in a new file and save it as my.ini in the Root Folder, which could be C:\WINDOWS or C:\WINNT.

    >CUT<
    [mysqld]
    basedir=D:/Applications/mysql
    bind-address=127.0.0.1
    datadir=D:/Applications/mysql/data
    port=3306
    set-variable=key_buffer=64M
    [WinMySQLadmin]
    Server=D:/Applications/mysql/bin/mysqld-nt.exe
    user=root
    password=0100
    >CUT<

  Now save the file and exit.

- Uncompress mysql-4.0.10-gamma-win.zip into a temp folder and navigate to that folder.
- Install MySQL by double clicking on the setup.exe file, click Next, click Next, click Browse, type d:\applications\mysql into the dialog box, click OK, click Next, tick Typical, click Next, let the install complete and select Finish.
- The temp storage folder for MySQL can be deleted.
- Navigate into and execute D:\Applications\mysql\bin\winmysqladmin.exe.

  Note: If MySQL has installed properly an icon that resembles a traffic light will be in the system tray. This is a status indicator for MySQL: green indicates running and red indicates stopped.

- Right click the MySQL icon in the system tray and click on Show Me. Select the Start Check tab; the first line should be "There is a my.ini file" and to the right of that it should say yes.

  Note: If there are any errors then reboot and check them again prior to proceeding.

- Select the my.ini Setup tab and make sure the Base Dir is set to D:\Applications\mysql and that the mysqld file has a tick next to mysqld-nt.
- Click the Save Modifications button, click the Yes button, click the OK button, click the Create Shortcut on Start Menu button and click OK.

  Note: Clicking Create Shortcut on Start Menu places a shortcut to winmysqladmin.exe into the Startup folder, which will auto run the administration panel and status indicator when the sensor is restarted.

- Right click anywhere in the MySQL Administration panel and select Hide Me.

Removing default users and databases

From a command prompt navigate to the D:\Applications\mysql\bin folder.

- At the command prompt (>) type: mysql -u root

  Note: It is IMPERATIVE that a semicolon is added as shown in the commands below.

- At the mysql> prompt type: use mysql;
- At the mysql> prompt type: delete from user where host = '%';
- At the mysql> prompt type: delete from user where user = '';
- At the mysql> prompt type: select * from user;

  Note: There should only be a user root listed.

- At the mysql> prompt type: drop database test;
- At the mysql> prompt type: show databases;

  Note: There should only be a mysql database listed.

Creating databases

- At the mysql> prompt type: create database snort;
- At the mysql> prompt type: create database archive;
- At the mysql> prompt type: show databases;

  Note: There should be three databases listed: archive, mysql and snort.

Creating database users

- At the mysql> prompt type: grant INSERT,SELECT on snort.* to snort@localhost identified by '123';
- At the mysql> prompt type: show grants for snort@localhost;

  Note: This should show the privileges for user snort, and they should match what was added.

- At the mysql> prompt type: grant USAGE on *.* to acid@localhost identified by '12345';
- At the mysql> prompt type: grant SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER on snort.* to acid@localhost;
- At the mysql> prompt type: grant SELECT,INSERT,UPDATE,DELETE,CREATE on archive.* to acid@localhost;
- At the mysql> prompt type: show grants for acid@localhost;

  Note: This should show the privileges for user acid, and they should match what was added.

- At the mysql> prompt type: select * from user;

  Note: There should be three users listed: root, acid and snort.

- At the mysql> prompt type: quit

This completes setting up the databases and users.

Creating ACID tables in the MySQL database

- At the command prompt (>) type: mysql -u root snort < D:\Applications\snort\contrib\create_mysql
- At the command prompt (>) type: mysql -u root archive < D:\Applications\snort\contrib\create_mysql
- At the command prompt (>) type: mysql -u root
- At the mysql> prompt type: use snort;
- At the mysql> prompt type: show tables;

  Note: If the snort database has been populated there will be table listings.

- At the mysql> prompt type: use archive;
- At the mysql> prompt type: show tables;

  Note: If the archive database has been populated there will be table listings.

Locking MySQL down

- At the mysql> prompt type: set password for root@localhost = password('0100');
- At the mysql> prompt type: quit

  Note: In order to do any manual maintenance, user root will need to be used along with its assigned password to gain access to the MySQL database.

- Right click on the MySQL Admin module in the system tray and select Show Me.
- Select the my.ini Setup tab.
- Just below the server entry edit these two lines:

    Original: user=root
    Change:   user=root

    Original: password=0100
    Change:   password=0100

- Click the Save Modification button, click Yes and click OK.
- Right click anywhere in the MySQL Admin applet and select Hide Me.

Note: At this point Snort is configured to run as a service and MySQL is completely configured. Now reboot the system.

Confirming MySQL and Snort are operational

- Open Task Manager; snort.exe, mysqld-nt.exe and winmysqladmin.exe should be listed under Processes.
- In the System Tray (in the bottom right by the clock) there should be a MySQL status indicator resembling a traffic light. Green indicates MySQL is on, red indicates MySQL is off.

Installing the Apache webserver

Note: Apache may fail to execute on Windows NT4, 95, 98, ME and 2000 because the MSI installer may be missing and may need to be installed. Microsoft furnishes these installers.

- Install Apache by double clicking on the apache_2.0.44-win32-x86-no_ssl.msi file, click the Next button, tick "I accept the terms", click the Next button and click the Next button.

  Note: In the Server Information dialog window three questions will need to be answered, and it is important that all three dialog boxes are completed correctly.
    1. Network Domain: Here enter your domain information.
    2. Server Name: Here enter the hostname of your server.
    3. Administrator Email: Here enter an Email address for the System Administrator.

- Tick "for all users, on port 80, as a service (Recommended)", click the Next button, tick Typical, click the Next button, click the Change button, in the Folder Name dialog box type d:\applications\apache, click the OK button, click the Next button, click the Install button, let Apache complete the install and click Finish.

  Note: After installing Apache there will be an Apache status applet in the System Tray.

- In the System Tray right click the Apache Status indicator, select Open Apache Monitor, click the Stop button, let the Apache server stop and click the OK button.
- In WordPad edit the D:\Applications\apache\apache2\conf\httpd.conf file and change or add these variables:

    Original: Order allow,deny
    Change:   Order deny,allow

    Original: Allow from all
    Change:   Deny from all

    Add:      Allow from 127.0.0.1

Now reboot the system.

Installing PHP, the HTML embedded scripting language

- Uncompress php-4.3.1-Win32.zip into D:\Applications\php.
- Copy the file D:\Applications\php\php4ts.dll to your System32 folder.

  Note: The System32 folder could be located in C:\WINDOWS or C:\WINNT.

- Copy D:\Applications\php\php.ini-dist to the SYSTEM ROOT folder and rename it to php.ini.

  Note: The SYSTEM ROOT folder is usually C:\WINDOWS or C:\WINNT.

- In WordPad edit the php.ini file and change these variables:

    Original: max_execution_time = 30
    Change:   max_execution_time = 60

    Original: session.save_path = /tmp
    Change:   session.save_path = C:\WINDOWS\Temp

  Note: Make SURE the session.save_path variable is pointing to the correct and existing Temp or Tmp folder and that everyone has permissions to use it.

    Original: cgi.force_redirect = 1
    Change:   cgi.force_redirect = 0

    Original: ;extension=php_gd.dll
    Change:   extension=php_gd.dll

    Original: doc_root =
    Change:   doc_root = d:\applications\apache\apache2\htdocs\acid

    Original: extension_dir =
    Change:   extension_dir = d:\applications\php\extensions

  Now save the file and exit.

Configuring PHP extensions for Apache

- In WordPad edit the D:\Applications\apache\apache2\conf\httpd.conf file.
- Do a search for AddType; there should be two active listings. Just above the first entry create a new open line and insert this line there:
    AddType application/x-httpd-php .php .phtml
- Do a search for "Dynamic Shared Object (DSO) Support"; this section contains the LoadModule support lines. Just above the first entry insert this line there:
    LoadModule php4_module d:/applications/php/sapi/php4apache2.dll

  Now save the file and exit.

Installing and configuring ADODB

- Uncompress adodb310.zip into D:\Applications\adodb.
- In WordPad edit the D:\Applications\adodb\adodb.inc.php file and change this variable:

    Original: $ADODB_database = ''
    Change:   $ADODB_database = 'd:\applications\adodb'

  Now save the file and exit.

Installing and configuring PHPLot

- Uncompress phplot-4.4.6.zip into D:\Applications.
- Navigate into the D:\Applications folder and rename the phplot-4.4.6 folder to phplot.

Installing and configuring JPGraph

- Uncompress jpgraph-1.10.1.zip into D:\Applications.
- Navigate into the D:\Applications\jpgraph-1.10.1\src folder and copy all the .php files into D:\Applications\phplot, then delete the folder jpgraph-1.10.1.

Installing the ACID console

- Uncompress acid-0.9.6b23.zip into D:\Applications\apache\Apache2\htdocs.
- In WordPad edit the D:\Applications\apache\Apache2\htdocs\acid\acid_conf.php file and change these variables:

    Original: $DBlib_path = "";
    Change:   $DBlib_path = "d:\applications\adodb";

    Original: $alert_dbname = "snort_log";
              $alert_host = "localhost";
              $alert_port = "";
              $alert_user = "root";
              $alert_password = "mypassword";
    Change:   $alert_dbname = "snort";
              $alert_host = "localhost";
              $alert_port = "3306";
              $alert_user = "acid";
              $alert_password = "12345";

    Original: $archive_dbname = "snort_archive";
              $archive_host = "localhost";
              $archive_port = "";
              $archive_user = "root";
              $archive_password = "mypassword";
    Change:   $archive_dbname = "archive";
              $archive_host = "localhost";
              $archive_port = "3306";
              $archive_user = "acid";
              $archive_password = "12345";

    Original: $ChartLib_path = "";
    Change:   $ChartLib_path = "d:\applications\phplot";

  Note: It is IMPERATIVE that QUOTES are used in the above modifications or Acid will fail.

  Now save the file and exit.

Now reboot your new Stand Alone or Master IDS sensor.

- Start a browser and type: http://localhost/acid/index.html

  Note: An error stating "the underlying database snort@localhost appears to be invalid" will appear the first time ACID is run. Select the Setup page link when this error appears, then select the Create ACID AG button to complete the Acid Alert Group configuration. A message stating "The underlying Alert DB is configured for usage with Acid" will appear and the database is completely configured. Now return to a browser and retype http://localhost/acid/index.html.

  Note: Acid MUST always be initiated using http://localhost/acid/index.html.

  Note: It may take a little while to start seeing alerts; just let it go and Acid will auto refresh.

Debugging Installation errors

As of Snort V1.9.0 b229, Snort will now throw FATAL errors to the Event Viewer under the System log tab.

If there is no traffic moving there are several possibilities:

- Wrong network card selected using the -i switch
- Network card may need a driver update
- A previously installed WinPcap was not properly removed
- No network connection
- Snort does not operate on dual processors
- Snort does not operate on a PPPoE connection
- If connected to a switch, the ports must be mirrored
- Ethernet card or cable not secure or bad

If there is a MySQL "connection refused" error there are several possibilities:

- The Snort run line may be incorrect; make SURE -l is a lowercase L.

Websites of interest

Snort Home Page: http://www.snort.org
Snort FAQ: http://www.snort.org/docs/faq.html
Snort Users Manual: http://www.snort.org/docs/writing_rules

Usenet Groups:
Snort-announce: http://lists.sourceforge.net/mailman/listinfo/snort-announce
Snort-users: http://lists.sourceforge.net/mailman/listinfo/snort-users
Snort-sigs: http://lists.sourceforge.net/mailman/listinfo/snort-sigs
Snort-devel: http://lists.sourceforge.net/mailman/listinfo/snort-devel
Snort-cvsinfo: http://lists.sourceforge.net/mailman/listinfo/snort-cvsinfo
Snort CVS tree: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort

ACID Home Page: http://acidlab.sourceforge.net
MySQL Home Page: http://www.mysql.com
Apache Home Page: http://httpd.apache.org
PHP Home Page: http://www.php.net
WinPcap Home Page: http://winpcap.polito.it

Revisions & Updates

V1.0, Feb 4, 2003: Initial 1.9.x document in HTML format.
V1.1, Feb 20, 2003: Initial 1.9.x document converted to PDF. Update PHP security fixes. Update MySQL to 4.0.10 (minor). Update Snort to b229 (Fatal errors to Event Log).

Security tools & information

XP Security Checklist: http://www.labmice.net/articles/winxpsecuritychecklist.htm
NSA Securing XP: http://nsa1.www.conxion.com/winxp/guides/wxp-1.pdf

Michael E. Steele
System Engineer / Support Technician
Email Me: michaels@silicondefense.com
Commercial Snort Support: 1-866-41-SNORT

Silicon Defense, The Cyber War Defense Company
Our Website: http://www.silicondefense.com
Snort, Open Source Network IDS: http://www.snort.org
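As an added example (not part of the original guide), the following Python script cross-checks the snort.conf edits this guide prescribes against the my.ini it creates: it converts the IP and netmask pairs from the HOME_NET section into the CIDR form the guide uses, parses each "output database:" line, and flags a non-MySQL driver, a host or port that does not match the bind-address and port in my.ini, a database user of root, or a sensor_name left at the SENSOR_NAME placeholder. The configuration fragments inside the script are constructed samples that mirror the guide's edits, not the real files from an installation.

```python
import re
import ipaddress

# Constructed sample fragments mirroring the guide's edits (not real files).
# The alert line is left in its pre-edit postgresql form and sensor_name is
# left at the placeholder so that the check has something to report.
SNORT_CONF = """\
var HOME_NET 10.0.0.0/24
var RULE_PATH d:\\applications\\snort\\rules
output database: log, mysql, user=snort password=123 dbname=snort host=127.0.0.1 port=3306 sensor_name=SENSOR_NAME
output database: alert, postgresql, user=snort dbname=snort
"""

MY_INI = """\
[mysqld]
basedir=D:/Applications/mysql
bind-address=127.0.0.1
datadir=D:/Applications/mysql/data
port=3306
"""


def mask_to_cidr(ip, mask):
    """Turn an IP plus dotted netmask into the HOME_NET form the guide uses."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def parse_my_ini(text):
    """Return the key=value pairs of the [mysqld] section as a dict."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "mysqld" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def parse_output_lines(text):
    """Extract every 'output database:' plugin line as (kind, driver, params)."""
    plugins = []
    for line in text.splitlines():
        m = re.match(r"^output database:\s*(\w+),\s*(\w+),?\s*(.*)$", line.strip())
        if m:
            params = dict(re.findall(r"(\w+)=(\S+)", m.group(3)))
            plugins.append((m.group(1), m.group(2), params))
    return plugins


def check_database_output(snort_conf, my_ini):
    """Cross-check snort.conf output plugins against my.ini; return findings."""
    mysql = parse_my_ini(my_ini)
    bind = mysql.get("bind-address", "0.0.0.0")
    port = mysql.get("port", "3306")
    findings = []
    for kind, driver, p in parse_output_lines(snort_conf):
        where = f"output database ({kind})"
        if driver != "mysql":
            findings.append(f"{where}: driver is {driver}, guide requires mysql")
            continue
        if p.get("host") != bind:
            findings.append(f"{where}: host {p.get('host')} != bind-address {bind}")
        if p.get("port") != port:
            findings.append(f"{where}: port {p.get('port')} != my.ini port {port}")
        if p.get("user") == "root":
            findings.append(f"{where}: uses root; guide uses the limited user snort")
        if p.get("sensor_name") == "SENSOR_NAME":
            findings.append(f"{where}: sensor_name placeholder not replaced")
    return findings


if __name__ == "__main__":
    print(mask_to_cidr("10.0.0.7", "255.255.255.0"))
    for finding in check_database_output(SNORT_CONF, MY_INI):
        print(finding)
```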
