This documentation will hopefully help you to install Snort
on your Win32 box. It will also help you install Snort as a
service (only available on NT4 and 2000), install MySQL as the
database Snort logs to, and install ACID to view the alerts
that Snort will create.
I found the information available about installing Snort for
Windows very confusing. Parts of this documentation were
extracted from the Snort FAQ file for Snort Win32 and from
other places.
I will be installing the Snort service on a Windows 2000
box. The installation should be the same on 98/ME/NT4 (apart
from running Snort as a service, which needs NT4 or 2000). I
will be installing the MS IIS5 web server, MySQL 3.23.x
(3.23.36 at the time of writing), Snort v1.7, PHP 4.0.4pl1
[3,737Kb] - 13 January 2001, WinPcap v2.1, ADODB v0.93+, and
ACID v0.9.6b6. If you have not downloaded these files, please
do so now.
MySQL Download Page:
http://www.mysql.com/downloads/mysql-3.23.html
WinPcap Download Page (Required Driver)
http://netgroup-serv.polito.it/winpcap/install/default.htm
WinPcap Download Page (Required Driver - V2.1 beta 692,137
byte count)
http://www.silicondefense.com/techsupport/download.htm
Snort Download Page - Snort Win32 version
http://www.snort.org/snort-files.htm
Snort Download Page - Rules
http://www.snort.org/snort-files.htm#Rules
PHP Download Page
http://www.php.net/downloads.php
ADODB Download Page
http://php.weblogs.com/adodb
Acid Download Page
http://www.cert.org/kb/acid/
Installing MySQL Database
- Install MySQL to the C:\ drive, following the MySQL
documentation. If you are unsure which type of installation
to choose, choose "typical".
Note: If you are running Windows 2000 Server or Advanced
Server with Terminal Services, at the command prompt prior to
installation type "change user /install", or install MySQL
from the Add/Remove Programs control panel.
Note: After completing the installation of MySQL into the
"C:\" folder, proceed to the "C:\MySQL" folder and read the
"ReadMe" file to complete the installation of the MySQL
database. If installed properly you will see MySQL in the
System Tray with the traffic light illuminated green.
Note: MySQL version 3.23.36 will not create icons in the
"Start Menu", despite what the installer GUI says. If you
right-click the MySQL traffic light, select Show Me, select
the my.ini Setup tab, and select "Create Shortcut on Start
Menu", it will create a shortcut in the Startup folder that
runs MySQL at boot.
Creating a Win32 MySQL database
- Right-click the MySQL program in the System Tray and
select "Show Me". The MySQL window will appear. Choose the
Databases tab, right-click your server name, select Create
Database, and type your database name, IE: "snort".
- You will need to create a user at the command prompt.
Navigate to the "C:\MySQL\Bin" directory and type mysql at
that prompt.
You will be at the prompt "mysql> ". Type: \u mysql <press
enter> (sets the current database to mysql)
Type: grant INSERT,SELECT,CREATE,DELETE on snort.* to
snort@localhost; <press enter>
Note: Written this way, the grant creates the "snort"
account with NO password, which is what the snort.conf and
acid_conf.php settings later in this document assume. To
give it a password, add identified by 'yourpassword' before
the semicolon, and put the same password in snort.conf
(password=yourpassword on the "output database:" line) and
in acid_conf.php ($alert_password).
- To confirm the user was added, at the "mysql> " prompt
type: \u mysql <press enter>
(this sets the current database to mysql)
At the "mysql> " prompt type: show tables; (you should see
a list of tables that includes "user")
At the "mysql> " prompt type: select * from user; (you
should see the user "snort" listed)
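The database and account setup above as one script, added here as an example and not part of the original guide. It is typed at the "mysql> " prompt as the MySQL administrative account (for example mysql -u root from C:\MySQL\Bin) rather than through the traffic-light GUI, and unlike the grant above it gives the account a password; 'ChangeMe' is a placeholder.

```sql
-- Added example (not the original guide's commands): create the snort
-- database and a least-privilege account for it. Run as the MySQL
-- administrative user from the mysql> prompt.
CREATE DATABASE snort;

-- Snort's database output plugin needs only INSERT and SELECT.
-- CREATE is needed once, to load the create_mysql schema as this user,
-- and DELETE lets ACID purge alerts. No rights on any other database.
-- 'ChangeMe' is a placeholder; the same value must go in snort.conf
-- (password=) and acid_conf.php ($alert_password).
GRANT INSERT, SELECT, CREATE, DELETE ON snort.*
    TO snort@localhost IDENTIFIED BY 'ChangeMe';

-- Verify the account: one row for host 'localhost', a non-empty
-- password hash, and grants limited to snort.* (no global privileges).
SELECT user, host, password FROM mysql.user WHERE user = 'snort';
SHOW GRANTS FOR snort@localhost;

-- After the schema has been loaded (mysql -u snort -pChangeMe snort <
-- C:\MySQL\Bin\create_mysql), confirm the tables exist in the snort
-- database rather than somewhere else.
USE snort;
SHOW TABLES;
```

Because the account now has a password, the create_mysql step later in this document becomes mysql -u snort -pChangeMe snort < C:\MySQL\Bin\create_mysql (no space between -p and the password, since a prompted password does not work well with redirected input).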
Installing Snort MySQL Version 1.7
- Create 3 Folders: "C:\Snort\” - "C:\Snort\Bin\" -
"C:\Snort\Logs\"
- Install Snort into "C:\Snort\Bin" folder.
- Remove all the rules and snort.conf files from the
C:\Snort\Bin folder. Install the latest FULL set of rules
and snort.conf file into "C:\Snort\Bin" folder.
- You will need to edit the snort.conf file to reflect your
HOME_NET settings.
Note: You must remove the # before the "output database:
log, mysql, user=snort dbname=snort host=localhost" to
activate MySQL.
Note:
With Snort 1.7 you must specify the FULL path to each rule
file in the snort.conf file. First place # in front of the
include line of every rule file that is not present or not
wanted, then add C:\Snort\Bin\ to the beginning of each
remaining include line, IE: include C:\Snort\Bin\misc.rules.
- Copy the file called "create_mysql" from the "contrib"
folder of snort.
Note:
Unfortunately there was no "contrib" folder supplied with
version 1.7 of Snort for Win32. You will need to download
the FULL source code for Snort from http://Snort.org and
extract the "create_mysql" from the "contrib" folder and
place the "create_mysql" into the "C:\MySQL\Bin" folder.
- Navigate to "C:\MySQL\Bin" folder from the command shell.
At the "C:\MySQL\Bin> " prompt type: mysql -u snort snort <
C:\MySQL\Bin\create_mysql
(this loads the create_mysql script into the snort database
as the snort user, which is why that user was granted CREATE
above; if you gave the account a password, add -pyourpassword
after -u snort, with no space after -p).
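The three snort.conf edits above (HOME_NET, the database output line, and full rule paths) as one fragment, added here as an example rather than the original guide's own file. The network 192.168.1.0/24, the password, and the rule file names other than misc.rules are placeholders; keep the include lines that match the rule set you actually installed.

```conf
# Added example snort.conf fragment for Snort 1.7 on Win32 (not the
# guide's own file). Replace 192.168.1.0/24 with the network you monitor.
var HOME_NET 192.168.1.0/24

# Log to MySQL. The leading # must be removed for the plugin to load.
# password= is only needed if the snort account was given one (placeholder
# value shown); leave it out for the password-less account the guide creates.
output database: log, mysql, user=snort password=ChangeMe dbname=snort host=localhost

# Snort 1.7 on Win32 does not resolve rule files relative to snort.conf,
# so every include needs the full path. Rule files that are not present
# in C:\Snort\Bin are commented out rather than left as broken includes
# (exploit.rules, scan.rules and virus.rules are assumed names here).
include C:\Snort\Bin\exploit.rules
include C:\Snort\Bin\scan.rules
include C:\Snort\Bin\misc.rules
# include C:\Snort\Bin\virus.rules
```

A quick way to check the paths before going further is to start Snort by hand with the same -c and -l switches used in the "Testing Snort" section; a missing rule file is reported at startup, before any packets are read.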
Installing WinPcap (Required Library)
- Install the latest WinPcap.exe file (Very important to
get the LATEST!)
Note: At this point you should have MySQL working and the
traffic light in the system tray should be green.
Testing Snort
Navigate to "C:\Snort\Bin" folder. At the "C:\Snort\Bin> "
prompt Type:
Snort -c C:\Snort\Bin\Snort.conf -l C:\Snort\Logs
Note: If you get the error below, it is most likely a
WinPcap problem.
-> initializing Network Interface
\Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB}
-> ERROR: OpenPcap() device
\Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB} open:
-> Error opening adapter
Note: Uninstall WinPcap and Reinstall WinPcap.exe 2.1 with
a byte count "Size 692,137"
Grab this file from
http://www.silicondefense.com/techsupport/downloads.htm
Note: Snort should now be logging to the MySQL database.
Configuring Snort to run as a Service on NT4 and 2000
- You will need to install the Windows Resource Kit for
your version of Windows.
- Navigate to the root folder of your Resource Kit folder.
- Install Snort as a service that is run through SRVANY. At
the command prompt type: INSTSRV snort <PATH TO
RESKIT>\SRVANY.EXE
(INSTSRV takes the service name first and the path to
srvany.exe second; this creates the "Snort" service key used
in the next steps. A separate "SrvAny" service is not
needed.)
- Now start the Registry Editor From the run box (BACKUP
YOUR REGISTRY!!!!!)
- Locate the following sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort
and select it.
- From the Edit pull-down menu select New, select Key, and
then type: Parameters
- Select the new Parameters key, right-click it, select New,
select String Value, and type: Application
- Right-click the new Application string, select Modify, and
type: C:\Snort\Bin\Snort.exe
- Right-click the Parameters key again, select New, select
String Value, and type: AppParameters
- Right-click the new AppParameters string, select Modify,
and type: -c C:\Snort\Bin\Snort.conf -l C:\Snort\Logs
- From the Start Menu go to Programs / Administrative Tools
and open the Services applet. Select Snort in the Services
window, right-click it, choose Properties, and under Startup
type select Automatic (this lets Snort run when no one is
logged on). Finally, under Service Status click Start. This
will start the service. To check that Snort is running, open
the Task Manager; if Snort.exe is listed, it is running.
Note: You will be unable to see Snort running in the Task
Manager if you are remotely installing Snort. The solution
is to edit the C:\Snort\Logs\Alert.ids file. If Snort is
running it will have the file locked (no edit).
Note:
If Snort is not running, return to the Services applet
located in the Administrative Tools folder of the Start
Menu, right-click Snort in the Services window, choose
Properties, stop the service, select the Log On tab, and
select Allow Service to Interact with Desktop. Apply the new
setting. Return to the General tab and start the service.
Snort will now start in a command window so you can see
where the problem lies. Once it is fixed, stop the service
and clear "Allow Service to Interact with Desktop" again;
Snort does not need a desktop to run, and a sensor should
not leave a service window open on the console.
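The registry values from the steps above as a .reg file, added here as an example (it is not supplied by the original guide or the Resource Kit), so the SRVANY configuration can be applied from the command line and kept with the rest of the sensor's configuration instead of being typed into the Registry Editor. It assumes the Resource Kit is in C:\Reskit and that the service was created with INSTSRV under the name Snort; backslashes inside .reg string values are doubled.

```registry
REGEDIT4

; Added example: SRVANY parameters for the Snort service (not from the
; original guide). Create the service first, then apply this file:
;   instsrv snort C:\Reskit\srvany.exe      (C:\Reskit is assumed)
;   regedit /s snort-service.reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort\Parameters]
; Program SRVANY launches and its command line (the guide's Application
; and AppParameters strings). Backslashes are doubled in .reg syntax.
"Application"="C:\\Snort\\Bin\\Snort.exe"
"AppParameters"="-c C:\\Snort\\Bin\\Snort.conf -l C:\\Snort\\Logs"
; Working directory for the launched process (an SRVANY option the guide
; does not set), so any relative path Snort opens resolves under C:\Snort\Bin.
"AppDirectory"="C:\\Snort\\Bin"
```

With the values in place, net start snort and net stop snort control the service from a command prompt, and the lock on C:\Snort\Logs\Alert.ids described above still tells you whether the process is up when Task Manager is not available.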
Installing the Acid Plug-in
Note: There are five tasks to do in order for Acid to
display. IE: install a Web server, install PHP, install
ADODB v0.93+, edit the 'acid_conf.php' file, and Edit the
'ADODB.INC.PHP' file
- Windows 98/ME/NT and 2000 have a web server available and
this should be installed and operating before continuing.
- Extract the Acid archive and move the Acid folder into the
root folder of your default website, IE: C:\Inetpub\wwwroot\
- Go into the Acid folder and read the README file and
install as per instructions.
- Install PHP 4.0.4pl1 into the C:\Snort folder. Configure
PHP according to the installation for IIS 4.0+ (CGI), and do
not edit php.ini (rename and transfer as per instructions).
- Install ADODB v0.93+ into the C:\Snort\ADODB folder. Edit
the ADODB.INC.PHP file to reflect the location of the ADODB
folder IE: $ADODB_DIR = 'C:\Snort\adodb';
- Configure the 'acid_conf.php' file in the Acid folder. You
should only have to edit the variables below
$DBlib_path = "C:\Snort\ADODB";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "";
- Snort should now be creating alerts, and you should be
able to view those alerts with Acid by typing
http://<ip address>/Acid/Index.html in your browser.
Conclusion:
You should be able to:
1) Run Snort as a service (NT4 / 2000 Only)
2) Run MySQL and have Snort log to the database
3) Run Acid to view alerts in HTML format
Note: This is a basic setup and you should modify this
installation to your own needs
Note: Please direct all installation problems to:
http://www.snort.org/discuss/forum.asp?forum_id=7&forum_title=Installation
Your comments and criticism are always appreciated. If you
feel there is a mistake or omission please Email me and I
will revise.
My next project will be to get Snortsnarf installed on the
Windows platform and create a step by step installation
file.
Website
http://www.silicondefense.com/
Credits
Author: Michael Steele
Technical Snort Support Engineer for Silicon Defense
Release Date: May 21, 2001 - Rev 1.2
1.866.41.SNORT
Silicon Defense -- www.silicondefense.com
Email: mailto:michaels@silicondefense.com