This documentation will hopefully help you to install Snort on your
Win32 box. It will also help you install Snort as a service (only
available on NT4 and 2000), install MySQL as a database, and Acid
to view the alerts that Snort will log.
I found it very confusing with what information was available concerning
installing Snort for Windows. Parts of this documentation were extracted
from the Snort FAQ file for Snort Win32 and other places.
I will be installing the Snort service on a Windows 2000 box. There
should be no difference if you are using 98/ME/NT4. I will be installing
MS IIS5 Web server, MySQL v1.0, Snort v1.7, PHP 4.0.4pl1 [3,737Kb]
- 13 January 2001, WinPcap.exe v2.1, ADODB v0.93+, and Acid v0.9.6b6.
If you have not downloaded these files, please do so now.
MySQL Download Page:
http://www.mysql.com/downloads/mysql-3.23.html
WinPcap Download Page (Required Driver)
http://netgroup-serv.polito.it/winpcap/install/default.htm
WinPcap Download Page (Required Driver - V2.1 beta, 692,137 byte count)
http://www.silicondefense.com/techsupport/download.htm
Snort Download Page - Snort Win32 version
http://www.snort.org/snort-files.htm
Snort Download Page - Rules
http://www.snort.org/snort-files.htm#Rules
PHP Download Page
http://www.php.net/downloads.php
ADODB Download Page
http://php.weblogs.com/adodb
Acid Download Page
http://www.cert.org/kb/acid/
Installing MySQL Database
- Install MySQL onto the C:\ drive, following the MySQL documentation. If you
are unsure of the type of installation, choose "typical".
Note: If you are running Windows 2000 Server or Advanced Server, at
the command prompt prior to installation, type: "Change User /install"
or install MySQL from the Add/Remove panel.
Note: After completing the installation of MySQL into the "C:\" folder,
proceed to the "C:\MySQL" folder and read the "ReadMe" file to complete
the installation of the MySQL database. If installed properly you
will see MySQL in the System Tray with the traffic light illuminated
green.
Note: MySQL Version 3.23.36 will not create Icons in the "Start Menu",
as stated in the GUI. If you right mouse click the MySQL traffic light,
select Show Me, select my.ini setup tab, select "Create Shortcut on
Start Menu", and it will create a shortcut in the Startup folder that
will run MySQL at bootup.
Creating a Win32 MySQL database
- Right mouse click on the MySQL program in the System Tray and select
"Show Me". MySQL will display to the screen. Choose the Database tab,
right mouse click on your server name, select Create Database, and
type your database name, e.g. "Snort".
- You will need to create a user at the command prompt. Navigate to
the "C:\MySQL\Bin" directory and type MySQL at that prompt. You will
be at the "mysql> " prompt. Type: \u mysql; <press enter>
(sets the current database to mysql)
Type: grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost;
<press enter>
- To confirm the user was added, at the "mysql> " prompt type: \u mysql
<press enter> (this sets the current database to mysql)
At the "mysql> " prompt type: show tables; (you should see a list of
tables that includes a "user" entry)
At the "mysql> " prompt type: select * from user; (you should see
the user "snort" listed)
Installing Snort MySQL Version 1.7
- Create 3 folders: "C:\Snort\" - "C:\Snort\Bin\" - "C:\Snort\Logs\"
- Install Snort into "C:\Snort\Bin" folder.
- Remove all the rules and snort.conf files from the C:\Snort\Bin
folder. Install the latest FULL set of rules and snort.conf file into
"C:\Snort\Bin" folder.
- You will need to edit the snort.conf file to reflect your HOME_NET
settings.
Note: You must remove the # before the "output database: log, mysql,
user=snort dbname=snort host=localhost" to activate MySQL.
Note: With Snort 1.7 you must specify the FULL path to each rule file in
the snort.conf file. First place # in front of all rule files not
found or not used, and then add C:\Snort\Bin\ to the beginning of each
rule file in the config file, e.g.: include C:\Snort\Bin\misc.rules
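The two snort.conf edits above (comment out rule files that are not present, prefix the remaining include lines with the full rules folder, and uncomment the MySQL output line) are easy to get wrong by hand across a few dozen include lines. The following Python script is an added example, not part of the original guide; it applies exactly those edits to a snort.conf read from disk. The sample configuration in SAMPLE_CONF is constructed for the demonstration and is not the real Snort 1.7 snort.conf.

```python
"""Prepare a Snort 1.7 Win32 snort.conf the way the notes above describe.

Added example (not from the original guide). Assumes the rule files live
in RULES_DIR and that the MySQL output line to activate is the one the
guide quotes.
"""
import os
import re

RULES_DIR = r"C:\Snort\Bin"  # folder the rule files were installed into

# Matches "include <file>" lines; group 1 is the path as written.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$", re.IGNORECASE)

# The exact line the guide says to uncomment to activate MySQL logging.
MYSQL_OUTPUT = "output database: log, mysql, user=snort dbname=snort host=localhost"


def installed_rules(rules_dir=RULES_DIR):
    """Names of the *.rules files actually present (run on the Snort box)."""
    return {n for n in os.listdir(rules_dir) if n.lower().endswith(".rules")}


def prepare_snort_conf(text, available_rules, rules_dir=RULES_DIR):
    """Return the rewritten snort.conf text.

    available_rules: set of file names (e.g. {"misc.rules"}) that exist in
    rules_dir. Includes of anything else are commented out with '#', the
    rest are rewritten to the full path, and the MySQL output line is
    uncommented. Running the result through again changes nothing.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        # "#output database: ..." -> "output database: ..."
        if stripped.startswith("#") and stripped.lstrip("# ") == MYSQL_OUTPUT:
            out.append(MYSQL_OUTPUT)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = m.group(1)
            name = path.replace("/", "\\").split("\\")[-1]
            if name not in available_rules:
                out.append("# include " + path)  # rule file not found
            else:
                out.append("include " + rules_dir.rstrip("\\") + "\\" + name)
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample snort.conf fragment for the demonstration.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
#output database: log, mysql, user=snort dbname=snort host=localhost
include misc.rules
include web-cgi.rules
include backdoor.rules
"""

if __name__ == "__main__":
    # Demo: pretend only misc.rules and backdoor.rules were installed.
    print(prepare_snort_conf(SAMPLE_CONF, {"misc.rules", "backdoor.rules"}))
    # On a real install you would instead do:
    #   text = open(r"C:\Snort\Bin\snort.conf").read()
    #   new = prepare_snort_conf(text, installed_rules())
    #   open(r"C:\Snort\Bin\snort.conf", "w").write(new)
```

The script is deliberately idempotent, so it can be re-run after a new rule set is dropped into C:\Snort\Bin without doubling up the path prefix.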
- Copy the file called "create_mysql" from the "contrib" folder of
snort.
Note: Unfortunately there was no "contrib" folder supplied with version
1.7 of Snort for Win32. You will need to download the FULL source
code for Snort from http://Snort.org and extract the "create_mysql"
from the "contrib" folder and place the "create_mysql" into the "C:\MySQL\Bin"
folder.
- Navigate to "C:\MySQL\Bin" folder from the command shell. At the
"C:\MySQL\Bin> " prompt Type: MySQL -u snort snort < C:\MySQL\Bin\create_mysql
Installing WinPcap (Required Library)
- Install the latest WinPcap.exe file (Very important to get the LATEST!)
Note: At this point you should have MySQL working and the traffic
light in the system tray should be green.
Testing Snort
Navigate to "C:\Snort\Bin" folder. At the "C:\Snort\Bin> " prompt
Type:
Snort -c C:\Snort\Bin\Snort.conf -l C:\Snort\Logs
Note: If you get the error below, it is most likely a WinPcap problem.
-> initializing Network Interface \Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB}
-> ERROR: OpenPcap() device \Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB}
open:
-> Error opening adapter
Note: Uninstall WinPcap and reinstall WinPcap.exe 2.1 (the build with
a file size of 692,137 bytes).
Grab this file from http://www.silicondefense.com/techsupport/downloads.htm
Note: Snort should now be logging to the MySQL database.
Configuring Snort to run as a Service on NT4 and 2000
- You will need to install the Windows Resource Kit for your version
of Windows.
- Navigate to the root folder of your Resource Kit folder.
- You must install the SRVANY service. At the command prompt type:
INSTSRV SrvAny <PATH TO RESKIT>\srvany.exe
- At that same prompt type: INSTSRV.EXE snort <PATH TO RESKIT>\SRVANY.EXE
- Now start the Registry Editor From the run box (BACKUP YOUR REGISTRY!!!!!)
- Locate the following sub key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort
and select it.
- From the Edit pull down menu select New, select Key, and then type:
Parameters
- Select the new Parameters key, right mouse click, select New, select
String Value, and type: Application
- Right Mouse Click the new Application String, select Modify, and
type: C:\Snort\Bin\Snort.exe
- Right Mouse Click the Parameters key again, select New, select String
Value, and type: AppParameters
- Right Mouse Click the new AppParameters String, select Modify, and
type: -c C:\Snort\Bin\Snort.conf -l C:\Snort\Logs
- From the Start Menu go to Programs / Administrative Tools and Open
the Services applet in Administrative Tools. Select Snort from the
services window, right click on Snort, choose Properties, and under
startup type select Automatic (this will allow snort to be active
when there is no one logged on). Finally under Service Status select
Run. This will start the service. To check if Snort is running, go
to the Task Manager and if Snort is listed, it is running.
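The registry part of the service setup above (the Parameters key with its Application and AppParameters string values) can be done from a script, which also gives a place to check that the paths those values point at exist before the service is started, since a wrong path is the usual reason the service does not come up. The following Python script is an added example, not part of the original guide or of the Resource Kit; it uses the key, value names and values the guide tells you to create, and the winreg module from the Python standard library (Windows only, so the write step is skipped elsewhere).

```python
"""Set the SRVANY parameters for the Snort service from a script.

Added example (not from the original guide). The key path, value names
and values are the ones the guide has you enter in the Registry Editor;
SRVANY.EXE reads them to know which program to launch and with what
arguments.
"""
import ntpath
import os

# Relative to HKEY_LOCAL_MACHINE, as in the guide.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Snort\Parameters"


def service_parameters(snort_dir=r"C:\Snort\Bin", log_dir=r"C:\Snort\Logs"):
    """The two string values SRVANY expects under the Parameters key."""
    exe = ntpath.join(snort_dir, "Snort.exe")
    conf = ntpath.join(snort_dir, "Snort.conf")
    return {
        "Application": exe,
        "AppParameters": "-c %s -l %s" % (conf, log_dir),
    }


def referenced_paths(params):
    """Every path the service will need: the executable, the -c config
    file and the -l log folder."""
    paths = [params["Application"]]
    args = params["AppParameters"].split()
    for flag, value in zip(args, args[1:]):
        if flag in ("-c", "-l"):
            paths.append(value)
    return paths


def missing_paths(params, exists=os.path.exists):
    """Referenced paths that do not exist. A non-empty list means the
    service would fail to start (the case the guide's notes troubleshoot).
    'exists' is injectable so the check can be exercised off the box."""
    return [p for p in referenced_paths(params) if not exists(p)]


def write_service_parameters(params):
    """Create the Parameters key and its string values (Windows only)."""
    import winreg  # Windows-only module, hence imported here
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY) as key:
        for name, value in params.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, value)


if __name__ == "__main__":
    params = service_parameters()
    problems = missing_paths(params)
    if problems:
        print("fix these paths before starting the service:", problems)
    elif os.name == "nt":
        write_service_parameters(params)
        print("Parameters written under HKLM\\" + SERVICE_KEY)
    else:
        print("not on Windows; values that would be written:", params)
```

Run it on the Snort box after the two INSTSRV steps and before opening the Services applet; the path check matters because, once the service runs without "Allow Service to Interact with Desktop", a bad path shows up only as a service that silently stops.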
Note: You will be unable to see Snort running in the Task Manager
if you are remotely installing Snort. The solution is to edit the
C:\Snort\Logs\Alert.ids file. If Snort is running it will have the
file locked (no edit).
Note: If Snort is not running, return to the Services applet located
in the Administrative Tools folder of the Start Menu, right click
Snort in the Services window, choose Properties, Stop the service,
select the Log On Tab, select Allow Service to Interact with Desktop.
Apply the new setting. Return to the General Tab and Start the service.
Snort will now start in a command window so you can see where the
problem resides.
Installing the Acid Plug-in
Note: There are five tasks to do in order for Acid to display, namely:
install a Web server, install PHP, install ADODB v0.93+, edit the
'acid_conf.php' file, and edit the 'ADODB.INC.PHP' file.
- Windows 98/ME/NT and 2000 have a web server available and this should
be installed and operating before continuing.
- Unpack and move the Acid folder into the root folder of your default
website, e.g. C:\Inetpub\wwwroot\
- Go into the Acid folder and read the README file and install as
per instructions.
- Install PHP 4.0.4pl1 into the C:\Snort folder. Configure PHP according
to the installation for IIS 4.0+ (CGI), and do not edit php.ini (rename
and transfer as per instructions).
- Install ADODB v0.93+ into the C:\Snort\ADODB folder. Edit the ADODB.INC.PHP
file to reflect the location of the ADODB folder, e.g. $ADODB_DIR =
'C:\Snort\adodb';
- Configure the Acid 'conf.php' file in the Acid folder. You should
only have to edit the variables below
$DBlib_path = "C:\Snort\ADODB";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "";
- Snort should now be creating alerts, and you should be able to view
them with Acid by browsing to http://<ip address>/Acid/Index.html.
Conclusion:
You should be able to:
1) Run Snort as a service (NT4 / 2000 Only)
2) Run MySQL and have Snort log to the database
3) Run Acid to view alerts in HTML format
Note: This is a basic setup and you should modify this installation
to your own needs
Note: Please direct all installation problems to:
http://www.snort.org/discuss/forum.asp?forum_id=7&forum_title=Installation
Your comments and criticism are always appreciated. If you feel there
is a mistake or omission please Email me and I will revise.
My next project will be to get Snortsnarf installed on the Windows
platform and create a step by step installation file.