Snort for WinXP Installation Non-Enterprise Network


By: Allen K. Yim, 11/15/2004



Introduction



WinSnort is for people who are not knowledgeable in Linux and feel more comfortable using the Windows operating system, and for organizations that are restricted to using only Windows operating systems. A non-enterprise WinSnort IDS installation is best suited to small networks where a database management program and a master console to manage multiple sensors are not required.

This setup procedure basically follows the instructions on www.winsnort.com under "Winsnort with Snortsnarf". As we all know, no set of instructions is complete and something is always left out; what I have tried to do here is clarify and expand on the setup. My goal is a simple-to-follow procedure that outlines each step until the setup is completed. I have also made some changes in the configuration and added other components (freesmtp and Oinkmaster) to assist the administrator in operating WinSnort.

In this setup, Snortsnarf will be used as the WinSnort interface console to view the alert log files, and Oinkmaster to manage the rules. For email notification of alerts, a program called EventWatchNT will be used. WinSnort works best when installed on a dedicated computer in Network IDS (NIDS) mode; if possible, do not load programs other than those mentioned in this document. Windows is known for its appetite for memory and processor time, and keeping the number of running programs small helps WinSnort and its supporting programs run more efficiently and effectively. In addition, disable services that are not needed; for information on the different Windows services go to http://www.blackviper.com. Finally, whether to place the IDS inside or outside the firewall is up to the administrator, but remember that inside the firewall you will only see the traffic the firewall has already filtered, while outside the firewall you will see all traffic, which means you can see who is trying to get in and plan accordingly. Basically, it boils down to a reactive mode inside and a proactive mode outside the firewall.

Lastly, before we start on this journey, I need to remind you that even though we are working in a Windows environment we will actually be typing commands into configuration files, and the majority of the programs will be executed from the command prompt. If you are unsure of some of the commands, take a look at the sample snort.conf and httpd.conf (Apache), or just use the samples and change the IPs and paths.


Source



Winsnort web site: www.winsnort.com

WinSnort 2.2: http://www.snort.org/dl/binaries/win32/

Snortsnarf: http://www.snort.org/dl/contrib/data_analysis/snortsnarf/

Apache HTTP Server: http://httpd.apache.org/download.cgi

ActivePerl: http://www.activestate.com/

WinPcap: http://winpcap.polito.it/install/default.htm

EventwatchNT: http://www.netikus.net/software/eventwatchnt/EventwatchNT_Readme.htm

Oinkmaster: http://oinkmaster.sourceforge.net/download.shtml

Freesmtp: http://www.softstack.com/freesmtp.html

Time module: http://cpan.org/

WinXP information: http://www.blackviper.com

Winrar: http://www.rarlab.com/

Acrobat Reader: http://www.adobe.com/products/acrobat/readstep2.html

All of the programs and samples are included in the WinSnort Installation for Non-enterprise network V1.1 package.


Procedures



  1. Requirements
    1. Computer system: I recommend a system with at least 512 MB of RAM, a 1.5 GHz CPU, a minimum 40 gigabyte hard drive (the more the better), a NIC, and a sound card if you would like to hear sounds for alerts. This hardware configuration was selected because in the current market it would cost less than $500, which I consider a very inexpensive IDS system. Or, if you have an extra system lying around that does not meet the recommended hardware configuration, try it and see how it works. I have installed and operated on lower hardware configurations and it worked out fine; of course, nothing was loaded except WinSnort and the supporting programs.
    2. Software: Windows XP Pro SP2 for the operating system (it will work on W2K but was only tested on WinXP Pro), WinSnort 2.2, WinPcap 3.0, Snortsnarf 021111.1, Apache HTTP Server 2.0.52 (no SSL), ActivePerl 5.6.1.638 (do not use anything above this because it won't work), EventWatchNT, freesmtp, and Oinkmaster 1.1. All software is open source and free except for the operating system. If you prefer a free operating system like Linux, then you are reading the wrong IDS setup document. For the open-source programs use the most current version if possible, except for ActivePerl. Additional programs that will be helpful are WinRAR (40-day free trial) to unzip files and Acrobat Reader, which is free.
    3. Minimal knowledge of Linux commands is helpful because most documents on the Internet cover Snort on Linux, and by knowing some Linux commands you will be able to decipher some of the Linux Snort commands for use with WinSnort. If your knowledge of Linux is little to none, don't worry, I'll spell everything out for a complete setup.
  2. Configuration
    1. Format & Partition: Format the hard drive and partition it into two drives (C and D). The first partition (C drive) should be at least five gigabytes, for loading the operating system. The second drive (D drive) gets whatever space is left over, hopefully over 10 gigabytes; of course, the more the better. The D drive is where WinSnort and all supporting software will be loaded, and as you collect alerts from WinSnort the log data can get quite big if you plan to keep it for history reference; if not, delete as you go. If you have questions on formatting and partitioning the drive, don't worry: when you insert your WinXP CD, click the option for a new installation and the process will take you through formatting and partitioning the hard drive. If you need additional help go to http://www.blackviper.com/, which explains step by step how to install Windows operating systems.
      1. After the operating system installation, ensure all service packs and patches are applied to the operating system. For added protection, you can harden the operating system according to your preference or follow the NSA standard. Also, disable, or change to manual, the services you don't need. For additional information on security and an explanation of the different types of services see http://www.blackviper.com/.
      2. Ensure the built-in firewall and pop-up blocker are turned off, unless you want to customize them to block certain ports, IPs, URLs, etc. If left on, the firewall will try to block some of the transmissions from going out until you tell it to accept or deny them.
    2. Once the above tasks are done, go to the D drive and create a folder called IDS, or whatever you want to call it, but for this document it will be labeled IDS. Also, in Control Panel go to Folder Options and change the View setting so that file extensions are shown, so that you will see the extensions of all the files we will be configuring.
    3. Download all the software mentioned in the introduction into the D drive, not into the IDS folder. Once that is done, start executing the programs and configure them in the following order:
      1. Install WinPcap using all default settings and let it load on the C drive.
      2. Install and configure WinSnort according to the following procedure.
        1. Double click WinSnort and click the "I agree" button for the open source agreement, then continue to click "Next" until you reach "Destination folder".
        2. In the "Destination folder" type D:\IDS\snort, then click "Install"; once completed, click the "Close" button.
        3. Once that is completed go to the D:\IDS\snort folder. In the folder you will see several subfolders; look for the folder labeled "etc".
        4. Open the "etc" folder and look for a file called snort.conf. Snort.conf is the snort configuration file and it is the brain of snort: this is the file where you tell snort what it needs to do as an IDS. Open the file in WordPad, not Notepad, because it is easier to read in WordPad. Once open, make the following changes:
          1. Go to: var HOME_NET any and change it to whatever network you are monitoring. For example:

            To monitor a single host with an IP of 192.168.50.1: var HOME_NET 192.168.50.1/32

            To monitor a class C network with IPs 192.168.50.0 - 255 and a subnet mask of 255.255.255.0: var HOME_NET 192.168.50.0/24

            To monitor a class B network with IPs 192.168.0.0 - 192.168.255.255 and a subnet mask of 255.255.0.0: var HOME_NET 192.168.0.0/16

            To monitor a class A network with IPs 192.0.0.0 - 192.255.255.255 and a subnet mask of 255.0.0.0: var HOME_NET 192.0.0.0/8

            Note: By default Snort monitors all traffic, using var HOME_NET any.
          2. Go to: var RULE_PATH ../rules and change it to read: var RULE_PATH d:\IDS\snort\rules
            1. This change tells snort to go to the D drive and look for snort rules in the snort subfolder called rules.
            2. Ensure you type it exactly as shown.
          3. Go to: # output log_tcpdump: tcpdump.log and change it to read: output alert_fast: alert.ids
            1. This tells snort to log any traffic that matches the rules that are turned on to the alert.ids file instead of to tcpdump.log.
            2. The # sign tells snort to ignore the line; if the sign is taken out, snort will read the command.
          4. Go to the # arpspoof section and add a new command at the end of the section. Type in: preprocessor portscan: $HOME_NET 4 3 d:\IDS\apache\apache2\htdocs\log\portscan.log
            1. This command tells snort to log all portscans in the Apache log folder, in a file called portscan.log.
            2. For portscans to be seen on Snortsnarf, the file needs to be in the Apache log folder.
          5. Go to: include classification.config and change it to read: include d:\IDS\snort\etc\classification.config
            1. This tells snort where to find classification.config.
            2. Classification.config basically tells snort how to classify and prioritize alerts.
          6. Go to: include reference.config and change it to read: include d:\IDS\snort\etc\reference.config
            1. This tells snort where to find reference.config.
            2. Reference.config basically tells snort where on the Internet to find the reference for a rule. You can add a new source by typing its URL into reference.config.
          7. You have completed the snort.conf configuration. I hope you noticed that all the changes we made were mainly to accommodate the Windows operating system by using absolute paths. The snort.conf also has a wealth of information in it, so when you have time read it and try to understand it. Now save snort.conf and let's move on.
        5. Turning on the service in WinXP.
          1. Open a command window and from the command prompt go to the D drive.
          2. From the D drive, type cd IDS\snort\bin and press Enter.
          3. Now you should be in the Snort bin folder. From the prompt type: snort /service /install -c d:\ids\snort\etc\snort.conf -l d:\ids\apache\apache2\htdocs\log -i1 and press Enter.
            1. -i is the interface and 1 represents the first NIC in the system; if you want the second one, replace 1 with 2, and so on.
            2. After pressing Enter, you should receive a message that the service has been successfully installed.
          4. Go to Control Panel > Administrative Tools > Services and open it. Find snort, change the startup type from manual to automatic, and click start. If this is not done, the snort service has to be started manually every time you boot the system.
          5. Basic service commands. Ensure the commands are given from d:\IDS\snort\bin.
            1. To uninstall the snort service, type: snort /service /uninstall
            2. To show what service is installed for snort, type: snort /service /show
            3. Also, you can start and stop the snort service from the command prompt by typing net stop snort and net start snort.
          6. Testing Snort and WinPcap.
            1. To ensure WinPcap is running properly, from the command line go to d:\ids\snort\bin. From the prompt type: snort -W and press Enter; it should list the interfaces in your system. Ensure you select the correct interface number when typing the snort command. If there is an error, troubleshoot and correct it.
            2. To ensure Snort is running correctly, from the command line go to d:\ids\snort\bin. From the prompt type: snort -v -ix (where x is the interface number) and press Enter. Snort should be sniffing the interface and packet information should show up. If there is an error, troubleshoot and correct it.
      3. Install and configure Apache HTTP Server according to the following procedures.
        1. Double click the Apache file, click "I accept the terms", and click the Next button twice.
        2. Once you get to the Server Information window there are three fields, which need to be filled out correctly.
          1. Network Domain: Enter your domain information; if you have none, make one up.
          2. Server Name: Enter the server name; if you have none, make one up.
          3. Administrator Email: Enter the email address of the sysadmin.
        3. Also, in the Server Information window do the following.
          1. Check "for All Users, on Port 80, as a Service - Recommended".
          2. Click the Next button, check "Typical" and click the Next button.
          3. Click the "Change" button and in the folder name type: d:\IDS\apache, then click the OK button.
          4. Click the "Next" button and click the "Install" button; once done installing, click Finish.
          5. Once done installing there will be an Apache icon in the system tray. Click the icon and click "Stop", so we can make some changes in the httpd.conf file.
        4. Go to d:\ids\apache\apache2\conf and open the file httpd.conf in WordPad.
          1. Go to: #AddHandler cgi-script .cgi and change it to read: AddHandler cgi-script .cgi, basically taking out the # sign so Apache reads it.
          2. Go to the "Control who" section (the access control for the htdocs directory) and change the following lines, so that only the IDS itself and the systems you list are allowed to view Snortsnarf:
            Read:   Order allow,deny
            Change: Order deny,allow

            Read:   Allow from all
            Change: Deny from all
            Add:    Allow from 127.0.0.1
            Add:    Allow from <IP of each other system you want to view Snortsnarf from>
          3. Save.
        5. Go to d:\ids\apache\apache2\htdocs and create two folders called log and cgi.
      4. Install and configure ActivePerl version 5.6.1.635 according to the following procedures.
        1. Double click the file, click "Next", check the "I accept the terms..." box, and click the "Next" button.
        2. Click the "Browse" button, type in d:\ids\perl and click "OK".
        3. Click "Next", "Next", "Next", and then click "Install".
        4. Untick "Display the release notes" and then click the "Finish" button.
      5. Install and configure Snortsnarf according to the following procedures.
        1. Uncompress the file into d:\ids
        2. Go to the uncompressed files, load snortsnarf.pl into WordPad, make the following change and save.
          Read:   $os='unix'; #Either 'wndows' or 'unix'
          Change: $os='windows'; #Either 'wndows' or 'unix'
        3. Installing the Time modules. Go to d:\ids\snortsnarf\Time-modules and copy the "Time" folder and all its contents to d:\ids\perl\site\lib.
          1. If the Time module is not included, go to http://cpan.org.
          2. Do a search in distributions for the Time module and download it once found. Uncompress it, go to the lib folder and make a copy of the Time folder and its contents.
          3. Delete everything in the folder, create a new folder called "time module", paste the contents into the time module folder and do step 3.
        4. Installing Annotations.
          1. Go to the d:\ids\snortsnarf\cgi folder and copy all of its contents to the d:\ids\apache\apache2\htdocs\cgi folder.
          2. Go to the d:\ids\snortsnarf\include folder and copy all of its contents to the d:\ids\perl\site\lib folder.
          3. Once completed, go to the command prompt and change to d:\ids\snortsnarf\utilities. Once there type: setup_anns_dir.pl d:\ids\snortsnarf\ann-dir annotation-base.xml
          4. Once completed, go to the d:\ids\snortsnarf folder, right click the ann-dir folder and select Properties. Select the Security tab, if it exists, and make sure to select "Full Control" for each user or group that will be accessing Snortsnarf.
        5. Viewing snort alerts on Snortsnarf, the fun part.
          1. To view whatever alerts WinSnort has collected, go to d:\ids\snortsnarf and type: snortsnarf.pl -d d:\ids\apache\apache2\htdocs\log -dns -db d:\ids\snortsnarf\ann-dir\annotation-base.xml -cgidir http://localhost/cgi d:\ids\apache\apache2\htdocs\log\alert.ids
            1. This command lets you view Snortsnarf from the computer where Snortsnarf was installed.
            2. To view the current alerts, this command needs to be entered manually. To run it automatically, go to the "Setting automatic schedule for updating Snortsnarf" section for instructions.
          2. To view alerts from other computers in your domain type: snortsnarf.pl -d d:\ids\apache\apache2\htdocs\log -dns -db d:\ids\snortsnarf\ann-dir\annotation-base.xml -cgidir http://<IP address of server>/cgi d:\ids\apache\apache2\htdocs\log\alert.ids
          3. To view portscans, type: snortsnarf.pl -d d:\ids\apache\apache2\htdocs\log -dns -db d:\ids\snortsnarf\ann-dir\annotation-base.xml -cgidir http://<IP address of server>/cgi d:\ids\apache\apache2\htdocs\log\portscan.log -cgidir http://<IP address of server>/cgi d:\ids\apache\apache2\htdocs\log\alert.ids -ldir http://<IP of server>/log (this command adds the snort log directory to the Snortsnarf pages, so you can go directly to the packet information).
      6. Install and configure EventWatchNT for mail notification.
        1. Ensure you do the following before installing and configuring EventWatchNT.
          1. Go to d:\ids\snort\etc and open snort.conf in WordPad.
          2. Go to #output alert_syslog: LOG_AUTH LOG_ALERT under the win32 section and delete the pound (#) sign, so snort reads the command.
          3. Save.
        2. Double click the EventWatchNT file and install it to d:\ids.
        3. Go to the folder and double click eventwatchnt.exe, which will bring up the configuration GUI.
          1. In the Sender Name box, type in the title you want shown on the email sender line. For this document we'll title it WinSnort IDS.
          2. Sender Email Address: put in the email address you want shown on the email as the sender.
          3. Recipient box: type in the email address where you want the alerts sent.
          4. SMTP Server: type in the name or IP of the SMTP server. If you have no SMTP server, do the following:
            1. Acquire an SMTP server program, like freesmtp, which I used for this document and which is free. For other programs use their instructions for installation and configuration. (http://www.softstack.com/download.html)
            2. Install the freesmtp program in d:\ids; once completed it will create an icon on your desktop. Double click the desktop icon, which will start and open the program.
            3. Once the program is open, click Options and check automatic DNS server and standard port 25, unless you have different settings for your DNS server and port, and let it run; do not close it.
            4. In the SMTP Server box, type in localhost, so that EventWatchNT sends email through freesmtp.
          5. In the Email Subject box, type in Snort Priority 1 Alert or whatever title you want shown in the email subject line.
          6. For the Filter(s) box, type in [Priority: 1] (ensure you include the [ ]), or whatever priority you want to receive.
          7. Type section: check "Include".
          8. Event logs to monitor: check Application.
          9. Events to report: check Information.
          10. Options: check HTML email.
          11. In the Installation section click the Install button, and in Service Control click Start. If any changes are made in snort.conf, make sure to stop and start the snort service so it reads the new commands.
          12. Next to the SMTP Server box is a Test button; click it and check the recipient mailbox to see if the email went through.
          13. Go to Control Panel and open Administrative Tools. Select Event Viewer, right click Application and under Properties check "Overwrite events as needed". All alerts will be logged in the Event Viewer.
          14. If you are wondering about upgrading to EventSentry, I recommend not to, because it is a much bigger program and does the same thing with extra features.
      7. Installing and configuring Oinkmaster for rule management.
        1. Uncompress the file into d:\ids
        2. Go to the folder, open the subfolder contrib and double click oinkgui.pl, which will bring up a GUI for configuration. Ensure you have Oinkmaster 1.1, because later versions do not have the GUI feature, and what is the point of using Windows without a GUI? But on the serious side, the GUI makes it much easier to configure Oinkmaster.
          1. Once oinkgui is opened, if the GUI is too big for the screen then go to Display and change the setting.
          2. Once the GUI is open it will tell you that no config file exists and that the Required Files and Directories need to be filled in.
          3. On the GUI, the top portion needs to be completed as follows:
            1. For the Required Files and Directories:
              1. Oinkmaster.pl field: either type in or use the Browse button to select the path to the oinkmaster.pl file.
              2. Oinkmaster.conf: either type in or use the Browse button to select the path to the oinkmaster.conf file.
              3. Output directory: either type in or use the Browse button to select the path to the Snort rules folder.
            2. For the Optional Files and Directories:
              1. Alternate URL: click the down arrow button and select the URL for your Snort version, for this document Snort 2.2.
              2. Variable File: either type in or use the Browse button to select the path to the snort.conf file.
              3. Backup Directory: make a subfolder in the snort folder titled old, or whatever you want to call it, to store tarballs of old rules before they are overwritten. Type the path to the subfolder in the field; I tried to browse to it but it didn't work.
              4. Editor: either type in or use the Browse button to select the path to WordPad. WordPad is located in Program Files > Windows NT > Accessories.
          4. Once the top portion of the GUI is done, click "save current settings", located on the left side of the GUI. Once clicked, it will tell you that the oinkgui file has been saved to the path shown on the display.
          5. The other options on the left side of the GUI are up to your preference for how you want Oinkmaster to run and how you want to view the files.
          6. Once all the selections are done, click "test configuration" to see if everything is running okay. Once done with no errors, click "update rules". Once the rules have finished downloading, click exit, because you are done.
          7. The next thing you need to do is go to snort.conf and the rules folder and turn on or off the rules you want applied to the Snort IDS.
          8. For easy access to the Oinkmaster GUI, make a shortcut and place it on your desktop.
      8. Setting automatic schedule for updating Snortsnarf.
        1. Write the following command in Notepad, save it as update.bat and put it in d:\ids\snortsnarf. The command would read: snortsnarf.pl -d d:\ids\apache\apache2\htdocs\log -dns -db d:\ids\snortsnarf\ann-dir\annotation-base.xml -cgidir http://<localhost or IP>/cgi d:\ids\apache\apache2\htdocs\log\portscan.log -cgidir http://<localhost or IP>/cgi d:\ids\apache\apache2\htdocs\log\alert.ids -ldir http://<localhost or IP>/log Ensure word wrap is turned off, because it could insert extra spaces, which will cause errors.
        2. Go to Control Panel and open Scheduled Tasks.
          1. Double click Add Scheduled Task.
          2. Click Next, click Browse and go to d:\ids\snortsnarf.
          3. Click update.bat and click Open.
          4. Check the option that best suits your operation; for this document check Daily and click Next.
          5. Set the time when you want it to start and check one of the three options for performing this task. For this document we'll check Every Day and click Next. Finally, set the start date. Make sure WinSnort and Apache are running when you start the schedule.
          6. Enter the user name, or leave it as is, and put in the password. Click Next.
          7. Click Finish, then right click the new schedule you created and click Properties.
          8. Go to the Schedule tab, click Advanced, check Repeat task and change Every to 12 hours, or however often you want the update to run. For Until, check Duration and change the time to 24 hours. This tells the scheduler to run the script every 12 hours within each 24-hour period.
            1. Click OK and go to the Settings tab. Uncheck "Stop the task if it runs for". Under Power Management uncheck everything and check "Wake the computer to run this task". Click Apply, put in your password, and you should be all done.
            2. Click Apply and exit.
        3. If you prefer to see an updated Snortsnarf whenever you are on the IDS system, make a shortcut to update.bat and put it on the desktop. Whenever you want to see the update, just click update.bat. If you want to do it from another computer, set up an SSH server and client and just SSH in and run update.bat. Setting up an SSH server and client is a whole different procedure; information can be found on the Internet and it will be covered in WinSnort for Enterprise IDS.
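The snort.conf settings in step 2.3.2.4 above put HOME_NET in CIDR form and write alerts to alert.ids in alert_fast format, and the EventWatchNT filter in step 2.6.3.6 keys on the "[Priority: 1]" field of those alerts. As an added example that is not part of the original article or of Snort or Snortsnarf, the following Python script parses alert.ids lines in that format, classifies each alert as inbound, outbound, internal or external relative to HOME_NET, and tallies the priority 1 alerts and the outside sources hitting the monitored network. The class C HOME_NET and the sample alert lines (local-range sids 1000001 and up) are constructed for this example.

```python
"""Summarize a Snort alert_fast log (alert.ids) relative to HOME_NET."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# HOME_NET as configured in snort.conf above (class C example; an assumption).
HOME_NET = ip_network("192.168.50.0/24")

# Layout of one alert_fast line as written by "output alert_fast: alert.ids":
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
# The Classification field is absent for rules without a classtype, and ICMP entries carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["priority"] = int(a.pop("prio"))
    a["sid"] = int(a["sid"])
    a["classification"] = a.pop("cls") or "unclassified"
    return a


def direction(alert, home_net=HOME_NET):
    """Classify traffic relative to HOME_NET: inbound, outbound, internal or external."""
    src_in = ip_address(alert["src"]) in home_net
    dst_in = ip_address(alert["dst"]) in home_net
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "external"


def summarize(lines, home_net=HOME_NET, max_priority=1):
    """Count parsed alerts, keep those at or above the given priority (1 is highest),
    and tally which outside sources most often hit HOME_NET, which is what the
    EventWatchNT '[Priority: 1]' filter and Snortsnarf's per-source view surface."""
    alerts = [a for a in map(parse_alert, lines) if a]
    urgent = [a for a in alerts if a["priority"] <= max_priority]
    inbound_sources = Counter(a["src"] for a in alerts if direction(a, home_net) == "inbound")
    return {"parsed": len(alerts), "urgent": urgent, "inbound_sources": inbound_sources}


# Constructed sample alert.ids content (sids in the local 1000000+ range, not real rules).
SAMPLE_ALERT_IDS = """\
11/15-10:22:31.123456  [**] [1:1000001:1] LOCAL web server probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:40112 -> 192.168.50.1:80
11/15-10:22:35.000120  [**] [1:1000002:1] LOCAL ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.9.8.7 -> 192.168.50.2
11/15-10:23:02.554321  [**] [1:1000003:2] LOCAL outbound IRC connection [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.50.20:1045 -> 172.16.4.4:6667
11/15-10:23:09.000001  [**] [1:1000004:1] LOCAL unclassified event [**] [Priority: 1] {UDP} 10.9.8.7:1434 -> 192.168.50.1:1434
this line is not an alert and is skipped
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_ALERT_IDS.splitlines())
    print(report["parsed"], "alerts parsed;", len(report["urgent"]), "at priority 1")
    for src, n in report["inbound_sources"].most_common():
        print(f"{src} -> HOME_NET: {n} alert(s)")
```

To run it against a real sensor, replace SAMPLE_ALERT_IDS with the contents of d:\ids\apache\apache2\htdocs\log\alert.ids and set HOME_NET to the value in your snort.conf.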
Closing

Congratulations on finishing the installation, and have fun running WinSnort. If you have any questions and/or recommendations for improving the procedure, please let me know.













Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget
