Snort on Windows 98/ME/NT4/2000 using Snortsnarf to view alerts
Author: Michael Steele
Technical Snort Support Engineer for Silicon Defense

Release Date: June 06, 2001 - Rel 1.0

Website: http://www.silicondefense.com

This documentation will hopefully help you to install Snort on your Win32 box. It will also help you install Snort as a service (Only available on NT4 and 2000), and install Snortsnarf to view your alert file.

I found it very confusing with what information was available concerning installing Snort for Windows, and Snortsnarf to view my Alert.ids.

I will be installing the Snort service on a Windows 2000 box. There should be no difference if you are using 98/ME/NT4. I will be installing MS IIS5 Web server, SnortSnarf-052301.1, ActivePerl-5.6.1.626-MSWin32-x86-multi-thread.msi, and nmake15.exe.

Snort Download Page: Snort Win32 version
http://www.snort.org/snort-files.htm

Snort Download Page: Rules
http://www.snort.org/snort-files.htm#Rules

WinPcap Download Page: (Required Driver)
http://netgroup-serv.polito.it/winpcap/install/default.htm

WinPcap Download Page: (Required Driver - V2.1 beta 692,137 byte count)
Note: use this ONLY if you have unresolved WinPcap Errors!
http://www.silicondefense.com/techsupport/downloads.htm

NMake Download Page:
http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe

SnortSnarf Download Page:
http://www.silicondefense.com/software/snortsnarf/index.htm

Active Perl Download Page:
http://aspn.activestate.com/ASPN/Downloads/


Installing Web Server – IIS5 or PWM

- You should have this installed and operational.


Installing Snort Version 1.7 

- Create 5 folders: "C:\Snort" - "C:\Snort\Bin" - "C:\Snort\Snortsnarf" - "C:\Inetpub\wwwroot\Logs" - "C:\Inetpub\wwwroot\CGI"

- From the Start Menu go to Programs / Administrative Tools and open the Internet Services Manager. Double click the entry for your Web server (your computer name). Double Click on your Default Web Site. You should see a CGI folder. Right click the CGI folder and select properties. Select the Directories tab and under Local Path make sure Read & Write are selected. Under Application Settings make sure that Execute Permissions: are set to “Scripts and Executables”.

- Install Snort into "C:\Snort\Bin" folder.

- Remove all the rules and snort.conf files from the C:\Snort\Bin folder. Install the latest FULL set of rules and snort.conf file into "C:\Snort\Bin" folder.

- You will need to edit the snort.conf file to reflect your HOME_NET settings or leave it set to any.

Note: With Snort 1.7 you must specify the FULL path to each rule file in the snort.conf file. First place # in front of the include line of every rule file that is missing or not used, then add C:\Snort\Bin\ to the beginning of each remaining rule file name in the config file, IE: include C:\Snort\Bin\misc.rules.
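The note above describes a by-hand edit; here is an added script (not from the original page or from Silicon Defense) that does the same job for the whole file: it prefixes every include with C:\Snort\Bin\ and comments out any include whose rule file is not on disk, so Snort does not refuse to start on a missing file. It assumes Python 3 is available on the sensor; the config fragment and file list are constructed samples.

```python
import os
import re
import shutil

RULE_DIR = r"C:\Snort\Bin"           # where the page installs snort.conf and the rules
INCLUDE_RE = re.compile(r"^(\s*)include\s+(\S+)\s*$")   # rule paths without spaces

def fix_includes(conf_text, present_files, rule_dir=RULE_DIR):
    """Rewrite every 'include' line with the full path under rule_dir; comment out
    includes whose rule file is not in present_files. Returns (new_text, missing)."""
    out, missing = [], []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)        # variables, preprocessors, comments: untouched
            continue
        # Keep only the file name, so an already-qualified include is not doubled up
        name = m.group(2).replace("/", "\\").split("\\")[-1]
        if name in present_files:
            out.append(f"{m.group(1)}include {rule_dir}\\{name}")
        else:
            missing.append(name)
            out.append(f"# {line.strip()}   # rule file not found in {rule_dir}")
    return "\n".join(out) + "\n", missing

def fix_conf_file(conf_path, rule_dir=RULE_DIR):
    """In-place version for a real sensor: back up snort.conf, then rewrite it."""
    present = set(os.listdir(rule_dir))
    with open(conf_path) as f:
        text = f.read()
    shutil.copy(conf_path, conf_path + ".bak")
    new_text, missing = fix_includes(text, present, rule_dir)
    with open(conf_path, "w") as f:
        f.write(new_text)
    return missing

# Constructed fragment of a Snort 1.7 snort.conf and the rule files present on disk
SAMPLE_CONF = """var HOME_NET any
# rules
include misc.rules
include web-cgi.rules
include C:\\Snort\\Bin\\exploit.rules
include local.rules
"""
SAMPLE_FILES = {"misc.rules", "web-cgi.rules", "exploit.rules", "snort.conf"}
```

Run fix_conf_file(r"C:\Snort\Bin\snort.conf") on the sensor and review the returned list of commented-out rule files before starting Snort.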


Installing WinPcap (Required Library)

- Install the latest WinPcap.exe file (Very important to get the LATEST!)


Testing Snort

- Navigate to the "C:\Snort\Bin" folder. At the "C:\Snort\Bin> " prompt type: Snort -W. You will see a list of the network adapters on which you can place your sensor. They will be numbered IE: 1,2,3,4,5,6 etc.

- At the "C:\Snort\Bin> " prompt type:
Snort -c C:\Snort\Bin\Snort.conf -l C:\Inetpub\wwwroot\Logs -ix

Note: -ix (x is the number of the NIC to place the sensor on)

Note: If you get the error below, it is most likely a WinPcap problem.

-> initializing Network Interface \Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB}
-> ERROR: OpenPcap() device \Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB} open:
-> Error opening adapter

Note: Uninstall WinPcap and Reinstall WinPcap.exe 2.1 with a byte count "Size 692,137"

Grab this file from http://www.silicondefense.com/techsupport/downloads.htm

Note: Snort should have created an Alert.ids file in the C:\Inetpub\wwwroot\Logs folder. Try editing the Alert.ids file with Notepad. You should be locked out if Snort is running.

- Kill that instance of Snort from the Task Manager Processes tab.


Configuring Snort to run as a Service on NT4 and 2000

- You will need to install the Windows Resource Kit for your version of Windows.

- Navigate to the root folder of your Resource Kit folder.

Note: If the Resource Kit is unavailable, you can search Google.com for srvany.exe and instsrv.exe and place them in a temp folder. You will need to replace <PATH TO RESKIT> with <PATH TO TEMP FOLDER> in the following directions.

- You must install the SRVANY service. At the command prompt type: INSTSRV SrvAny <PATH TO RESKIT>\srvany.exe

- At that same prompt type: INSTSRV.EXE snort <PATH TO RESKIT>\SRVANY.EXE

- Now start the Registry Editor From the run box (BACKUP YOUR REGISTRY!!!!!)

- Locate the following sub key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort and select it.

- From the Edit pull down menu select New, select Key, and then type: Parameters

- Select the new Parameters key, right mouse click, select New, select String Value, and type: Application

- Right Mouse Click the new Application String, select Modify, and type: C:\Snort\Bin\Snort.exe

- Right Mouse Click the Parameter Key again, select New, select String Value, and type: AppParameters

- Right Mouse Click the new AppParameters String, select Modify

- type: -c C:\Snort\Bin\Snort.conf -l C:\Inetpub\wwwroot\Logs -ix

Note: -ix (x is the number of the NIC to place the sensor on)

- From the Start Menu go to Programs / Administrative Tools and open the Services applet. Select Snort from the services window, right click on Snort, choose Properties, and under Startup Type select Automatic (this will allow Snort to be active when no one is logged on). Finally under Service Status select Start. This will start the service. To check if Snort is running, go to the Task Manager; if Snort is listed, it is running.

Note: You will be unable to see Snort running in the Task Manager if you are remotely installing Snort. The solution is to edit the C:\Inetpub\wwwroot\Logs\Alert.ids file. If Snort is running it will have the file locked (no edit).

Note: If Snort is not running, return to the Services applet located in the Administrative Tools folder of the Start Menu, right click Snort in the Services window, choose Properties, Stop the service, select the Log On Tab, select Allow Service to Interact with Desktop. Apply the new setting. Return to the General Tab and Start the service. Snort will now start in a command window so you can see where the problem resides.


Installing Active Perl

- Install ActivePerl-5.6.1.626-MSWin32-x86-multi-thread.msi into your C:\Inetpub\wwwroot folder. Use all the default settings.


Installing Snortsnarf

- Install Snortsnarf into "C:\Snort\Snortsnarf" folder.

- Edit the Snortsnarf.pl file located in the C:\Snort\Snortsnarf folder. Find this line and change it to say: $os = 'windows'; # Either 'windows' or 'unix'

- Navigate to the C:\Snort\Snortsnarf\include folder and copy everything into C:\Inetpub\wwwroot\perl\site\lib folder.


Install Nmake15.exe (Microsoft's compiler)


- Install Nmake into your root folder (IE: C:\Windows or C:\WINNT)

- From a command prompt navigate to the C:\Snort\Snortsnarf\time-modules folder. At the command prompt you must compile the time modules into Perl.

From the prompt type: perl Makefile.PL
From the prompt type: nmake
From the prompt type: nmake test
From the prompt type: nmake install

- Copy the time folder located in C:\Snort\Snortsnarf\time-modules\lib to the C:\Inetpub\wwwroot\perl\site\lib folder. 


Installing Annotations

- Navigate to the C:\Snort\Snortsnarf\cgi folder and copy all the files to the C:\Inetpub\wwwroot\cgi folder.

- From the command prompt navigate to the C:\Snort\Snortsnarf\utilities folder. At the prompt type: setup_anns_dir.pl C:\Snort\Snortsnarf\ann-dir annotation-base.xml. This will create a folder in C:\Snort\Snortsnarf called “ann-dir” and, inside that folder, a file called “annotation-base.xml”.

- You should now be able to have Snortsnarf compile the alert.ids file into a format that is readable using your browser by executing the following line:

“c:\snort\snortsnarf\snortsnarf.pl -d c:\inetpub\wwwroot\logs -dns -db c:\snort\snortsnarf\ann-dir\annotation-base.xml -cgidir http://<Computername>/cgi c:\inetpub\wwwroot\logs\alert.ids”

Note: The above is one long command line; be sure the spaces fall in the right places.

Note: You may want to set up a script for the above command line and a cron job to execute the script once an hour. Executing the script regularly will add all the new alerts into Snortsnarf.

To view the alerts use: http://<computername>/logs/Index.html from your browser.


Conclusion:

You should be able to:

1) Run Snort as a service (NT4 / 2000 Only)
2) View the alerts using Snortsnarf
3) Create annotations with Snortsnarf

Note: This is a basic setup and you should modify this installation to your own needs

Note: Please direct all installation problems to:

http://www.snort.org/discuss/forum.asp?forum_id=7&forum_title=Installation


Note: The Alert.ids file can grow very fast. Snortsnarf does take some time to parse the file, and can use a considerable amount of memory. If someone wanted to write a small .bat file that could do these things I would post it on our site with the proper credit :)

1. Create 2 folders (if not present) in c:\inetpub\wwwroot called Weekly_Logs, and Yearly_Logs.
2. Once a week create a folder in c:\inetpub\wwwroot\Weekly_Logs with a folder name of the date (IE: 06-1-2001 for Day, week number, and the year).
3. Copy the complete contents of c:\inetpub\wwwroot\logs into the newly created date folder.
4. Verify that the move was completed (byte count and compare)
5. Delete the entire contents of the c:\inetpub\wwwroot\logs folder
6. When the month and day are equal to 01-01, compress and move the entire contents of c:\inetpub\wwwroot\Weekly_Logs into the c:\inetpub\wwwroot\Yearly_Logs folder.
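The script asked for above, written in Python rather than as a .bat file, as an added example (not the author's or Silicon Defense's code): it keeps the copy, verify, delete order from the list, so the originals are removed only after the byte counts match. It assumes Python 3.8+ on the sensor and an MM-DD-YYYY folder name; stop the Snort service before running it, since the running sensor keeps Alert.ids open.

```python
import shutil
import tempfile
import datetime
from pathlib import Path

def dir_size(path):
    """Total bytes of all files under path, used for the copy-verification step."""
    return sum(p.stat().st_size for p in Path(path).rglob("*") if p.is_file())

def rotate_logs(logs_dir, weekly_dir, yearly_dir, today):
    """Weekly: copy the logs folder into Weekly_Logs\\<date>, verify the byte count,
    then clear the logs folder. On 01-01: also zip all of Weekly_Logs into
    Yearly_Logs and clear it. Returns (dated folder, archive path or None)."""
    logs, weekly, yearly = Path(logs_dir), Path(weekly_dir), Path(yearly_dir)
    weekly.mkdir(parents=True, exist_ok=True)
    yearly.mkdir(parents=True, exist_ok=True)
    dest = weekly / today.strftime("%m-%d-%Y")   # folder-name format is an assumption
    shutil.copytree(logs, dest, dirs_exist_ok=True)
    # Never delete the originals unless the copy carries the same number of bytes
    if dir_size(dest) != dir_size(logs):
        raise RuntimeError("byte count mismatch after copy; originals kept")
    for item in logs.iterdir():
        shutil.rmtree(item) if item.is_dir() else item.unlink()
    archive = None
    if (today.month, today.day) == (1, 1):
        base = yearly / f"weekly_logs_{today.year - 1}"
        archive = shutil.make_archive(str(base), "zip", root_dir=str(weekly))
        for item in weekly.iterdir():
            shutil.rmtree(item)
    return dest, archive

def run_demo():
    """Run both branches in a throwaway tree on constructed data."""
    root = Path(tempfile.mkdtemp())
    logs, weekly, yearly = root / "logs", root / "Weekly_Logs", root / "Yearly_Logs"
    logs.mkdir()
    (logs / "alert.ids").write_text("[**] constructed alert 1 [**]\n")
    dest, arc = rotate_logs(logs, weekly, yearly, datetime.date(2001, 6, 8))
    weekly_ok = (dest / "alert.ids").exists() and not any(logs.iterdir()) and arc is None
    (logs / "alert.ids").write_text("[**] constructed alert 2 [**]\n")
    _, arc = rotate_logs(logs, weekly, yearly, datetime.date(2002, 1, 1))
    yearly_ok = arc is not None and Path(arc).exists() and not any(weekly.iterdir())
    shutil.rmtree(root)
    return weekly_ok, yearly_ok
```

On the sensor, call rotate_logs(r"C:\Inetpub\wwwroot\Logs", r"C:\Inetpub\wwwroot\Weekly_Logs", r"C:\Inetpub\wwwroot\Yearly_Logs", datetime.date.today()) from a weekly Scheduled Task.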


Your comments and criticism are always appreciated. If you feel there is a mistake or omission please Email me and I will revise.

Michael Steele - Commercial Snort Support
1.866.41.SNORT
Silicon Defense -- www.silicondefense.com