Snort on Windows 98/ME/NT4/2000 Using MySQL and Acid 

Author: Michael Steele 
Technical Snort Support Engineer for Silicon Defense 

Release Date: July 23, 2001 - Rev 1.5 

Website: http://www.silicondefense.com 

This documentation will hopefully help you to install Snort on your Win32 box. It will also help you install Snort as a service (Only available on NT4 and 2000), install MySQL as a database, and Acid to view your alert file that Snort will create. 

I found it very confusing with what information was available concerning installing Snort for Windows. Parts of this documentation were extracted from the Snort FAQ file for Snort Win32 and other places. 

I will be installing the Snort service on a Windows 2000 box. There should be no difference if you are using 98/ME/NT4. I will be installing MS IIS5 Web server, MySQL v1.0, Snort v1.7, PHP 4.0.6, WinPcap.exe v2.1, ADODB v1.12, and Acid v0.9.6b9. If you have not downloaded these files, please do so now. 


Download Snort (Win32 MySQL Binary!) 1.7:
http://www.silicondefense.com/software/win32/snort-1.7-win32-MySQL-static.zip
Note: There are several flavors of Snort available, so be sure to download Snort with MySQL support! (win32 MySQL Binary!!!) 

Download Snort Rules 1.7: 
http://www.silicondefense.com/software/win32/snortrules.tar.gz

Download WinPcap 2.1:
http://www.silicondefense.com/software/win32/WinPcap2.1.exe

Download MySQL Shareware 3.23.39: 
http://www.silicondefense.com/software/win32/mysql-3.23.39a-win.zip

Download "create_mysql" database creator: 
http://www.silicondefense.com/software/win32/create_mysql

Download PHP 4.0.6: 
http://www.silicondefense.com/software/win32/php-4.0.6-Win32.zip

Download ADODB 1.1.2: 
http://www.silicondefense.com/software/win32/adodb112.zip

Download ACID 0.9.6b6: 
http://www.silicondefense.com/software/win32/acid-0.9.6b6.tar.gz


*** Installing Snort MySQL Version 1.7 ***

** Create 5 Folders: "C:\Snort" - "C:\Snort\PHP" - "C:\Snort\ADODB" - "C:\Snort\Bin" - "C:\Snort\Logs" 

** Uncompress Snort into "C:\Snort\Bin" folder. 

** Remove all the rules and snort.conf files from the C:\Snort\Bin folder. 

** Install the latest FULL set of rules and snort.conf file into "C:\Snort\Bin" folder. 

** You will need to edit the snort.conf file to reflect your HOME_NET settings. 

Note: If your IP address is 10.0.0.20 your HOME_NET will be 10.0.0.0/24 and this will monitor your entire network. 

** Remove the # before the "output database: log, mysql, user=snort dbname=snort host=localhost" to activate MySQL. 

** You must specify the FULL path to each rule in the snort.conf file. 

** First place # in front of "include local.rules" and it should look like "#include local.rules" 

** Edit all your includes to look like this: 

Include c:\snort\bin\exploit.rules 
Include c:\snort\bin\scan.rules 
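An added check, not part of the original guide, that reads a snort.conf and reports which of the edits this section asks for are still missing: HOME_NET set to a real network, the mysql output line uncommented, local.rules commented out, and every include given a full drive path. The sample configuration inside it is constructed for the example.

```python
import re

# Constructed sample of a snort.conf after the edits above (not a file from the guide).
# The last include still uses a bare file name, which Snort on Win32 will not find.
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
output database: log, mysql, user=snort dbname=snort host=localhost
#include local.rules
include c:\\snort\\bin\\exploit.rules
include c:\\snort\\bin\\scan.rules
include web-cgi.rules
"""

def check_snort_conf(text):
    """Return a list of problems found in a Snort 1.7 snort.conf, per the guide's steps."""
    problems = []
    home_net = None
    db_output = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):      # commented lines are inactive
            continue
        m = re.match(r'var\s+HOME_NET\s+(\S+)', line, re.I)
        if m:
            home_net = m.group(1)
        if re.match(r'output\s+database:\s*log,\s*mysql', line, re.I):
            db_output = True                      # the "#" was removed as instructed
        m = re.match(r'include\s+(\S+)', line, re.I)
        if m:
            path = m.group(1)
            if path.lower().endswith('local.rules'):
                problems.append(f"line {lineno}: local.rules should be commented out")
            elif not re.match(r'^[A-Za-z]:\\', path):
                problems.append(f"line {lineno}: include '{path}' is not a full path")
    if home_net is None:
        problems.append("HOME_NET is not set")
    elif home_net.lower() == 'any':
        problems.append("HOME_NET is 'any'; set it to your network, e.g. 10.0.0.0/24")
    if not db_output:
        problems.append("output database line for mysql is still commented out or missing")
    return problems

if __name__ == '__main__':
    for problem in check_snort_conf(SAMPLE_CONF):
        print(problem)
```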

*** Installing WinPcap (Required Library) ***

** Install WinPcap.exe 

** Reboot your machine! 

*** Installing MySQL Database ***

Note: If you are running Windows 2000 Server or Advanced Server, at the command prompt prior to installation, type: "Change User /install" or install MySQL from the Add/Remove panel. 

** Install MySQL using ALL the default settings. 

Note: If everything installed correctly you should now have a MySQL icon in the system tray. 

** Right Click the MySQL icon in the system tray and select Show Me. 

** Select the "Start Check" tab and everything in there should say Ok and Yes. 

Note: If there are any errors then you might reboot and check them again prior to proceeding. 

** Select the "my.ini setup" tab. Comment out the User Name and Password, then Save Modifications. 

** Select the "Create Shortcut on Start Menu" button. 

Note: This will create an entry in the startup folder that will run the administration panel when you restart each time. 

*** Creating a Win32 MySQL database ***

** Right mouse click on the MySQL program in the System Tray and select "Show Me". MySQL will display to the screen. Choose the Database tab, Right Mouse click on your server name, Select Create Database, and type your database name IE: "Snort". 

** You will need to create a user at the command prompt. Navigate to the "C:\MySQL\Bin" directory and type MySQL at that prompt. You will be at the "mysql> " prompt. Type: \u mysql; <press enter> (sets the database to mysql) 
Type: grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost; <press enter> 

Note: As written, this grant creates the snort user with no password. If you add identified by '<password>' to the grant, also add password=<password> to the output database line in snort.conf and set $alert_password in acid_conf.php to the same value, or Snort and Acid will no longer be able to connect. 

** To confirm user addition, at the "mysql> " prompt type: \u mysql <press enter> (this sets the database to mysql) 
At the "mysql> " prompt type: show tables; (you should see a list of tables with a user entry) 
At the "mysql> " prompt type: select * from user; (you should see the user "snort" listed) 

*** Creating Tables into MySQL for Acid ***

** Copy the file called "create_mysql" into the C:\MySQL\Bin folder. 

** Navigate to "C:\MySQL\Bin" folder from the command shell. At the "C:\MySQL\Bin> " prompt Type: MySQL -u snort snort < C:\MySQL\Bin\create_mysql 

Note: To check that the tables were added, right click on the MySQL icon in the system tray and choose Show Me. Select the Database tab, then in the Databases window pane select Snort. In the Database Tables pane you should see some entries under Snort. 

*** Testing Snort ***

** Navigate to the "C:\Snort\Bin" folder. At the "C:\Snort\Bin> " prompt Type: Snort -W. You will see a list of the network adapters on which you can place your sensor. They will be numbered IE: 1,2,3,4,5,6 etc. 

** At the "C:\Snort\Bin> " prompt type: 
Snort -c C:\Snort\Bin\Snort.conf -l C:\Snort\Logs -ix 

Note: -ix (x is the number of the NIC to place the sensor on) 

Note: If you get the error below, it is most likely a WinPcap problem. 

-> initializing Network Interface \Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB} 
-> ERROR: OpenPcap() device \Device\Packet_{D066D391-D0DA-4315-80F3-9222A4B093DB} 
open: 
-> Error opening adapter 

Note: Uninstall WinPcap and install WinPcap.exe 2.1 with a byte count "Size 692,137"

Download this file:
http://www.silicondefense.com/techsupport/windows.htm

Note: Snort should have created an Alert.ids file in the C:\Snort\Logs folder. Try editing the Alert.ids file with notepad. You should be locked out if Snort is running. 

** Kill Snort from the Task Manager Process tab. 

*** Configuring Snort to run as a Service on NT4 and 2000 ***

** You will need to install the Windows Resource Kit for your version of Windows. 

** Navigate to the root folder of your Resource Kit folder. 

Note: If the Resource Kit is unavailable, you can search Google.com for srvany.exe and instsrv.exe and place them in a temp folder. You will need to replace <PATH TO RESKIT> with <PATH TO TEMP FOLDER> in the following directions. 

** You must install the SRVANY service. At the command prompt type: INSTSRV SrvAny <PATH TO RESKIT>\srvany.exe 

** At that same prompt type: INSTSRV.EXE snort <PATH TO RESKIT>\SRVANY.EXE 

** Now start the Registry Editor From the run box (BACKUP YOUR REGISTRY!!!!!) 

** Locate the following sub key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Snort and select it. 

** From the Edit pull down menu select New, select Key, and then type: Parameters 

** Select the new Parameters key, right mouse click, select New, select String Value, and type: Application 

** Right Mouse Click the new Application String, select Modify, and type: C:\Snort\Bin\Snort.exe 

** Right Mouse Click the Parameter Key again, select New, select String Value, and type: AppParameters 

** Right Mouse Click the new AppParameters String, select Modify 

** Type: -c C:\Snort\Bin\Snort.conf -l C:\Snort\Logs -ix 

Note: -ix (x is the number of the NIC to place the sensor on) 

** From the Start Menu go to Programs / Administrative Tools and Open the Services applet in Administrative Tools. Select Snort from the services window, right click on Snort, choose Properties, and under startup type select Automatic (this will allow snort to be active when there is no one logged on). Finally under Service Status select Run. This will start the service. To check if Snort is running, go to the Task Manager and if Snort is listed, it is running. 

Note: You will be unable to see Snort running in the Task Manager if you are remotely installing Snort. The solution is to edit the C:\Snort\Logs\Alert.ids file. If Snort is running it will have the file locked (no edit). 
Note: If Snort is not running, return to the Services applet located in the Administrative Tools folder of the Start Menu, right click Snort in the Services window, choose Properties, Stop the service, select the Log On Tab, select Allow Service to Interact with Desktop. Apply the new setting. Return to the General Tab and Start the service. Snort will now start in a command window so you can see where the problem resides. 

*** Installing the Acid Plug-in and associated programs ***

Note: There are five tasks to do in order for Acid to display. IE: install a Web server, install PHP, install ADODB, edit the 'acid_conf.php' file, and Edit the 'ADODB.INC.PHP' file 

** Windows 98/ME/NT and 2000 have a web server available and this should be installed and operating before continuing. 

*** Installing PHP, the HTML embedded scripting language ***

** Uncompress PHP into the C:\Snort\PHP folder. 

** Copy the file php.ini-dist to your WINDOWS (SYSTEMROOT) directory and rename it to php.ini. 

Note: Your WINDOWS or SYSTEMROOT directory is typically: 

c:\windows for Windows 95/98 
c:\winnt or c:\winnt40 for NT/2000 servers 


*** Configure PHP extensions for 98/NT/2000 Server running IIS 4/5 or PWS ***

** Start the Microsoft Management Console (may appear as 'Internet Services Manager', either in your Windows NT 4.0 Option Pack branch or the Control Panel=>Administrative Tools under Windows 2000). 

** Right click on your Web server node (this will most probably appear as 'Default Web Server'), and select 'Properties'. 

** Under 'Home Directory', 'Virtual Directory', or 'Directory', click on the 'Configuration' button, and then enter the Applications Mappings tab. 

** Click Add, and in the Executable box, type: c:\snort\php\php.exe 

** In the Extension box, type: .php 

Leave 'Method exclusions' blank if there is one 

Check the Script engine checkbox. 

Note: You may also like to check the 'check that file exists' box - for a small performance penalty, IIS (or PWS) will check that the script file exists and sort out authentication before firing up php. This means that you will get sensible 404 style error messages instead of cgi errors complaining that php did not output any data. 

Click "OK" then "Apply" then "OK" 

*** Install ADODB - A high quality database library ***

** Uncompress ADODB into the C:\Snort\ADODB folder. Edit the ADODB.INC.PHP file to reflect the location of the ADODB folder IE: $ADODB_Database = 'C:\Snort\adodb'; 

** Uncompress and move the Acid folder into the root folder of your default website. IE: C:\Inetpub\wwwroot\ 

** Configure the Acid 'acid_conf.php' file in the Acid folder. You should only have to edit the variables below: 

$DBlib_path = "C:\Snort\ADODB"; 
$alert_dbname = "snort"; 
$alert_host = "localhost"; 
$alert_port = ""; 
$alert_user = "snort"; 
$alert_password = ""; 

** Reboot your machine! 

** Start your browser and type: http://localhost/Acid/Index.html 

Note: You will receive a configuration error the first time Acid is run. Proceed to the Setup page and mouse click on the "Setup" option, then click "Create ACID AG" to complete the Acid Alert Group configuration. 

** Return to your browser and retype "http://localhost/Acid/Index.html" 

Note: It may take a while to start seeing alerts, just let it go and Acid will auto refresh. 

*** Conclusion: ***

You should be able to: 

1) Run Snort as a service (NT4 / 2000 only) 
2) Run MySQL and have Snort log to the database 
3) Run Acid to view alerts in HTML format 

Note: This is a basic setup; you should modify this to your own needs. 

Note: Please direct all installation problems to:
http://www.snort.org/discuss/forum.asp?forum_id=7&forum_title=Installation

Your comments and criticism are always appreciated. If you feel there is a mistake or omission please Email me and I will revise. 

Michael Steele - Commercial Snort Support 
1.866.41.SNORT 
Silicon Defense -- www.silicondefense.com 
Email: michaels@silicondefense.com