
Installing WinSnort

The following is my attempt to install and configure a version of the intrusion detection system Snort using the instructions provided on WinSnort.com. The actual system being installed is called WinIDS (Windows Intrusion Detection System), and the site provides a zipped download of the required software. Although you can download each item separately from their corresponding sites, the article clearly indicates that newer versions may be incompatible and the install will fail to work. The WinIDS AIO Software Pack includes the following:

  • Snort
  • WinPcap
  • MySQL Server
  • ADODB
  • PHP
  • Basic Analysis And Security Engine (BASE)
  • Additional software: since the download is zipped you will need to extract the files. There are several tools that do this, but I like WinZip.

    System Preparation

    I’ve recently implemented Virtual PC as a learning tool in the Network+, A+ and MCSE classes that I teach at ACE Computer Training Center in Forest Hills, Queens. Virtual PC is a free Microsoft tool which creates a virtual environment to install multiple Operating Systems and simultaneously run them in their own protected space. My current laptop is a Latitude D620 that has 2 instances of Server 2003 and of XP, all joined to an Active Directory Domain. All have been configured with their own IP Addresses and can actively communicate with each other as well as with the host machine. I believe that this type of environment allows for a more productive learning environment. Although what I am introducing involves a greater learning curve, I believe it will allow the students to rapidly learn the material through repetition and with little consequence to their host machine. I recommend using Virtual PC to do the install of the Operating System; you can learn more by clicking on the following links:

    Download VirtualPC

    VirtualPC Step By Step

    Considering the innumerable possible hacks against the Windows OS the following measures should be taken:

  • Install software into a drive other than C:, and if at all possible rename the folder
  • Install all Service Packs and Patches. As of now XP is at SP3; install it.
  • Assign a static IP address
  • Disable any firewalls
  • Install an AntiVirus
  • Only use the support programs included in the ‘AIO Software Pak’
  • You might also want to run the Microsoft Baseline Security Analyzer (MBSA) tool, or even better Belarc Advisor, which will compare your current security settings to baselines as defined by the Center for Internet Security (CIS). In the end you should do as much as possible to protect your machine, which will also give you a greater understanding of how an operating system truly works.

    Although I’m documenting my own install of WinSnort using the clearly defined instructions provided on their site I will be editing the original instructions to include any suggestions or issues that I come across.

    Pre-installation Tasks
    Note: These are to be completed on the sensor prior to starting the installation of WinIDS.

    Note: In some circumstances Microsoft installs ‘Internet Information Services’ by default. Make sure that ‘Internet Information Services’ has been removed prior to starting this guide. If you’re unsure, go into Add/Remove Programs, select ‘Add/Remove Windows Components’, and make SURE the ‘Internet Information Services’ box is unselected; if it is selected, unselect ‘Internet Information Services’ and remove the application and all associated components.

    Navigate to the ‘C:\WINDOWS\system32\drivers\etc’ folder, right-click on the ‘hosts’ file and open with ‘WordPad’.

    Note: If there are problems finding the ‘hosts’ file in the above procedure then use the search function to find its location. If there is none; use the web to search for a resolution to setting up host names.

    Just below the line that reads ’127.0.0.1 localhost’ add ’127.0.0.1 winids’ (less the outside quotes).

    Now save the file and exit WordPad.

    To test the above procedure; open a command window, at the command prompt type ‘ping winids’ (less the outside quotes), and tap the ‘Enter’ key. The result should be the IP address of the soon to be, WinIDS.

    At the command prompt type ‘mkdir d:\temp’ (less the outside quotes), and tap the ‘Enter’ key.

    Download the ‘WinIDS – All In One Software Pak’ and dissolve it into the ‘d:\temp’ folder.

    When opening the WinPcap zip file for the first time I was prompted with the following:

    Install WinPcap
    Navigate to the ‘d:\temp’ folder, double left-click on the ‘WinPcap…’ file, left-click ‘Next’, left-click ‘Next’, left-click the ‘I Agree’ button, and left-click the ‘Finish’ button.

    Install and configure Snort
    Navigate to the ‘d:\temp’ folder, double left-click on the ‘Snort…’ file to start the installer, left-click the ‘I Agree’ button, left-click ‘Next’ (leave default), left-click ‘Next’, in the ‘Destination Folder’ dialog box, type ‘d:\win-ids\snort’ (less the outside quotes), left-click ‘Next’ allowing Snort to install, left-click the ‘Close’ button, and finally left-click ‘OK’.

    Navigate to the ‘d:\temp’ folder and dissolve the ‘snortrules-snapshot-CURRENT.zip’ file into ‘d:\win-ids\snort’.

    Prior to making any edits you should make a copy of the snort.conf file to use as a backup, in case you need to start from scratch due to multiple errors during the initial configuration. You might also want to print out the file for ease of use.

    Navigate to the ‘d:\win-ids\snort\etc’ folder, right-click on the ‘snort.conf’ file and open with ‘WordPad’.

    Note: Use the Find in WordPad to locate and change the variables below.

    The home network variable below defines the network you wish to monitor, like the local LAN segment for instance. It is set by specifying one or more networks in CIDR form.

    Note: The IP address below is fictitious and must be changed to the correct IP Address and CIDR that reflects the actual network that the IDS is monitoring.

    Original: var HOME_NET any
    Change: var HOME_NET 192.168.1.0/24

    Being that the school has two locations, Manhattan & Queens, I will be configuring two separate Virtual Machines, both configured with almost identical installs. As of right now, it will only be the HOME_NET variable that needs to be changed, as the IP addresses in the two locations are different. Also, doing multiple installs guarantees that I will master the install process once and for all.

    The external network below specifies one or more networks where you believe threats or attacks will originate. The var EXTERNAL_NET variable below can also be set by specifying a CIDR, or you can make use of the home network variable we’ve specified above.

    Original: var EXTERNAL_NET any
    Change: var EXTERNAL_NET !$HOME_NET

    Original: var RULE_PATH ../rules
    Change: var RULE_PATH e:\win-ids\snort\rules

    The following line was added because a dynamicpreprocessor directory entry also exists in snort.conf but is missing from the original instructions.
    Original: dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    Change: dynamicpreprocessor directory e:\win-ids\snort\lib\snort_dynamicpreprocessor

    Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
    Change: dynamicpreprocessor file e:\win-ids\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll

    Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
    Change: dynamicpreprocessor file d:\win-ids\snort\lib\snort_dynamicpreprocessor\sf_dns.dll

    Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
    Change: dynamicpreprocessor file d:\win-ids\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll

    Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
    Change: dynamicpreprocessor file d:\win-ids\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll

    Original: dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
    Change: dynamicpreprocessor file d:\win-ids\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

    Original: dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    Change: dynamicengine d:\win-ids\snort\lib\snort_dynamicengine\sf_engine.dll

    Note: Find the line entries below and change the next lines.

    Original:
    # preprocessor sfportscan: proto { all } \
    # memcap { 10000000 } \
    # sense_level { low }

    Change:
    preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    logfile { portscan.log }

    Note: Just below ‘# output log_tcpdump: tcpdump.log’ insert this next line:
    output alert_fast: alert.ids

    Original: # output database: log, mysql, user=root password=test dbname=db host=localhost
    Change: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=localhost sensor_name=WinIDS

    Original: include classification.config
    Change: include d:\win-ids\snort\etc\classification.config

    Original: include reference.config
    Change: include d:\win-ids\snort\etc\reference.config

    Original: # include threshold.conf
    Change: include d:\win-ids\snort\etc\threshold.conf

    Now save the file and exit WordPad.
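To confirm that every snort.conf edit above actually took before moving on to the test, here is an added Python checker; it is not part of the WinSnort guide or this post. It reads Snort 2.x conf syntax as shown on this page, reports each edit still at its shipped value, and adds one check the guide does not make: that all win-ids paths use the same drive letter. The BEFORE/AFTER snippets are constructed from the Original/Change lines on this page.

```python
import re
import ipaddress

WIN_ABS = re.compile(r"^[A-Za-z]:\\")   # absolute Windows path such as d:\win-ids\snort\rules


def logical_lines(text):
    """Join backslash-continued lines so a multi-line directive (sfportscan) is one record."""
    out, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1].rstrip() + " "
            continue
        out.append((buf + s).strip())
        buf = ""
    return out + ([buf.strip()] if buf else [])


def check_winids_snort_conf(text):
    """Return the WinIDS edits still missing from a snort.conf (empty list means all present)."""
    f = []
    active = [l for l in logical_lines(text) if l and not l.startswith("#")]  # drop comments
    var = dict(m.groups() for m in (re.match(r"var\s+(\w+)\s+(.+)$", l) for l in active) if m)
    home = var.get("HOME_NET", "any").strip()
    if home == "any":
        f.append("HOME_NET is still 'any': set the monitored network in CIDR form")
    else:
        for net in home.strip("[]").split(","):
            try:
                ipaddress.ip_network(net.strip(), strict=False)
            except ValueError:
                f.append(f"HOME_NET entry {net.strip()!r} is not a valid CIDR")
    if var.get("EXTERNAL_NET", "any").strip() == "any":
        f.append("EXTERNAL_NET is still 'any': set it to !$HOME_NET")
    if not WIN_ABS.match(var.get("RULE_PATH", "")):
        f.append("RULE_PATH is not an absolute Windows path")
    for l in active:  # dynamic engine/preprocessor entries must point at Windows paths
        if l.startswith(("dynamicpreprocessor ", "dynamicengine ")):
            if not WIN_ABS.match(l.split()[-1]):
                f.append(f"Unix path left in place: {l}")
    ps = [l for l in active if l.startswith("preprocessor sfportscan")]
    if not ps:
        f.append("sfportscan preprocessor is still commented out")
    elif "logfile" not in ps[0]:
        f.append("sfportscan has no logfile { portscan.log } for BASE to read")
    if not any(l.startswith("output alert_fast:") for l in active):
        f.append("missing 'output alert_fast: alert.ids'")
    db = [l for l in active if l.startswith("output database:")]
    if not db:
        f.append("output database (MySQL logging) is still commented out")
    elif "sensor_name=" not in db[0]:
        f.append("output database has no sensor_name=")
    for name in ("classification.config", "reference.config", "threshold.conf"):
        inc = [l for l in active if l.startswith("include ") and l.endswith(name)]
        if not inc:
            f.append(f"include for {name} is missing or commented out")
        elif not WIN_ABS.match(inc[0].split(None, 1)[1]):
            f.append(f"include {name} is relative, not an absolute Windows path")
    # Extra check the guide does not make: every win-ids path should sit on one drive letter.
    drives = {m.group(1).lower() for l in active for m in re.finditer(r"([A-Za-z]):\\win-ids", l, re.I)}
    if len(drives) > 1:
        f.append("win-ids paths use more than one drive letter: " + ", ".join(sorted(drives)))
    return f


# Constructed sample: the stock lines as shipped (the 'Original:' values on this page).
BEFORE = r"""
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# preprocessor sfportscan: proto { all } \
# memcap { 10000000 } \
# sense_level { low }
# output database: log, mysql, user=root password=test dbname=db host=localhost
include classification.config
# include threshold.conf
"""

# Constructed sample: the same file after this page's edits, with every path on d:.
AFTER = r"""
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH d:\win-ids\snort\rules
dynamicpreprocessor directory d:\win-ids\snort\lib\snort_dynamicpreprocessor
dynamicengine d:\win-ids\snort\lib\snort_dynamicengine\sf_engine.dll
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
logfile { portscan.log }
output alert_fast: alert.ids
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=localhost sensor_name=WinIDS
include d:\win-ids\snort\etc\classification.config
include d:\win-ids\snort\etc\reference.config
include d:\win-ids\snort\etc\threshold.conf
"""

# Constructed sample: one path slipped onto e:, the kind of mix-up that stops Snort finding its rules.
MIXED = AFTER.replace(r"RULE_PATH d:\win-ids", r"RULE_PATH e:\win-ids")
```

Run `check_winids_snort_conf(open(r"d:\win-ids\snort\etc\snort.conf").read())` on the real file; an empty list means every edit on this page is in place.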

    Test the Snort installation
    Open a command window, at the command prompt type ‘cd d:\win-ids\snort\bin’ (less the outside quotes) and tap the ‘Enter’ key. You can also add this path to the Windows environment variables (PATH) so that you can run snort from any directory.

    At the command prompt type ‘snort -W’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: When the -W switch was used in the above run line, Snort detected multiple interfaces and displayed them by number. Snort will need to know which interface to monitor. If no interface is found, the install MUST stop until the problem is corrected.

    Note: This next procedure will require the WinIDS to be connected to the network, and traffic will need to be generated. This is usually done by opening a web browser on the WinIDS and visiting a remote website.

    From a command prompt type ‘snort -v -i1’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: this will run Snort in verbose mode, detecting traffic on interface 1 (-i1).

    Now open a web browser and generate some web traffic.

    Note: If there is only a single Network Interface Card (NIC) then there should be traffic flowing by in the command window as traffic is generated. If there are multiple Network Interface Cards (NICs) installed on the sensor and no traffic is seen flowing by in the command window, and Snort is running, then stop snort from the Task Manager and change the ‘-i1’ to another interface number until traffic is seen.

    Note: In the above procedure the number of the NIC that the WinIDS will be sniffing on needs to be noted, as it’s used in one or more following procedures.

    At the command prompt press the ‘CTRL/C’ keys or use the Task Manager to exit Snort.

    Note: Snort MUST be able to see traffic before continuing. One possible reason for Snort not seeing any traffic on the network is the possibility that the WinIDS is plugged into a switch that cannot be mirrored. The solution is to use a HUB or a TAP to plug the WinIDS into.

    Install Internet Information Services (IIS)
    Note: This procedure will require the original Windows install CD to be inserted into the CD player.

    There is an iisanswer.txt file that will be used to install the required components for IIS; it includes the following lines. I’ve included some comments to explain what each component does. It’s always best to install only the components you need, as each one is susceptible to several known attacks.

    [Components]
    iis_common = on      (installs common files)
    iis_inetmgr = on     (installs IIS manager)
    iis_www = on         (web component)
    iis_smtp = off       (disables Simple Mail Transfer Protocol, aka email)
    iis_nntp = off       (disables Network News Transfer Protocol)
    1. At the command prompt type ‘sysocmgr /i:%windir%\inf\sysoc.inf /u:e:\temp\iisanswer.txt’ (less the outside quotes), and tap the ‘Enter’ key.
    Note: If it’s looking for the x:\i386 folder, browsing to that folder on the original Windows install CD might be required to complete the install. If you put the i386 files on the network you could edit the following registry entry (SourcePath) to include the network path, so that all future component installs will have access to the required files, or check out “How To Change Location of I386 Folder”.

    2. At the command prompt type ‘exit’ (less the outside quotes), tap the ‘Enter’ key.

    3. Allow Microsoft Internet Information Services to complete and the CD can be removed.

    Microsoft IIS Lockdown
    Warning: This procedure is NOT to be implemented on Microsoft ‘Windows 2003 Server’ software.

    Navigate to the ‘d:\temp’ folder and double left-click on the ‘iislockd.exe’ file, left-click ‘Next’, tick the ‘I agree…’ radio button, left-click ‘Next’, in the ‘Server templates:’ dialog box left-click highlighting the ‘Static Web server’ entry, left-click ‘Next’, make sure ‘Install URLScan filter on the server’ is checked, left-click ‘Next’, left-click ‘Next’, allow the install to complete the default setup, left-click ‘Next’, and finally left-click ‘Finish’.
    Navigate to the ‘C:\WINDOWS\system32\inetsrv\urlscan’ folder, right-click on the ‘urlscan.ini’ file and open with ‘WordPad’.

    Note: Use the Find in WordPad to locate and change the variables below.

    Original: RemoveServerHeader=0
    Change: RemoveServerHeader=1

    Scroll down to the ‘[AllowVerbs]’ section and just under the ‘HEAD’ listing type ‘POST’ (less the outside quotes) on a new line.

    Now save the file and exit WordPad…

    Navigate to the Control Panel, double left-click on ‘Administrative Tools’, and double left-click on ‘Internet Information Services’ starting the ‘Internet Information Services’ applet.

    Expand ‘Servername’ (Local computer), expand ‘Web Sites’, right-click ‘Default Web Site’, highlighting and left-click ‘Stop’, right-click ‘Default Web Site’, highlighting and left-click ‘Start’, and finally exit the ‘Internet Information Services’ applet.

    Install and Configure PHP

    Navigate to the ‘d:\temp’ folder and dissolve the ‘php-5…’ file into ‘d:\win-ids\php’.

    Open a command window, at the command prompt type ‘copy d:\win-ids\php\libmysql.dll c:\windows\system32’ (less the outside quotes), and tap the ‘Enter’ key.

    It should display ‘1 file(s) copied.’ and return to the command prompt.

    At the command prompt type ‘copy d:\win-ids\php\php.ini-dist d:\win-ids\php\php.ini’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: Should display ’1 file(s) copied.’, and return to the command prompt.

    At the command prompt type ‘exit’ (less the outside quotes), and finally tap the ‘Enter’ key to exit the command window.

    Navigate to the ‘d:\win-ids\php’ folder, right-click on the php.ini file and open with ‘WordPad’.

    Note: Use the Find in WordPad to locate and change the variables below.

    Original: max_execution_time = 30
    Change: max_execution_time = 60

    Original: display_errors = On
    Change: display_errors = Off

    Original: ;include_path = ".;c:\php\includes"
    Change: include_path = "d:\win-ids\php\pear"

    Original: extension_dir = "./"
    Change: extension_dir = "d:\win-ids\php\ext"

    Original: ; cgi.force_redirect = 1
    Change: cgi.force_redirect = 0

    Original: ; extension=php_gd2.dll
    Change: extension=php_gd2.dll

    Original: ; extension=php_mysql.dll
    Change: extension=php_mysql.dll

    Original: ; session.save_path = "/tmp"
    Change: session.save_path = "c:\windows\temp"

    Note: Make SURE the ‘session.save_path =’ variable is pointing to the correct and existing ‘WINDOWS\Temp’ or ‘WINNT\Temp’ folder, and that EVERYONE has FULL CONTROL in that folder.

    Now save the file and exit WordPad…

    Configure IIS for PHP
    Navigate to the Control Panel, double left-click on ‘Administrative Tools’, and double left-click on ‘Internet Information Services’ starting the ‘Internet Information Services’ applet.

    Expand ‘Servername’ (Local computer), expand ‘Web Sites’, right-click ‘Default Web Site’, highlighting and left-click ‘Properties’, left-click the ‘Home Directory’ tab, under ‘Application settings’ left-click ‘Configuration…’, left-click the ‘Mappings’ tab, left-click the ‘Add’ button, to the right of the ‘Executable:’ dialog box type ‘d:\win-ids\php\php-cgi.exe’ (less the outside quotes), in the ‘Extension:’ dialog box type ‘.php’ (less the outside quotes), left-click ‘OK’, left-click ‘Apply’, left-click ‘OK’, and left-click ‘OK’.

    This line is ONLY for ‘Windows Server 2003’: double left-click ‘Web Service Extension’, left-click ‘Add a new Web service extension’, in the ‘Extension Name:’ dialog box type ‘php’ (less the outside quotes), in the ‘Required Files:’ dialog box left-click ‘Add…’, in the ‘Path to File:’ dialog box type ‘d:\win-ids\php\php-cgi.exe’ (less the outside quotes), left-click ‘OK’, place a checkmark in the box labeled ‘Set extension status to Allowed’, and left-click ‘OK’.

    Note: For ‘Windows Server 2003’: under the ‘Web Service Extensions’ category there should be a new ‘PHP’ extension with the ‘Status’ column set to Allowed.

    Finally exit the ‘Internet Information Services’ applet.

    Test IIS and PHP
    Open a command window, at the command prompt type ‘copy d:\temp\test.php d:\win-ids\inetpub\wwwroot’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: Should display ’1 file(s) copied.’, and return to the command prompt.

    At the command prompt type ‘exit’ (less the outside quotes), and finally tap the ‘Enter’ key to exit the command window.

    Open a browser and type ‘http://winids/test.php’ (less the outside quotes), and tap the ‘Enter’ key. You should see the following:

    Several sections of information concerning the status and install of PHP should have been displayed.

    In the first section of information make SURE that the item labeled ‘Loaded Configuration File’ is pointing to ‘D:\win-ids\php\php.ini’ (less the outside quotes).

    In the section labeled ‘Configuration – PHP Core’ (less the outside quotes) make SURE that the item labeled ‘extension_dir’ is pointing to ‘d:\win-ids\php\ext’ (less the outside quotes) in columns ‘Local Values’ (less the outside quotes) and ‘Master Values’ (less the outside quotes).

    In the section labeled ‘Configuration – PHP Core’ (less the outside quotes) make SURE that the item labeled ‘include_path’ is pointing to ‘d:\win-ids\php\pear’ (less the outside quotes) in columns ‘Local Values’ (less the outside quotes) and ‘Master Values’ (less the outside quotes).

    In the section labeled ‘session’ (less the outside quotes) make SURE that the item labeled ‘session.save_path’ is pointing to ‘c:\windows\temp’ (less the outside quotes) in columns ‘Local Values’ (less the outside quotes) and ‘Master Values’ (less the outside quotes).

    Do not continue until all the above paths are correct.

    Now exit the browser.

    Open a command window, at the command prompt type ‘del d:\win-ids\inetpub\wwwroot\test.php’ (less the outside quotes), and tap the ‘Enter’ key. You should see the following:

    Configuring Snort to run as a service
    At the command prompt type ‘cd d:\win-ids\snort\bin’ (less the outside quotes) and tap the ‘Enter’ key.

    In the following step the ‘x’ in the ‘-ix’ switch (less the outside quotes) will represent the number of the NIC that Snort will sniff on, and should have been retrieved and noted in an earlier procedure using the ‘snort -W’ switch.

    At the command prompt type ‘snort /SERVICE /INSTALL -c d:\win-ids\snort\etc\snort.conf -l d:\win-ids\snort\log -K ascii -ix’ (less the outside quotes), and tap the ‘Enter’ key.

    You should see all of the following with the last line being ‘[SNORT_SERVICE] Successfully added the Snort service to the Services database.’ as a confirmation that the service has successfully been installed.

    At the command prompt type ‘exit’ (less the outside quotes), and finally tap the ‘Enter’ key to exit the command window.

    I originally mistyped the snort.conf file, naming it conft.conf instead, and although I received the above success message I knew the service would have to be uninstalled and then reinstalled again. The only other way around that would be to rename the snort.conf file, and that would surely cause more problems than I could imagine. After doing a short Google search of “uninstall snort service” (less the quotes) but not pulling up anything directly, I typed in snort /? and realized I could uninstall it by renaming the snort.conf file to conft.conf and then typing in the following: ‘snort /SERVICE /UNINSTALL -c d:\win-ids\snort\etc\conft.conf’ and it worked, after which I renamed the snort.conf and installed the service using all the appropriate filenames.

    This lesson did have me ponder the need to backup the changes made thus far and so I will be adding a backup\restore section to the end of this document when complete.

    Navigate to the Control Panel, double left-click on ‘Administrative Tools’, and double left-click on ‘Services’ starting the ‘Services’ applet.

    Note: If the Snort service has been installed properly, when scrolling down through the services in the applet there will be a new ‘Snort’ listing. To the right of the new ‘Snort’ listing there is a column listed as ‘Startup Type’ and in that column it will show ‘Manual’, as seen below. This needs to be set to ‘Automatic’ so when the sensor is booted Snort will automatically start.

    In the services applet highlight and right-click on the ‘Snort’ entry, highlight ‘Properties’ and left-click.

    Left-click the ‘General’ tab; under ‘Startup Type’ the selection box shows ‘Manual’. To the right there is a drop-down button; left-click it and select ‘Automatic’. The ‘Startup Type’ should now show ‘Automatic’ (do NOT try starting the Snort service). Left-click ‘Apply’ and left-click ‘OK’. In the services applet, to the right of the name ‘Snort’, the ‘Startup Type’ should now show as ‘Automatic’. Now exit the ‘Services’ applet, and exit the ‘Administrative Tools’ folder.

    Install and configure MySQL
    Note: If Terminal Services is running in Server 2000 or 2003 then MySQL must be installed from the Add/Remove panel, or by selecting the RUN dialog box in the start menu and typing: ‘change user /install’ and after MySQL has installed then type: ‘change user /execute’ to revert back to user execution mode. 

    Navigate to the ‘d:\temp’ folder, double left-click on the ‘mysql-essential…’ file to start the installer, left-click ‘Next’, left-click and select the ‘Custom’ radio button, left-click ‘Next’, left-click the ‘Change’ button, in the ‘Folder Name:’ dialog box type ‘d:\win-ids\mysql’ (less the outside quotes), left-click ‘OK’, under ‘Install to:’ it should read ‘d:\win-ids\mysql\’, left-click ‘Next’, left-click ‘Install’, left-click and select the radio button ‘Skip Sign-up’, left-click ‘Next’, make SURE ‘Configure the MySQL Server Now’ is checked, and left-click ‘Finish’.

    Left-click ‘Next’, left-click and select the ‘Standard Configuration’ radio button, left-click ‘Next’, left-click and select the ‘Include Bin Directory in Windows Path’ radio box, left-click ‘Next’, left-click and uncheck the ‘Modify Security Settings’ radio box, left-click ‘Next’, left-click ‘Execute’, and finally left-click ‘Finish’ to complete the MySQL installation.

    Create the Snort Databases
    Open a command window and at the command prompt type ‘mysql -u root’ (less the outside quotes) and tap the ‘Enter’ key.

    Note: You will be dropped into the MySQL administration console command prompt (mysql>)

    At the mysql prompt type ‘drop database test;’ (less the outside quotes), and tap the ‘Enter’ key. Pay very close attention to the ; after test. If you don’t type that in then you won’t get the ‘Query OK’ message as stated below.

    Note: It will display ‘Query OK…’ and drop back to the mysql prompt. I also tried to retest the above command again to take a snapshot to include here, but I received the following error:

    ERROR 1008 (HY000): Can’t drop database ‘test’; database doesn’t exist. Since I’m not familiar with MySQL I can only guess that you have one chance at this

    At the mysql prompt type ‘create database snort;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘create database archive;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘show databases;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: There should be several databases listed, ‘information_schema’, ‘archive’, ‘mysql’, and ‘snort’.

     
    Create the Snort Database Tables
    At the mysql prompt type ‘connect snort;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Current database: snort’ and drop back to the mysql prompt.

    At the mysql prompt type ‘source d:\win-ids\snort\schemas\create_mysql’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display 22 ‘Query OK, 0 rows affected (0.00 sec)’ entries and drop back to the mysql prompt.

    At the mysql prompt type ‘show tables;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display the ‘Tables_in_snort’ list ending with ’16 rows in set (0.02 sec)’ and drop back to the mysql prompt.

    At the mysql prompt type ‘connect archive;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Current database: archive’ and drop back to the mysql prompt.

    At the mysql prompt type ‘source d:\win-ids\snort\schemas\create_mysql’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display 22 ‘Query OK, 0 rows affected (0.00 sec)’ entries and drop back to the mysql prompt.

    At the mysql prompt type ‘show tables;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Tables_in_archive’ as ’16 rows in set (0.02 sec)’ and drop back to the mysql prompt.

    Create Database Access and Authenticated Users
    At the mysql prompt type ‘set password for root@localhost = password('d1ngd0ng');’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: Logging into the MySQL database command prompt using the username ‘root’ will now require the password ‘d1ngd0ng’ (less the outside quotes).

    At the mysql prompt type ‘quit;’ (less the outside quotes), and tap the ‘Enter’ key.

    At the command prompt type ‘mysql -u root -p’ (less the outside quotes), and tap the ‘Enter’ key.

    At the password prompt type ‘d1ngd0ng’ (less the outside quotes) and tap the ‘Enter’ key.

    At the mysql prompt type ‘grant INSERT,SELECT,UPDATE on snort.* to snort identified by 'l0gg3r';’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘grant INSERT,SELECT,UPDATE on snort.* to snort@localhost identified by 'l0gg3r';’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base identified by 'an@l1st';’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base@localhost identified by 'an@l1st';’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base identified by 'an@l1st';’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base@localhost identified by 'an@l1st';’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: It will display ‘Query OK’ and drop back to the mysql prompt.

    At the mysql prompt type ‘use mysql;’ (less the outside quotes), and tap the ‘Enter’ key.

    At the mysql prompt type ‘select * from user;’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: There should be several users listed, ‘root’, ‘snort’, ‘snort’, ‘base’, and ‘base’.

    At the mysql prompt type ‘quit;’ (less the outside quotes), and tap the ‘Enter’ key.

    At the command prompt type ‘exit’ (less the outside quotes), and finally tap the ‘Enter’ key to exit the command window.

    Navigate to the ‘d:\win-ids\mysql’ folder, right-click on the ‘my.ini’ file and open with ‘WordPad’.

    Note: Use the Find in WordPad to locate and change the variable below.

    Original: sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
    Change: sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

    Now save the file, exit WordPad, and reboot the system.

    Confirming MySQL and Snort are operational
    Right-click the start bar at the bottom of the desktop, highlight and left-click ‘Task Manager’, left-click the ‘Processes’ tab, in the ‘Image name’ category there should be a ‘snort.exe’, and ‘mysqld-nt.exe’ listed as a process.

    Note: If either Snort or MySQL is not listed in the Task Manager then there is an error somewhere and ALL errors must be resolved before proceeding. Check the Event Viewer under the ‘Application’ tab for error explanations.

    Now exit the ‘Task Manager’.

    I was not able to find snort.exe in the Processes tab of Task Manager, so I decided to start the service manually by going to Computer Management (right-click “My Computer” and choose “Manage”), expanding “Services & Applications”, and left-clicking on Services. On the right-hand side find Snort and left-click to open.

    Once open I noticed that the section under “Path to executable” read “C:\Documents and Settings\Administrator\snort /SERVICE”, which was not the path to where snort was located, nor did I state this when installing the service. I tried several times to uninstall/reinstall the service but the results were always the same: the service wouldn’t start. I then noticed the path from the command prompt was c:\documents and settings\administrator, and although I edited the Path statement previously so that I could execute snort from any directory, I actually needed to be in the e:\win-ids\snort\bin directory to install the service. Once that was done I was able to start the service, as now the path was correct, as seen below:

    Install ADODB
    Navigate to the ‘d:\temp’ folder and dissolve the ‘adodb…’ file into ‘d:\win-ids’.

    Install and configure the BASE Security Console
    Navigate to the ‘d:\temp’ folder and dissolve the ‘BASE…’ file into the ‘d:\win-ids\InetPub\wwwroot’ folder.

    Open a command window, at the command prompt type ‘copy d:\win-ids\InetPub\wwwroot\base\base_conf.php.dist d:\win-ids\InetPub\wwwroot\base\base_conf.php’ (less the outside quotes), and tap the ‘Enter’ key.

    Note: Should display ’1 file(s) copied.’, and return to the command prompt.

    At the command prompt type ‘mkdir d:\win-ids\InetPub\wwwroot\base\signatures’ (less the outside quotes), and tap the ‘Enter’ key.

    At the command prompt type ‘xcopy d:\win-ids\snort\rules\doc\signatures d:\win-ids\InetPub\wwwroot\base\signatures /Q /Y’ (less the outside quotes), and tap the ‘Enter’ key.  (The original path stated d:\win-ids\snort\doc\signatures however that folder is empty.  After looking around I found signatures in the snort\rules\doc\signatures folder which is what I have stated above)

    Note: The above command may take a few minutes to complete as it’s copying several thousand files.

    At the command prompt type ‘exit’ (less the outside quotes), and finally tap the ‘Enter’ key to exit the command window.

    Navigate to the ‘d:\win-ids\InetPub\wwwroot\base’ folder, right-click on the ‘base_conf.php’ file and open with ‘WordPad’.

    Use the Find in WordPad to locate and change the variables below.

    Original: $BASE_urlpath = '';
    Change: $BASE_urlpath = 'http://winids/base';

    Original: $DBlib_path = '';
    Change: $DBlib_path = 'd:\win-ids\adodb';

    Original: $DBtype = '?????';
    Change: $DBtype = 'mysql';  (This value was already set and didn’t need to be changed)

    Originals:
    $alert_dbname = '?????';
    $alert_host = '?????';
    $alert_port = '?????';
    $alert_user = '?????';
    $alert_password = '?????';

    Change to:
    $alert_dbname = 'snort';
    $alert_host = 'localhost';
    $alert_port = '';
    $alert_user = 'base';
    $alert_password = 'an@l1st';

    Originals:
    $archive_exists = 0; # Set this to 1 if you want access to the archive DB from BASE
    $archive_dbname = '?????';
    $archive_host = '?????';
    $archive_port = '?????';
    $archive_user = '?????';
    $archive_password = '?????';

    Change to:
    $archive_exists = 1; # Set this to 1 if you want access to the archive DB from BASE
    $archive_dbname = 'archive';
    $archive_host = 'localhost';
    $archive_port = '';
    $archive_user = 'base';
    $archive_password = 'an@l1st';

    Original: $show_rows = 48;
    Change: $show_rows = 90;

    Original: $show_expanded_query = 0;
    Change: $show_expanded_query = 1;

    Original: $portscan_file = '';
    Change: $portscan_file = 'd:\win-ids\snort\log\portscan.log';

    Original: $colored_alerts = 0;
    Change: $colored_alerts = 1;

    Original: $priority_colors = array('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
    Change: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

    Now save the file and exit WordPad.

    Categories: Security