Step 1. Install WinPcap
Because Snort is essentially a promiscuous-mode network sniffer, you need driver-level support. To provide this support, you can use WinPcap. Loris Degioanni created WinPcap as a port of the popular libpcap packet-capture driver commonly used in the UNIX world. WinPcap includes a kernel-level packet filter, a low-level DLL (packet.dll), and a high-level system-independent library (wpcap.dll, based on libpcap 0.6.2).

WinPcap, which is available for download at http://winpcap.polito.it, supports Windows Server 2003, XP, Win2K, Windows NT, Windows Me, and Windows 9x. WinPcap also supports an open-source packet sniffer called Ethereal, which is available at http://www.ethereal.com. You might find Ethereal useful when you're testing your Snort setup.

After you've downloaded the WinPcap installer, simply walk through the few installation screens it provides you. The most involved screen you'll see is the one in which you must agree to the license agreement.

Step 2. Install Snort
The next step is to install Snort. You can find the latest version at CodeCraft Consultants Web site (http://www.codecraftconsultants.com/snort.aspx) or the Snort.org Web site (http://www.snort.org). I recommend that you download Snort from CodeCraft Consultants because that Web site provides a self-installing executable. The installation program even walks you through the basic setup of Snort on your system. For this article, I used Snort 2.1.1, build 18, which was the most current version at the time. Since that time, later versions have been released.

When you run the installation program, the first dialog box in which you need to make a selection is Installation Options, which lets you configure the database to log to. If you intend to use a MySQL or ODBC-compliant database, you can leave the default selection, which Figure 1 shows. However, if you intend to log to a Microsoft SQL Server or Oracle database, you need to select the appropriate option and make sure you have the requisite client software installed on your system. For the purposes of this article, let's stick with the default selection.

Next, you need to choose the Snort components you want to install. The default selections, which Figure 2 shows, are fine, so I recommend that you leave those components selected and click Next. In the Choose Install Location dialog box, you must specify the directory in which you want to install Snort. After you enter the directory, you just need to click Next to finish the installation process.

Step 3. Test the Snort Installation
After the installation process completes, you need to test Snort to see how it's working. By default, the main executable for Snort needs to know two pieces of information to run: where to write its logs to and where to find the configuration file (i.e., snort.conf). You provide this information when you launch Snort from the command line by using the -l and -c switches, respectively. For example, the Snort command

snort -l F:\snort\log
  -c F:\snort\etc\snort.conf
  -A console

tells Snort that it should write its logs to the F:\snort\log directory and that it can find snort.conf in the F:\snort\etc directory. The -A switch tells Snort how to handle the alerts that it generates. In this instance, you're telling Snort to display the alerts on the console screen so that you can determine whether Snort is working properly. Note that, although this command appears on several lines here, you would enter it on one line in the command-shell window. (The same holds true for the other multiline commands in this article.) Also note that many of the Snort command-line switches are case sensitive, so you need to enter the switches exactly as they appear here.

If you have multiple network interfaces on your system, by default, Snort listens on the first one it finds. If you're uncertain about the order of your network interfaces, you can execute the Snort command with just the -W switch. Snort will then list the names and numbers of the network interfaces in the order in which it finds them. To instruct Snort to use a specific network interface, you need to add the -i switch followed by the interface number to the command that launches Snort. After you execute Snort, you should see a screen similar to the one that Figure 3 shows.

Assuming Snort is running, you can throw some interesting traffic past the NIDS to test the Snort sensor. One of the easiest ways to intentionally trip an alert is to try to access the command interpreter (cmd.exe) on a remote system as a part of an HTTP URL request—a common part of the Code Red and Nimda attacks. You can simulate this part of the attack by going to any specific URL and appending /cmd.exe at the end of your request. For example, going to http://www.a-website-that-I-can-trust.com/cmd.exe should cause your Snort sensor to log alerts in the command-shell window, as the first three alerts in Figure 4 show. These alerts also appear in F:\snort\log.

Please be careful about the Web sites you target with this test. Technically, most Web site administrators would consider this type of activity a hacking attempt. Although that approach shouldn't be exploitable (unless the server is horribly misconfigured), I recommend running this test only against your own server or a server that you can trust and whose administrators are aware that you'll be doing this type of test.

If this test doesn't work or isn't an option, another way you can test your Snort installation is to send an abnormally large ping request to a server across your network or to the computer on which you're running Snort. For example, you might execute the Ping command

ping -l 32767 ip_address

where ip_address is the IP address of the server or Snort computer you're targeting. This command should send an abnormally large ping packet (32KB to be exact), which is definitely not routine behavior for the Ping command. Snort should pick up this packet activity, as the bottom eight alerts in Figure 4 show.

If you're seeing such alerts, you can start tuning Snort for your specific environment. If not, you need to go back and check your installation to see whether you've missed a step.

Prev. page     1 [2] 3 4     next page



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Thank you for the fine article. It prompted me to get off my duff and finally play with Snort.

I've found the most integrated (i.e. easy) way of getting started is to use EagleX from EngageSecurity. They package all the goodies together. ACID, MySQL, IDSCenter, Snort, etc. It installs simply and is highly configurable.

Once running, the Snort detected something very interesting. While surfing YOUR site, I was subjected to a portscan and attempted buffer overflow attack against real networks products by your banner provider, DoubleClick. I could probably prove that it was an intentional act to install spyware on my system.

Thanks for the education (on several fronts). Please do something about your vendor's behavior.

Jim Jernigan Redmond, WA

Jim Jernigan- June 21, 2004

Snort.Org also has the self-installing executables. The URL is http://www.snort.org/dl/binaries/win32/

I look for it here because CodeCraft Consultants site appears to be down at the time I tried it.

STopilnycky- August 11, 2004

Article Rating 5 out of 5

 
 

ADS BY GOOGLE