You probably have an antivirus, and maybe a firewall to stop attacks on your box. However, have you ever considered using an Intrusion Detection System (IDS), especially if your box is part of a network? An IDS, unlike a firewall, works passively: instead of blocking traffic, it logs attacks to a file and alerts users.
The advantage an IDS gives you over a firewall is that it can detect attack signatures even from within the network. You can create your own custom alerts or download rule sets over the Internet. Systems like Snort are widely used in company networks because of their effectiveness in detecting a huge range of attacks. Snort was originally built for Linux. A Windows version is available, but it requires quite a bit of tinkering, which is what this article is for. This assumes you have knowledge of the following:
1. Basic DOS commands, and
2. General knowledge of IP addresses and subnets
The Basics
- To get started, download both the EXE installer and the rules file (make sure to get the rules file corresponding to your Snort version) from http://www.snort.org.
- The rules file contains the signatures for various attacks, similar to virus definition files.
- Install Snort and be sure to select the ‘I do not plan to log to a database’ option unless you want to use an MS SQL Server or Oracle database for Snort.
- Extract the contents of the rules file to your Snort install directory.
- After the install, Snort informs you that it requires the Windows Packet Capture library, available at http://www.winpcap.org/install/default.htm, so download and install it.
The Real Thing
The first thing you will need to get your hands on is the snort.conf file. Assuming you installed Snort in its default location, this file can be found in c:\snort\etc. This is where the tweaking starts. The config file as shipped is written for Linux, so we’ll have to edit it for Windows. Open the file and scroll down to “Step 2: Configure dynamic loaded libraries”. Change the following lines:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
to
dynamicpreprocessor directory C:\snort\lib\snort_dynamicpreprocessor
dynamicengine C:\snort\lib\snort_dynamicengine\sf_engine.dll
Now that the basic setup is done to make Snort compatible with Windows XP, we need to confirm that it indeed detects attacks. Snort is a command line based program: go to Start > Run, type “cmd” and hit [Enter]. CD your way through to c:\snort\bin and enter:
snort -l c:\snort\log -c c:\snort\etc\snort.conf -A console
We’ll spend a few lines explaining the command. The -l switch points to the directory where the log files are to be stored; remember that the directory has to already exist, because Snort won’t create it for you. The next switch, -c, points to the snort.conf file. The -A switch (case sensitive) selects the alert output mode, in this case console mode, which prints every alert in the window. Leave this window open since you will be seeing your alerts here for now.
Now to test whether it’s working properly. For this, we’ll run a simple DoS (denial of service) test and confirm whether Snort alerts us on it. Go to Start > Run, type cmd and enter “ping -l 65500 -t” without the quotes and hit [Enter].
Switch back to the Snort window. If all’s working well you should see a bunch of alerts in the window. This confirms that Snort is now up and running on your box.
Configure It More
Next, we’ll look into some lines in the snort.conf file. Look for the following:
var HOME_NET any
This pertains to your home network: the subnet is given in CIDR format, and Snort monitors attacks in the specified range. For example, for IP address 192.168.1.1 with a subnet mask of 255.255.255.0 you would put in:
var HOME_NET 192.168.1.1/24
Use a CIDR calculator on the Internet to find out the CIDR prefix for your subnet mask.
Other things you can configure are to monitor specific services like DNS or SMTP; you can find these further down the file. Remove the # that comments a line out if you want Snort to read that line.
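As an added example (not from the article or the Snort project), the script below does two things this section describes by hand: it derives the HOME_NET network from an address and a dotted subnet mask, as the CIDR calculator would, and it parses the alert lines Snort prints in console mode (the same "fast" format it writes to alert.ids in the -l log directory) to count alerts per signature and classify each as internal, inbound or outbound relative to HOME_NET. The sample alert lines, SIDs, messages and addresses are constructed for the example, and the line layout is assumed to be Snort's standard fast-alert format, so compare it against a real line from your own log before relying on the regular expression.

```python
"""Triage Snort console/fast alerts against HOME_NET (added example)."""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample of the alert lines Snort prints with `-A console` and
# writes to alert.ids in the -l log directory. SIDs, messages and addresses
# are made up for this example; the last line shows a non-alert line.
SAMPLE_ALERTS = """\
03/14-10:02:17.120391  [**] [1:100001:1] ICMP Large Payload [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.1
03/14-10:02:18.121044  [**] [1:100001:1] ICMP Large Payload [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.1
03/14-10:03:02.558210  [**] [1:100002:1] SMB Probe From Outside [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:4455 -> 192.168.1.10:445
03/14-10:03:40.001982  [**] [1:100003:2] Outbound DNS To Unusual Port [**] [Priority: 3] {UDP} 192.168.1.22:51234 -> 198.51.100.7:5353
-- Initializing rule chains... (not an alert, skipped by the parser)
"""

# One fast-format alert: timestamp, [**] [gid:sid:rev] message [**],
# optional Classification and Priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def home_net(ip, netmask):
    """Turn a host address plus dotted netmask into the CIDR network for the
    `var HOME_NET` line, e.g. 192.168.1.1 / 255.255.255.0 -> 192.168.1.0/24."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields["priority"]) if fields["priority"] else None
    return fields


def direction(alert, net):
    """Classify an alert by where its endpoints sit relative to HOME_NET."""
    src_in = ipaddress.ip_address(alert["src"]) in net
    dst_in = ipaddress.ip_address(alert["dst"]) in net
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "transit"


def triage(text, net):
    """Count alerts per signature and per direction; skip non-alert lines."""
    by_signature = Counter()
    by_direction = Counter()
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        by_signature[alert["msg"]] += 1
        by_direction[direction(alert, net)] += 1
    return by_signature, by_direction


if __name__ == "__main__":
    # Usage: python snort_triage.py [c:\snort\log\alert.ids]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    net = home_net("192.168.1.1", "255.255.255.0")
    sigs, dirs = triage(text, net)
    print(f"HOME_NET {net}")
    for msg, n in sigs.most_common():
        print(f"{n:5d}  {msg}")
    print(dict(dirs))
```

Run it against the alert file in your log directory to get a quick summary of what fired and whether the traffic originated inside or outside HOME_NET; alerts whose source is inside the range, like the oversized-ping test from the previous section, are the ones worth a closer look on a home network.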
Finishing Up
The only thing left is to configure Snort so it runs as a service, without you having to go through the command line headache every time. We need Snort to start as a service every time Windows boots so that we can see the alerts directly in Event Viewer. Use the following command to do so:
snort /service /install -l c:\snort\log -c c:\snort\etc\snort.conf -E
That’s it. You should now see Snort in your list of services, and all alerts should be visible in Event Viewer along with the log files in c:\snort\log. Remember, you can download more rules from http://www.snort.org for new vulnerabilities.
very nice and thorough tutorial. you gave me a nice idea to test it on my debian box. thx!