Snort IDS & BASE on Server Core 2008

I’ve used the Snort Intrusion Detection System for about two years, and while I’m far from an expert and my experience with other IDS platforms is limited, I believe Snort to be one of the best solutions out there, especially for the price (free). There is definitely a learning curve associated with it, but Snort is highly configurable and its extensibility means it can be suited to fit the needs of almost any environment.

Like most, I usually run Snort on a Linux system. However, win32 binaries are offered, and I’ve never been able to find any compelling reason against running it on a Windows system. This post documents the steps required to configure a Snort sensor to run on a Windows Server 2008 Server Core platform. With its stripped down environment, Server Core is ideal for running Snort. In addition to Snort, I also hoped to be able to use one of the many popular front-ends for reporting and alerting services. One of the best Windows Snort front-ends is IDSCenter, but it’s a GUI application that won’t run on Server Core, so I decided to go with another favorite, the Basic Analysis and Security Engine (BASE). BASE is a PHP application based on the ACID project. Being written in PHP means it’s platform independent and can run on any web server that supports PHP.

Prerequisites

In order to start this project, a basic Server Core installation of Windows Server 2008 is required. The IIS Web Server role needs to be enabled, and PHP needs to be installed. I also wanted to log alert data to a MySQL database, so that needs to be installed as well. I documented those steps in my previous post; if you haven’t seen it, follow those steps to get the server set up, then return here to get started with Snort. That post also lists several required php.ini settings, so even if you already have a PHP web server running, double check your settings against the ones in the post.

Snort Setup

The first step, obviously, is to obtain the Snort install files. I used the most recent release, v2.8.3.1 (the download link is here). While on the Snort site, go ahead and download the current rule files too (the v2.8 link is here); this requires a free site registration. Snort on Windows also requires the WinPcap packet capture library. I used v4.1 beta 4, which supports Server 2008, downloadable from here. The Snort installer runs on Server Core, but the WinPcap installer will not, so you’ll need to use another system (XP works) for that install and then manually copy the required .dll files.

On Server Core, run the Snort_2_8_3_1_Installer.exe file, installing Snort to c:\snort. Next, extract the contents of the zipped up rule file into c:\snort, overwriting any files or folders already present. On your non-Server Core system, run the WinPcap installer. When that completes, copy the following files to the Server Core box, making sure to keep the files in the same directories.

From / To c:\windows\system32 : Packet.dll, WanPacket.dll, WPcap.dll, npptools.dll
From / To c:\windows\system32\drivers : npf.sys

At this point, Snort should be ready for basic functionality. Test this by running the following command, which will show available interfaces:

c:\snort\bin\snort.exe -W

You should see a list of interfaces. Make note of the number of the interface on which you want Snort to listen; you will need it later. Snort is pretty good about letting you know when something is wrong, so if there is a problem, like a missing .dll, you should see it here. This is how I figured out which WinPcap .dlls were needed.

Now that we know Snort works, it needs to be configured for database logging and set up to run as a service. Log in to your MySQL database, then run the following commands, which create a database called “snort”, grant privileges to a new MySQL user account, also called “snort”, and create the DB table structure. I’m using username ‘snort’ and password ‘password’ for example purposes; on a real sensor pick a strong password, and consider granting only the privileges Snort and BASE actually need on the snort tables (SELECT, INSERT, UPDATE and DELETE) rather than ALL PRIVILEGES.

mysql> create database snort;
mysql> grant all privileges on snort.* to snort@localhost identified by 'password';
mysql> use snort;
mysql> source c:\snort\schemas\create_mysql
mysql> commit;
mysql> show tables;

The output of the final command should show a listing of tables in the newly created snort database. Now you’ll need to edit the c:\snort\etc\snort.conf file to work in the Windows environment and to direct Snort to log to a database. The file uses Unix line endings, so it looks ugly in Notepad; I suggest using the DOS edit utility to make the following changes, then save the file.

Under “Step #1: Set the network variables”:
MODIFY:
var RULE_PATH c:\snort\rules
Under “Step #2: Configure dynamic loaded libraries”:
MODIFY:
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
ADD:
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file c:\snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
Under “Step #4: Configure output plugins”:
ADD:
output database: log, mysql, user=snort password=password dbname=snort host=localhost

If that was all done correctly, you should now be able to confirm full Snort operation by running the following. (Note that snort.conf now contains the database password in clear text, so restrict the NTFS permissions on c:\snort\etc to administrators and the account the service will run as.)

c:\snort\bin\snort.exe -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

Modify the -i (interface number) argument to the correct interface number for your system. The -l argument tells Snort which directory to write its logs and flat-file alerts to (required on Windows, because the compiled-in default log directory doesn’t exist there), and -c tells Snort where to get its configuration settings. You should see several screens of info during initialization, after which you should see the text “Initialization Complete” along with some version info. If you see that, you are ready to make Snort a service; if not, address any errors you receive.
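The snort.conf edits above are easy to get subtly wrong by hand (a leftover Linux path, a second output line), and Snort only tells you about a missing .dll when you run it. The script below is an added example, not code from this post or from the Snort project: it applies the Step 1, 2 and 4 edits to a stock snort.conf in one pass, can be re-run safely, and lists every engine/preprocessor DLL the result references that does not exist on disk. It assumes the c:\snort layout the 2.8.x Windows installer creates (rules\, lib\snort_dynamicengine\, lib\snort_dynamicpreprocessor\); the sample conf and the database values are constructed from the post’s own examples.

```python
"""Patch a stock snort.conf for the Windows layout described above.

Added example (not code from the post or from Snort). Assumes the Snort
2.8.x Windows installer layout under c:\\snort: rules\\, lib\\snort_dynamicengine\\
and lib\\snort_dynamicpreprocessor\\. The preprocessor list is the one the post
loads; the sample conf below is constructed for the example.
"""
import os
import re

SNORT_ROOT = r"c:\snort"
PREPROCESSORS = ["sf_dcerpc", "sf_dns", "sf_ftptelnet", "sf_smtp", "sf_ssh", "sf_ssl"]
# Example credentials only, matching the post; change them on a real sensor.
DB = {"user": "snort", "password": "password", "dbname": "snort", "host": "localhost"}

# Constructed stand-in for the relevant parts of a stock (Linux-flavoured) snort.conf.
SAMPLE_CONF = """\
# Step #1: Set the network variables
var HOME_NET any
var RULE_PATH ../rules

# Step #2: Configure dynamic loaded libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# Step #4: Configure output plugins
# output alert_syslog: LOG_AUTH LOG_ALERT

include $RULE_PATH/local.rules
"""


def apply_windows_edits(conf, snort_root=SNORT_ROOT, db=DB):
    """Return conf with the Step 1, 2 and 4 edits applied. Running it twice
    on the same text gives the same result, so it is safe to re-run."""
    output_line = ("output database: log, mysql, user={user} password={password} "
                   "dbname={dbname} host={host}".format(**db))
    out, placed = [], False
    for line in conf.splitlines():
        s = line.strip()
        if re.match(r"var\s+RULE_PATH\s", s):
            out.append("var RULE_PATH %s\\rules" % snort_root)
        elif s.startswith("dynamicengine"):
            out.append("dynamicengine %s\\lib\\snort_dynamicengine\\sf_engine.dll" % snort_root)
            for p in PREPROCESSORS:
                out.append("dynamicpreprocessor file %s\\lib\\snort_dynamicpreprocessor\\%s.dll"
                           % (snort_root, p))
        elif s.startswith("dynamicpreprocessor") or s.startswith("output database:"):
            continue  # Linux-path preprocessor lines and any old DB line are replaced
        else:
            out.append(line)
            if "Step #4" in s:  # keep the output plugin in the section the post uses
                out.append(output_line)
                placed = True
    if not placed:
        out.append(output_line)
    return "\n".join(out) + "\n"


def referenced_dlls(conf):
    """Every path an active dynamicengine / dynamicpreprocessor file line loads."""
    paths = []
    for line in conf.splitlines():
        m = re.match(r"dynamic(?:engine|preprocessor\s+file)\s+(\S+)", line.strip())
        if m:
            paths.append(m.group(1))
    return paths


def missing_dlls(conf, exists=os.path.exists):
    """Paths Snort would fail to load. `exists` is injectable so the check can
    be exercised off the sensor."""
    return [p for p in referenced_dlls(conf) if not exists(p)]


if __name__ == "__main__":
    patched = apply_windows_edits(SAMPLE_CONF)
    print(patched)
    for p in missing_dlls(patched):
        print("missing:", p)
```

On the sensor itself, read c:\snort\etc\snort.conf, write the patched text back, and run missing_dlls() with the default os.path.exists before starting Snort; an empty list means every DLL the config names is actually installed.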

To run Snort as a service, you run the previous command, but with the /SERVICE and /INSTALL arguments, for example:

c:\snort\bin\snort.exe /SERVICE /INSTALL -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

This should complete successfully. You can verify the status by running “snort.exe /SERVICE /SHOW”. The final two tasks for Snort are to set the service to start automatically and to actually start it. In the first command, note the space between the equals sign and ‘auto’; sc requires it.

c:\> sc config snortsvc start= auto
c:\> sc start snortsvc

Upon successful service start, the Snort IDS is now running and monitoring traffic on the selected interface.

BASE Setup

Now that Snort is running and logging alert data to MySQL, we can use the BASE front-end to easily view that data and set up alert notification. I won’t go too deeply into post-install BASE configuration, but the following steps will get it running on your Server Core system. Download the current BASE files here, I used v1.4.1. BASE also requires the ADODB PHP database abstraction library, which you can get here. I used v5.0.6a.

There isn’t much to installing these. Simply extract the contents of the BASE file to c:\inetpub\wwwroot\base. Extract the contents of the ADODB file to c:\php\adodb. Configuration is a little more in depth, but the process is almost complete. First, the following extension needs to be enabled in your c:\php\php.ini file, after which the IIS service (w3svc) needs to be restarted:

Uncomment: extension=php_gd2.dll

There are other php.ini requirements, but if you followed the suggestions in my previous post, they’re already done. Next up is the set up of the BASE configuration file. First, make a copy of the c:\inetpub\wwwroot\base\base_conf.php.dist file named base_conf.php, in the same directory. Make the following modifications based on your setup.

$BASE_urlpath = '/base';
$DBlib_path = 'c:\php\adodb';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = 'password';

BASE also requires some additions to the Snort database, so to make those, use mysql.exe with the -D argument (specifies database) to run the following script:

mysql.exe -D snort -u root -p < c:\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql
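The most common reason BASE comes up empty or errors out at this point is that the values in base_conf.php do not match the ones on Snort’s output database line. The script below is an added example, not code from this post, Snort or BASE: it parses the active output database line out of snort.conf and the $DBtype/$alert_* assignments out of base_conf.php, reports every field on which the two disagree, and flags the placeholder password the post uses. Both inputs are constructed stand-ins built from the post’s example values.

```python
"""Cross-check the credentials Snort logs with against the ones BASE reads with.

Added example (not code from the post, Snort or BASE). Parses the first active
'output database:' line of snort.conf and the $DBtype / $alert_* settings of
base_conf.php; the two inputs below are constructed from the post's examples.
"""
import re

SNORT_CONF = """\
# Step #4: Configure output plugins
# output database: alert, postgresql, user=snort dbname=snort
output database: log, mysql, user=snort password=password dbname=snort host=localhost
"""

BASE_CONF = """\
<?php
$BASE_urlpath = '/base';
$DBlib_path = 'c:\\php\\adodb';
$DBtype = 'mysql';
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'password';
?>
"""


def parse_snort_db_output(conf):
    """Return the parameters of the first active 'output database:' line as a
    dict (facility, dbtype and the key=value pairs), or None if there is none."""
    for line in conf.splitlines():
        m = re.match(r"output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)", line.strip())
        if m:
            params = dict(re.findall(r"(\w+)=(\S+)", m.group(3)))
            params.update(facility=m.group(1), dbtype=m.group(2))
            return params
    return None


def parse_base_conf(php):
    """Return BASE's database settings as a dict keyed like Snort's parameters:
    $DBtype -> 'dbtype', $alert_dbname -> 'dbname', and so on."""
    settings = {}
    for name, value in re.findall(r"^\s*\$(\w+)\s*=\s*['\"]([^'\"]*)['\"]\s*;", php, re.M):
        if name == "DBtype":
            settings["dbtype"] = value
        elif name.startswith("alert_"):
            settings[name[len("alert_"):]] = value
    return settings


def weak_password(pw):
    """Placeholder or short passwords that should never reach a real sensor."""
    return pw is None or len(pw) < 12 or pw.lower() in {"password", "snort"}


def compare(snort_params, base_params):
    """List every reason BASE would fail to read what Snort writes (an empty
    list means the two configs agree), plus a warning for a weak password."""
    if snort_params is None:
        return ["snort.conf has no active 'output database:' line"]
    problems = []
    for key in ("dbtype", "dbname", "host", "user", "password"):
        if snort_params.get(key) != base_params.get(key):
            problems.append("%s: snort.conf has %r, base_conf.php has %r"
                            % (key, snort_params.get(key), base_params.get(key)))
    if weak_password(snort_params.get("password")):
        problems.append("weak password: %r is a placeholder; change it in MySQL, "
                        "snort.conf and base_conf.php" % snort_params.get("password"))
    return problems


if __name__ == "__main__":
    for problem in compare(parse_snort_db_output(SNORT_CONF), parse_base_conf(BASE_CONF)):
        print(problem)
```

On the server, feed the real files in with open(r"c:\snort\etc\snort.conf").read() and open(r"c:\inetpub\wwwroot\base\base_conf.php").read(); with the post’s example values the only finding is the weak-password warning, which is exactly what you want to see before exposing the BASE page.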

The final step is to download additional PHP graphing packages from PEAR used by BASE. This step is optional if you don’t intend to use the graphs that BASE offers. On the Server Core box, cd to c:\php then run the following:

go-pear.bat

At the prompt, press Enter to install system-wide, press Enter on the next prompt (taking defaults), finally accept the suggestion to update php.ini include path, if offered. When complete, run the following commands, one at a time:

pear install Image_Color
pear install Log
pear install Numbers_Roman
pear install http://pear.php.net/get/Image_Canvas
pear install http://pear.php.net/get/Numbers_Words-0.15.0
pear install http://download.pear.php.net/package/Image_Graph-0.7.2.tgz

The End

You can now browse to http://server/base/base_main.php to interact with the BASE webpage. If Snort has been running for a while you may have some alerts in the database already. If not, you can easily create one by browsing to the http://server/phptest.php file mentioned in the previous post.

A lot of configuration options for both Snort and BASE were not covered in this post; it was intended as a how-to for getting them running on Windows Server Core 2008. There are many other considerations to take into account, such as where to place the IDS sensor on the network, further configuration of Snort and the Snort rules, setting up SMTP alert notifications in BASE, and the security implications. At a minimum, replace the example database password, restrict who can reach the /base URL (BASE’s own login can be turned on with $Use_Auth_System in base_conf.php, or use IIS authentication), and remember that both snort.conf and base_conf.php hold the database credentials in clear text. Should you want further information, the resources at the links below will assist you.

Snort.org
BASE
Snort IDS & DIY Network TAP



5 Responses

  1. Dear Sir,
    I am a beginner at using Snort. Will you please tell me the sequence to run Snort on a Linux system, and how to use BASE with it? I am trying to use ACID with it as a frontend but I am facing some problems with it.
    Thanks in advance

  2. I’m wondering about these lines:

    From / To c:\windows\system32 : Packet.dll, WanPacket.dll, WPcap.dll, npptools.dll
    From / To c:\windows\system32\drivers : npf.sys

    Do you mean to copy c:\windows\system32\packet.dll to a new file at c:\windows\system32\wanpacket.dll? (the same for wpcap.dll to npptools.dll, overwriting an existing version)

  3. Hi David,

    Not quite. Those lines reference copying those 5 files from a non-server core system over to your server core system. Since the WinPcap installer does not run on Server Core, you will need to run the installer on a full server installation, then copy those 5 files over to the same location on your Server Core system.

    Hope that helps. – Clay

  4. Hi, Clay.
    I followed your indications but for Windows 7.
    These are the results:
    a) Snort is up and running and sending data to the MySQL database
    b) After this, I installed BASE, PHP and ADOdb, but when I go to http://localhost/base/base_main.php I have the following error:
    Fatal error: Call to undefined function mysql_pconnect() in C:\PHP\adodb\drivers\adodb-mysql.inc.php on line 382

    Can you help?
    Regards, Emilio

  5. Hi Emilio. It sounds like the mysql extension is not enabled in your php.ini file. See my previous post on getting mysql & php running for what needs to be done: http://blog.techscrawl.com/2008/11/12/iis-php-and-mysql-on-server-core/ . Hope that helps.
