
Updating the Snort Intrusion Detection Engine


Windows Intrusion Detection System - Companion Add-On Tutorial


Updating the Windows Intrusion Detection Systems (WinIDS)

Snort Intrusion Detection Engine

Written by: Michael E. Steele



Introduction

During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment, yet none of them specifically detailed setting this up in a Windows environment. I've been working on and updating these tutorials for the past 12-plus years, and have managed to get through the complete process in the Windows environment.

These tutorials give all the basic instructions on how to either update major components of, or add components to, the Windows Intrusion Detection System (WinIDS).

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic update to the Intrusion Detection Engine (Snort)

This tutorial will cover the updating of the Windows Intrusion Detection Systems (WinIDS) Intrusion Detection Engine (Snort). There are three required downloads.
  • Snort, the heart of the Windows Intrusion Detection System (WinIDS).
  • Rules, the lifeblood of the Windows Intrusion Detection System (WinIDS).
  • Signatures, the event information used to display in the Windows Intrusion Detection Systems (WinIDS) security console.


Prepping for updating the Windows Intrusion Detection System (WinIDS) Intrusion Detection Engine (Snort) Tutorial


Downloading The required software

For this tutorial the original files from the 'WinIDS - xxbit Core Software Support Pack' must be located in their original folder (d:\temp).
The following procedure requires the installer to be a registered user logged into the snort.org web site.
From a browser, go to the snort.org web site and sign in.

If any of the next three downloads asks to overwrite an existing file, make SURE to overwrite it.
At the main screen left-click the 'Downloads' button, scroll down to the 'Snort' section, under the 'Binaries' column left-click 'Snort_x_x_x_x_Installer.exe', and save to the 'd:\temp' folder.

Scroll down to the 'Rules' section, in the 'Community' column under 'Documentation' left-click 'opensource.tar.gz', and save to the 'd:\temp' folder.

In the 'Rules' category in the 'registered' column under 'Snort vx.x' left-click the latest version of the 'snortrules-snapshot-xxxx.tar.gz' file (usually at the bottom), and save to the 'd:\temp' folder.

In some instances the version of Snort might not match the version of the latest available rules. Just make sure both Snort and the rules are the latest versions available.

At this point all three files listed below should have been downloaded into the 'd:\temp' folder.
  • Snort_x_x_x_x_Installer.exe
  • snortrules-snapshot-xxx.tar.gz
  • opensource.tar.gz


Updating the Windows Intrusion Detection Systems (WinIDS) Intrusion Detection Engine (Snort)


During this process the Windows Intrusion Detection System (WinIDS) will NOT be detecting events.
As a precaution, all incoming live feeds should be severed until the updating process has been completed and verified.

Backing up the current Snort Installation

At the CMD prompt type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure preserves any custom files, which can be manually copied back if needed.

Killing the services

Open a CMD window and type 'net stop barnyard2 & net stop snort' (less the outside quotes), and tap the 'Enter' key to stop the services.

Prepping and Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'rd d:\winids\snort /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'd:\temp\Snort_x_x_x_x_Installer.exe' (less the outside quotes), and tap the 'Enter' key.

In the above 'd:\temp\Snort_x_x_x_x_Installer.exe', the exact filename of the Snort version that was downloaded is required.
The Snort installation wizard appears, left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, left-click 'OK'.

Prepping and Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-xxxx.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

In the above 'd:\temp\snortrules-snapshot-xxxx.tar.gz', the exact filename of the Snort rules version that was downloaded is required.
At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

Installing the Latest Signatures

Apache2 Installs: At the CMD prompt type 'rd d:\winids\Apache24\htdocs\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.

Apache2 Installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\apache24\htdocs\base\signatures' (less the outside quotes), and tap the 'Enter' key.

IIS Installs: At the CMD prompt type 'rd d:\winids\inetpub\wwwroot\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.

IIS Installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.

The above command may take a few minutes to complete as it is moving twenty thousand plus files.

Updating the 'sid-msg.map' file

At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
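The create-sidmap.pl step above rebuilds 'sid-msg.map', the file the security console uses to turn a rule's SID into its message text. As an added illustration that is not the tutorial's Perl script, here is a small Python version of the same idea, run over constructed sample rules with placeholder SIDs in the local 1000000+ range:

```python
import re

# Constructed sample rule text (placeholder SIDs), not taken from the page's rule set.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH probe"; flags:S; sid:1000001; rev:2;)
#alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP sweep"; reference:url,example.invalid/icmp; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"no sid here, skipped";)
'''

# Matches the msg, sid and reference options inside a rule's ( ... ) body.
OPT_RE = re.compile(r'\b(msg|sid|reference)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
ACTIONS = re.compile(r'(alert|log|pass|drop|reject|sdrop)\s')


def parse_rule(line):
    """Return (sid, msg, [references]) for one rule line, or None if it has no sid/msg."""
    body = line.strip().lstrip("#").strip()   # a leading '#' only disables the rule
    if not ACTIONS.match(body):
        return None
    start, end = body.find("("), body.rfind(")")
    if start < 0 or end < start:
        return None
    sid = msg = None
    refs = []
    for key, val in OPT_RE.findall(body[start + 1:end]):
        val = val.strip().strip('"')
        if key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val
        else:
            refs.append(val)
    return (sid, msg, refs) if sid and msg else None


def build_sid_msg_map(rule_text):
    """Produce sid-msg.map lines ('sid || msg || ref ...') sorted by SID.

    Commented-out rules are mapped as well, so events that were logged by a
    rule which has since been disabled still resolve to a message."""
    entries = {}
    for line in rule_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            sid, msg, refs = parsed
            entries[sid] = " || ".join([str(sid), msg] + refs)
    return [entries[s] for s in sorted(entries)]
```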

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

The original snort.conf is located in the d:\winids\snort-old\etc folder of the backup. The settings below configure the Windows Intrusion Detection System with all the default settings. If any customizations were added to the old snort.conf, those custom entries will need to be migrated over to the new snort.conf that is edited in the next procedure.
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original Line(s): decompress_swf { deflate lzma } \
Change to: # decompress_swf { deflate } \

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { \portscan.log }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s): include classification.config
Change to: include d:\winids\snort\etc\classification.config

Original Line(s): include reference.config
Change to: include d:\winids\snort\etc\reference.config

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Original Line(s): include threshold.conf
Change to: include d:\winids\snort\etc\threshold.conf

Save the file, and eXit Notepad2.
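As an added example that is not part of the original tutorial, the following Python script checks whether a snort.conf still carries the stock UNIX defaults that the edits above replace (HOME_NET left as 'any', relative rule and include paths, SO_RULE_PATH and dynamicdetection still active, unified2 output still commented out), and shows the host range a HOME_NET CIDR covers. The two config excerpts are constructed samples, not the page's full file.

```python
import ipaddress
import re

# Constructed excerpts: a few stock lines, and the same lines after the tutorial's edits.
STOCK_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include classification.config
"""
WINIDS_CONF = """\
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH d:\\winids\\snort\\rules
# var SO_RULE_PATH ../so_rules
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
output unified2: filename merged.log, limit 128
include d:\\winids\\snort\\etc\\classification.config
"""
WIN_ABS = r"[A-Za-z]:\\"   # an absolute Windows path such as d:\winids\...


def home_net_range(cidr):
    """First and last host address Snort treats as HOME_NET for a CIDR."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1])


def lint_winids_conf(text):
    """Return the settings that still look like the stock UNIX defaults."""
    # Only uncommented directives count; lines starting with '#' are inactive.
    active = "\n".join(l.strip() for l in text.splitlines()
                       if l.strip() and not l.lstrip().startswith("#"))
    find = lambda pat: re.search(pat, active, re.M)
    issues = []
    m = find(r"^ipvar HOME_NET (\S+)")
    if not m or m.group(1) == "any":
        issues.append("HOME_NET must name the monitored segment, not 'any'")
    m = find(r"^var RULE_PATH (\S+)")
    if not m or not re.match(WIN_ABS, m.group(1)):
        issues.append("RULE_PATH is not an absolute Windows path")
    if find(r"^var SO_RULE_PATH ") or find(r"^dynamicdetection "):
        issues.append("SO_RULE_PATH / dynamicdetection still active (tutorial comments them out)")
    if not find(r"^output unified2:"):
        issues.append("unified2 output disabled: Barnyard2 would have nothing to read")
    for path in re.findall(r"^include (\S+)", active, re.M):
        if not path.startswith("$") and not re.match(WIN_ABS, path):
            issues.append("relative include path: " + path)
    return issues
```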

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
In the above list, the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch. This will start Snort in self-test mode for configuration and rule file testing.

If all tests pass, the following output confirms that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration!
Snort exiting
Do not proceed until 'Snort successfully validated the configuration!' is displayed.
At this point any custom configurations made to the old Snort installation located in the 'd:\winids\snort-old' folder should be moved/merged to the new Snort installation located in 'd:\winids\snort'. Upon completion of any changes, return to the section labeled 'Testing the Snort configuration file', and complete.
As an emergency backup the original Snort installation folder was mirrored to 'd:\winids\snort-old'. If this update was a complete failure all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename the 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete.
At the CMD prompt type 'net start snort & net start barnyard2' (less the outside quotes), and tap the 'Enter' key to restart the services.

Verifying that Barnyard2 and Snort are running as processes

It could take several minutes for the Barnyard2 process to display as it is on a delayed start.
At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts. In the bottom left, check 'Show processes from all users' (or left-click 'More Details'), left-click the 'Details' tab, and verify that 'Barnyard2.exe' and 'Snort.exe' are listed as running in the 'Status' column.

Do not proceed until both processes show as running!
eXit the 'Task Manager'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

It could take several minutes for events to start populating into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.
If the updating process has been successful and the backup is no longer needed the below process will scrub the backup folder.
Open a CMD window and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion

Congratulations, you have just completed updating the Windows Intrusion Detection Systems (WinIDS) Intrusion Detection Engine known as Snort.

It is highly encouraged to perform some post-installation tasks, if still needed, to get a fully production-ready Windows Intrusion Detection System (WinIDS).

This includes:
  • Tuning your rules and preprocessors.
  • Tuning Snort thresholds and limit values.
  • Securing your host (for example, changing the default database user access, disabling unneeded services, etc.).
  • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
  • Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

General problems

For general issues that pertain to this tutorial, left-click the support button at the top of this tutorial, or manually navigate to the correct support forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org