Friday, June 22 2018

Snort Sensor on Windows with Remote Snort using WinIDS


This article covers installing Snort on a Windows host as a sensor and sending its alerts, via Barnyard2, to a remote Snort server that runs a MySQL database.

More:

Install and Configure Snort HIDS with Barnyard2, Base & MySQL on Ubuntu

Installing Snorby on Ubuntu for Snort with Barnyard2


In this tutorial the following directories are used:

Main temp dir:    c:\Temp

Main install dir: c:\IDS

Note: the hash mark (#) only marks the prompt; it is not part of any of the commands given below.
  • Install the .NET Framework 3. On Windows 7, 8 and Server 2008/2012, use the following command:

Run with Administrator Rights:

#  dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs

Replace x with the drive letter of the Windows installation DVD from which the feature files are fetched.

Result should be like:

Enabling feature(s)

[==========================100.0%==========================]

The operation completed successfully.

– Extract and copy all files to: c:\Temp
– WinIDS wrapper password: w1nsn03t.c0m
– Modify "d:\temp\modder.vbs" and replace d:\temp in it with "c:\temp"

– Install Dependencies:

#   modder.vbs

Figure 1 - Install Deps

– Install WinPcap:

#  C:\Temp\WinPcap_4_1_3.exe

– Install Snort:

#  C:\Temp\Snort_2_9_7_0_Installer.exe

When asked for the destination to install Snort, enter: c:\IDS\Snort

Figure 2 - Snort Install

Testing the Windows Intrusion Detection System (WinIDS) for network traffic:
First check the available interfaces that Snort can listen on:

#  C:\IDS\snort\bin\snort -W

Figure 3 - Snort Listen Interfaces

– Start listening for traffic on the LAN interface:

#  c:\IDS\snort\bin\snort -v -i x

Replace X with the Interface Number shown by previous command.

Figure 4 - Snort Listen Traffic

This indicates Snort is installed correctly and is working.

– Copy / Extract Snort Ruleset:

#   tartool C:\Temp\snortrules-snapshot-2970.tar.gz c:\IDS\snort

This extracts all Snort rules and config files into the Snort directory.

– Install Strawberry Perl:

#  c:\Temp\strawberry-perl-5.14.2.1-64bit.msi

When asked for the destination folder, enter: C:\IDS\strawberry\

Figure 5 - Install Strawberry Perl

– Install Barnyard2:

Barnyard2 ships as a zip archive; it only needs to be extracted:

#   unzip -oqq c:\Temp\barnyard2-1.13-build333.zip -d C:\IDS\barnyard2

– Update the 'sid-msg.map' file:

#   unzip -oqq C:\Temp\activators.zip -d C:\IDS\activators
#   unzip -oqq C:\Temp\create-sidmap.zip -d C:\IDS\create-sidmap
#   C:\IDS\create-sidmap\create-sidmap.pl C:\IDS\snort\rules > C:\IDS\snort\etc\sid-msg.map

This creates the sid-msg.map file in Snort's etc folder, which Barnyard2 uses to turn signature IDs into their messages.

Figure 6 - Create SID Map File
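As an added illustration of what the create-sidmap.pl step produces (example code written for this page, not the WinIDS script and not from the original post), the following Python builds a sid-msg.map in the v1 layout that Barnyard2 reads ("sid || msg || reference || ...") from Snort rule text. The sample rules are constructed, and write_sid_map mirrors the page's usage of pointing a rules directory at an output file.

```python
import pathlib
import re

# Constructed sample rules (not the page's ruleset): an active rule with a line continuation and a reference, a disabled rule, and a rule without a sid.
SAMPLE_RULES = r'''
# A plain comment line, not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force attempt"; flow:to_server; \
    reference:url,example.invalid/ssh; classtype:attempted-recon; sid:9000001; rev:2;)
# alert icmp any any -> $HOME_NET any (msg:"SAMPLE disabled ping rule"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE rule without sid"; rev:1;)
'''

RULE_BODY = re.compile(r'\((.*)\)\s*$', re.S)                     # text inside the outer parentheses
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')      # key:value; pairs, quoted or bare


def join_continuations(text):
    """Join lines that end in a backslash into one logical rule line."""
    return re.sub(r'\\\r?\n\s*', ' ', text)


def parse_rule(line):
    """Return (sid, msg, [references]) for one rule, or None if it lacks a sid or msg.
    A leading '#' is stripped, so disabled rules are mapped too (the map is only a lookup table)."""
    body = RULE_BODY.search(line.strip().lstrip('#').strip())
    if body is None:
        return None
    sid, msg, refs = None, None, []
    for key, value in OPTION.findall(body.group(1)):
        if key == 'sid':
            sid = int(value.strip())
        elif key == 'msg':
            msg = value.strip().strip('"')
        elif key == 'reference':
            refs.append(value.strip())
    return None if sid is None or msg is None else (sid, msg, refs)


def build_sid_map(rules_text):
    """Return sid-msg.map v1 lines ('sid || msg || ref || ...'), one per sid, sorted by sid."""
    entries = {}
    for sid, msg, refs in filter(None, map(parse_rule, join_continuations(rules_text).splitlines())):
        entries[sid] = ' || '.join([str(sid), msg] + refs)
    return [entries[sid] for sid in sorted(entries)]


def write_sid_map(rules_dir, out_path):
    """Map every *.rules file in rules_dir into out_path; returns the number of entries written."""
    files = sorted(pathlib.Path(rules_dir).glob('*.rules'))
    lines = build_sid_map('\n'.join(p.read_text(encoding='utf-8', errors='replace') for p in files))
    pathlib.Path(out_path).write_text('\n'.join(lines) + '\n', encoding='utf-8')
    return len(lines)
```

On the layout from this page the call would be write_sid_map(r'C:\IDS\snort\rules', r'C:\IDS\snort\etc\sid-msg.map'); a rule that appears twice keeps the last definition seen.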

– Configuring Snort:

Enter the following commands to create the (empty) white list and black list rules files:

#  type NUL > C:\IDS\snort\rules\white_list.rules
#  type NUL > C:\IDS\snort\rules\black_list.rules

Edit the Snort configuration file by opening it in the provided Notepad2:

#   notepad2 C:\IDS\snort\etc\snort.conf

Changes to make:
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH C:\IDS\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH C:\IDS\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH C:\IDS\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH C:\IDS\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory C:\IDS\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine C:\IDS\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s): include classification.config
Change to: include C:\IDS\snort\etc\classification.config

Original Line(s): include reference.config
Change to: include C:\IDS\snort\etc\reference.config

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Original Line(s): include threshold.conf
Change to: include C:\IDS\snort\etc\threshold.conf

– Testing the Snort configuration file:

#   C:\IDS\snort\bin\snort -c C:\IDS\snort\etc\snort.conf -l C:\IDS\snort\log -ix -T

Replace X with the Interface number.

Figure 7 - Test Snort

– Adding Snort to the Windows Services Database:

#    cd /d C:\IDS\snort\bin

#    snort /SERVICE /INSTALL -c C:\IDS\snort\etc\snort.conf -l C:\IDS\snort\log -ix

Replace x with the interface number in the command above.

Figure 8 - Add Snort Service

– Set Snort Service to Auto-Start at Boot:

#   sc config snortsvc start= auto

Figure 9 - Snort Service AutoStart

– Configuring Barnyard2:

#    notepad2 C:\IDS\barnyard2\etc\barnyard2.conf

Change Settings as:

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

Change to:
config reference_file: C:\IDS\snort\etc\reference.config
config classification_file: C:\IDS\snort\etc\classification.config
config gen_file: C:\IDS\snort\etc\gen-msg.map
config sid_file: C:\IDS\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): #output database: alert, postgresql, user=snort dbname=snort
Change to: output database: log, mysql, user=winsnort password=mypass dbname=snort host=192.168.1.33 port=3306 sensor_name=Win8_ServOne

Details of the database output line given above:

Log type: log
DB type: MySQL
User: winsnort
Password: mypass
DB name: snort
Snort server (host=): x.x.x.x, replace with the IP of the Snort server, e.g. 192.168.1.21
Port (port=): yyyy, replace with the MySQL port: 3306
Sensor_Name: WinIDS, change it as you like; it is shown as the name of this sensor machine.

Also, create the user on the Snort server and allow it to write to this database:

Mysql>    grant all on snort.* to winsnort@'192.168.1.29' identified by 'mypass';

Figure 10 - Create Snort Database

Binding it to Sensor’s IP (192.168.1.29 in my network) is best security practice.

– Testing the Barnyard2 configuration:

First modify the provided script to match your installation paths.
Script: C:\IDS\activators\by2-test

Original:
d:\winids\barnyard2\barnyard2.exe -c d:\winids\barnyard2\etc\barnyard2.conf -d d:\winids\snort\log -f merged.log -l d:\winids\barnyard2 -w d:\winids\snort\log\barnyard.waldo -T

Change to:
C:\IDS\barnyard2\barnyard2.exe -c C:\IDS\barnyard2\etc\barnyard2.conf -d C:\IDS\snort\log -f merged.log -l C:\IDS\barnyard2 -w C:\IDS\snort\log\barnyard.waldo -T

Execute script by:

C:\IDS\activators\by2-test

Successful message:

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Figure 11 - Barnyard2 Test

– Adding Barnyard2 to the Windows Services Database:

#   unzip -oqq C:\Temp\service_files.zip -d c:\windows
#   cd /d c:\windows
#   instsrv srvany c:\windows\srvany.exe
#   instsrv Barnyard2 c:\windows\srvany.exe

Edit the provided registry file to match your installation paths, then import it:

#   C:\Temp\auto-remote-barnyard2.reg

– Set Barnyard2 Service to Auto-Start with Delay at Boot.

#   sc config Barnyard2 start= delayed-auto

Figure 12 - Add Barnyard2 Service


Now that both services are added and set to start automatically, it's time to test: restart the Windows host, watch the status of the two services, and then check that events are being logged into the Snort database.

Restart Windows by:

#   shutdown -r -f -t 0

About Muhammad Attique


  • kurat

    Hello Muhammad, thank you for sharing. I need to ask you for some help.

    I followed your steps; now, how will I use BASE as the GUI?

    How do I use the Barnyard2 database with BASE?

    Please show me the full steps.

  • Muhammad Attique

    Hi,

    The link for the Barnyard2 setup with BASE and Snort on an Ubuntu server is already given at the top of this page, but here it is again:

    http://blog.muhammadattique.com/install-configure-snort-hids-barnyard2-base-mysql-ubuntu/

    There I have explained, step by step, the complete procedure for installing and configuring Barnyard2 with BASE and Snort.

  • Rama

    Hi,
    I followed your steps,
    and I get the error "can't connect to local MySQL Server through socket /temp/mysql.sock"

    Can you help me?
    Thanks

  • Rama

    I get this error when I execute by2-test.
    Please explain why I get this error.

    thanks

  • Muhammad Attique

    Hi,
    Have you configured MySQL on the remote host and confirmed that it is working and is accessible from other hosts, for example by telnet to the host on the MySQL port?
    This error means that MySQL is either not installed, not started, or not accessible from this host.
    If it is installed, running and accessible from other hosts, have you entered the MySQL database information (host IP, DB name, DB user and password) correctly in the barnyard.conf file?

    Regards.