Snort Support Tips

Most Recent Version: 2.3 (modified Nov. 19, 2004)

Snort Documentation


Questions:

1) How do I install Snort and monitor alerts?


Answers:

1) How do I install Snort and monitor alerts?

We are going to install (on W2K professional or Server - 11/2004):

All of this software is completely free, if not easy to set up.  In this case, I installed all the software on one machine, but you can distribute the load.  Some people choose to set up Snort sensor devices around their network, and then send all of the event logging to a centralized database server (in this case MySQL).

  1. Install HSC 1.1.2.
  2. Install IDS Center.  This should install a black radar screen in the taskbar.
  3. OK, so step 1 will be to install the MySQL database.  Download the software from MySQL and install it on your server.
  4. To set up a valid administrator account, first log in as root with the 'mysql' client program (this is usually in c:\mysql\bin):

    mysql -u root

    Reset the password to pre-4.1 style for each user that needs to use a pre-4.1 client program. This can be done using the SET PASSWORD statement: 
    mysql> SET PASSWORD FOR 'root'@'localhost' = OLD_PASSWORD('mypass');
  5. Log in and create an event database that snort will log into.

    mysql -u root -p

    You will be prompted for your root password.  After logging in, create the database (we will call it 'snort'):

    create database snort;
    GRANT SELECT,DELETE on snort.* to bob@127.0.0.1 identified by 'abc123';   # allows a user 'bob' with password 'abc123' to read and delete from this database
    connect snort            # connect to the snort database
    source snort.v106.sql    # import the schema from the HSC files

    The schema file will be in the directory where HSC is installed - usually "C:\Program Files\Activeworx\HSC\schema".  You will either have to type the full path, or else copy the schema file to mysql/bin.
  6. Perform the exact same procedure again in order to create a database that HSC will use for basic database management:

    create database aw_hsc;
    GRANT INSERT,SELECT,UPDATE on aw_hsc.* to bob@127.0.0.1 identified by 'abc123';
    connect aw_hsc
    source hsc.v104.sql


    This database will be called 'aw_hsc' (which is the default for HSC), and our trusty user bob will have the insert, select and update rights granted above on it.  It also requires a schema import.
  7. You should now be able to log in to MySQL from the Honeynet Security Console with credentials of 'bob':

    If you get a warning about no events database, do not worry!  You created this database already in step 5 - HSC just doesn't know where it is yet.  Click on "Resources" and then right-click on "databases" and add a database.

    Notice that we are now defining the EVENT database, whereas we had originally logged into the aw_hsc (primary) database.  There is currently nothing in the event database because Snort is not set up yet.
  8. Install Snort.  Ignore message regarding snort.conf.  We will manage that with IDS Center.  Also install winpcap.  This will require a reboot.
  9. Open IDS Center so that we can manage Snort.  There is a really good howto here.
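As an added example (not the page's own steps), here is the same database setup with the privileges split between the account Snort logs with and the account the console reads with, so that neither holds more than it needs.  It assumes MySQL 5.0.2 or later for CREATE USER, that both clients connect from the console host (127.0.0.1), and that the account names and CHANGE_ME passwords are placeholders; Snort's database output plugin needs INSERT and SELECT on the event schema, and the console needs SELECT (plus DELETE only if it is used to purge events).

```sql
-- Event database that Snort logs into.  The schema file comes from the
-- HSC install directory, as in step 5 above.
CREATE DATABASE snort;
USE snort;
SOURCE snort.v106.sql

-- Account used by the Snort sensor (assumed name): it only inserts events
-- and reads back sensor/signature ids, so grant nothing beyond that.
CREATE USER 'snort_sensor'@'127.0.0.1' IDENTIFIED BY 'CHANGE_ME_sensor';
GRANT INSERT, SELECT ON snort.* TO 'snort_sensor'@'127.0.0.1';

-- Account used by the Honeynet Security Console (assumed name) to read events.
-- DELETE is included only because the console is used to purge old events;
-- drop it if archiving is done elsewhere.
CREATE USER 'hsc_console'@'127.0.0.1' IDENTIFIED BY 'CHANGE_ME_console';
GRANT SELECT, DELETE ON snort.* TO 'hsc_console'@'127.0.0.1';

-- The console's own bookkeeping database (default name aw_hsc, step 6).
-- The console writes here, so it gets INSERT/SELECT/UPDATE on this one only.
CREATE DATABASE aw_hsc;
USE aw_hsc;
SOURCE hsc.v104.sql
GRANT INSERT, SELECT, UPDATE ON aw_hsc.* TO 'hsc_console'@'127.0.0.1';

FLUSH PRIVILEGES;

-- Check: each account should list exactly the grants above and no
-- global (*.*) privileges.
SHOW GRANTS FOR 'snort_sensor'@'127.0.0.1';
SHOW GRANTS FOR 'hsc_console'@'127.0.0.1';
```

Run it in the mysql client as root; when configuring the event database in HSC, use the console account, and give IDS Center the sensor account for Snort's database output.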

DISCLAIMER: This support site is provided as a FREE service to our customers. Every effort is made to ensure it is complete and accurate. However, due to changing versions, typos, different environments, etc. information may be inaccurate for your site. Note that we do not assume responsibility for any problems you might encounter using information provided in these pages. Please inform us of any problems you encounter we will make every effort to correct this information. Thank you.



Copyright 2006, Security Evolution, Inc.