Posts Tagged ‘server’

How to install Snort Intrusion Detection System on Windows

Tuesday, December 22nd, 2009

First short explanation what is Snort from Snort official website:

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Installation of Snort on Windows is pretty simple.

First, you need to download and install few things. For Snort to be able to act as sniffer and IDS it needs Windows Packet Capture Library which is WinPcap. The stable latest version on the site is 4.1.1 and you can download it here.

Now when we have WinPcap installed the next step will be to download Snort. The latest version for Windows is 2.8.5.1 and you can download it here. Installation shouldn’t be a problem, if you need IPv6 support and logging to Microsoft SQL or Oracle database then you need to select proper radio and check boxes and if don’t then just go next and next to the end and that’s it. Default installation directory is C:\Snort so remember it because it will be our working dir all the time.

So we have installed WinPcap and Snort but we are not finished with installation yet. We have one more thing to download and install. The Snort rules. These rules are those small files that tells Snort what it should search for in captured packages and how to identify them, as a threat, information disclosure or something else. For us to be able to download Snort rules we have to be registered on Snort site. Registration is free and rules are one month old for free users, for those who need the latest threats detected at the same moment when they are published to the community I suggest to buy VRT subscription so you will have the latest rules directly as they are announced. So now we will download snortrules-snapshot-2.8.tar.gz rules archive file.  When you open archive file you will get following structure:

Snort rules

Copy all four directories over those in C:\Snort replacing contents that already exists on the hard drive.

Now when we are done with easy part we need to configure Snort to run. Because these rules are written for unixoid systems we need to change some things in the main config file C:\Snort\etc\snort.conf so that Snort can start at all.

Here are the things that you need to edit to be able to run snort:

Find lines 269 and 270. These lines will not allow Snort to start, at least not on Windows because Snort detects the second one as double config detection line so we need to change this.

Change from this:

config detection: search-method ac-bnfa
config detection: max_queue_events 5

To this:

config detection: search-method ac-bnfa max_queue_events 5

Now, the next thing that we need to change is lines where we say to Snort where to find dynamic preprocessor files. On lines from 298 to 303 change this:

dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

To this:

dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll

Next thing to change is line 324 on which we have dynamic engine path, so change it from this:

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

To this:

dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

I don’t know why, maybe some mistake, but lines bellow should be commented out by default, but they were not so we have to comment them out. Because we are not VRT subscriber and don’t have any dynamic detection files we need to coment lines from 339 to 354, so change this:

dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

To this:

#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

Now we need to trim a bit SSH preprocessor to work on Windows as it is different from Linux one, so find line 753 and change this:

preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir

To this:

preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20

Now we are good to go. We can test snort easily from the command line. So now go on Start->Run and type cmd following by enter key. Now in command prompt type following commands:

c: and then enter key

cd c:\snort\bin and then enter key

snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii and then enter key

So now we have entered Snort directory and started Snort on command line. You will first see Snort starting and parsing config file snort.conf and then you will see lot of output when Snort start sniffing and controlling packages on the network. If it finds any package that is not regular network traffic it will save info about it in c:\Snort\Log\alert.ids file. Simple output of one captured packet looks like this:

[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0×0 ID:5399 IpLen:20 DgmLen:79
Len: 51

Now to explain what we have here. The first line says what type of attack is it, the second line says what classification is it and what priority does it have, and the last three lines are data about the attack, attacker IP, your IP, destination and source ports and so on.

Important part of this log is [Priority: 2] because that’s how you can identify the real threat from false one. The threats are divided in three groups, group 3 or [Priority: 3] is the lowest one and it usually means that someone is scanning your network. The second one is a bit serious. It’s information disclosure and it has [Priority: 2]. This means that someone has got some info about services that you are running which is usually the first part of any attack, gaining of information. The most critical one is the one with [Priority: 1] which usually means that right now someone is trying to exploit some of services that you are running. This could mean that you have older version of some service on your server, like IIS that is not updated or Exchange server or something else and that snort has detected some patterns in packages sent to server that could be exploits which can do harm.
Now we can stop Snort with Ctrl+C and Snort will display some statistics. The only thing that we have to do now is to install Snort as a Windows service. To do so we will write following command on command prompt:
snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
After this command service is installed and you can start it from service manager or simply type sc start snortsvc.
So with this Snort is installed on your machine and is logging everything. Now you just need some program to parse alerts and do actions based on the alert priority. There are lot of those available on the Internet.
Note 1: If you have more than one network interface on your machine you need to tell Snort on which one should it listen. First type snort -W command to list all interfaces on your machine (works only on Windows) and then when you find which interface is the one that you will listen on then you need to add -i n where n is number of interface from the list that you got. You need to add that to all Snort commands that you are executing from command prompt and when creating Windows service.
Note 2: If you want Snort to log alerts to Eventlog as well as to log files than add -E (only on Windows) to the command line parameters.
Update:  Here is my snort.conf (44) file which is working on my machine without any problems. It could be something with updated rules that can cause problems with starting of Snort.
Update2:  One trailing / on ssh preprocesor line was left by mistake, now it’s removed.

Tags: , , , , , , , , , , , ,
Posted in Tips and tricks | 14 Comments »

Synchronize directories from command prompt

Wednesday, May 27th, 2009

If you have ever wanted to synchronize 2 directories from command prompt in windows this tool is must-have for you.
It works perfectly from scheduled tasks as well, so it’s easy to write batch script that will execute every night and synchronize files and folders.

The program is called Mirror and is written by Dominik Jain and you can download it here. The latest version is 1.43.

It works very simple like it should, you enter source and destinations dir and that’s it. If you want only to test it w/o any actions taken just add -d (d for demonstration).

Of course it has possibility to enter file mask or regular expressions as well and it’s only 172kb in size.

On his site you can find few more tools and utils that he wrote.

Tags: , , , , , , , , , , , ,
Posted in Tips and tricks | 2 Comments »

Creating simple cleanup scripts on Windows 2003

Monday, November 10th, 2008

Here is one short tip. If you had problem with old log files that are being held on system after too much time and wanted to delete all of them automatically here is explanation how to do it.

  1. open notepad
  2. write this line in it Forfiles -p “c:\temp” -s -m *.log -d -14 -c “Cmd /C del @FILE”
  3. save file and then change it extension from .txt to .bat

So here we have batch file created that will do following:

  • find all .log files in c:\temp path
  • older than 14 days
  • and delete them

Here is small explanation of the command line:

  • -p “full path” is used to specify exact path to the destination dir, it can be c:\ or c:\temp
  • -s says to forfiles that it will go recursive into subdirs
  • -m *.ext creates filter for files of the .ext extension, it can be *.* as well
  • -d 7 says to forfiles to filter files from output above to match current date minus number of days
  • -c “command” executes command on files that are returned from output of forfiles command
  • cmd /c command is saying to cmd that is command prompt to execute command and terminate itself

Now to test this batch file you can delete or comment out command part so you will get output from forfiles only without deleting of the files. Also you can use move command instead of del to move logfiles to another location.

If everything works like it should open Start->Control panel->Scheduled tasks and create new task to executes every day or in any time frame that you want.

Tags: , , , , , , , , ,
Posted in Tips and tricks | No Comments »