Intrusion Detection FAQ: Running Snort under Windows

By: Loras R. Even

Executive Summary

As a long time implementer and user of Microsoft products (Starting with NT version 3.0) I’ve long been frustrated with the wealth of security products available for the Unix operating system as compared those available for Microsoft. The Microsoft compatible solutions line have suffered with bug filled and expensive security solution alternatives to solutions that are relatively inexpensive and work trouble-free on the Unix platform.

As part of my practical, I have had an opportunity to work with the Microsoft NT version of the popular intrusion detection tool called Snort along with many other tools designed to work with Snort.

I will discuss the tools used, review the installation of the tools, discuss configuration considerations and provide a brief opinion regarding my opinions regarding the products capabilities.

Tools Utilized

Snort:

Snort’s official web site is: http://www.snort.org. This site has links to most tools you’ll need to get snort up and running. A brief review of the site confirms that many of snort’s tools will run on only Unix, but closer inspection still turns up some excellent tools that you will want to use as part of your snort installation.

The current version is 1.7 as of the time of this report.

The binaries needed to install Snort can be found in the downloads section. The link is: http://download.datanerds.net/binaries/snort-1.7-win32-static.zip

WinPCap:

This is the REQUIRED promiscuous driver used to sniff the packets. Installation is easy and it can be found at: http://netgroup-serv.polito.it/winpcap/install/2.1beta/WinPcap.exe.

IDSCenter:

IDS Center (Version 1.08) is an excellent tool that provides alert notification among other niceties. Some of the more useful features I found in IDSCenter are:

Graphical access to most Snort command-line options
Ability to restart Snort if it dies
Alerts can be configured to use "Net Send" to send an SMB alerts
Audio and visual alerts can be configured
Snort can be configured to start at host startup
Your configuration can be tested within IDS Center

I also tried Snort Panel which has many features similar to IDSCenter but I preferred some of the features in IDSCenter. You can also find it at: http://www.xato.net/downloads.

Installation

After you have downloaded the files referenced above, installation is pretty straightforward. I’d recommend the following process:

Install the WinPcap driver. This is a pretty straightforward step. All you need to do is double click on the WinPcap.exe file you downloaded from the link: http://netgroup-serv.polito.it/winpcap/install/2.1beta/WinPcap.exe. It self installs and asks you if you want to reboot (Required) when installation is complete. There is no additional configuration needed for the driver.

After you reboot your system, you can verify that the driver was installed by checking the properties of your LAN connection. If the driver is properly installed, your properties should look as follows:

Note: If you need to run the Novell Client for Windows 2000, you may have problems getting the WinPcap driver to work correctly. The version of Netware Client for Windows 2000 I was trying to use is:v4.71.20000312. There is reportedly a new driver available from Novell that may help things. I had to remove the Netware client completely to get Snort/WinPcap to work on my system.
Next, you will want to install the Snort application itself. The zip file I downloaded (The standard version, there are additional versions for SQL and FlexRESP) was called snort-1.7-win32-static.zip. You will need an unzip utility to extract the zipped files to a directory that you want snort to be installed into.

Snort installs itself with many example rules files and other documentation. The Win32 port of snort is different from the Unix version in that there is not a lot of configuration during install of the Win32 port. The snort application requires that the user enter the correct command line options and have a properly configured rules file.

If you type snort at the command line alone you will get a display like the following:

As you can see, there are MANY command line options! Snort is a very command line oriented which means that the user needs to understand what they want to get out of the tool and how the tool is to report detects before implementing it.

Snort.conf contains most of the configuration parameters specific to your system that are needed by snort to properly process packets as they are captured by the driver. The snort.conf file is very well documented. The only change you will most likely need is to change the "var HOME_NET" to reflect your systems IP address.

If desired, you can update additional information in the snort.conf file to reflect your DNS servers and other information specific to your environment. The snort.conf includes enough information for you to modify as much or as little as possible. I recommend making as few modifications as possible in the beginning stages of your testing to keep troubleshooting minimal. Once you have had more experience with the product, additional modifications can be made.

Although snort does support SMB messages, (Swatch and some of the other Unix add-on tools have not been ported to Windows as this time) I still desired a little more in the way of "active" alerting. By active alerting, I wanted snort to give me some audible notification that it had found an alert.

In order to get the additional alerting, I tried Snort Panel and IDSCenter.
I installed both Snort Panel and IDSCenter. I will cover only IDSCenter as I decided to use it and it performed fairly well. The file you download from http://www.snort.org/Files/idscenter.zip is a zip file containing an installation file called setup.exe. Simply extract setup.exe to a temporary directory. Begin the installation by double clicking on setup.exe. The installation program prompts you through some fairly simple prompts asking where to install the files and where to put the shortcut in your "Start" menu.

After installation, you can simply start IDSCenter by selecting Snort IDSCenter 2001 from your "Start" menu.

When you run IDSCenter, it installs itself in your systems toolbox and looks like a small black dot. If you right click on the dot, you will be prompted with a menu. Since this is the first time you have run IDSCenter and snort, you will want to select settings so you can configure the system.

The main menu of IDSCenter looks as follows:

The main items to be configured in IDSCenter to get it running are:
1. General Setup Tab
2. IDS Rules Tab
3. Logfile/Alerts

Using Snort (Observations and Tips)

I quickly discovered that snort is a very useful intrusion detection system; it’s not only very small and reliable but very extensible and configurable with it’s use of rule sets. I found the rule sets so easy to understand that I was able to create my own fairly quickly and easily.

After some experimenting with the default rule sets over a two week period, I can make the following recommendations regarding how you may want to configure snort to help avoid missing information while still not being overwhelmed in false positives.

Be careful with the ICMP rules. It seemed as though I was overwhelmed with "ICMP Unknown, unreachable, etc." error messages during my testing. I eventually deleted many of the ICMP rules.
Review your alert.ids file often during the first few days to identify potential false positives.
Be sure and identify your DNS servers as documented in the snort.conf file. Until I updated my snort.conf file to reflect my DNS servers, I had several "false" UDP port scans in the alerts.ids file. Another approach might have been to increase the thresholds for port scans in the snort.conf file, but this may have made it possible for legitimate ports scans to sneak in below the threshold.
A symptom that sometimes occurred with IDSCenter seemed to be a problem with the way it recursively calls the graphic system. If left to run for several days, my display would become corrupt. What I eventually have done is to copy the command-line for snort from IDSCenter and put it in a batch file that is run during boot in a minimized window. This gives me the capability of running snort for extended periods of time with little concern of it’s impact on my graphics display.

As much as I like the Microsoft version of snort, there are still some limitations to what you can do with it. We’ve also installed the Unix variant of snort on one of our FreeBSD systems at work. When using the basic capabilities of snort, they perform essentially the same. The real difference exists in the number of "add-on" utilities that are available for Unix and not for the Microsoft platform.

Even though the Microsoft system port of snort is very useable, if you wish to build a true IDS with capabilities such as Secure Shell management, e-mail notification and others using snort, you will still need to use the Unix version.

Opinion of Snort as an IDS

There are currently over 92 IDS systems available for a variety of platforms. As an IDS, the Win32 version of snort is excellent: it is very extensible with it’s rule set support which means that it can be updated quickly when new exploits are released.

When it comes to network traffic analysis the ability of snort to detect crafted packets is limited only by your ability to create (or download) a rule to detect the packet. Luckily, snort was written with a rule interpreter that is very easy to learn. Most users that have written a couple of lines of code or created a script or batch file will be writing their own detects within minutes of reviewing the examples.

I have and use an older version of Data Generals Sniffer, which allows me to capture, edit and replay Ethernet traffic. The sniffer is very handy if you want to test the ability of a system to actually detect "crafted" packets. We found that snort was able to detect any "crafted" packet we could throw at it as long as the rule is correctly defined.

I also monitored resource utilization of the snort application. My system is configured as follows:

Pentium III 850 MHz
256 MB RAM
10 MBps Ethernet network

Running at "real-time" prioritization, Task Manager reported less than 1% CPU utilization and less than 500k of memory was in use. You may expect higher utilization in a higher traffic environment, but considering the resource requirements of some of the commercial packages (RealSecure, etc.) compared to those used by snort, the Win32 version still deserves the "light weight" tag

In addition to network traffic analysis, content analysis is also desirable in an IDS. Snort is also able to perform content filtering as evidenced by the number of "anonymous ftp" alerts I received from starting my FTP server on my snort-enabled system. Further inspection of the downloaded rule sets reveals many other content inspection alerts, such as HTTP content. Some of the commercial systems we have considered implementing also perform content filtering in addition to network traffic analysis but for server thousands of dollars!

Alert reporting is another important element in an IDS. The reporting capabilities of snort are somewhat limited and can seem confusing to the average user due to it’s design of creating a new directory for every host detect and the technical detail in the alerts.ids file. I did not have time to experiment with the SQL version of snort but I did download and run the tool Win32 version Snort2Html which creates a much friendlier HTML version report of the alerts in the alerts.ids file. Network administrators might find it easier to browse an HTML formatted report than the alerts.ids file itself.

Overall, I’m relatively pleased with the results I’ve been able to obtain with snort on my Windows 2000 system. As an IDS, snort fulfills many of the basic requirements. Long-term, heavy weight analysis of attacks may require a more through analysis tools such as Shadow, RealSecure or other commercial offerings.