The Lazy Admin

Running SNORT IDS on Windows 2003

SNORT is an open source Intrusion Detection System (IDS). An IDS is a type of network monitor that inspects the packets crossing the wire for malicious content. When you run SNORT on your network you can watch its traffic in real time, looking for attacks and other rogue traffic.

SNORT is open source; you can find the Win32 port at CodeCraft Consultants, and you will also need WinPcap. On the hardware front we need a Windows 2003 Server with a network card. SNORT requires very few system resources, so feel free to run it on a low-end server if you like.

Install WinPcap first. Because SNORT is a promiscuous-mode network sniffer, it needs WinPcap to provide driver-level packet capture. Once WinPcap is installed we can proceed to installing SNORT. SNORT is easy to install: launch the installer, accept the EULA, select the type of logging and the install location, and you are set. For my purposes, and for smaller networks, I prefer not to log to a database but instead to the Windows Event Logs; if you wish to do the same, keep the default selection. You can use EventTriggers.exe to notify you when SNORT writes events to the logs.

Now that SNORT is installed we are ready to configure it and start monitoring. First, let's test whether SNORT is working: change directory to C:\Snort\Bin and run the following command (switches are case sensitive):

snort -l C:\Snort\Log -c C:\Snort\etc\snort.conf -A console


This command tells SNORT to write its log files to C:\Snort\Log and points it at the snort.conf file. Lastly, the -A console switch tells SNORT to print alerts to the console window. You should see a message stating that initialization completed successfully.


With SNORT running, we can test it by opening another command prompt and running:

ping -l 45678 xxx.xxx.xxx.xxx

The oversized ping should produce a bunch of alerts in the console window. If so, we can move on to configuring SNORT.


The first thing to configure is our local network, so that SNORT can distinguish internal from external traffic. Open C:\Snort\etc\snort.conf with Notepad and find the line

var HOME_NET any

Replace "any" with your IP range and prefix length, e.g. 192.168.0.1/24. If you have more than one internal subnet you can specify them all by putting them in square brackets, separated by commas. Now we need to define the external network; find the line

var EXTERNAL_NET any

You can replace "any" with the IP address(es) of the external networks, or leave "any" so that every network not defined in HOME_NET is treated as external. Next we have to define the services on our network. Find the following lines and replace $HOME_NET with the IP address(es) of the server(s) running each service:

var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

These are the most common ones; there are others in snort.conf. If you do not need to monitor a service you can exclude it by commenting the line out with a # at the start of the line. The last thing to configure is the set of rules to monitor. SNORT includes over 1500 rules and we probably don't need them all. Scroll to the bottom of snort.conf until you find the rules section; the first entry is:

include $RULE_PATH/local.rules

Here you will find a whole assortment of rule files. To stop SNORT from loading one, comment it out with a # at the start of the line:

# include $RULE_PATH/local.rules
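The three edits above (HOME_NET/EXTERNAL_NET, the *_SERVERS variables, and commenting out rule includes) are easy to get subtly wrong by hand in Notepad, for example a typo in HOME_NET that silently widens or shrinks what counts as "internal". The script below is an added example, not a tool shipped with SNORT or written by the post's author; it assumes the Snort 2.x snort.conf syntax shown in the post (var lines, $RULE_PATH includes) and works on a constructed fragment of such a file, validating every address before writing it in Snort's bracketed list syntax.

```python
"""Rewrite a Snort 2.x snort.conf the way the post describes: set HOME_NET and
EXTERNAL_NET, point the service variables at real hosts, and comment out rule
files you do not want loaded. Added example; not Snort's own tooling."""
import ipaddress
import re

# Constructed snort.conf fragment in the layout the post walks through.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var RULE_PATH C:\\Snort\\rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/icmp.rules
"""


def snort_list(values):
    """Render addresses/CIDRs in Snort syntax: one value as-is, several values
    as [a,b,c] with no spaces. Each value is validated with ipaddress so a
    typo raises instead of quietly becoming a wrong network. 192.168.0.1/24
    is normalised to 192.168.0.0/24; a bare host keeps no /32 suffix."""
    if not values:
        raise ValueError("at least one address or 'any' is required")
    parts = []
    for v in values:
        if v == "any":
            parts.append("any")
            continue
        net = ipaddress.ip_network(v, strict=False)
        if net.prefixlen == net.max_prefixlen:
            parts.append(str(net.network_address))
        else:
            parts.append(str(net))
    return parts[0] if len(parts) == 1 else "[" + ",".join(parts) + "]"


def set_var(conf, name, value):
    """Replace the value on the first `var NAME ...` line. A missing variable
    raises KeyError so a misspelled name is noticed rather than ignored."""
    pattern = re.compile(r"^(var[ \t]+%s[ \t]+)(.*)$" % re.escape(name), re.M)
    new_conf, count = pattern.subn(lambda m: m.group(1) + value, conf, count=1)
    if count == 0:
        raise KeyError("variable %s not found in snort.conf" % name)
    return new_conf


def get_var(conf, name):
    """Return the current value of `var NAME`, or None if absent."""
    m = re.search(r"^var[ \t]+%s[ \t]+(.*)$" % re.escape(name), conf, re.M)
    return m.group(1).strip() if m else None


def disable_rules(conf, rule_files):
    """Comment out `include $RULE_PATH/<file>` for each named rule file.
    Already-commented lines do not match, so this is safe to run twice."""
    for name in rule_files:
        pattern = re.compile(
            r"^include[ \t]+\$RULE_PATH/%s[ \t]*$" % re.escape(name), re.M)
        conf = pattern.sub(lambda m: "# " + m.group(0), conf)
    return conf


def configure(conf, home_nets, external_nets=("any",),
              servers=None, disabled_rules=()):
    """Apply the post's configuration steps in order and return the new text.
    `servers` maps a variable name (e.g. DNS_SERVERS) to a list of hosts."""
    conf = set_var(conf, "HOME_NET", snort_list(home_nets))
    conf = set_var(conf, "EXTERNAL_NET", snort_list(external_nets))
    for var, hosts in (servers or {}).items():
        conf = set_var(conf, var, snort_list(hosts))
    return disable_rules(conf, disabled_rules)


if __name__ == "__main__":
    # Two internal subnets, real DNS and SMTP hosts, ICMP rules turned off.
    print(configure(SAMPLE_CONF,
                    ["192.168.0.1/24", "10.0.0.0/8"],
                    servers={"DNS_SERVERS": ["192.168.0.10"],
                             "SMTP_SERVERS": ["192.168.0.20", "192.168.0.21"]},
                    disabled_rules=["icmp.rules"]))
```

To use it on a real install, read C:\Snort\etc\snort.conf into a string, pass it to configure(), and write the result back after checking the diff; keep a copy of the original so the service can be restored if the new file fails to load.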

Lastly, we need to set up SNORT to log to the Event Logs and to run as a service. Both can be done by running the following from a command prompt:

snort /SERVICE /INSTALL -l C:\Snort\Log -c C:\Snort\etc\snort.conf -E

This installs SNORT as a service that launches when the server starts and logs alerts to the Event Logs (the -E switch). We do, however, still need to start the service and set its startup type to Automatic.

Now, with SNORT running as a service and logging to the event logs, running the same ping test as before should produce events in the Application event log.

SNORT is lightweight, free and very scalable and I urge you to give it a try!

For more information see:

SNORT Homepage





Published Thursday, June 30, 2005 8:48 AM by rodney.buike
