Problem
You want to use IDScenter to manage your Windows Snort Sensor.
Solution
Before installing IDScenter, follow Recipe 1.4 to install WinPcap and Snort.
- Download the latest zipped version of IDScenter from the following site: http://www.engagesecurity.com/products/idscenter/. The latest stable version at the time of this writing is Version 1.1 RC4.
- Unzip the installer and double-click the setup.exe file to start the installation.
- The first screen (Figure 5-1) states, "This will install Snort IDScenter 1.1 RC4. Do you wish to continue?" Click Yes.
Figure 5-1. IDScenter installation
- The next screen (Figure 5-2) welcomes you to the Snort IDScenter 1.1 RC4 Setup Wizard. Click Next to continue.
Figure 5-2. IDScenter Setup Wizard
- Read and accept the license agreement to continue (Figure 5-3). Click Yes to continue.
Figure 5-3. IDScenter License Agreement
- Select a destination directory for IDScenter (Figure 5-4). The default is C:\Program Files\IDScenter. Choose a directory, or accept the default and click Next to continue.
Figure 5-4. IDScenter Destination Directory
- Select a Start Menu folder for IDScenter (Figure 5-5). The default is Engage Security\Snort IDScenter. Choose a folder or accept the default and click Next to continue.
Figure 5-5. IDScenter Start Menu Folder
- Select the additional tasks such as creating a desktop icon and creating a quick launch icon, and click Next to continue (Figure 5-6).
Figure 5-6. IDScenter icon creation
- The Ready to Install window allows you to review your settings (Figure 5-7). If they are correct, click Install to begin the installation. If they are incorrect, use the Back button to select the appropriate settings.
Figure 5-7. IDScenter installation confirmation
The install progress bar will appear and the application will install. However, even when it gets to 100 percent, the window will remain and you won't be able to close it. This is because the IDScenter icon is now in the task tray and you must configure some initial settings before the installation completes. The following steps allow you to configure some basic settings:
- Double-click on the IDScenter icon in the system tray. This brings up the General Configuration screen (Figure 5-8).
Figure 5-8. IDScenter General Configuration screen
- First, select the location of the Snort executable file. Do this by typing in the location or browsing to the location. The default Snort installation places the executable in C:\Snort\bin\snort.exe.
- Select a logging directory and standard logfile. The default Snort installation uses C:\Snort\log\alert.ids. On new installs, the alert.ids file won't exist yet.
- Click on the Snort Options icon on the left side of the window. Here you must import the snort.conf file (Figure 5-9). Do this by typing in the location or browsing to the location. The default Snort installation places the snort.conf file in C:\Snort\etc\snort.conf.
Figure 5-9. IDScenter general Snort options
- Click on the Wizards tab on the left side of the window. Then click on the Rules/Signatures icon. Here you must select the classification.config file to use (Figure 5-10). Click on the classification.config file under the Rule files list and then click Select at the bottom of the window. You should now see Classification file: classification.config.
Figure 5-10. IDScenter rules configuration
- Click on the Alerts tab on the left side of the window. Then click on the Alert detection icon. Here you must specify the files that IDScenter monitors for changes (Figure 5-11). Click on Add alert log file to add C:\Snort\log\alert.ids. You can also click on the open folder icon to add any other files that you want monitored.
Figure 5-11. IDScenter alert detection
- Click on Apply in the top-right corner of the window. To make sure there aren't any errors, click on the General tab on the left side of the window, and then click the Overview icon. There should not be any configuration errors; if there are, make the appropriate changes to fix them (Figure 5-12).
Figure 5-12. IDScenter configuration overview and errors
- Once all errors are fixed, click on Test settings at the top of the window. A command-prompt window opens and runs the Snort executable with the configured parameters. It will alert you to any errors that it encounters. Press the Enter key to exit this screen. If you receive an error about the http_inspect preprocessor, follow the directions in the Discussion section of this recipe.
- Close the IDScenter configuration screen, and then right-click on the IDScenter system tray icon and choose Exit. (You may have to do this twice.) This will stop IDScenter and allow the setup process to complete.
- The final setup screen allows you to view the Readme.txt file and launch IDScenter (Figure 5-13). Click Finish to complete the installation.
Figure 5-13. IDScenter setup complete
Discussion
IDScenter is a nice graphical interface to use to manage your Windows Snort sensor. However, it is not updated regularly. The last update at the time of this writing was 4/8/2003, and it does have some bugs. One of them affects snort.conf directly: IDScenter rewrites the file and leaves errors in it, so make a backup of snort.conf before you let IDScenter touch it. After installing IDScenter, you will need to change the following two lines:
preprocessor http_inspect: global
preprocessor http_inspect_server: server default
To the following:
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
When IDScenter changes the snort.conf file, it actually leaves out part of the http_inspect preprocessor configuration: the arguments that follow each directive on its continuation line are dropped. The trailing backslash tells Snort that the directive continues on the next line, so keep it when you restore the missing arguments. To make the change, use an external editor such as Wordpad.exe to edit the snort.conf configuration file, and then reload the new configuration into IDScenter by clicking on the Reload button in the General, Snort Options area.
Once you have made the change, click Test Settings again and you should see "Snort successfully loaded all rules and checked all rule chains!" in the test console window.
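IDScenter does not tell you which directives it mangled, and the same truncation can come back the next time it rewrites snort.conf. The checker below is an added example for this recipe, not part of IDScenter or Snort: it reads a snort.conf, honors Snort's trailing-backslash line continuations, flags the http_inspect global and http_inspect_server default directives when their arguments are missing, and rewrites them with the two complete directives from the Discussion after backing the file up. The snort.conf excerpt embedded in it is constructed to reproduce the truncated state; the path passed to repair_file is whatever your installation uses (C:\Snort\etc\snort.conf by default).

```python
"""Detect and repair the truncated http_inspect directives IDScenter leaves in snort.conf.

Example code written for this recipe; it assumes only that snort.conf uses a
trailing backslash to continue a directive onto the next line, as Snort does.
"""
import re
import shutil
from pathlib import Path

# Constructed sample: a snort.conf excerpt as IDScenter leaves it (both directives truncated).
BROKEN_CONF = """\
# constructed excerpt: snort.conf after IDScenter rewrote it
preprocessor frag2
preprocessor http_inspect: global
preprocessor http_inspect_server: server default
output alert_fast: alert.ids
"""

# The two complete directives from the Discussion, with Snort's line continuations.
FIXED_GLOBAL = (
    "preprocessor http_inspect: global \\\n"
    "    iis_unicode_map unicode.map 1252"
)
FIXED_SERVER = (
    "preprocessor http_inspect_server: server default \\\n"
    "    profile all ports { 80 8080 8180 } oversize_dir_length 500"
)

GLOBAL_RE = re.compile(r"^\s*preprocessor\s+http_inspect\s*:\s*global\b")
SERVER_RE = re.compile(r"^\s*preprocessor\s+http_inspect_server\s*:\s*server\s+default\b")
PORTS_RE = re.compile(r"\bports\s*\{")


def logical_lines(text):
    """Split snort.conf text into logical directives.

    Returns (first_physical_line_number, [physical lines], joined_text) per directive,
    joining physical lines that end in a backslash the way Snort does.
    """
    entries, buf, start = [], [], None

    def flush():
        joined = " ".join(l.rstrip().rstrip("\\").strip() for l in buf)
        entries.append((start, list(buf), joined))

    for num, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        buf.append(line)
        if line.rstrip().endswith("\\"):
            continue  # directive continues on the next physical line
        flush()
        buf, start = [], None
    if buf:  # file ended on a continuation line; keep it rather than lose it
        flush()
    return entries


def _truncated(joined):
    """Return the replacement directive if this logical line is a truncated http_inspect, else None."""
    if GLOBAL_RE.match(joined) and "iis_unicode_map" not in joined:
        return FIXED_GLOBAL
    if SERVER_RE.match(joined) and not PORTS_RE.search(joined):
        return FIXED_SERVER
    return None


def find_problems(text):
    """Return [(line_number, message)] for each truncated http_inspect directive."""
    problems = []
    for start, _, joined in logical_lines(text):
        fix = _truncated(joined)
        if fix is FIXED_GLOBAL:
            problems.append((start, "http_inspect global lacks iis_unicode_map"))
        elif fix is FIXED_SERVER:
            problems.append((start, "http_inspect_server default lacks profile/ports"))
    return problems


def repair(text):
    """Return the config with truncated http_inspect directives replaced; other lines are untouched."""
    out = []
    for _, physical, joined in logical_lines(text):
        fix = _truncated(joined)
        out.append(fix) if fix else out.extend(physical)
    return "\n".join(out) + "\n"


def repair_file(path):
    """Back up snort.conf to snort.conf.bak and rewrite it only if something was truncated."""
    p = Path(path)
    text = p.read_text()
    problems = find_problems(text)
    if problems:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_text(repair(text))
    return problems


if __name__ == "__main__":
    for line, msg in find_problems(BROKEN_CONF):
        print(f"line {line}: {msg}")
    print(repair(BROKEN_CONF))
```

Run it against the real file with repair_file(r"C:\Snort\etc\snort.conf") after IDScenter has rewritten the configuration, then click Reload and Test settings in IDScenter as described above; the backup it writes is the copy you will want if IDScenter changes anything else.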
See Also
Recipe 1.4
http://www.engagesecurity.com/products/idscenter/
Installing and Configuring SnortCenter