  4. Windows Intrusion Detection System - Companion Add-On Tutorial

Configuring Barnyard2 to run as a Windows service

Written by: Michael E. Steele

Introduction

This tutorial is a simple to understand, step-by-step tutorial to upgrade an existing Master Windows Intrusion Detection System to run Barnyard2 as a Windows service. By default the Master Windows Intrusion Detection System requires someone to be logged into the Windows Intrusion Detection System in order for Barnyard2 to shuttle events to the database. With Barnyard2 running as a Windows service, events are shuttled to the database immediately, whether anyone is logged in or not.

Copyright Notice

This document is Copyright © 2002-2017 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one-on-one support.
If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

Operating System and Configuration Setup

All existing Master Windows Intrusion Detection Systems (WinIDS) are supported.

Prepping Barnyard2 to run as a Windows service

This tutorial assumes the files from the original Windows Intrusion Detection System (WinIDS) tutorial have been downloaded, and are located in the d:\temp folder. It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Pack'. Those files have been thoroughly tested and are compatible with this particular tutorial.

Converting Barnyard2 to run as a Windows Service Tutorial

Adding Barnyard2 to the Windows Services Database

At the CMD prompt type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that 'srvany' was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the srvany service has been successfully added!

At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that Barnyard2 was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the Barnyard2 service has been successfully added!

At the CMD prompt type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key. The Registry Editor selection box opens and asks 'Are you sure you want to continue?'; left-click 'Yes', and at the next input selection left-click 'OK'.
At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Barnyard2 auto-start service has been successfully activated.

Open a CMD window and type 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Barnyard2 /f' (less the outside single quotes), and tap the 'Enter' key. The above run line removes the existing registry value that invokes Barnyard2 when someone logs in. The following is a confirmation that the registry value was removed successfully.

The operation completed successfully.

Do not proceed until 'The operation completed successfully.' is displayed.

At the CMD prompt type 'taskkill /F /IM barnyard2.exe' (less the outside quotes), and tap the 'Enter' key. The above run line terminates the existing Barnyard2 process. The following is a confirmation that the Barnyard2 process has been successfully terminated.

SUCCESS: The process "barnyard2.exe" with PID 2340 has been terminated.

Do not proceed until the Barnyard2 process has been terminated.

At the CMD prompt type 'net start barnyard2' (less the outside quotes), and tap the 'Enter' key. The above run line starts the new Barnyard2 Windows service. The following is a confirmation that the Barnyard2 Windows service was successfully started.

The Barnyard2 service is starting.
The Barnyard2 service was started successfully.

Do not proceed until the Barnyard2 service has been started successfully.

Note: It may take several minutes before events start arriving in the Windows Intrusion Detection Systems security console.

In conclusion

Congratulations, you have just converted the default Barnyard2 to run as a Windows service. I hope this tutorial has been of great assistance.
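As an added check that is not part of the original tutorial, the PowerShell script below verifies the end state the steps above are meant to produce: the Barnyard2 service exists, runs under srvany.exe with delayed auto-start, the per-logon Run value is gone, and exactly one barnyard2.exe is alive and was launched by the service rather than by hand. It assumes the service is named Barnyard2, that the .reg import populated the service's Parameters key (srvany reads Application and AppParameters from there), and that the removed Run value was named Barnyard2.

```powershell
# Added verification script for the srvany-based Barnyard2 service (not from the tutorial).
# Assumptions: service name 'Barnyard2'; srvany reads the command to launch from
# HKLM\SYSTEM\CurrentControlSet\Services\Barnyard2\Parameters\Application.
$svcName  = 'Barnyard2'
$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. The service must exist and be running.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) { $findings += "service '$svcName' is not installed (instsrv step missing?)" }
elseif ($svc.Status -ne 'Running') { $findings += "service '$svcName' is $($svc.Status), expected Running" }

# 2. Delayed auto-start, as set by 'sc config Barnyard2 start= delayed-auto' (Start=2 plus DelayedAutostart=1).
$cfg = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($cfg) {
    if ($cfg.Start -ne 2 -or $cfg.DelayedAutostart -ne 1) {
        $findings += "start type is not delayed-auto (Start=$($cfg.Start), DelayedAutostart=$($cfg.DelayedAutostart))"
    }
    if ($cfg.ImagePath -notmatch 'srvany\.exe') {
        $findings += "ImagePath '$($cfg.ImagePath)' does not point at srvany.exe"
    }
}

# 3. srvany only launches what the Parameters key names; a missing or wrong Application
#    value gives the classic 'service Running but no barnyard2.exe' symptom.
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
if (-not $params -or -not $params.Application) {
    $findings += "Parameters\Application is missing (did the .reg import apply?)"
} elseif (-not (Test-Path -LiteralPath $params.Application)) {
    $findings += "Parameters\Application '$($params.Application)' does not exist on disk"
}

# 4. The per-logon Run value must be gone, otherwise a second copy starts at every logon.
$run = Get-ItemProperty -Path $runKey -Name $svcName -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value '$svcName' still present: $($run.$svcName)" }

# 5. Exactly one barnyard2.exe should be alive, and its parent should be srvany.exe.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'barnyard2.exe'")
if ($procs.Count -eq 0) { $findings += "no barnyard2.exe process is running" }
elseif ($procs.Count -gt 1) { $findings += "$($procs.Count) barnyard2.exe processes running (duplicate start?)" }
else {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($procs[0].ParentProcessId)"
    if ($parent.Name -ne 'srvany.exe') {
        $findings += "barnyard2.exe parent is '$($parent.Name)', not srvany.exe (started by hand?)"
    }
}

if ($findings.Count -eq 0) { Write-Host "Barnyard2 service configuration looks correct." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated PowerShell prompt; reading the SYSTEM hive and enumerating service processes requires administrator rights.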
Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to update the Master Sensor rules, signatures, and sig-msg.map using PulledPork
This tutorial will show how to update the Master Sensor rules, signatures, and the sig-msg.map file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

How to update the Slave sensor rules using PulledPork
This tutorial will show how to update the Slave Sensor rules using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
This tutorial will show how to have user defined priority events, which are written to the Windows Application Log, eMailed to user defined eMail accounts, on an existing Windows Intrusion Detection System (WinIDS).

How to add Event Logging to a remote Syslog server
This tutorial will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).

How to install MySQL Tools into a MySQL enabled Windows Intrusion Detection System (WinIDS)
This tutorial will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution when using these tools.

How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine
This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.

How to update the Rules, Signatures, and sig-msg.map file
This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.

How to update the PHP General-Purpose Scripting Language
This tutorial will show how to update the Windows Intrusion Detection Systems PHP General-Purpose Scripting Language.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Application log.

General problems

For general help, left-click the support button at the top of this tutorial, or manually navigate to the correct forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
  5. I manually added rules from YOUR GUIDE and after that I see all the traffic. Your information is helpful too. THANK YOU !!!
  6. The Windows Intrusion Detection System is probably plugged into a SWITCH. The Windows Intrusion Detection System needs to be plugged into a HUB with all the other PCs on the network, or, if the Windows Intrusion Detection System is plugged into a SWITCH, all the ports for the PCs to be monitored MUST be mirrored to the port the Windows Intrusion Detection System is plugged into. You could do this
  7. I followed the guide and everything is fine, but alerts in BASE are only for the PC that the system is installed on. Is there a way to scan all PCs in the network? I mean that I see traffic only for my PC IP 192.168.1.161, but I want to see other PCs' traffic. Thank you.
  8. You should have checked and verified the tables per the tutorial. The error states there is a problem with the archive database. Below is how to check the existence of the tables in the archive database. If the tables are missing then you might need to reinstall, and make sure that no steps are missed.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Operator>mysql -u root -pd1ngd0ng
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.18-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> connect archive;
Connection id: 8
Current database: archive

mysql> show tables;
+-------------------+
| Tables_in_archive |
+-------------------+
| acid_ag           |
| acid_ag_alert     |
| acid_event        |
| acid_ip_cache     |
| base_roles        |
| base_users        |
| data              |
| detail            |
| encoding          |
| event             |
| icmphdr           |
| iphdr             |
| opt               |
| reference         |
| reference_system  |
| schema            |
| sensor            |
| sig_class         |
| sig_reference     |
| signature         |
| tcphdr            |
| udphdr            |
+-------------------+
22 rows in set (0.00 sec)

mysql>
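As an added example that is not part of the answer above, the PowerShell script below automates the same table check: it pulls the table list of the 'archive' database from information_schema and reports which of the 22 tables listed above are missing, so a broken archive schema is found before BASE throws its "doesn't exist" error. It assumes mysql.exe is on the PATH and that the database user (a placeholder here) can read information_schema; the client prompts for the password so it never appears on the command line.

```powershell
# Added check (not from the original post): which of the expected BASE/archive tables are absent?
# Assumes mysql.exe is on the PATH; the user name is a placeholder and -p prompts for the password.
$ExpectedArchiveTables = @(
    'acid_ag', 'acid_ag_alert', 'acid_event', 'acid_ip_cache', 'base_roles', 'base_users',
    'data', 'detail', 'encoding', 'event', 'icmphdr', 'iphdr', 'opt', 'reference',
    'reference_system', 'schema', 'sensor', 'sig_class', 'sig_reference', 'signature',
    'tcphdr', 'udphdr'
)

function Get-MissingArchiveTables {
    param(
        [string]$User     = 'root',      # placeholder; use the account the tutorial created
        [string]$Database = 'archive'
    )
    # -N drops the column header, -B gives plain tab-separated rows, -e runs one query.
    $query   = "SELECT table_name FROM information_schema.tables WHERE table_schema = '$Database'"
    $present = & mysql -u $User -p -N -B -e $query 2>$null
    if ($LASTEXITCODE -ne 0) { throw "mysql client failed (exit code $LASTEXITCODE); check credentials and that the server is running" }

    # Normalise the client output to a clean string array, then keep the expected names not found.
    $presentNames = @($present | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
    @($ExpectedArchiveTables | Where-Object { $presentNames -notcontains $_ })
}

$missing = Get-MissingArchiveTables
if ($missing.Count -gt 0) {
    Write-Warning ("Missing from '$($Database)': " + ($missing -join ', ') + " (re-run the archive schema steps)")
} else {
    Write-Host "All $($ExpectedArchiveTables.Count) expected tables are present in the archive database."
}
```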
  9. Everything seems to work. I have the system up, but when I go to the http://winids/ url, the page loads but I receive the error "Database ERROR: Table 'archive.acid_event' doesn't exist". I connect with SQL Developer to verify and it indeed doesn't. Do I need to run the MySQL_ configuration again for the archive database? Or can I manually add the tables and row/column data? Can someone provide the steps to do that? Thanks so much... really looking forward to using this system. I have been severely compromised on my home network and this is the final piece to hardening my home network.
  10. Thanks, again I made the assumption it had to be there.
  11. Remember: The Windows Intrusion Detection Systems security console (BASE) will never work with PHP-7. Do not perform a function if it's not detailed in the tutorial. The portscan.log will be created when it is needed.
  12. Yes, it works now, thanks! Did two things though:
1. Got the exact PHP version (did not work! different error)
2. Changed the extension from mysqli to mysql in php.ini (worked!)
I only used mysqli.dll because I could not find mysql.dll in the mysql folder. I tried to be one step ahead I guess.
  13. Thanks, will try the exact php version shortly.
  14. Only use the versions that are detailed in the tutorial. There MIGHT be a failure by using newer/older versions. If you are using PHP 7.x then the BASE console will not work, and PHP is only installed for that one program. Note: It is possible to run multiple versions of PHP at the same time.
  15. Unfortunately I can't afford 250 now. But I can live with just the output from barnyard for now. I suspect it's the newer version of the PHP that I'm using that is causing all the problems. The test.php actually works! Thanks.
  16. I have no idea what you are doing, but you are working on a non-standard installation (not following the tutorial) and it is really hard to diagnose problems. Note: the PHP that is supported in the tutorial has extension=php_mysql as an option. There are a couple of solutions: Perform a complete reinstall and follow the tutorial. I am available for one-on-one support, and I guarantee to get it 100%. However, there is a $250 US fee and I would need remote access to the PC. Everything will be installed on one device, and the OS has to be one that is officially supported, and memory has to be a minimum of 3 gigs for non-server and 6 gigs for server.
  17. I've done everything by the book, with the exception of having Snort under C:\Snort, and all tests passed. However I get this when I type http://winids (cut off like that):

nk_field_string, $add_button_string) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1398
PHP Warning: Declaration of ICMPFieldCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1438
PHP Warning: Declaration of ICMPFieldCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1438
PHP Warning: Declaration of DataCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1634
PHP Fatal error: Uncaught Error: Cannot use string offset as an array in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_common.inc.php:47
Stack trace:
#0 D:\WinIDS\inetpub\wwwroot\base\base_main.php(60): InitArray('', 1, 3, '')
#1 {main}
thrown in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_common.inc.php on line 47

Exactly cut off like that. Any ideas? I've created a portscan.log file since it did not exist. Also my php.ini does not have extension=php_mysql.dll but extension=php_mysqli.dll, with an i. Probably because it's the latest version. Windows 10 64bit, Firefox or Internet Explorer, barnyard and snort services running. BTW this is the most comprehensive install tutorial I've seen.

Edit 1: After some double checking I realized that the Barnyard2 service is running (srvany) but not barnyard2.exe. I am now launching barnyard2.exe manually with the following command:

barnyard2.exe -c d:\winids\barnyard2\etc\barnyard2.conf -d c:\snort\log -f merged.log -l d:\winids\barnyard2 -w c:\snort\log\barnyard.waldo

which works fine. The IIS still does not work!
  18. This has been fixed in the current version. To fix this:
Open a CMD window and type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'pear install mail mail_mime' (less the outside quotes), and tap the 'Enter' key.
Close the CMD window and try it again.
  19. PHP Warning: include_once(Mail.php): failed to open stream: No such file or directory in C:\winids\inetpub\wwwroot\base\includes\base_action.inc.php on line 29
PHP Warning: include_once(): Failed opening 'Mail.php' for inclusion (include_path='c:\winids\php;c:\winids\php\pear') in C:\winids\inetpub\wwwroot\base\includes\base_action.inc.php on line 29
PHP Warning: include_once(Mail/mime.php): failed to open stream: No such file or directory in C:\winids\inetpub\wwwroot\base\includes\base_action.inc.php on line 30
PHP Warning: include_once(): Failed opening 'Mail/mime.php' for inclusion (include_path='c:\winids\php;c:\winids\php\pear') in C:\winids\inetpub\wwwroot\base\includes\base_action.inc.php on line 30
  20. I'm supposed to compare SNORT, Suricata, OSSIM, and OpenVAS, based on the strategy for intrusion detection. Can you help?
  21. You have a non-standard path assigned. I'm betting you failed to edit one of the .reg files to match your path.
  22. Hi! Thank you for the amazing tutorial! I searched and found another user with this same issue I'm having in the posts. He said he modified the VB script, and the only VB script I saw was modder.vbs; it was true, it referenced drive d: throughout. I use drive c, so I modified that script, BUT still no luck. c:\winids\activators\by2-test returns success as it should (I think):

>c:\winids\barnyard2\barnyard2.exe -c c:\winids\barnyard2\etc\barnyard2.conf -d c:\winids\snort\log -f merged.log -l c:\winids\barnyard2 -w c:\winids\snort\log\barnyard.wald
Running in Test mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "c:\winids\barnyard2\etc\barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [32768]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database
database: compiled support for (postgresql)
database: configured to use mysql
database: schema version = 107
database:           host = winids
database:           user = snort
database:  database name = snort
database:    sensor name = WinIDS-Home
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 337)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

There is nothing in event viewer referencing this crash. When I try net start barnyard2:

C:\>net start barnyard2
The Barnyard2 service is starting.
The Barnyard2 service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

Is there anywhere else to look? Does anyone have any ideas? Thank you in advance! ~Blaine
  23. thank you! I had the same dang question - I was fighting this for hours! ima dork - thanks again for ask and answer!
  24. Sorry for the delay. There is no event mechanism set up for auto-updating the rules using PulledPork. This has to be completed manually unless you create something to auto-update. Remember: faults need to be checked throughout the complete update process, because if one error occurs the Windows Intrusion Detection System will shut down without notice. A script would need to be very detailed and faults would need to be handled properly.
  25. Perform a fresh install of Windows 10, and then use this tutorial to install the Windows Intrusion Detection System per the support programs you requested.
  26. I want to install snort for my Windows 10: snort + base + barnyard2 + apache2.4 + php. After I installed barnyard, I tested it. Then I got this:

database mysql_error: Can't connect to local MySQL server through socket '/var/run/mysql.sock' (2 "No such file or directory")

This error is not for Windows; it is in Linux, is it? Now I do not know how to deal with it. Hope someone can help me.
  27. Make a copy of your barnyard2 folder, and then dissolve the attached by2.zip into the barnyard2 folder and overwrite everything. Then try the test again. Your original barnyard2.conf will not be overwritten. by2.zip