All Activity

  5. It appears the snort database has a problem or authentication. Go into the task manager and kill the Barnyard2 process. Go into the uninstall programs and remove postgresql. Go into the d:\winids folder and delete the postgresql folder. Return to the tutorial section labeled Installing the PostgreSQL Database Server and complete. Go to the tutorial section labeled Configuring the PostgreSQL Database Server and complete. Go to the tutorial section labeled Confirming PostgreSQL and Snort are operational and complete. Go to the tutorial section labeled Testing the Barnyard2 configuration file and complete. This should fix the problem.
  6. Pulled your Pulledpork folder in and everything works as expected. I'm not sure what the problem is. Possible firewall issue with a blocked port?

     C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

         https://github.com/shirkdog/pulledpork
           _____ ____
           `----,\    )
            `--==\\  /    PulledPork v0.7.4 - Helping you protect your bitcoin wallet!
             `--==\\/
           .-~~~~-.Y|\\_  Copyright (C) 2009-2017 JJ Cummings, Michael Shirk
        @_/        /  66\_  and the PulledPork Team!
          |    \   \   _(")
           \   /-| ||'--'  Rules give me wings!
            \_\  \_\\
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     'uname' is not recognized as an internal or external command,
     operable program or batch file.
     Checking latest MD5 for snortrules-snapshot-29111.tar.gz....
     Rules tarball download of snortrules-snapshot-29111.tar.gz....
        They Match
        Done!
     IP Blacklist download of https://talosintelligence.com/documents/ip-blacklist....
        Reading IP List...
     Checking latest MD5 for opensource.gz....
     Rules tarball download of opensource.gz....
        They Match
        Done!
     Prepping rules from opensource.gz for work....
        Done!
     Prepping rules from snortrules-snapshot-29111.tar.gz for work....
     No such file in archive: 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 366.
     Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 366.
        Done!
     Reading rules...
     readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 722.
     readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 722.
     readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 722.
     Reading rules...
     Activating security rulesets....
        Done
     Modifying Sids....
        Done!
     Processing d:\winids\pulledpork\etc\enablesid.conf....
        Modified 20480 rules
        Skipped 0 rules (already disabled)
        Done
     Processing d:\winids\pulledpork\etc\dropsid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
     Processing d:\winids\pulledpork\etc\disablesid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
     Setting Flowbit State....
        Done
     Writing d:\winids\snort\rules\winids.rules....
        Done
     Generating sid-msg.map....
        Done
     Writing v1 d:\winids\snort\etc\sid-msg.map....
        Done
     Writing d:\winids\snort\log\sid_changes.log....
        Done
     Rule Stats...
        New:-------4
        Deleted:---0
        Enabled Rules:----32501
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------32501
     No IP Blacklist Changes

     Done
     Please review d:\winids\snort\log\sid_changes.log for additional details

     Fly Piggy Fly!
  7. Attached is my Pulled Pork folder; the temp folder was cleared out. I also cleared out the folder and tried to run the command again, and the attached picture shows the files getting downloaded there. So it is grabbing something at least. My OinkCode also looks good. This device is also not sitting behind a proxy. pulledpork.zip
  8. Make SURE you are ONLY using the Pulledpork from here. I have to modify it to work on Windows. Make sure your oink code is correct. If you are behind a proxy there may be problems. Try removing everything in the pulledpork/temp folder. If there are still problems, zip up the pulledpork folder and attach it. Don't forget to delete everything in the pulledpork/temp folder before compressing.
  9. Hi, attached is my Pulled Pork config file: pulledpork.conf
  10. Hi, I recently went to upgrade my Snort version and Pulled Pork version. Those seem to have upgraded just fine. What I am having an issue with is trying to update Pulled Pork after the upgrade. When I run the update command it seems like it can't connect to Talos, which is the first time I am seeing that issue. Has anyone seen an issue like this before? In the attached screenshot I am able to browse to the website shown. It almost seems like the Talos side might not allow me in to download said file. Thanks in advance.
  11. Pulledpork runs a specific set of rules based on the policy set in pulledpork.conf. There are 4 conf files located in the etc folder that will include, exclude, disable, or drop rules based on your specific needs. The default set of activated rules prior to installing PulledPork has more rules activated by default. PulledPork drills down into the more relevant rules based on policy. You will need to figure out what is best to include or exclude based on your needs using the . There is a Pulledpork user group that could be very helpful here. Also, you can ask questions in the Snort mailing list.
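Post 11 describes how PulledPork's enablesid/disablesid/dropsid files narrow the active rule set, and the PulledPork run in post 6 shows the "Modified N rules / Skipped N rules (already disabled)" counts it reports for each file. The script below is an added illustration of that mechanism and is not PulledPork's own code (PulledPork is Perl; this is Python). It assumes the simple `gid:sid` and `gid:sid-gid:sid` selector forms only; PulledPork's other selectors (category names, pcre) are not implemented, and the sample rules and selector lists are constructed for the example.

```python
import re

# Constructed sample rule set in Snort rule syntax (not taken from the page).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; sid:1000001; gid:1; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"EXAMPLE icmp sweep"; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh login"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
# Selector syntax assumed here: "gid:sid" or a "gid:sid-gid:sid" range, comma separated.
SELECTOR_RE = re.compile(r"^(\d+):(\d+)(?:-(\d+):(\d+))?$")


def parse_sid_list(text):
    """Parse an enablesid/disablesid/dropsid-style file into a set of (gid, sid)."""
    wanted = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        for item in line.split(","):
            m = SELECTOR_RE.match(item.strip())
            if not m:
                raise ValueError(f"unsupported selector: {item!r}")
            gid, sid, gid2, sid2 = m.groups()
            if gid2 is None:
                wanted.add((int(gid), int(sid)))
            elif gid2 != gid:
                raise ValueError(f"range must stay within one gid: {item!r}")
            else:
                wanted.update((int(gid), s) for s in range(int(sid), int(sid2) + 1))
    return wanted


def rule_key(line):
    """Return the (gid, sid) of a rule line, commented out or not; None for non-rules."""
    m = SID_RE.search(line)
    if not m:
        return None
    g = GID_RE.search(line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))   # Snort's default gid is 1


def apply_policy(rules_text, enable=frozenset(), disable=frozenset(), drop=frozenset()):
    """Comment out 'disable' sids, uncomment 'enable' sids, and turn enabled alert
    rules listed in 'drop' into drop rules. Returns (new_text, stats)."""
    out = []
    stats = {"enabled": 0, "disabled": 0, "dropped": 0, "skipped": 0}
    for line in rules_text.splitlines():
        key = rule_key(line)
        if key is None:
            out.append(line)
            continue
        body = line.lstrip()
        commented = body.startswith("#")
        if commented:
            body = body.lstrip("#").lstrip()
        if key in disable:
            if commented:
                stats["skipped"] += 1        # "already disabled", as PulledPork reports
            else:
                stats["disabled"] += 1
            out.append("# " + body)
        elif key in enable and commented:
            stats["enabled"] += 1
            out.append(body)
        elif key in drop and not commented and body.startswith("alert "):
            stats["dropped"] += 1
            out.append("drop " + body[len("alert "):])
        else:
            out.append(line)
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    new_text, stats = apply_policy(
        SAMPLE_RULES,
        enable=parse_sid_list("1:1000002"),
        disable=parse_sid_list("1:1000001  # noisy on our network"),
        drop=parse_sid_list("1:1000003-1:1000004"),
    )
    print(new_text)
    print(stats)
```

Run stand-alone it prints the rewritten rule set followed by the counts; the "skipped" counter is the part worth noticing, since a disablesid entry that names an already-commented rule changes nothing, which is exactly what the "Skipped ... (already disabled)" lines in post 6 mean.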
  12. I have followed your excellent tutorials and installed WinIDS with MySQL, Barnyard2 and Pulled Pork. Before I got Pulled Pork installed, I had lots of alerts, but after applying it, I haven't seen any new alerts since last thing on Friday. I hope that is a good thing! To keep the rules up to date, do I create a Scheduled Task to run a batch file with:

      rd d:\winids\snort-old /S /Q
      xcopy /E /I d:\winids\snort d:\winids\snort-old
      perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T
      net stop snort & net start snort

      Perhaps once per day?
  13. I'm not sure, because this is a custom install. If you follow the guide you will get a working Windows Intrusion Detection System. However, it looks like you have an incompatible version of PHP installed. The Windows Intrusion Detection security console (BASE) ONLY works with PHP 5.x.
  14. Why did I get this error during the BASE installation? Do I have something missing or a wrong configuration? If anyone knows a solution, please let me know.

      Strict Standards: Declaration of MultipleElementCriteria::SanitizeElement() should be compatible with BaseCriteria::SanitizeElement() in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 292
      Strict Standards: Declaration of MultipleElementCriteria::PrintForm() should be compatible with BaseCriteria::PrintForm() in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 292
      Strict Standards: Declaration of MultipleElementCriteria::AddFormItem() should be compatible with BaseCriteria::AddFormItem() in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 292
      Strict Standards: Declaration of MultipleElementCriteria::SetFormItemCnt() should be compatible with BaseCriteria::SetFormItemCnt() in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 292
      Strict Standards: Declaration of ProtocolFieldCriteria::Description() should be compatible with BaseCriteria::Description() in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 337
      Strict Standards: Declaration of TimeCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 932
      Strict Standards: Declaration of IPAddressCriteria::SanitizeElement() should be compatible with MultipleElementCriteria::SanitizeElement($i) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1109
      Strict Standards: Declaration of IPAddressCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1109
      Strict Standards: Declaration of IPFieldCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1152
      Strict Standards: Declaration of IPFieldCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1152
      Strict Standards: Declaration of TCPPortCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1190
      Strict Standards: Declaration of TCPPortCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1190
      Strict Standards: Declaration of TCPFieldCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1234
      Strict Standards: Declaration of TCPFieldCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1234
      Strict Standards: Declaration of UDPPortCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1361
      Strict Standards: Declaration of UDPPortCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1361
      Strict Standards: Declaration of UDPFieldCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1398
      Strict Standards: Declaration of UDPFieldCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1398
      Strict Standards: Declaration of ICMPFieldCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1438
      Strict Standards: Declaration of ICMPFieldCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1438
      Strict Standards: Declaration of DataCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php on line 1634
      Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php:1361) in C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_auth.inc.php on line 331
      Warning: Cannot modify header information - headers already sent by (output started at C:\xampp\htdocs\SnortV2\base-1.4.5\includes\base_state_citems.inc.php:1361) in C:\xampp\htdocs\SnortV2\base-1.4.5\index.php on line 53
  15. I actually did get this working using the tutorial. So the latest Snort plus Barnyard2 will provide me the data and info I need to continue to use Puresecure WFE. (I'm so happy!)
  16. Greetings folks, Many years ago (when I didn't realize I was still young) I set up an IDS using Snort and Demarc PureSecure. I really liked Demarc because of the user interface and the ability to manage Snort, rulesets and monitored hosts. I also figured out how to add plugins to extend the features. Sadly they went out of business really quickly. When Snort finally dumped DB output I was really bummed. I found WinSnort (which is a fantastic site; I tip my hat to the group of people that keep this site going) and see that Barnyard can log Snort data to a MySQL database. Does Barnyard log data like Snort used to? By that I mean, is the table structure still the same? If so, this is exactly what I'm looking for. I appreciate any feedback this group has. Thanks, -Matt
  17. The config files look good. It's usually quicker to start fresh.
  18. I've checked the ports and nothing appears to be using port 80... I've checked to see if it might be some residual setting from a previous instance of IIS or Apache, but that doesn't seem to be it.... If you see nothing wrong with these conf files I'll just restart fresh... php.ini httpd.conf
  19. To completely remove Apache2, remove the service using httpd -k uninstall, then delete the Apache24 directory, and then look in the services to make sure the service is gone. Looks like something else is using port 80?
  20. I decided to do a fresh install, removing all associated programs/services and registry entries; however, I am now unable to start the Apache service without errors. I checked the error log, which is as follows:

      C:\Users\Operator>d:\winids\apache24\bin\httpd.exe -w
      (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted.  : AH00072: make_sock: could not bind to address 127.0.0.1:80
      AH00451: no listening sockets available, shutting down
      AH00015: Unable to open logs
      Note the errors or messages above, and press the <ESC> key to exit. 0....

      C:\Users\Operator>d:\winids\apache24\bin\httpd.exe
      (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted.  : AH00072: make_sock: could not bind to address 127.0.0.1:80
      AH00451: no listening sockets available, shutting down
      AH00015: Unable to open logs

      I should note that even though I uninstalled Apache and its registry entries, I received an "Apache already installed" notification...
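The pair of errors in post 20, "(OS 10048)" and "AH00072: make_sock: could not bind to address 127.0.0.1:80", is the Windows socket error WSAEADDRINUSE: some other listener already owns the address httpd is configured to bind, which is also what post 19 suspects. The Python script below is an added diagnostic for that situation and is not part of the WinIDS tutorial or of Apache. It tries to bind the address exactly the way a server would, separately checks whether anything already answers on it, and maps both the Windows (10048, 10013) and POSIX (EADDRINUSE, EACCES) error codes so the same check runs on either platform. `demo_conflict` reproduces the conflict on a loopback port the script occupies itself; the 127.0.0.1:80 check in `__main__` is the address from the page.

```python
import errno
import socket
import struct
import sys

# Windows reports socket failures as WSA codes (10048 = WSAEADDRINUSE, 10013 = WSAEACCES);
# POSIX reports EADDRINUSE / EACCES. Accept both so the check works on either platform.
ADDR_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)}
NO_PERMISSION = {errno.EACCES, getattr(errno, "WSAEACCES", 10013)}


def bind_status(host, port):
    """Try to bind a fresh TCP socket to host:port exactly as a server would.
    Returns 'free', 'in_use', 'permission_denied' or 'error:<errno>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "free"
    except OSError as e:
        if e.errno in ADDR_IN_USE:
            return "in_use"            # the AH00072 / OS 10048 case from the post
        if e.errno in NO_PERMISSION:
            return "permission_denied"  # port reserved or privileged, not occupied
        return f"error:{e.errno}"
    finally:
        s.close()


def is_listening(host, port, timeout=0.5):
    """True if something currently accepts TCP connections on host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    # Abortive close (RST) so the probe leaves no TIME_WAIT state on the target port.
    linger_fmt = "hh" if sys.platform == "win32" else "ii"
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack(linger_fmt, 1, 0))
    try:
        return s.connect_ex((host, port)) == 0
    finally:
        s.close()


def port_report(host, port):
    """Both checks in one dict: can we bind it, and is something already serving it?"""
    return {"host": host, "port": port,
            "bind": bind_status(host, port),
            "listening": is_listening(host, port)}


def demo_conflict():
    """Constructed demo: occupy a loopback port ourselves, report while it is held
    and again after it is released. Returns (while_held, after_release)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))         # port 0: let the OS pick a free port
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        while_held = port_report("127.0.0.1", port)
    finally:
        holder.close()
    after_release = port_report("127.0.0.1", port)
    return while_held, after_release


if __name__ == "__main__":
    # The address from the AH00072 error; run it as the account Apache runs under.
    print(port_report("127.0.0.1", 80))
    print(demo_conflict())
```

A report of `bind: in_use, listening: True` means a live server (another httpd, IIS, or anything else) owns the port and must be stopped or moved; `in_use` with `listening: False` points at a socket held without serving (a dying process or a lingering connection) and is worth re-running after a short wait; `permission_denied` means the port is reserved for another account or range rather than occupied, which a reinstall will not fix.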
  21. C:\Users\Operator>d:\winids\barnyard2\barnyard2.exe -c d:\winids\barnyard2\etc\barnyard2.conf -d d:\winids\snort\log -f merged.log -l d:\winids\barnyard2 -w d:\winids\snort\log\barnyard.waldo -T
      Running in Test mode

              --== Initializing Barnyard2 ==--
      Initializing Input Plugins!
      Initializing Output Plugins!
      Parsing config file "d:\winids\barnyard2\etc\barnyard2.conf"

      +[ Signature Suppress list ]+
      ----------------------------
      +[No entry in Signature Suppress List]+
      ----------------------------
      +[ Signature Suppress list ]+

      WARNING: invalid Reference spec 'url,'. Ignored
      WARNING: invalid Reference spec 'url,'. Ignored
      WARNING: invalid Reference spec 'url,'. Ignored
      WARNING: invalid Reference spec 'url,'. Ignored
      Barnyard2 spooler: Event cache size set to [32768]
      INFO database: Defaulting Reconnect/Transaction Error limit to 10
      INFO database: Defaulting Reconnect sleep time to 5 second
      ..............................................

      It just seems to go on forever from here... When I open Task Manager I can see the processes apache, PostgreSQL, and snort are all there, but there appears to be no activity....
  22. In line 105 of your base_conf.php change:

      $$alert_user = 'base';

      to

      $alert_user = 'base';

      In line 434 of your base_conf.php change:

      $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

      to

      $priority_colors = array ('000000','FF0000','FF9900','FFFF00','999999');
  23. Hi, I finished the tutorial. Snort, Barnyard2 and SQL look OK, but when I try "http://winids/" I can't connect to the DB. I checked base_conf.php and it looks good. Any help? Thank you! base_conf.php