All Activity

  4. Attach your pulledpork.conf, and snort.conf files. Are there any files in the pulledpork/temp folder?
  5. I believe I have everything set up correctly, but when I run 'C:\>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' I get the following error:
Use of uninitialized value $rule_file_path in string eq at d:\winids\pulledpork\pulledpork.pl line 562.
Reading rules...
Use of uninitialized value $rule_file_path in string eq at d:\winids\pulledpork\pulledpork.pl line 562.
FLY PIGGY FLY! shows up, but I do not see any new rules or updates?
  7. As long as Pulled Pork finishes with Fly Piggy Fly! the process completed. I see there are some problems finding some files in the ET part. There is a different oinkcode for the ET rules. What are your concerns?
  8. I sent a txt file of the output which shows errors. Not sure if any of the errors are config uses. Yes, I used my oinkcode for both of the snort rules bases.
  9. Don't forget your oinkcode assignments for any of the other rule sets.
  10. I want to try the other 2 rule sets, emerging and community. I uncommented the 2 and ran an update and I get the following output. Is there something else I need to do besides uncommenting the rules in the pulledpork.conf file? pulled.txt
  11. Oops. I didn't notice that the new lines were commented out. It's kind of hard to see, with the way the text is formatted. Thanks.
  12. #1: Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules
Yes, there is a change, as indicated above.
#2: Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules
Yes, there is a change, as indicated above.
Follow the tutorial, and don't make any changes. If you have to make changes there is something wrong.
  13. That is correct. Those two files are used by the Reputation preprocessor. Both files need to exist or there will be a fatal error.
  14. There are a couple of path adjustments in the procedure that seem to be not quite correct.
#1: Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules
This is not actually a change, since the two lines are identical. Presumably it's supposed to be 'd:\winids\Snort\so_rules'. Is that right?
#2: Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules
This is not actually a change, since the two lines are identical. And when I run the Snort test, I get this fatal error: 'ERROR: f:\winids\snort\etc\snort.conf(258) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.' I was going to change the path to 'f:\winids\snort\lib\snort_dynamicrules', but that directory doesn't exist. Any ideas?
  15. I'm at this step: 'Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)'. At this point there are two commands, the point of which seems to be to clear the blacklist and whitelist files that are included with Snort. Here's the first one: 'type NUL > d:\winids\snort\rules\black_list.rules' This actually creates a *new* file called 'black_list.rules', with no content (size zero). I think perhaps the intention was to clear the contents of the existing file, which is actually named 'blacklist.rules'. I don't see 'white_list.rules' or 'whitelist.rules', so the other command just creates an empty 'white_list.rules'.
  16. Look on Snort.org in the documentation section. There are usually a collection of different installs.
  17. That's the conclusion I came to as well, but I looked around in the tutorials and didn't see one that looked right. In my case, the Master will be on a 64-bit Linux server. Can you perhaps point me to the appropriate tutorial?
  18. This is a Slave install, and it requires a master sensor being installed. The natural order of things would be to install a Master. Then a slave would be installed into any remote network not directly connected to the Master sensor.
  19. I'm at the point in the tutorial where access to the master's MySQL server is tested. But the tool used (portqry) is nowhere to be found in the downloaded files (winids-cssp-x64.zip).
  20. I'm working through this tutorial and have hit a bit of a roadblock. Starting at 'Prepping the Windows Intrusion Detection System (WinIDS) Master Sensor', there seems to be an assumption that I already have mySQL installed, and that there's already a database called 'snort'. But I can't find anything in the tutorial about installing MySQL or creating that database or its tables. I checked the various scripts in the WinIDS package (winids-cssp-x64.zip), and didn't find anything there either. What am I missing?
  21. Windows Intrusion Detection System - Companion Add-On Tutorial
Installing Slave Sensor Rule Management Using PulledPork
Written by: Michael E. Steele
Get Support!

Introduction
This tutorial is a simple to understand, step-by-step tutorial for adding automated rule management using PulledPork into an existing Windows Intrusion Detection System (WinIDS) slave sensor.

Copyright Notice
This document is Copyright © 2002-2017 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help
All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides, and this is a FREE service. By request, there is a premium fee service available for one on one support. If you haven't acquired this tutorial directly from the winsnort.com website, then you most likely don't have the latest revision of this tutorial!

Operating System and Configuration Setup
All existing Windows Intrusion Detection Systems (WinIDS) are supported. This is how I've set up and tested PulledPork in my Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure.
Internet access to the outside: An internet connection to the outside is required for this tutorial to work.
It could take up to 45 minutes for the process to complete. We are working on a quicker way to do this using the existing support programs. Any help would be appreciated. There is a bottleneck extracting over 20k signatures using Perl for the process.
Install into any existing Windows Intrusion Detection System (WinIDS) slave sensor.
I'm installing the PulledPork rule management solution logged on as user 'Operator' with 'Administrator' privileges.
I'm installing the PulledPork rule management solution into the existing 'd:\winids' folder.
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

Prepping for the PulledPork Tutorial
Backing up the current Snort Installation
Open a CMD window and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.
The above procedure will create a backup of the original installation.

Acquiring your unique Oinkcode
In order for PulledPork to work you MUST open an account on the snort.org web-site, and acquire a unique Oinkcode. Once an account has been set up, 'Sign In' to the account, left-click your user login in the top right, under 'Accounts' left-click 'Oinkcode', and in the center under 'Oinkcode' your unique Oinkcode is in red. You will need this exact code to complete this tutorial, so write it down somewhere as it will need to be entered later on, and you can close the browser.

Downloading and extracting the WinIDS Companion Software Development Pack
This tutorial assumes one of the Windows Intrusion Detection System (WinIDS) tutorials was used to create the Windows Intrusion Detection System (WinIDS) that this tutorial is being implemented into. The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial. It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested, and found compatible with all the supported Windows Intrusion Detection System (WinIDS) tutorials.
Windows All: Download and save the 'WinIDS Companion Software Development Pack' to a temporary location.
Open an Explorer window and navigate to the location of the 'winids-csdp.zip' file, right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), and left-click 'OK'.

How to automatically update the rules using PulledPork
Installing PulledPork
During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network.
At the CMD prompt type 'unzip -oq d:\temp\pulledpork-0.7.2.zip -d d:\winids\pulledpork' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites
At the CMD prompt type 'cpan install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key.
It could take several minutes to install the Syslog module.

Configuring the existing Windows Intrusion Detection System (WinIDS)
Prepping the Rules
At the CMD prompt type 'del d:\winids\snort\rules\*.* /Q' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

Prepping the Configuration File
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Replace option in Notepad2 to Find and Replace the following sections below.
Original: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
Change to: # var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
In Step #7 replace ALL the 'include $RULE_PATH/...' lines with the next 3 lines below.
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
include $RULE_PATH/winids.rules
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Save the file, and eXit Notepad2.

Configuring PulledPork
At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to: rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|insert your unique oinkcode
Original Line(s): rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to: # rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Original Line(s): rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
Change to: # rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
Original Line(s): temp_path=/tmp
Change to: temp_path=d:\winids\pulledpork\temp
Original Line(s): rule_path=/usr/local/etc/snort/rules/snort.rules
Change to: rule_path=d:\winids\snort\rules\winids.rules
Original Line(s): local_rules=/usr/local/etc/snort/rules/local.rules
Change to: local_rules=d:\winids\snort\rules\local.rules
Original Line(s): sid_msg=/usr/local/etc/snort/sid-msg.map
Change to: sid_msg=d:\winids\snort\etc\sid-msg.map
Original Line(s): sid_changelog=/var/log/sid_changes.log
Change to: sid_changelog=d:\winids\snort\log\sid_changes.log
Original Line(s): black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
Change to: # black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
Original Line(s): IPRVersion=/usr/local/etc/snort/rules/iplists
Change to: # IPRVersion=/usr/local/etc/snort/rules/iplists
Original Line(s): snort_control=/usr/local/bin/snort_control
Change to: # snort_control=/usr/local/bin/snort_control
Original Line(s): # snort_version=2.9.8.0
Change to: snort_version=x.x.x.x
For this to work correctly, the Snort version and the rule set version MUST be in sync. If the Windows Intrusion Detection System is running Snort version 2_9_8_0, then the above must be 'snort_version=2.9.8.0'.
There are two 'Official Snort Rule sets' available for download:
Subscriber Release: There is an annual fee associated with this type of account. However, paid users are privy to the very latest in new and modified rules (Zero Day).
Registered User Release: There is no annual fee associated with this type of account. However, Registered account users are always 30 days behind in modified and new rules (no Zero Day).
Updating the rules is crucial for both of the above groups. However, there is a definite plus to becoming a 'Subscriber' (paid user). As a 'Subscriber' (paid user) the update process can be executed once every minute. For 'Registered' (non-paid) users the update process can only be run once every 15 minutes. Once the update session reaches the update server your session is logged, and if for whatever reason the update session ends before the new rule set is downloaded, 'Registered' (non-paid) users MUST wait 15 minutes before another session can be started. Your unique Oinkcode tells the rule set repository which rule set you belong to, and pushes the correct rule set.
By no means is this a lesson in rule updating. I can't state how IMPORTANT it is to read the documentation for PulledPork, and Snort. It is also IMPORTANT to join the Snort-users list, and the PulledPork-users list. The rules are the life blood of the Windows Intrusion Detection System (WinIDS).
Original Line(s):
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Change to:
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf
Original Line(s): # ips_policy=security
Change to: ips_policy=security
In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced, and security) that can be used. Change the above to your specific needs. Each policy has the Sourcefire recommended rules applied, and the 'ips_policy' switch is only an option. By placing a hash '#' (less the outside quotes) mark in front of the 'ips_policy' switch PulledPork will process the stock rules as they are.
Connectivity: Means "Connectivity over Security". Meaning this is a speedy policy for people that insist on blocking only the really known bad with no false positives.
Balanced: Means "Balanced between Connectivity and Security". Meaning that this is a good starter policy for everyone. It's quick, has a good base coverage level, and covers the latest threats of the day. The policy contains everything that is in Connectivity.
Security: Means "Security over Connectivity". Meaning that this is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it. Rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity, and Balanced.
Save the file, and eXit Notepad2.
If the Windows Intrusion Detection System (WinIDS) was monitoring prior to starting this tutorial, it should still be monitoring while PulledPork is updating the rules.
At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' (less the outside quotes), and tap the 'Enter' key.
The above procedure could take less than a minute to complete!
The below is displayed in the terminal window after a successful update.
Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!
Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

Testing the Snort configuration and rules
At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.
The current Snort run line will be displayed as an example below.
Snort is currently configured to run as a Windows service using the following command-line parameters: -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1
The above run line will need to be replaced in the procedure outlined below in red. Be SURE to use your own unique run line as the above is only an example.
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.
The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules that are passed to it and indicating that everything is ready to proceed. If all the tests are passed, the following is a confirmation that the snort configuration file is good.
Snort successfully validated the configuration!
Snort exiting
Do not continue until 'Snort successfully validated the configuration!' is displayed.
At the CMD prompt type 'net stop barnyard2 & net stop snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'net start snort & net start barnyard2' (less the outside quotes), and tap the 'Enter' key.
Snort will drop the old rule set from memory and grab the new rule set.

Verifying Barnyard2, and Snort is running as a process
It could take 1-2 minutes for the Barnyard2 process to display after restarting the process as it is on a delayed start.
Open a CMD window and type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.
The 'Windows Task Manager' starts; in the bottom left-click and check 'Show processes from all users' or left-click 'More Details', left-click the 'Details' tab, and in the 'Status' column 'Barnyard2.exe' and 'Snort.exe' should be listed as running. Do not proceed until both processes show to be running! eXit the 'Task Manager'.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
It may take several minutes for events to start showing up in the Windows Intrusion Detection System (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.
An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename the 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete.
If the updating process has been successful and the backup is no longer needed the below process will scrub the backup folder.
Open a CMD window and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In conclusion
Congratulations, you have just completed setting up your Windows Intrusion Detection System (WinIDS) to automatically update the rules. I hope this tutorial has been of great assistance.

Windows Intrusion Detection System (WinIDS) - Future Updating
Updating the rules and signatures
The rules should be updated frequently. New and modified rules are being added to the Subscriber's (paid) rule set, and rules are being moved from the Subscriber's rule set to the Registered rule set hourly or daily. It's important to keep the rule set updated to minimize exposure to inside/outside threats to your network.
During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network using the existing set of rules, as long as the Windows Intrusion Detection System continues to run. On the initial execution PulledPork downloaded the latest rules, and the corresponding MD5 file. On future updates PulledPork first retrieves the latest MD5 file for the rules, then compares that MD5 checksum with the existing rules tarball, and if the MD5 checksum does not match the new rules file is downloaded and processed. It only takes about 10-15 seconds to process the rules. The Windows Intrusion Detection System (WinIDS) is still monitoring under the old rules. At the end of the update it will take about 10 seconds to recycle the Windows Intrusion Detection System (WinIDS) in order to drop the old rules, and pick up the new rules.
If the Windows Intrusion Detection System (WinIDS) was monitoring prior to starting this tutorial, it should still be monitoring while PulledPork is updating the rules.
Open a CMD window and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.
The above procedure will create a backup of the original installation.
At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' (less the outside quotes), and tap the 'Enter' key.
The above procedure could take less than a minute to complete!
The below is displayed in the terminal window after a successful update.
Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!
Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.
If there was no update the CMD window can be closed, and this tutorial can be exited! Subscribers (paid) can check for rule set updates once every minute but Registered users are limited to once every 15 minutes. If you are a registered user and your rule set update fails instantly, there will be a 15 minute wait before the update can be run again.

Testing the Snort configuration and rules
At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.
The current Snort run line will be displayed as an example below.
Snort is currently configured to run as a Windows service using the following command-line parameters: -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1
The above run line will need to be replaced in the procedure outlined below in red. Be SURE to use your own unique run line as the above is only an example.
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.
The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules files that are passed to it and indicating that everything is ready to proceed. If all the tests are passed, the following is a confirmation that the snort configuration file is good.
Snort successfully validated the configuration!
Snort exiting
Do not continue until 'Snort successfully validated the configuration!' is displayed.
At the CMD prompt type 'net stop barnyard2 & net stop snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'net start snort & net start barnyard2' (less the outside quotes), and tap the 'Enter' key.
Snort will drop the old rule set from memory and grab the new rule set.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
It may take several minutes for events to start showing up in the Windows Intrusion Detection System (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.
An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename the 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete.
If the updating process has been successful and the backup is no longer needed the below process will scrub the backup folder.
Open a CMD window and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In conclusion
Congratulations, you have just completed setting up your Windows Intrusion Detection System (WinIDS) to automatically update the rules. I hope this tutorial has been of great assistance.

Optional Companion Documents
Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
How to update the Master Sensor rules, signatures, and sig-msg.map using PulledPork: This tutorial will show how to update the Master Sensor rules, signatures, and the sig-msg.map file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).
How to update the Slave sensor rules using PulledPork: This tutorial will show how to update the Slave Sensor rules using PulledPork on an existing Windows Intrusion Detection System (WinIDS).
How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS): This tutorial will show how to have user defined priority events sent to a Windows Application Log file and eMailed to user defined eMail accounts, on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog server: This tutorial will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).
How to install MySQL Tools into a MySQL enabled Windows Intrusion Detection System (WinIDS): This tutorial will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.
How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support: This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
How to build and deploy a passive Ethernet tap: This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection System (WinIDS) Major components
How to update the Snort Intrusion Detection Engine: This tutorial will show how to update the Windows Intrusion Detection System Snort Intrusion Detection Engine.
How to update the Rules, Signatures, and sig-msg.map file: This tutorial will show how to update the Windows Intrusion Detection System rules, signatures, and the 'sig-msg.map' file.
How to update the PHP General-Purpose Scripting Language: This tutorial will show how to update the Windows Intrusion Detection System PHP General-Purpose Scripting Language.

Debugging Installation errors
Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.
General problems
For general help, left-click the support button at the top of this tutorial, or manually navigate to the correct forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
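Added example, not part of the tutorial above or of PulledPork itself: a small Python checker that parses a pulledpork.conf and reports which of the tutorial's edits were left undone, namely an oinkcode placeholder still in an active rule_url, snort_version still commented out, left as x.x.x.x or out of sync with the running Snort, settings still pointing at the stock Unix paths instead of under d:\winids, Unix-only settings not commented out, and an ips_policy outside the three named policies. Both sample configurations are constructed for the example and the oinkcode in the second one is made up; the d:\winids root is the tutorial's default and can be overridden.

```python
import re

POLICIES = {"connectivity", "balanced", "security"}
# Settings the tutorial re-points from the stock Unix paths to folders under d:\winids.
PATH_KEYS = ("temp_path", "rule_path", "local_rules", "sid_msg", "sid_changelog",
             "enablesid", "dropsid", "disablesid", "modifysid")
# Settings the tutorial comments out because their Unix defaults do not apply on WinIDS.
UNIX_ONLY_KEYS = ("black_list", "IPRVersion", "snort_control")
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_conf(text):
    """Return the active (uncommented) key=value settings as {key: [values]}.
    rule_url legitimately appears more than once, so every key maps to a list."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def check_conf(text, running_version=None, install_root=r"d:\winids"):
    """Return a list of findings; an empty list means every tutorial edit is in place."""
    s = parse_conf(text)
    findings = []

    urls = s.get("rule_url", [])
    if not urls:
        findings.append("no active rule_url: PulledPork has nothing to download")
    for url in urls:
        parts = url.split("|")
        if len(parts) != 3:
            findings.append(f"rule_url must be url|tarball|oinkcode: {url}")
        elif "<" in parts[2] or " " in parts[2]:
            # '<oinkcode>' or the literal 'insert your unique oinkcode' text was left in place.
            findings.append(f"oinkcode placeholder not replaced in: {url}")

    versions = s.get("snort_version", [])
    if not versions:
        findings.append("snort_version is still commented out")
    elif not VERSION_RE.match(versions[-1]):
        findings.append(f"snort_version is not a real version: {versions[-1]}")
    elif running_version and versions[-1] != running_version:
        findings.append(f"snort_version {versions[-1]} != running Snort {running_version}")

    root = install_root.lower()
    for key in PATH_KEYS:
        for value in s.get(key, []):
            if value.startswith("/"):
                findings.append(f"{key} still points at the stock Unix path {value}")
            elif not value.lower().startswith(root):
                findings.append(f"{key} is outside {install_root}: {value}")

    for key in UNIX_ONLY_KEYS:
        if key in s:
            findings.append(f"{key} should be commented out on WinIDS")

    for policy in s.get("ips_policy", []):
        if policy not in POLICIES:
            findings.append(f"unknown ips_policy {policy!r}; use one of {sorted(POLICIES)}")
    return findings


# Constructed sample: the stock file before any of the tutorial's edits.
STOCK_CONF = r"""
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_changelog=/var/log/sid_changes.log
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# snort_version=2.9.8.0
"""

# Constructed sample: the same file after the tutorial's edits (the oinkcode is made up).
WINIDS_CONF = r"""
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
temp_path=d:\winids\pulledpork\temp
rule_path=d:\winids\snort\rules\winids.rules
local_rules=d:\winids\snort\rules\local.rules
sid_msg=d:\winids\snort\etc\sid-msg.map
sid_changelog=d:\winids\snort\log\sid_changes.log
# black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
snort_version=2.9.8.0
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf
ips_policy=security
"""

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("winids", WINIDS_CONF)):
        print(name, check_conf(conf, running_version="2.9.8.0") or "OK")
```

To check a real file, read it with `open(r"d:\winids\pulledpork\etc\pulledpork.conf").read()` and pass the running Snort version shown by `snort -V`.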
  22. There is a new tutorial specifically for the slave sensor. Some of the questions above will be moot by using the new tutorial.
Sourcefire determines which rules are activated for each of the three policies. Note: Rules are managed by using the 4 .conf files located in the pulledpork\etc folder. Read each file for a description. Never modify the winids.rules file at any time.
Winsnort.com does not furnish script files for automating the processing of the rules. However, this doesn't prevent users from posting their script/s.
PS - Yes, I did see the PM, and will get back to you on that. I'm being squeezed for time in other things right now.
  23. You failed to follow the tutorial, which is the reason for this problem. Stop barnyard2, stop Snort, delete everything in the snort/log folder, and restart.
  24. Hello, my AWS setup continues to progress. I've managed to get success (I think) in running the PulledPork tutorial; however, I do have some lingering questions that concern me where I needed to deviate from the tutorial instructions:
1.) I'm using a Linux MySQL instance for the database. The Apache2 server is also running on the Linux box. Not std for the Winsnort tutorial where it comments on IIS vs. Apache2 customizations. The first instruction in question is to delete all files from a directory structure that is not present on my WinIDS Snort slave install: C:\IDS\Apache24\htdocs\base\signatures\ The cmd to del all files in the dir does not bother me. After seeing the file path referenced in the pulledpork.conf file I created the file structure to accommodate the update process. I'm curious if these "signatures" are intended to be added somehow to the MySQL database via Apache? The front end I'm using, Snorby, has a listing of signatures that it pulls from the MySQL DB. The front end only reports the original 522 signatures. Any thoughts on how the concepts work for a standard WinIDS deployment? Does BASE have an updated sig count of 12000+ signatures after running PulledPork?
2.) When I ran the PulledPork cmd it seemed to go ok - the questions in the forums resolved some concerns - the downloaded signature files totaled 23,499 in the C:\IDS\Apache24\htdocs\base\signatures\ path. When running PulledPork with ips_policy=security the pp script determines that out of 30577 rules 12275 will be enabled and 18302 will be disabled. I'd like to know more as to why the script decides on which rules to enable / disable.
3.) This is the thing that is of highest concern to me - I know the OS environment for the tutorial was a Win 7 machine and I'm installing on the Server counterpart, 2008 R2, but there is a box toward the bottom of the tutorial that claims after restarting the Snort server that a Barnyard2 CMD window will just be running minimized in the taskbar area: "When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database." I don't think I missed any steps, but this is not going to happen in my current install - I'd like to know where I went wrong.
4.) Finally, my last question is concerning automating the PulledPork updating process. Can WINsnort.com endorse the practice of having a .bat file called by a scheduled task to execute the CMD below on a daily basis? If yes, why not include this in the PulledPork tutorial? Perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T
Thanks in advance for the feedback. JVinson
PS - @Mopheus - did you see my private message? Just wanted to confirm you did or not. Thanks.
  25. Well, configuration is validated, but now after restarting the system I get an error in barnyard2: warning can't extract timestamp extension from 'merged.log' using base 'merged.log'. I really don't know where to go from there; maybe I should do a fresh install (instead of an update from the old version) with the latest version (2990)? When I installed it initially I did not run into so many errors. Thank you
  26. It worked. But then I got another error on line 509, blacklist $BLACK_LIST_PATH/black_list.rules, because in the rules folder the black_list.rules file does not exist, it is now blacklist.rules, so I had to change it to blacklist $BLACK_LIST_PATH/blacklist.rules, and now the configuration was validated. Thank you again.
  27. The merged log file is where Barnyard2 gets the events from, and sends them to the specified database. The Waldo file is only created after Snort detects and logs the first event to the merged.log.<time stamp> file. The problem is that Snort has yet to detect any events from the setting specified in the snort.conf. There could be several reasons, but it's ALL related to Snort, which creates the logs. Try here