All Activity

  4. Go back to the section below and do it over: 'Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console'. If that fails, then zip up all the files in the Windows\System32\inetsrv\config folder and attach them. Also attach the php.ini file.
  5. New installation, and right now I'm at the point where the IIS and PHP installation is tested. The tutorial states to run TEST.PHP but I'm getting this error:

HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.

Most likely causes:
The user authenticated by the Web server does not have permission to open the file on the file system.
If the resource is located on a Universal Naming Convention (UNC) share, the authenticated user may not have sufficient share and NTFS permissions, or the permissions on the share may not match the permissions on the physical path.
The file is encrypted.

Things you can try:
Open File Explorer and check the ACLs for the file that is being requested. Make sure that the user accessing the Web site is not being explicitly denied access, and that they do have permission to open the file.
Open File Explorer and check the ACLs for the share and the physical path. Ensure that both ACLs allow the user to access the resource.
Open File Explorer and check the encryption properties for the file that is being requested. (This setting is located in the Advanced attribute properties dialog.)
Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.

Detailed Error Information:
Module: CgiModule
Notification: ExecuteRequestHandler
Handler: PHP
Error Code: 0x80070005
Requested URL: http://winids:80/test.php
Physical Path: d:\winids\inetpub\wwwroot\base\test.php
Logon Method: Anonymous
Logon User: Anonymous

More Information:
The user trying to access the page was successfully logged on, but the user does not have permission to access the resource. This means the access control list (ACL) for the resource either does not include the user or explicitly denies the user. Check the ACL for the resource and add the user to the ACL. If the content is located on a share, ensure both NTFS and share permissions allow the user access. It is also possible that the user is part of a group that is denied access.
Microsoft Knowledge Base Articles: 907273 332142
  6. The wrapper password for winids-cssp-x64 is not working. Thank you.

    1. Morpheus

       All fixed...

  7. LOL! Thank You! I didn't even notice the Hash Tags. Slaps Forehead with palm of hand . . . .
  8. I am editing the snort.conf file with Notepad2 and I am confused by this section of the tutorial for the x64 MySQL install:

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

There is no change here!? Would I be correct in changing the 'Change to:' section to this?

include $PREPROC_RULE_PATH d:\winids\snort\etc\preprocessor.rules
include $PREPROC_RULE_PATH d:\winids\snort\etc\decoder.rules
include $PREPROC_RULE_PATH d:\winids\snort\etc\sensitive-data.rules

Or is there a different path for these rules? Thank you! Jeffegg
  9. No you don't need to do anything. What you are seeing is correct. I made an error in the tutorial and have since corrected it. Check out the tutorial, and it should match your install.
  10. Hi, thanks for replying that everything is fixed, but I apologize for being dense: I am not sure what to do next to fix my Barnyard2 installation so that Snort does show 'exiting'. I downloaded the latest WinIDS Barnyard2 Software Development Pack, winids-b2sdp.zip. Do I unzip it and use the barnyard2.master.zip in place of the other builds? Do I need to start over and redo my installation? Is there another file I should download? Thanks for all your help! Bob
  11. Hi, in the tutorial it shows this:

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Snort exiting
database: Closing connection to database "snort"

*********************

I ran the test:

Barnyard2 spooler: Event cache size set to [32768]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database: compiled support for (postgresql)
database: configured to use postgresql
database: schema version = 107
database: host = winids
database: user = snort
database: database name = snort
database: sensor name = WinIDS-Home
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

--== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 337)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

This is what my configuration showed at the end of the test:

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Does it have to say "Snort exiting" to show that the Barnyard2 configuration is good? If so, what do I need to check to make the Barnyard2 test work correctly? Thanks for your help, Bob
  12. I already tried to add that rule to local.rules, but the same error "ERROR: 1 alerts have NOT found their way into acid_event with sid = 4" still appears.
  13. No, I didn't add that rule to my local.rules file, because that rule is already active in preprocessor.rules in the folder d:\winids\snort\preproc_rules. What I did was configure my snort.conf file: I deleted the # on this line and changed the host IP address:

# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.43.79 f0:0f:00:f0:0f:00

I generate the alert using Angry IP Scanner to scan the IP address and port address. Thank you so much.
  14. What is the process you used, and I'll check it on another build. Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?
  15. Sorry to bother you all. I'm trying to check ARP spoofing on my WinIDS system, so I activated the preproc rule used to detect ARP spoofing. The rule looks like this:

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

and it works: it shows and gives an alert on Barnyard2 & Visual Syslog Server. It gives an alert like this:

05/16-13:31:06.553294 [**] [112:4:1] spp_arpspoof: ARP Cache Overwrite Attack [**]

but the alert can't be shown on BASE; it gives an error on BASE. The error looks like this:

"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:776: ERROR: 3 alerts have NOT found their way into acid_event with sid = 4"
"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:521: ERROR: Alert "4 - 9618" could NOT be found in acid_event"

What should I do to fix the error and make the alert show on BASE? Thank you so much - Fahmi
  16. Thank you. I already made sure that my settings are right like that. Do you have any suggestion for malware/attacker software to test the WinIDS system? I already tried attacking using the Beast trojan and my WinIDS system didn't show any alert. Thank you so much for your help.
  17. Thank you, but when I try checking my WinIDS system using Angry IP Scanner it doesn't give any alert. I tried to IP scan the computer that has the WinIDS security console installed using Angry IP Scanner, but WinIDS doesn't give any alert. What should I do to make my IDS detect any attack, especially with ICMP packets? Thank you so much for your help.
  18. Thank you, I already tried that, and it works: it gives many UDP and ICMP alerts. So what should I do next? Do I have to delete test.rule from snort.conf? Because it gives thousands of alerts.
  19. Hello everyone, sorry to bother you. I'm following the tutorial "Installing an Apache2 Web Server logging events to a MySQL Database" by Morpheus on my computer using Windows 10 and it works; I can access 'http://winids' in my browser. But I realized that my WinIDS console doesn't show any alert for ICMP and UDP packets, so what do I need to do to make the WinIDS security console work with ICMP and UDP packets? Thank you so much.
  20. Windows Intrusion Detection System - Companion Add-On Tutorial
Logging Events to a Remote Syslog Server
Written by: Michael E. Steele

Introduction
This tutorial is a simple to understand, step-by-step tutorial for logging events from a Windows Intrusion Detection System (WinIDS) to a remote Windows or UNIX Syslog Server.

Copyright Notice
This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help
All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support. If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

How to use this guide
This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

An existing Windows Intrusion Detection System (WinIDS) using one of the tutorials, either a stand alone Windows Intrusion Detection System (WinIDS), or a remote Windows Intrusion Detection System (WinIDS).

It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.
Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator
In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial
Assumptions being made prior to starting the tutorial:
An existing Windows Intrusion Detection System (WinIDS) has been installed.
A Windows or UNIX Syslog Server has been installed on the remote PC.
The IP address is known of the remote PC where the Syslog Server has been installed.
The Syslog listening port is known on the remote Syslog Server (suggest 514).
The status of the listening port for the remote Syslog Server MUST be open for connections.

Testing for an open listening port on the remote Syslog Server
From the Windows Intrusion Detection System (WinIDS) go to the 'You Get Signal' website. Replace the local IP address with the IP Address of the remote Syslog Server in the 'Remote Address' dialog box. In the 'Port Number' dialog box type the listening port number of the remote Syslog Server, and left-click 'Check'.
*** If the above response is closed then do not proceed until the status is open. ***

Configuring the Windows Intrusion Detection System (WinIDS) for Remote Syslog logging

Configuring Snort to include Syslog logging
Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):
# output alert_syslog: LOG_AUTH LOG_ALERT

Change to:
output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT

Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP Address of the remote Syslog Server, and the PORT above reflects the listening port of the remote Syslog Server. Now save the file and eXit Notepad2.

Testing the Snort configuration file
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list, the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Configuring the Snort service run line for the Syslog Server logging
At the CMD prompt type 'net stop snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'snort /SERVICE /SHOW' (less the outside quotes), and tap the 'Enter' key.
The output display will be the full run line that Snort uses in the startup, and might look like the below:

Snort is currently configured to run as a Windows service using the following command-line parameters:
-c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1

At the CMD prompt type 'snort /SERVICE /UNINSTALL' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort service was successfully removed from the services database.

[SNORT_SERVICE] Attempting to uninstall the Snort service.
[SNORT_SERVICE] Successfully removed registry keys from: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully removed the Snort service from the Services database.

The new Snort auto start configuration line needs to be added that contains the switch to turn on the option to log all events to the Syslog Server. The Snort run line that should be entered below should be exactly what was displayed when the snort /SERVICE /SHOW command was run previously, except adding ' -s' (less the outside quotes) to the end.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort service was successfully added to the services database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Services database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort auto start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion
At this point, it could take several minutes before seeing events arriving in the remote Syslog Server.

Optional Companion Documents
Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
This tutorial will show how to install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.

How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).

How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).

How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support.
This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.

How to build and deploy a passive Ethernet tap.
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine.
This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.

How to update the Rules, Signatures, and sig-msg.map file.
This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.

Debugging Installation errors
Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues
For general problem issues that pertain to this specific tutorial, left-click the community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback
I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
  21. I have updated the tutorial on installing a local Syslog Server. It was a major revision and has been tested.
  22. I already opened the URL but it shows that port 514 is closed, so after that I adjusted my firewall to allow TCP and UDP for port 514. But after I check the port forwarding test, port 514 is still closed. What should I do? Or must I do something with the VSS? Thank you so much, and have a nice day.
  23. On the PC with VSS go to this URL. The IP address will be displayed and populated in the Remote Address dialog box. Just add port 514 to the Port Number dialog box, and left-click 'Check'. This will check to make sure the VSS port is open. If the port is not open then you will need to adjust the firewall to allow TCP/UDP traffic for port 514.
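The remote Syslog tutorial above (item 20) stops once Snort is sending alerts with 'output alert_syslog: host=IP:PORT, LOG_AUTH LOG_ALERT'. The parser below is an added example, not part of the tutorial or of the WinIDS project: it shows what those messages look like on the receiving side, decodes the syslog PRI back into the configured facility and severity, splits the Snort alert body into gid/sid/rev, message, classification, priority and IPv4 endpoints, tolerates preprocessor events such as the arpspoof alert discussed in this thread (which carry no IP addresses), and counts alerts per signature so a noisy test rule stands out. The sample lines, the process id and the sid 1000001 are constructed; the body layout assumed is Snort's alert_syslog format and is limited to IPv4 addresses.

```python
import re
from typing import Optional

# RFC 3164 priority: PRI = facility * 8 + severity. The tutorial's snort.conf line
# "output alert_syslog: host=IP:PORT, LOG_AUTH LOG_ALERT" therefore sends PRI 33.
FACILITY = {1: "LOG_USER", 4: "LOG_AUTH", 10: "LOG_AUTHPRIV", 16: "LOG_LOCAL0"}
SEVERITY = {0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
            4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG"}

# "<PRI>timestamp host snort[pid]: body" as the remote server receives it.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snort(?:\[\d+\])?: (?P<body>.*)$")
# Body: "[gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} a:p -> b:q".
# Everything after msg is optional: preprocessor events such as the arpspoof
# alert in this thread carry no IP header. Assumption: IPv4 addresses only.
BODY_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?(?: \[Priority: (?P<prio>\d+)\])?"
    r"(?: \{(?P<proto>[A-Z]+)\}(?: (?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?)?)?$")
INT_FIELDS = ("gid", "sid", "rev", "prio", "sport", "dport")


def parse_snort_syslog(line: str) -> Optional[dict]:
    """Parse one received syslog line; None for lines that Snort did not send."""
    h = HEADER_RE.match(line.strip())
    b = BODY_RE.match(h.group("body")) if h else None
    if not h or not b:
        return None
    fac, sev = divmod(int(h.group("pri")), 8)   # undo PRI = fac * 8 + sev
    alert = {"timestamp": h.group("ts"), "host": h.group("host"),
             "facility": FACILITY.get(fac, f"facility{fac}"),
             "severity": SEVERITY.get(sev, f"severity{sev}")}
    for key, val in b.groupdict().items():
        alert[key] = int(val) if key in INT_FIELDS and val is not None else val
    return alert


def matches_configured_plugin(alert: dict) -> bool:
    """True when PRI decodes to the LOG_AUTH LOG_ALERT pair set in snort.conf."""
    return alert["facility"] == "LOG_AUTH" and alert["severity"] == "LOG_ALERT"


def count_by_signature(lines) -> dict:
    """Alerts per (gid, sid): a flood from one sid points at a noisy test rule."""
    counts = {}
    for line in lines:
        a = parse_snort_syslog(line)
        if a is not None:
            counts[(a["gid"], a["sid"])] = counts.get((a["gid"], a["sid"]), 0) + 1
    return counts


# Constructed sample input, not real captures from the forum thread.
SAMPLE_LINES = [
    "<33>May 16 13:31:06 winids snort[2208]: [1:1000001:1] TEST ICMP ping "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.43.10 -> 192.168.43.79",
    "<33>May 16 13:31:06 winids snort[2208]: [112:4:1] spp_arpspoof: ARP Cache Overwrite "
    "Attack [Classification: Potentially Bad Traffic] [Priority: 2]",
    "<33>May 16 13:31:07 winids snort[2208]: [1:1000001:1] TEST ICMP ping "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.43.10 -> 192.168.43.79",
    "<38>May 16 13:31:07 winids sshd[400]: Accepted password for bob",  # not Snort
]
```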