My issue is that I am struggling to figure out how to make this happen within the context of your guide.  Any help that anyone could give me would be greatly appreciated.  

 I have also seen bridging NICS can sort of lead to a similar result, but I wasn't sure if that was a viable option.

I get the following error:

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

There is no change here!?  Would I be correct in changing to the 'Change to:' section to this?

include $PREPROC_RULE_PATH d:\winids\snort\etc\preprocessor.rules

include $PREPROC_RULE_PATH d:\winids\snort\etc\decoder.rules

include $PREPROC_RULE_PATH d:\winids\snort\etc\sensitive-data.rules

Or is there a different path for these rules?

Thank You!

Jeffegg

let me say first : I'm really a novice in all the sense of the world, that aside I have fallow every single part of the tutorial triple check all setting but I'm still getting that error, the weird part is that the test.php is successful but after I finish the tutorial and went to http://winidis/ I get the directory and http://winids/base_main.php I get error 500, I check in the IIS and notice the directory browsing was enable so I turn it off and I got error 403.

so to sum it up:

with Directory browsing disable http://winidis/ give me = error 403 + error 500 on http://winids/base_main.php

with Directory browsing enable http://winidis/ give me = get the page on the attachment + error 500 on http://winids/base_main.php

thx in advance;

ATT: Raymer Rodríguez

Edit:  forgot to mention i check the forum for my tutorial and read all post but still no dice
Edit 2: I try to reinstall the whole configuration and testing and went I was around the Pear process I notices the warning and is asking me to run a regedit entry as well as it only install 3 out the 11  PEAR packages (it install it all of them the first time  I run it) (did run the update after I notice the msg and still same result).

I finished the tutorial. Snort, baryard2 and sql looks OK, but when i try to "http://winids/" i can't connect to the DB

I checked base_conf.php and it looks good.

Any help?

Thank you!

base_conf.php

Is there the way that can scan all PC's in the network.

I mean that i see traffic only for my PC IP 192.168.1.161 but i wanna see other PC's traffic.

Thank you.

However I get this when I type http://winids (cut off like that):

nk_field_string, $add_button_string) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1398 PHP Warning: Declaration of ICMPFieldCriteria::Description() should be compatible with ProtocolFieldCriteria::Description($human_fields) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1438 PHP Warning: Declaration of ICMPFieldCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1438 PHP Warning: Declaration of DataCriteria::PrintForm() should be compatible with MultipleElementCriteria::PrintForm($field_list, $blank_field_string, $add_button_string) in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_citems.inc.php on line 1634 PHP Fatal error: Uncaught Error: Cannot use string offset as an array in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_common.inc.php:47 Stack trace: #0 D:\WinIDS\inetpub\wwwroot\base\base_main.php(60): InitArray('', 1, 3, '') #1 {main} thrown in D:\WinIDS\inetpub\wwwroot\base\includes\base_state_common.inc.php on line 47

Exactly cut off like that.

Any ideas?

I've created a portscan.log file since did not exist

Also my php.ini does not have a extension=php_mysql.dll but a extension=php_mysqli.dll with an i. Probably because it's the latest version.

Windows 10 64bit, Firefox or Internet Explorer, barnyard and snort services running

BTW This is the most comprehensive install tutorial I've seen

Edit 1

After some double checking I realized that the Barnyard2 service is running (svrany) but not the barnyard2.exe. I am now launching barnyard2.exe manually with the following command:

barnyard2.exe -c d:\winids\barnyard2\etc\barnyard2.conf -d c:\snort\log -f merged.log -l d:\winids\barnyard2 -w c:\snort\log\barnyard.waldo

which works fine. The IIS still does not work!

Thank you for the amazing tutorial! I searched and found another user with this same issue I'm having in the posts.He said he modified the VB script and the only vb script I saw was modder.vbs - and it was true it referenced drive d: throughout. I use drive c so I modified that script, BUT still no luck.

c:\winids\activators\by2-test returns success as it should: (I think)

>c:\winids\barnyard2\barnyard2.exe -c c:\winids\barnyard2\etc\barnyard2.conf -d c:\winids\snort\log -f merged.log -l c:\winids\barnyard2 -w c:\winids\snort\log\barnyard.wald
Running in Test mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "c:\winids\barnyard2\etc\barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [32768]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second

[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database

database: compiled support for (postgresql)
database: configured to use mysql
database: schema version = 107
database:           host = winids
database:           user = snort
database:  database name = snort
database:    sensor name = WinIDS-Home
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 337)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

There is nothing in event viewer referencing this crash.

when I try net start baryard2:

C:\>net start barnyard2
The Barnyard2 service is starting.
The Barnyard2 service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

Is there anywhere else to look? Does anyone have any ideas?

Thank you in advance!

~Blaine

I'm following the tutorial to install WinSnort on Windows 7 x64. I've reached the part "Configuring the MySQL Database Server". When I try creating the snort database it does not seem to take the command when I tap the 'Enter' key as shown below.

C:\Users\idsid>mysql -u root -pd1ngd0ng
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.6.23-log MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database snort
    -> create database archive
    -> show databases
    ->

Do you have any suggestions?

Thank you.

d:\>d:\winids\activators\by2-test

d:\>d:\winids\barnyard2\barnyard2.exe -c d:\winids\barnyard2\etc\barnyard2.conf
-d d:\winids\snort\log -f merged.log -l d:\winids\barnyard2 -w d:\winids\snort\l
og\barnyard.waldo -T
Running in Test mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "d:\winids\barnyard2\etc\barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

WARNING: invalid Reference spec 'url,'. Ignored
WARNING: invalid Reference spec 'url,'. Ignored
WARNING: invalid Reference spec 'url,'. Ignored
WARNING: invalid Reference spec 'url,'. Ignored
Barnyard2 spooler: Event cache size set to [32768]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database mysql_error: Unknown MySQL server host 'winids' (8)
Barnyard2 exiting
database: Closing connection to database "snort"

Hello everyone

When checking the verification of the following link Do not load http: //winids/test.php, I do not load the browser page and it stays blank

Is this error due?
Who can help me with the subject?

This is the message of the navigate
  Internet Explorer can not display the webpage
   
    You can try the following:
     Diagnose connection problems

Where I have a fundamental problem is that no traffic/alerts are going into BASE and on closer inspection found nothing is going into the MySQL database.

SNORT appears to be running ok, its scanning the traffic and logs are created (alert.ids, portscan.log and snort.log) and all have data.  The SNORT configuration check also comes back ok. A test rule has been setup so that port 80 traffic generates an alert.

Where I think the problem lies is with BARNYARD, the configuration test comes back ok, but when its run it states that it can not find the waldo file. 

From looking at some of the forums and other documentation there should be two log files that are required merge.log and barnyard.waldo, neither of these appear to exist.

I have gone through the instructions again and checked all of the modifications needed for the various config files, while I found a few typos there was nothing I could find related to this issue.

Appreciate if you can offer any help.

snort.conf

barnyard2.conf

php.ini

base_conf.php

barnyard output.txt

snort.conf

WARNING:  No preprocessors configured for policy 0.

I went back through the snort.config file and I think it's correct.  Is this usual?

Thanks, linda

i get this error when i am at the last step of the tutorial

Re-installing the os is not a option right now.

Thanks!

i joind capture page. help me again

i config well under these steps ,but failed until i can't access the page:  http://winids/test.php .

i used the guide " IIS Web Server logging events to a MySQL Database "

my OS is windows 10 proffessional.

pls help me ,thanks!

I completed the installation of WinSnort on Windows 7 64bit using the tutorial. After the machine rebooted, I started a browser session to http://winids and got this error:

The website cannot display the page
 
  HTTP 500
    
Most likely causes:
•The website is under maintenance.
•The website has a programming error.
 

I was careful to validate each step before moving to the next. I revisited the steps under "Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console" and confirmed them. The PHP test passed successfully.

Do you have any suggestion?

Thank you.

1. The snort package has been updated, and the tutorial link to version 2.9.7.6 returns a file not found message. I went ahead and downloaded version 8.0 instead.

2. Perl is not added to the environment PATH and hence will only execute from its home directory.

3. 2 of the signature files will cause McAfee to quarantine them as Exploit-InvCSS Trojans. They are 18174.txt and 18175.txt. I did return them from "exile". 

Other than that, I look forward playing with it.

I also noticed the \sources\sxs folder does not exist on the CD (e:\). Do I need to use one of the versions specified in the tutorial?