Welcome to the home of WinIDS - Windows Intrusion Detection System!
header

Thank you for visiting WINSNORT.com

32/64bit Windows Intrusion Detection System (WinIDS) Guided Install

Written by: Michael E. Steele

IIS 7.5 / 8 Web-Server
PostgreSQL Database Server

Last Date Revised: May 20, 2013

Introduction

When it comes to deploy an IDS (Intrusion Detection System), many network engineers automatically think of Snort. Why? First of all, it's a highly-capable full-featured Intrusion Detection System (that can even act as an Intrusion Prevention System with the appropriate tweaks). Second of all, it's completely free, both its binary and source code tree. Snort can also run in many platforms, including Linux, MS Windows and FreeBSD, so there are plenty of options to deploy this system.

However, installing the Windows Intrusion Detection System (WinIDS) with a production-ready setup always takes a while, moreover when you have to "discover" many things and solve many issues on your own in order to complete the setup. I've managed to get through that process in the Windows environment and now I'd like to share my process with you. During my research I found a lot of guides and blogs like this describing the installation process. Yet, none of them specifically detailed setting this up in a Windows environment, so I had to gather a lot of information and I had to generate some information as well.

Copyright Notice

This document is Copyright © 2002-2013 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in it's original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions MUST be directed to the support forums. This is a way to address the masses, instead of a single person.

If you haven't acquired this guide directly from the Winsnort.com website, then you most likely don't have the latest revision!

My setup is a classical Windows Intrusion Detection System (WinIDS) deployment:

The Snort detection engine will be running in passive mode, logging events to a unified2 log file.
Barnyard2 will be processing the Windows Intrusion Detection Systems (WinIDS) unified2 log files.
A PostgreSQL-driven database will store processed events/logs for further analysis.
Internet Information Services 7.5 / 8 web-server will drive the Windows Intrusion Detection Systems (WinIDS) analysis GUI console.
BASE will serve as the web-based Windows Intrusion Detection Systems (WinIDS) events analysis GUI console.

I have to say that even when this guided install is written to seamlessly integrate these tools, I've made my best at describing the installation process of each component as general as possible. This way, you can take important elements to develop your own setup integrating other tools.

Although I created this guide using a single computer, it's very easy to extend the deployment to multiple computers (multi-tier approach), each one in charge of one task (i.e. sensors, database server, web server).

Operating System and Configuration Setup

Supported 32/64bit operating systems for this Windows Intrusion Detection System (WinIDS) guided install

It is imperative that any of the supported Microsoft operating systems listed below have all the latest services packs and security updates installed from the Microsoft Windows update site. Failure to complete this task will most likely cause the Windows Intrusion Detection Systems (WinIDS) guided install to fail.

Windows XP Professional (SP3)
Windows 7 Professional (SP1)
Windows Server 2003 Standard Edition (SP2)
Windows Server 2008 Standard Edition (SP2)
Windows Server 2012 Standard Edition

Only the support Microsoft operating systems listed above have been thoroughly tested in both the 32bit and 64bit environments for this particular guided install. It is highly recommended to install the Windows Intrusion Detection System (WinIDS) on a fresh, clean Windows installation. Making sure all the latest service packs and security updates from the Microsoft update center have been installed.

This is how I've setup and tested the Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if you configuration is different. Failure to make the appropriate changes will most likely cause a failure.

I'll be using Windows XP Pro (SP3) 32bit, but any 32/64bit Version of Windows listed above in will do.
I've created a user named 'Operator', set the password to 'z1pp3r', and assigned user 'Operator' Administrative privileges.
I'm installing the complete Windows Intrusion Detection System (WinIDS) logged on as user 'Operator'.
I have 3GB of memory installed, but anything over 2GB should be fine, but the absolute minimum is 2GB (more is better).
I'm using two partitions - C: (System) with 300GB, and D: (WinIDS) with 1TB.
I'm installing the complete Windows Intrusion Detection System (WinIDS) into the 'd:\winids' folder.

Pre-installation Tasks

Downloading and extracting the 'Windows Intrusion Detection Systems (WinIDS) Software Pack'

Only use the files in the 'WinIDS - (32/64bit) Software Pack'. These files have been thoroughly tested in all the Windows Intrusion Detection Systems (WinIDS) guided installs. Using other files, not included in the appropriate Windows Intrusion Detection System (WinIDS) Software Pack will most likely cause the Windows Intrusion Detection System (WinIDS) guided install to fail. There may be more recent version of the support packages available, but they have either not been tested, or there is a problem which could cause the guided install to fail.

Depending on the processors architecture download the appropriate 'WinIDS - (32/64bit) Software Pack' below!

32bit: Download The 'WinIDS - 32bit Software Pack' to 'd:\' drive.

64bit: Download The 'WinIDS - 64bit Software Pack' to 'd:\' drive.

Open a CMD window and type 'd:\winids-sp-xxx-xx.xx.xx.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'winids-sp-xxx-xx.xx.xx.exe' filename with the actual filename that was downloaded to the 'd:\' drive from above.

The WinIDS self-extracting archive wizard appears, in the 'Destination folder' dialog box type 'd:\temp' (less the outside quotes), left-click 'Extract', in the 'Enter password' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK' allowing all the Windows Intrusion Detection Systems (WinIDS) files to be extracted to the 'd:\temp' folder, and the WinIDS self-extracting archive wizard automatically closes.

System configuration changes

At the CMD prompt type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key.

Do not proceed until the above script has rebooted the system, and this could take several minutes.

The modder.vbs file preforms several tasks:

Turns 'UAC' off for Windows 7, Server 2008, and Server 2012
Installs 'Microsoft .NET Framework 4.0' for Windows XP, and Server 2003
Installs 'IP Version 6' for Windows XP, and Server 2003
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Inserts 'winids' hostname to hosts file
Sets 'Hidden Files' as off in registry
Sets 'Show File Extensions' as on in registry
Sets 'Visual Effects' as minimal in registry
Reboots system

I strongly suggest after the reboot, the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security miss configurations. Each issue should be resolved prior to starting this guided install.

Installing the Basic Windows Intrusion Detection System (WinIDS)

Installing WinPcap

Open a CMD window and type 'd:\temp\WinPcap_4_1_3.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'WinPcap_4_1_3.exe' filename with the actual filename located in the 'd:\temp' folder.

If the 'Program Compatibility Assistant' appears, left-click 'Run the program without getting help'.

The WinPcap installation wizard appears, left-click 'Next', left-click 'Next', left-click the 'I Agree' button, make SURE the 'Automatically start the WinPcap driver at boot time' is checked, left-click install, and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_4_6_Installer.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'Snort_2_9_4_6_Installer.exe' filename with the actual filename located in the 'd:\temp' folder.

The Snort installation wizard appears, left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list, the 'Index' number is important, and will need to be remembered for later use in the guided install. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.

There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

After verifying active network traffic, eXit the web browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

If no traffic is passing through the CMD window, and there was multiple Network Interface Cards listed, try another 'Index' number.

Do not proceed until network traffic is being displayed in the CMD window.

Installing Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-2941.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

In the above replace the 'snortrules-snapshot-2941.tar.gz' filename with the actual filename located in the 'd:\temp' folder.

Installing Strawberry Perl

32bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'strawberry-perl-5.14.2.1-32bit.msi' filename with the actual filename located in the 'd:\temp' folder.

64bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'strawberry-perl-5.14.2.1-64bit.msi' filename with the actual filename located in the 'd:\temp' folder.

The Strawberry Perl installation wizard appears, left-click 'Next', left-click the 'I accept the terms...' radio button, left-click 'Next', in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), left-click 'Next', left-click 'Install', left-click and uncheck the 'Read README file.' radio box, and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites

Open a CMD window and type 'perl -MCPAN -e shell' (less the outside quotes), and tap the 'Enter' key.

At the 'cpan' CMD prompt type 'install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key.

In the above command, it will take several minutes to preform the install.

At the 'cpan' CMD prompt type 'quit' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Windows 7

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Uninstall or Change a program' control panel opens, under 'Control Panel Home', left-click 'Turn Windows features on or off'. In the 'Turn Windows features on or off' expand 'Internet Information Services', to the left of 'Web Management tools' left-click the radio box (it may only turn blue), to the left of the 'World Wide Web Services left-click check the radio box (it may only turn blue), expand 'World Wide Web Services', expand 'Application Development Features', left-click and check all features, except 'Server-Side Includes', left-click 'OK' allowing windows to make changes, and eXit the 'Uninstall or Change a program' control panel.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Server 2008

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Uninstall or Change a program' control panel opens, under 'Control Panel Home', left-click 'Turn Windows features on or off', and the 'Server Manager' opens. In the 'Server Manager' window, scroll down to Roles Summary, and left-click 'Add Roles'. The 'Add Roles Wizard' starts, and left-click 'Next' opening the 'Select Server Roles page'. Left-click the select box to the left of 'Web Server (IIS)', and left-click 'Next'. At the 'Web Server (IIS)' page left-click 'Next'. At the 'Select Role Services' page scroll down and expand 'Application Development'. Left-click the select box to the left of 'Application Development' selecting all server roles. To the left of 'Server Side Includes' left-click unselecting 'Server Side Includes', and lefgt-click 'Next'. At the 'Confirm Installation Selections' page left-click 'Install', left-click 'Close', exit the 'Server Manager', and exit 'Programs and Features'.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 8 - Server 2012

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens, left-click 'Turn Windows features on or off'. The 'Server Manager' opens, and the 'Add Roles and Features Wizard' opens. At the 'Before you begin' selection window, Left-click 'Next'. At the 'Select installation Type' selection window, left-click 'Next'. At the 'Select destination server' selection window, left-click 'Next'. At the 'Select server roles' selection window under 'Roles' scroll down left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' windows opens, left-click 'Add Features', and left-click 'Next'. At the 'Select features' selection window, left-click 'Next'. At the 'Web Server Role (IIS)' selection window, left-click 'Next'. At the 'Select roles services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm installation selections' selection window, left-click 'Install' allowing IIS to complete the features installation, left-click 'Close', eXit 'Programs and Features', and eXit the 'Server Manager'.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Installing the Windows Intrusion Detection Systems (WinIDS) Security Console

BASE is used for the Windows Intrusion Detection Systems (WinIDS) Security Console, and is security analysis web tool. It is a tiny application which only task is to display/report Snort events. Windows Intrusion Detection Systems (WinIDS) Security Console uses a database backend to get the data. This database is the same database that will get directly populated by Snorts output database routine.

At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'base-1.4.5.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing Barnyard2

Barnyard2 will run and reside in a terminal window located in the Windows taskbar on boot. Barnyard2 is in charge of parsing and processing Snort's unified2 log files sending them to a specified destination (where they will be used for security analysis and monitoring) such as, a database server. As Barnyard2 runs independently of Snort, it doesn't need to process the logs/alert in real time, that is, at the same time that Snort generates them. Barnyard2 only needs to keep track of how many events it has processed at a given time. For this purpose, Barnyard2 uses a "waldo" file, where it saves the name of the log/alert file being process, and the offset within the log/alert file.

Barnyard2 is capable of processing Snorts Unified2 log files. For this guided install, Barnyard2 will be sending processed unified2 log data to a PostgreSQL database backend server.

At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-2-1.13.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'barnyard2-2-1.13.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing PostgreSQL Database Server

32bit: At the CMD prompt type 'd:\temp\postgresql-9.2.3-1-windows.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'postgresql-9.2.3-1-windows.exe' filename with the actual filename located in the 'd:\temp' folder.

64bit: At the CMD prompt type 'd:\temp\postgresql-9.2.3-1-windows-x64.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'postgresql-9.2.3-1-windows-x64.exe' filename with the actual filename located in the 'd:\temp' folder.

The PostgreSQL Database server installation wizard appears, left-click 'Next', in the 'Installation Directory' dialog box type 'd:\winids\postgresql' (less the outside quotes), left-click 'Next', in the 'Data Directory' dialog box it should already be populated with 'd:\winids\postgresql\data' (less the outside quotes), left-click 'Next', in the 'Password' dialog box for user 'postgres' type 'd1ngd0ng' (less the outside quotes), in the 'Retype password' dialog box type 'd1ngd0ng' (less the outside quotes), left-click 'Next', the listening port dialog box is populated with '5432', left-click 'Next', the 'Locale' pulldown select box is populated with '[Default local]', left-click 'Next', left-click 'Next' allowing the installation to complete, untick the 'Launch Stack Builder at exit?' select box, and left-click 'Finish'.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb518a.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'adodb518a.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing PHP

At the CMD prompt type 'unzip -oqq d:\temp\php-5.4.15-nts-Win32-VC9-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'php-5.4.15-nts-Win32-VC9-x86.zip' filename with the actual filename located in the 'd:\temp' folder, and it has '-nts-' in the filename.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

Information about the sid-msg.map file:

The 'sid-msg.map' file essentially maps the Rule MSG alert name to the sid number assigned to the rule.

This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database.

Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid.

Without the 'sid-msg.map' being read by barnyard2, the events in the database will show up only as gid:sid. (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will also show events from all new rules as gid:sid. (1:2133 for example).

At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring the Snort Detection Engine

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

The home network variable below defines the network you wish to monitor, like the local LAN segment for instance It is set by specifying one or more networks in the form of a CIDR.

The IP address below is fictitious and must be changed to the correct IP Address and CIDR that reflects the actual network that the Windows Intrusion Detection System (WinIDS) will be monitoring.

Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example, Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct range of internal network addresses that Windows Intrusion Detection System (WinIDS) will need to monitor.

Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s): include classification.config
Change to: include d:\winids\snort\etc\classification.config

Original Line(s): include reference.config
Change to: include d:\winids\snort\etc\reference.config

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Original Line(s): include threshold.conf
Change to: include d:\winids\snort\etc\threshold.conf

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch. This will start Snort in self-test mode for configuration and rule file testing.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s): max_execution_time = 30
Change to: max_execution_time = 60

Original Line(s): error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to: ; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s): ;include_path = ".;c:\php\includes"
Change to: include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s): ; extension_dir = "ext"
Change to: extension_dir = "d:\winids\php\ext"

Original Line(s):; cgi.force_redirect = 1
Change to:cgi.force_redirect = 0

Original Line(s): ; extension=php_gd2.dll
Change to: extension=php_gd2.dll

Original Line(s): ; extension=php_pgsql.dll
Change to: extension=php_pgsql.dll

Original Line(s): ;date.timezone =
Change to: date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.

Original Line(s): ;session.save_path = "/tmp"
Change to: session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring Internet Information Services for PHP

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key.

The 'Internet Information Services (IIS) Manager' opens, in the left pane under 'Connections' expand servername.

If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...' left-click 'No'.

Under 'Connections' expand Sites, left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Handler Mappings', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears and left-click 'Yes'.

In the 'Handler Mappings' under the 'Enabled' section there will be a new 'PHP' entry in the 'Name' column, highlight and right-click 'PHP', left-click 'Edit...', and Verify all three dialog box settings match what was entered above, left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager'.

Do not proceed until the 'Handler Mappings' for PHP have been set correctly!'

At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing Internet Information Services, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

Do not proceed until all the above paths are correct!

eXit the web-browser.

At the CMD prompt type 'del d:\winids\inetpub\wwwroot\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

 [SNORT_SERVICE] Attempting to install the Snort service.

 [SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE

 [SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\

 [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following as a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring the PostgreSQL Database Server

At the CMD prompt type 'notepad2 d:\winids\postgresql\data\pg_hba.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):

host    all             all             127.0.0.1/32            md5

Change to:

host    all             all             127.0.0.1/32            trust
host    all             all               x.x.x.x/24            trust

In the above, replace the 'x.x.x.x' to your networks IP address scheme.

Save the file, and eXit Notepad2.

At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes) and tap the 'Enter' key.

A 'Windows Security Alert' warning dialog box may appear stating 'Windows firewall may have blocked some features of this program', left-click 'Cancel'.

Creating the Windows Intrusion Detection System Databases

At the CMD prompt type 'd:\winids\postgresql\bin\psql -U postgres' (less the outside quotes) and tap the 'Enter' key.

At the 'Password for user postgres: " prompt type 'd1ngd0ng' (less the outside quotes) and tap the 'Enter' key.

Key presses will not echo the charecters!

At the 'postgres=# ' prompt type 'create database archive;' (less the outside quotes) and tap the 'Enter' key.

At the 'postgres=# ' prompt type 'create database snort;' (less the outside quotes) and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Authenticated Users

At the 'postgres=# ' prompt type 'create user snort with password 'l0gg3r';' (less the outside quotes) and tap the 'Enter' key.

At the 'postgres=# ' prompt type 'create user base with password 'an@l1st';' (less the outside quotes) and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Database Tables

At the 'postgres=# ' prompt type '\connect archive;' (less the outside quotes) and tap the 'Enter' key.

At the 'archive=# ' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes) and tap the 'Enter' key.

At the 'archive=# ' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'archive=# ' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'archive=# ' prompt type '\i d:/temp/base_user.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'archive=# ' prompt type '\connect snort;' (less the outside quotes) and tap the 'Enter' key.

At the 'snort=# ' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes) and tap the 'Enter' key.

At the 'snort=# ' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'snort=# ' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'snort=# ' prompt type '\i d:/temp/snort_user.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'snort=# ' prompt type '\i d:/temp/base_user.sql;' (less the outside quotes) and tap the 'Enter' key.

At the 'snort=# ' prompt type '\q' (less the outside quotes) and tap the 'Enter' key.

Confirming PostgreSQL and Snort are operational

At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts, left-click the 'Processes' tab, in the 'Image name' category there should be a 'snort.exe', and several instances of 'postgres.exe' listed as a process.

Do not proceed until the processes above are running!

eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'tartool d:\temp\opensource.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.

The above command may take a few minutes to complete as its moving several thousand files.

At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s): $BASE_urlpath = '';
Change to: $BASE_urlpath = 'http://winids';

Original Line(s): $DBlib_path = '';
Change to: $DBlib_path = 'd:\winids\adodb5';

Original Line(s): $DBtype = '?????';
Change to: $DBtype = 'postgres';

Original Line(s):

$alert_dbname   = 'snort_log';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'mypassword';

Change to:

$alert_dbname   = 'snort';
$alert_host     = 'winids';
$alert_port     = '';
$alert_user     = 'base';
$alert_password = 'an@l1st';

Original Line(s):

$archive_exists   = 0; # Set this to 1 if you have an archive DB
$archive_dbname   = 'snort_archive';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'mypassword';

Change to:

$archive_exists   = 1; # Set this to 1 if you have an archive DB
$archive_dbname   = 'archive';
$archive_host     = 'winids';
$archive_port     = '';
$archive_user     = 'base';
$archive_password = 'an@l1st';

Original Line(s): $use_referential_integrity = 0;
Change to: $use_referential_integrity = 1;

Original Line(s): $show_rows = 48;
Change to: $show_rows = 90;

Original Line(s): $show_expanded_query = 0;
Change to: $show_expanded_query = 1;

Original Line(s): $colored_alerts = 0;
Change to: $colored_alerts = 1;

Original Line(s): $priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s): // $graph_font_name = "Verdana";
Change to: $graph_font_name = "Verdana";

Original Line(s): $graph_font_name = "DejaVuSans";
Change to: // $graph_font_name = "DejaVuSans";

Original Line(s): //$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to: $Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a CMD window and type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.

At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.

At the next prompt tap the 'Enter' key.

At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

At the CMD prompt type 'pear install Image_Color-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Image_Color-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Image_Canvas-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Image_Canvas-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Image_Graph-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Image_Graph-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Log-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Log-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Math_BigInteger-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Math...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Numbers_Roman-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Numbers_Roman-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Numbers_Words-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Numbers_Words-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Mail-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Mail-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Mail_Mime-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Mail_Mime-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key.

Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring IIS for the Windows Intrusion Detection Security Console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key.

The 'Internet Information Services (IIS) Manager' opens, in the left pane under 'Connections' expand servername.

If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...' left-click 'No'.

Under servername left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Default Document', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add...', in the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), left-click 'OK'.

In the 'Default Document' under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.

Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):

config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

Change to:

config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): # output database: alert, postgresql, user=snort dbname=snort
Change to: output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

Running the above batch file will cause Barnyard2 to start up in self-test mode, checking all the supplied command line switches that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Snort exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded configuration file, eXited Snort, and closed the connection to database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The 'auto-barnyard.reg' file contains the run line for Barnyard2.

The Registry Editor selection box opens and asks; 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

After the reboot open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

It may take a little while to start seeing events in the Windows Intrusion Detection Systems (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

Congratulations, you have just completed setting up your first complete Windows Intrusion Detection System (WinIDS), and I hope this guided install has been of great assistance.

At this point you are done with this guided install, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'.

This includes:

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
Configure a system, such as PulledPork to auto-update the Windows Intrusinon Detection Systems (WinIDS) rules and signatures.

Security Issues

Lets review what has happens so far:

All support programs, including 'IIS 7.5/8' have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents

Be SURE to check out the other 'Companion Documents' located in the WinIDS Guided Installs area of 'WINSNORT.com' to enhance your Windows Intrusion Detection System (WinIDS).

Manually updating the rules, signatures, and sig-msg.map file
This guided install will show how to manually update the rules, signatures, and the 'sig-msg.map' file on an existing Windows Intrusion Detection System (WinIDS).

Automatically updating the rules, signatures, and sig-msg.map file using PulledPork
This guided install will show how to automatically update the rules, signatures, and the 'sig-msg.map' file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

Installing an eMail alerting client (EventWatchNT)
This guided install will show how to send user defined priority events sent to a Windows Application Log file being eMailed to user defined eMail accounts, on an existing Windows Intrusion Detection System (WinIDS).

Sending events to a remote Unix Syslog Server
This guided install will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).

Installing MySQL Tools as an add-in to a MySQL enabled Windows Intrusion Detection System (WinIDS)
This guided install will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.

Compiling Barnyard2 on Windows using Cygwin
This guided install will show how to manually or automatically compile your very own copy of Barnyard2 on any modern Windows system.

Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

General problems

Please visit the support forums if you have problems.

Places of interest

Websites	Users Mailing Lists	Support Programs	Security tools and info
Snort Home Page Snort FAQ Snort Users Manual Official Snort Blog Site Snort-users list archive Snort.conf Configurations PulledPork and Flowbits	Barnyard2-users pulledpork-users Snort-announce Snort-users Snort-sigs Snort-devel	BASE Home Page Barnyard2 Home Page MySQL Home Page PostgreSQL Home Page PulledPork Home Page MySQL Tools PHP Home Page ADODB Home Page WinPcap Home Page Apache2 Home Page	XP Security Checklist NSA Securing XP

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Me: : michaels@winsnort.com
Our Support Forums - www.winsnort.com
Snort: Open Source Network IDS - www.snort.org

7352 total words in this text | 3737 reads

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters.
All the rest Copyright © 2001-2013 Dynamic Data Solutions - Terms of use :: Privacy policy
This web site was made with Zikula, a web portal system written in PHP. Zikula is Free Software released under the GNU/GPL license.