This is the latest Windows Intrusion Detection System Core Software Support Pack and is required for all Windows Intrusion Detection Systems (WinIDS) installs. The Windows Intrusion Detection System (WinIDS) Core Software Support Pack has been password protected.

Wrapper Password: w1nsn03t.c0m

Note: It is highly recommended that the SHA-1 value listed below matches the SHA-1 value of the downloaded Windows Intrusion Detection System (WinIDS) Software Support Pack.

SHA-1 Hash value: B21B37E70191AA061BB16F4A5DDFC00677E30DBA

What's New in Version 1.27.2026
Updates to this Core software Pack:
MySQL has been updated from 8.0.44 to 8.0.45

What's New in Version 1.10.2026
Updates to this Core software Pack:
Apache2 has been updated from 2.4.65-250724 (vs17) to 2.4.66-260107 (vs18)
FastCGI ASF module from 2.3.10 (vs17) to 2.3.10 (vs18)
Npcap has been updated from 1.85 to 1.86
Visual C++ x86/x64 updated from 2015-2022 to 2017-2026

What's New in Version 12.24.2025
Updates to this Core software Pack:
Updated all the scripts
PHP has been updated from 8.4.50 to 8.5.1

What's New in Version 11.21.2025
Updates to this Core software Pack:
PostgreSQL has been updated from 18.0 to 18.1
PHP has been updated from 8.4.13 to 8.5.0
Npcap has been updated from 1.83 to 1.84

What's New in Version 10.22.2025
Updates to this Core software Pack:
MySQL has been updated from 8.0.43 to 8.0.44
PHP has been updated from 8.4.13 to 8.4.14

What's New in Version 10.2.2025
Updates to this Core software Pack:
PostgreSQL has been updated from 17.6 to 18.0
PHP has been updated from 8.4.11 to 8.4.13
Strawberry Perl has been updated from 5.41.2.1 to 5.42.0.1

What's New in Version 7.30.2025
Updates to this Core software Pack:
MySQL has been updated from 8.0.42 to 8.0.43
PHP has been updated from 8.4.10 to 8.4.11
Apache2 has been updated from 2.4.65-250207 to 2.4.65-250724
Barnyard2 recompiled for Database update/s

What's New in Version 4.23.2025
Updates to this Core software Pack:
MySQL has been updated from 8.0.41 to 8.0.42
PHP has been updated from 8.4.3 to 8.4.6
Barnyard2 recompiled for Database update/s

What's New in Version 2.22.2025
Updates to this Core software Pack:
PostGreSQL has been updated from 17.3 to 17.4
Npcap has been updated from 1.80 to 1.81
Barnyard2 recompiled for Database update/s

What's New in Version 2.14.2025
Updates to this Core software Pack:
PostGreSQL has been updated from 17.2 to 17.3
PHP has been updated from 8.4.3 to 8.4.4
Barnyard2 recompiled for Database update/s

What's New in Version 2.10.2025
Updates to this Core software Pack:
Added a PowerShell script to update the rules from the desktop or by silent scheduling, with optional email reporting

What's New in Version 1.24.2025
Updates to this Core software Pack:
Updated Modder from Visual Basic to PowerShell
Updated VS C++ to latest 2015-2022
PostGreSQL has been updated from 16.3 to 17.2
MySQL has been updated from 8.0.40 to 8.0.41
PHP has been updated from 8.3.7 vs16 to 8.4.3 vs17
npcap has been updated from 1.79 to 1.80
Strawberry Perl has been updated from 5.38.1.1 to 5.40.0.1
Apache has been updated from 2.4.55 VS17 to 2.4.62 VS17

What's New in Version 4.8.2024
Updates to this Core software Pack:
VC_redist_2015-2022.x64 has been updated from 14.38.33133 to 14.38.33135 (Required for Apache2)

What's New in Version 2.28.2024
Updates to this Core software Pack:
PostGreSQL has been updated from 16.1 to 16.2
PHP has been updated from 8.2.10 to 8.3.3
Strawberry Perl has been updated from 5.38.1.1 to 5.38.2.2

What's New in Version 1.22.2024
Updates to this Core software Pack:
MySQL has been updated from 8.0.35 to 8.0.36
Npcap has been updated from 1.78 to 1.79

What's New in Version 11.18.2023
Updates to this Core software Pack:
PostGreSQL has been updated from 15.5 to 16.1
ADOdb has been updated from 5.22.6 to 5.22.7
npcap has been updated from 1.77 to 1.78

What's New in Version 9.5.2023
Updates to this Core software Pack:
PostGreSQL has been updated from 15.3 to 15.4
PHP has been updated from 8.2.8 to 8.2.10

What's New in Version 7.22.2023
Updates to this Core software Pack:
MySQL has been updated from 8.0.33 to 8.0.34
Npcap has been updated from 1.75 to 1.76

What's New in Version 5.16.2023
Updates to this Core software Pack:
PostGreSQL has been updated from 15.2 to 15.3

What's New in Version 4.30.2023
Updates to this Core software Pack:
MySQL has been updated from 8.0.31 to 8.0.33

What's New in Version 2.15.2023
Updates to this Core software Pack:
PostGreSQL has been updated from 10.23 to 15.2

What's New in Version 1.22.2023
Updates to this Core software Pack:
MySQL has been updated from 8.0.30 to 8.0.31
Apache has been updated from 2.4.54 VS16 to 2.4.55 VS17

What's New in Version 11.13.2022
Updates to this Core software Pack:
PostgreSQL has been updated from 10.22 to 10.23

What's New in Version 8.18.2022
Updates to this Core software Pack:
MySQL has been updated from 8.0.29 to 8.0.30
PostgreSQL has been updated from 10.21 to 10.22

What's New in Version 6.22.2022
Updates to this Core software Pack:
MySQL has been updated from 8.0.28 to 8.0.29
PostgreSQL has been updated from 10.20 to 10.21

Kindest Regards,
Winsnort.com Management
How to Install a Windows Intrusion Detection System (WinIDS) Running IIS and logging events to a local PostgreSQL Database
Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
Last Date Revised: July 22, 2023
Written by: Michael E. Steele

Introduction

Take Note: Winsnort has phased out support for the 32bit architecture.

During my research and development for the past 20 plus years I've found a lot of tutorials, including blogs, describing the installation process for the UNIX environment, but nothing specifically detailed for setting up an intrusion detection system in a Windows environment. These tutorials give all the basic instructions on how to create a complete and all-inclusive standalone Windows Intrusion Detection System (WinIDS), including remote sensors. This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, in a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

The goal of these tutorials was not just to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine, known as Snort, but to understand how all the parts work together and to get a deeper understanding of all the components so that troubleshooting and modifying the Windows Intrusion Detection System (WinIDS) can be completed with confidence.

If there are any doubts about which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2003-2025 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved and this copyright notice is maintained. Other requests for distribution will be considered.
Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Get Support

All general support questions related to a specific tutorial MUST be directed to the specific forum for that particular tutorial. If there is any confusion just click on the 'Get Community Support' button at the top of each tutorial to get transported to the correct forum! There is a Client Only Lounge where all advanced questions/problems not related to the general installation of any of the tutorials should be posted. By request, there is a premium fee service available for one-on-one support, including remote installs. If this tutorial has not been directly acquired from the winsnort.com website, then it is most likely not the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment

Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported Windows operating systems listed below. If this is a commercial installation and Windows 10 or Windows 11 is a requirement, it is recommended that the Windows Enterprise LTSC (Long Term Servicing Channel) version is used.
With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices, holding back features that could be updated with new functionality, including Edge. Make note that all in-box Universal Windows apps are not included in the LTSC channel updates. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period.

The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don't need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See LTSC: What is it and when it should be used.

Windows x64 10 Professional / LTSC
Windows x64 11 Professional / LTSC
Windows x64 Server 2016 Standard Edition
Windows x64 Server 2019 Standard Edition
Windows x64 Server 2022 Standard Edition
Windows x64 Server 2025 Standard Edition

All the operating systems listed above have been tested using this tutorial. However, any other Windows operating system under the same framework will most likely work.

Major support programs used in this install

Npcap allows 3rd party applications such as Snort to capture and transmit network packets, bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, forwarding the events on to a PostgreSQL database.
Pulledpork automates the rule updating process.
Strawberry Perl is everything needed to run Perl scripts (.pl) and applications such as PulledPork.
ADOdb allows the same code to be used when accessing a wide range of databases.
The PostgreSQL-driven database stores processed events from Barnyard2 for analysis.
Microsoft's Internet Information Services (IIS) will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
NSSM is the Non-Sucking Service Manager, used to start Barnyard2 as a service.

History of Internet Information Services (IIS)

IIS 10.0 - included with Workstation 10, 11, Server 2016, 2019, 2022 and 2025

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any version of Windows listed above is highly recommended. All available Service Packs and updates MUST be applied from the Microsoft Download Center. For this tutorial there are two disks: C:/ (Disk1 - System) with 300GB and D:/ (Disk2 - WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).

Disk1: This is where the Windows operating system will be installed and should not require more than 100GB of space.
Disk2: This is where the Windows Intrusion Detection System will be installed and will require at least 1TB of space as a starting point.
Note: For Disk2 more space is always recommended for future growth.

The default installation paths are hard coded into this tutorial and are also hard coded into some of the install scripts.
If the default installation path for the Windows Intrusion Detection System is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder, then the appropriate changes will need to be made to this tutorial and possibly to any script that might need to be run in order to accommodate the non-standard folder locations. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the core Windows Intrusion Detection Systems (WinIDS) Software Support Pack

It is imperative to only use the files included in the 'WinIDS - Core Software Support Pack' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.

Download the 'WinIDS - Core Software Support Pack'.

Open File Explorer and navigate to the location of the 'winids-core.zip' file, right-click the 'winids-core.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK' and exit File Explorer.

Downloading additional and required support files for this tutorial

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - Core Software Support Pack' were extracted.

npcap-1.86: Download and save the file to the d:\temp folder.
Snort 2.9.20: Download and save the file to the d:\temp folder.
There are two items that are mandatory and require access to a registered account on the snort.org website. Without these two items the Windows Intrusion Detection System (WinIDS) will fail.

Item 1: Open a browser, navigate to the snort.org website and either create an account or sign into an account that has already been created. Once signed in, on the left menu there is an 'Oinkcode' button; select it and a window opens displaying the Oinkcode that is linked to the signed-in account. Either write that code down exactly as displayed or copy and paste it somewhere for later retrieval. That same code will be displayed every time the account is signed into. There is a regenerate button which, if selected, will remove the old Oinkcode and replace it with a new Oinkcode. If a new Oinkcode is generated then it must be changed in the pulledpork.conf file in order to continue getting new rules.

Item 2: Sign into the snort.org website if not already signed in. Minimize the browser to the task bar but do not sign out. Continue to the next download (snortrules-snapshot-29200). Once the download is complete the browser can be closed. Note: If the account is not signed into and active from the same place the download is initiated, the download will fail.

snortrules-snapshot-29200: Download and save the file to the d:\temp folder.
Pulledpork 8.0: Download and save the file to the d:\temp folder.
Strawberry Perl 5.42.0.1: Download and save the file to the d:\temp folder.
PostgreSQL Database 18.1-1: Download and save the file to the d:\temp folder.
PHP 8.5.1 NTS (VS17): Download and save the file to the d:\temp folder.
ADOdb 5.22.11: Download and save the file to the d:\temp folder.
nssm 2.24: Download and save the file to the d:\temp folder.
Installing the Modder files

The modder file performs several tasks:
Disables User Account Control (UAC)
Installs Microsoft Visual C++ x86/x64 (VS18) 2017-2026
Installs Notepad2
Installs scripts and Tools
Installs 7zip
Inserts 'winids' hostname into the hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into the User ENV to suppress the CYGWIN warning message when starting Barnyard2
Excludes '.rules' in Defender (seen as a virus)
Sets TCP/IPv4 as the default protocol
Sets Show File Extensions and Hidden Files
Reboots the system

At the Windows Desktop press Win + R to open the Run dialog box. In the Run dialog box type 'cmd' (less the outside quotes) and then press CTRL+SHIFT+ENTER to open a command window as Administrator.
At the CMD prompt type 'd:\temp\modder.bat' (less the outside quotes) and tap the 'Enter' key.
Allow the script to automatically reboot the system! DO NOT INTERVENE!

Installing the Windows Intrusion Detection System (WinIDS)

Installing Npcap

Open a CMD window and type 'd:\temp\npcap-1.86.exe' (less the outside quotes) and tap the 'Enter' key.
The 'License Agreement' window opens; left-click 'I Agree'.
The 'Installation Options' window opens; make sure the only checked select box is 'Install Npcap in WinPcap API-compatible Mode' and left-click 'Install'.
The 'Installation Complete' window opens; left-click 'Next'.
The 'Finished' window opens; left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_20_Installer.x64.exe' (less the outside quotes) and tap the 'Enter' key.
The 'License Agreement' window opens; left-click 'I Agree'.
The 'Choose Components' window opens; left-click 'Next'.
The 'Choose Install Location' window opens; in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes) and left-click 'Next'.
The install completes with 'Completed'; left-click 'Close'.
The install finishes with 'Snort has been successfully installed.'; left-click 'OK'.

Installing Strawberry Perl

At the CMD prompt type 'd:\temp\strawberry-perl-5.42.0.1-64bit.msi' (less the outside quotes) and tap the 'Enter' key.
The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens; left-click 'Next'.
The 'End-User License Agreement' window opens; left-click to check the 'I accept the terms...' check box and left-click 'Next'.
The 'Destination Folder' window opens; in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes) and left-click 'Next'.
The 'Ready to install Strawberry Perl..' window opens; left-click 'Install'.
The 'Install Strawberry Perl..' window opens; allow the install to complete and left-click 'Next'.
The 'Completed the Strawberry Perl...' window opens; uncheck the 'Read README file.' check box and left-click 'Finish'.
At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.
Open a CMD window and type 'cpan install Sys::Syslog' (less the outside quotes) and tap the 'Enter' key.

Installing Pulledpork

At the CMD prompt type '7z x d:\temp\pulledpork-master.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'ren d:\winids\pulledpork-master pulledpork' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes) and tap the 'Enter' key.

Installing PHP

At the CMD prompt type '7z x d:\temp\php-8.5.1-nts-Win32-vs17-x64.zip -od:\winids\php' (less the outside quotes) and tap the 'Enter' key.

Installing Internet Information Services

At the CMD prompt type 'd:\winids\scripts\iis-install.bat' (less the outside quotes) and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type '7z x d:\temp\base.zip -od:\winids\wwwroot\base' (less the outside quotes) and tap the 'Enter' key.
Installing Barnyard2

At the CMD prompt type '7z x d:\temp\barnyard2-2.1.14-b337.zip -od:\winids\barnyard2' (less the outside quotes) and tap the 'Enter' key.

Installing the PostgreSQL Database Server

At the CMD prompt type 'd:\temp\postgresql-18.1-1-windows-x64.exe' (less the outside quotes) and tap the 'Enter' key.
The 'Setup - PostgreSQL' window opens; left-click 'Next'.
The 'Installation Directory' window opens. In the dialog box type 'D:\winids\postgresql\18' (less the outside quotes) and left-click 'Next'.
The 'Select Components' window opens. In the list of selected components uncheck 'Stack Builder' and left-click 'Next'.
The 'Data Directory' window opens. The dialog box should already be populated with 'D:\winids\postgresql\18\data' (less the outside quotes); left-click 'Next'.
The 'Password' window opens. In the 'Password' dialog box type 'd1ngd0ng' (less the outside quotes) and tap the 'TAB' key. In the 'Retype password' dialog box type 'd1ngd0ng' (less the outside quotes), tap the 'TAB' key and left-click 'Next'.
The 'Port' window opens. The listening port dialog box should already be populated with '5432'; left-click 'Next'.
The 'Advanced Options' window opens. The 'Locale' pull-down select box should already be populated with 'DEFAULT' (less the outside quotes); left-click 'Next'.
The 'Pre Installation Summary' window opens. Verify all the pre-selected settings below are correct and left-click 'Next'.
Installation Directory: D:\winids\postgresql\18
Server Installation Directory: D:\winids\postgresql\18
Data Directory: D:\winids\postgresql\18\data
Database Port: 5432
Database Superuser: postgres
Operating System Account: NT AUTHORITY\NetworkService
Database Service: postgresql-x64-18
Command Line Tools Installation Directory: D:\winids\postgresql\18
pgAdmin4 Installation Directory: D:\winids\postgresql\18\pgAdmin 4
Installation Log: C:\Users\*\AppData\Local\temp\install-postgresql.log

The 'Ready to Install' window opens; left-click 'Next', allowing the installation to complete.
The 'Completing the PostgreSQL Setup Wizard' window opens; left-click 'Finish'.

Installing ADODB

At the CMD prompt type '7z x d:\temp\adodb-5.22.11.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'ren d:\winids\adodb-5.22.11 adobd5' (less the outside quotes) and tap the 'Enter' key.

Verifying Snort is detecting Network traffic

Snort monitors traffic on a specific NIC and Npcap assigns Index numbers to every NIC. This procedure will determine which Index number Snort is attached to, so write it down as it will be needed several times for testing and final configuration!

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address                               Device Name                                        Description
-----  ----------------   ----------                               -----------                                        -----------
1      20:41:53:59:4E:FF  disabled                                 \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}  RAS Async Adapter
2      00:0C:29:27:2C:1F  0000:0000:fe80:0000:0000:0000:e0ef:e77d  \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}  Intel(R) PRO/1000 MT Network Connection
3      00:00:00:00:00:00  disabled                                 \Device\NPF_Loopback                                Adapter for loopback traffic capture

Note: There may be several Network Interface Cards listed.
Snort needs to know which Index number is attached to the NIC that is monitoring the network traffic.

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

There should now be multiple packets passing through the CMD window (example packet below). If there is no traffic passing through, then open a web browser and generate some web traffic. If there is still no traffic passing through, then activate the CMD window, press CTRL/C to stop the Snort process and try another Index number.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If all Index numbers have been exhausted then there could be a couple of issues:
No Internet connection
NIC not compatible
NIC drivers need updating
Wrong Index number configured (snort -v -ix)

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

After verifying the Index number, exit the web browser, activate the CMD window and press the CTRL/C keys to stop the Snort process, exiting back to the CMD prompt. Do not proceed until network traffic has been displayed in the CMD window.

Processing task dependencies pre Snort configuration

At the CMD prompt type '7z x d:\temp\snortrules-snapshot-29200.tar.gz -od:\temp' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type '7z e d:\temp\snortrules-snapshot-29200.tar -aoa -od:\winids\snort\etc etc\*.*' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'del d:\temp\snortrules-snapshot-29200.tar /Q' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH/# include \$RULE\_PATH/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key. This comments out every 'include $RULE_PATH' line in snort.conf; the rule files that are actually needed are re-enabled in the configuration steps below.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\winids.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'copy d:\winids\scripts\local.rules d:\winids\snort\rules\local.rules' (less the outside quotes) and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment or segments of the Windows Intrusion Detection System (WinIDS) network that need monitoring and to set the correct CIDR/s.
Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
# var PREPROC_RULE_PATH ../preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $RULE_PATH/local.rules
Change to:
include $RULE_PATH/local.rules

Just below the line 'include $RULE_PATH/local.rules', add the next three lines.
include $RULE_PATH/winids.rules
include $RULE_PATH/white_list.rules
include $RULE_PATH/black_list.rules

Save the file and exit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
This will test the Snort configuration and, depending on the resources used and/or available, it could take several minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' appears.

Now to test a rule. Scrolling up through the output from the Snort configuration test in the CMD window should show 1 Snort rule read, as shown in the example below.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

At the CMD prompt type 'd:\winids\snort\bin\snort -A console -q -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

Once Snort has started with the above command, go to another computer or open another CMD window and ping the IP of the interface that Snort is listening on. Output similar to the below should appear in the CMD window if the ping was successful.
02/02-14:25:23.413383 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:28.037797 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:33.038644 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:38.041163 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
*** Caught Int-Signal

Note: If the ping is not successful, check the HOME_NET setting in the snort.conf file to make sure it has been configured correctly. Do not proceed until the ping has been detected!

Activate the CMD window and press CTRL/C to exit back to the CMD prompt.

Note: After the above ping test was successful the rule that generated the events must be disabled. If the rule is not disabled the database will fill up with millions of useless events.

At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH\/local.rules/# include \$RULE\_PATH\/local.rules/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

Configuring Pulledpork

At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|x

Note: Insert your unique Oinkcode into the x position above.
Original Line(s):
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to:
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Original Line(s):
temp_path=/tmp
Change to:
temp_path=d:/winids/pulledpork/temp

Original Line(s):
rule_path=/usr/local/etc/snort/rules/snort.rules
Change to:
rule_path=d:/winids/snort/rules/winids.rules

Original Line(s):
local_rules=/usr/local/etc/snort/rules/local.rules
Change to:
local_rules=d:/winids/snort/rules/local.rules

Original Line(s):
sid_msg=/usr/local/etc/snort/sid-msg.map
Change to:
sid_msg=d:/winids/snort/etc/sid-msg.map

Original Line(s):
sid_changelog=/var/log/sid_changes.log
Change to:
sid_changelog=d:/winids/snort/log/sid_changes.log

Original Line(s):
block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
Change to:
# block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

Original Line(s):
IPRVersion=/usr/local/etc/snort/rules/iplists
Change to:
# IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s):
snort_control=/usr/local/bin/snort_control
Change to:
# snort_control=/usr/local/bin/snort_control

Original Line(s):
# snort_version=2.9.0.0
Change to:
snort_version=2.9.20.0

Original Line(s):
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Change to:
enablesid=d:/winids/pulledpork/etc/enablesid.conf
dropsid=d:/winids/pulledpork/etc/dropsid.conf
disablesid=d:/winids/pulledpork/etc/disablesid.conf
modifysid=d:/winids/pulledpork/etc/modifysid.conf

Original Line(s):
# ips_policy=security
Change to:
ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced and security) that can be used. Change the above to your specific needs.
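The ping test earlier in this section produces one console alert per ICMP packet, and the note that follows it warns that a test rule left enabled will flood the database. The following is an added example, not part of the WinIDS tutorial or of Snort itself, that parses Snort's '-A console' output format as shown above and reports how often each rule fires, so a runaway rule can be spotted before it reaches the database. The sample lines are constructed to match the ping-test output; the function names are the example's own.

```python
"""Parse Snort '-A console' alert lines and summarise them per rule.

Added example for the WinIDS ping test; not part of the tutorial or Snort.
The sample output below is constructed to match the console format shown.
"""
import re
from collections import Counter
from datetime import datetime

# One console alert line, e.g.
# 02/02-14:25:23.413383 [**] [1:10000001:1] ICMP test detected [**]
#   [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: the four ping-test alerts plus the Ctrl-C line.
SAMPLE_CONSOLE_OUTPUT = """\
02/02-14:25:23.413383 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:28.037797 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:33.038644 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:38.041163 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
*** Caught Int-Signal
"""


def parse_alert(line):
    """Return a dict for one alert line, or None for non-alert output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    # Snort prints no year; the rest of the stamp is enough to order and time alerts.
    alert["time"] = datetime.strptime(alert["ts"], "%m/%d-%H:%M:%S.%f")
    return alert


def parse_console_output(text):
    """Parse every alert line in captured console output, skipping everything else."""
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def alerts_per_rule(alerts):
    """Count alerts per (gid, sid) so a single noisy rule stands out."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def alerts_per_minute(alerts):
    """Average alert rate over the captured window (0.0 if fewer than two alerts)."""
    if len(alerts) < 2:
        return 0.0
    times = sorted(a["time"] for a in alerts)
    span = (times[-1] - times[0]).total_seconds()
    return 60.0 * len(alerts) / span if span > 0 else 0.0


def noisy_rules(alerts, max_count):
    """Rules that fired at least max_count times in the captured window."""
    return {rule: n for rule, n in alerts_per_rule(alerts).items() if n >= max_count}


if __name__ == "__main__":
    alerts = parse_console_output(SAMPLE_CONSOLE_OUTPUT)
    print(f"{len(alerts)} alerts, {alerts_per_minute(alerts):.1f} per minute")
    for (gid, sid), n in alerts_per_rule(alerts).items():
        print(f"rule {gid}:{sid} fired {n} times")
```

Feed it a file saved from the CMD window (or pipe Snort's console output into it) and a rule that keeps firing at the rate of a ping, roughly 16 alerts per minute in the sample, is an immediate signal that the test rule still needs to be commented out of snort.conf as the tutorial instructs.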
Each policy has the Sourcefire recommended rules applied, and the 'ips_policy' switch is only an option. By placing a hash '#' (less the outside quotes) mark in front of the 'ips_policy' switch, Pulledpork will process the stock rules as they are.

Connectivity: Means "Connectivity over Security". This is a speedy policy for people that insist on blocking only the really known bad with no false positives.

Balanced: Means "Balanced between Connectivity and Security". This is a good starter policy for everyone. It's quick, has a good base coverage level and covers the latest threats of the day. The policy contains everything that is in Connectivity.

Security: Means "Security over Connectivity". This is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it, rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity and Balanced.

Save the file and eXit Notepad2.

Rule activation and testing with Pulledpork

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes) and tap the 'Enter' key.

This will not only test the Pulledpork configuration file, but will also install the latest ruleset. Depending on the resources used and/or available, it could take several minutes to process. If the test passed, the following is the confirmation that the Pulledpork configuration file passed and the rules were successfully installed.

Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Do not proceed until 'Fly Piggy Fly!' has appeared.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x will be substituted with the Index number of the monitoring NIC.

Pulledpork modified and added new rules, and Snort will need to test the new rules to verify there are no errors. The following is the confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' has appeared.

Configuring PHP

At the CMD prompt type 'mkdir d:\winids\php\logs' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.

At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key. Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
;error_log = php_errors.log
Change to:
error_log = d:\winids\php\logs\php_errors.log

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php"

Original Line(s):
;extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;cgi.force_redirect = 1
Change to:
cgi.force_redirect = 0

Original Line(s):
;extension=gd
Change to:
extension=gd

Original Line(s):
;extension=gmp
Change to:
extension=gmp

Original Line(s):
;extension=pgsql
Change to:
extension=pgsql

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.
Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file and eXit Notepad2.

Configuring IIS for PHP and the Windows Intrusion Detection Systems security console

At the CMD prompt type 'c:\windows\system32\inetsrv\inetmgr' (less the outside quotes), tap the 'Enter' key and the 'Internet Information Services (IIS) Manager' opens. If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...', left-click 'No'.

Setting up FastCGI for the WinIDS Security Console

On the left under 'Connections' left-click and expand '<server name>'.
On the left under '<server name>' left-click and expand 'Sites'.
On the left under 'Sites' left-click, highlighting 'Default Web Site'.
In the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Handler Mappings' and left-click 'Open Feature'.
On the right under 'Actions' left-click 'Add Module Mapping...'.
In the 'Request Path:' dialog box type '*.php' (less the outside quotes).
In the 'Module' drop-down list select 'FastCgiModule'.
In the 'Executable (optional):' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes).
In the 'Name:' dialog box type 'PHP-FastCGI' (less the outside quotes).
Left-click, opening 'Request Restrictions...'.
To the left of 'Invoke handler only if request is mapped to:' left-click and place a check mark as the selected option, if one is not already there.
Under 'Invoke handler only if request is mapped to:', left-click selecting the 'File or Folder' radio button, left-click 'OK' to exit 'Request Restrictions' and left-click 'OK' to exit 'Add Module Mapping'.
The 'Add Module Mappings' information window opens; left-click 'Yes' to create a FastCGI application.
In the center window titled 'Handler Mappings', in the 'Name' column PHP-FastCGI must be listed.
In the 'Path' column for 'PHP-FastCGI' *.php must be listed.
In the 'State' column for 'PHP-FastCGI' Enabled must be listed.

Setting the Default Document type for the WinIDS Security Console

On the left under 'Connections' left-click, highlighting 'Default Web Site'.
In the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document' and left-click 'Open Feature'.
On the right under 'Actions' left-click 'Add...'. The 'Add Default Document' dialog box opens.
In the 'Name:' dialog box type 'index.php' (less the outside quotes) and left-click 'OK'.
In the center window titled 'Default Document' index.php must be listed as the top entry under 'Name' and Local must be listed under 'Entry Type'.

Note: As an option all the other entries can be removed!

Setting the Default Website Path for the WinIDS Security Console

On the left under 'Connections' right-click 'Default Web Site', mouse over 'Manage Web Site' and left-click 'Advanced Settings'. The 'Advanced Settings' window opens.
Under '(General)' left-click, highlighting 'Physical Path'.
In the dialog box to the right of 'Physical Path' type 'd:\winids\wwwroot\base' (less the outside quotes) and left-click 'OK'.
eXit the 'Internet Information Services (IIS) Manager' applet.
At the CMD prompt type 'iisreset /restart' (less the outside quotes) and tap the 'Enter' key.

Testing IIS and the PHP installation

Open a CMD window and type 'copy d:\winids\scripts\test_php.php d:\winids\wwwroot\base' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.
Open a web-browser and type 'http://winids/test_php.php' (less the outside quotes) into the URL Address box and tap the 'Enter' key. Several sections of information concerning the status and install of PHP should be displayed.
In the first section of information make SURE that the item labeled 'Server API' is pointing to 'CGI/FastCGI'.
In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini'.
In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' in the columns 'Local Values' and 'Master Values'.
In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php' in the columns 'Local Values' and 'Master Values'.
In the section labeled 'session' make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' in the columns 'Local Values' and 'Master Values'.

Do not proceed until all the above paths are correct!

eXit the web-browser.
At the CMD prompt type 'del d:\winids\wwwroot\base\test_php.php' (less the outside quotes) and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted with the Index number of the monitoring NIC.

This will install Snort into the Windows Services Database, and the below is the confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
\HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes) and tap the 'Enter' key.
The following is the confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been successfully activated.

Configuring the PostgreSQL Database Server

At the CMD prompt type 'd:\winids\postgresql\18\bin\psql -U postgres' (less the outside quotes) and tap the 'Enter' key.
At the 'Password for user postgres:' prompt type 'd1ngd0ng' (less the outside quotes) and tap the 'Enter' key. Key presses will not echo the characters!

Creating the Windows Intrusion Detection System Databases

At the 'postgres=#' prompt type 'create database archive;' (less the outside quotes) and tap the 'Enter' key.
At the 'postgres=#' prompt type 'create database snort;' (less the outside quotes) and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Authenticated Users

At the 'postgres=#' prompt type 'create user snort with password 'l0gg3r';' (less the outside quotes) and tap the 'Enter' key.
At the 'postgres=#' prompt type 'create user base with password 'an@l1st';' (less the outside quotes) and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Database Tables

At the 'postgres=#' prompt type '\connect archive;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/wwwroot/base/sql/enable_RI.sql;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type '\connect snort;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/wwwroot/base/sql/enable_RI.sql;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN SCHEMA public TO snort;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO snort;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\q' (less the outside quotes) and tap the 'Enter' key.

Confirming PostgreSQL and Snort are operational

At the CMD prompt type 'net stop postgresql-x64-18 & net start postgresql-x64-18 & net start snort' (less the outside quotes) and tap the 'Enter' key.

Do not proceed until the PostgreSQL Database has successfully restarted and Snort has successfully started!

At the CMD prompt type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager. Left-click the 'Processes' tab. At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes. In the 'Name' or 'Image Name' column 'snort.exe' and several instances of 'postgres.exe' should be listed.

Do not proceed until the processes above are running!

eXit the 'Task Manager'.
Configuring BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\wwwroot\base\base_conf.php.dist d:\winids\wwwroot\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.

At the CMD prompt type 'notepad2 d:\winids\wwwroot\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key. Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'postgres';

Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$use_referential_integrity = 0;
Change to:
$use_referential_integrity = 1;

Original Line(s):
$resolve_IP = 0;
Change to:
$resolve_IP = 1;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Save the file and eXit Notepad2.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
# output database: alert, postgresql, user=snort dbname=snort
Change to:
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS_Master

Save the file and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\scripts\by2-test.bat' (less the outside quotes) and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing and, depending on the resources used and/or available, it could take from 10 minutes to 1 hour to run the self-test mode. If all the tests pass, the following is the confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Barnyard2 and closed the connection to the Snort database!

Installing the Non-Sucking Service Manager (nssm)

At the CMD prompt type '7z e d:\temp\nssm-2.24.zip nssm-2.24\win64\nssm.exe -od:\winids\tools' (less the outside quotes) and tap the 'Enter' key.

Adding Barnyard2 to the Windows Services Database using nssm

At the CMD prompt type 'd:\winids\scripts\by2-service.bat' (less the outside quotes) and tap the 'Enter' key.
The following is the confirmation that the Barnyard2 auto-start service has been successfully activated.

Service "Barnyard2" installed successfully!
Set parameter "Start" for service "Barnyard2".
Barnyard2 service installed and started with auto-start.

Do not proceed until 'Barnyard2 service installed and started with auto-start' is displayed.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes) and tap the 'Enter' key.

The following is the confirmation that the Barnyard2 delayed auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Barnyard2 auto-start service has been successfully activated.

Adding the Rules Updater to the Desktop

At the CMD prompt type 'd:\winids\scripts\sc-create.bat' (less the outside quotes) and tap the 'Enter' key.

Note: A "Rules Update" shortcut has been added to the desktop for manually initiating a Rules update. For a simple rule update just right-click the desktop icon and select 'Run as Administrator'.

The Rules Updater can be scheduled.
The Rules Updater can run silent.
The Rules Updater can Email results to a valid SMTP server.

Note: There is a tutorial located HERE to detail the above options.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes) and tap the 'Enter' key to reboot.

Verifying Barnyard2 and Snort are running as processes after rebooting

It could take several minutes for the Barnyard2 process to display after rebooting, as it is on a delayed start.

After the reboot, open a CMD window and type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager. Left-click the 'Processes' tab. At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes. In the 'Name' or 'Image Name' column 'snort.exe' and 'Barnyard2.exe' should both be listed.

Do not proceed until both processes show as running!

eXit the 'Task Manager'.
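The post-reboot check above is done by eye in Task Manager. As an added example, not part of the WinIDS tutorial, the following script performs the same check from the CSV output of the Windows 'tasklist' command (the same image names the tutorial lists: snort.exe, Barnyard2.exe and postgres.exe), so it can be run after every reboot or from a scheduled task. The sample tasklist output is constructed, with Barnyard2 deliberately absent to show what the check reports while its delayed start is still pending; the function names are the example's own.

```python
"""Check that the WinIDS processes are present in 'tasklist' output.

Added example for the WinIDS post-reboot check; not part of the tutorial.
Reads the CSV form of the Windows 'tasklist' command, live on Windows or
from the constructed sample below so the check can be exercised anywhere.
"""
import csv
import io
import subprocess
import sys
from collections import Counter

# Image names the tutorial expects to see in Task Manager after the reboot.
REQUIRED_PROCESSES = ("snort.exe", "Barnyard2.exe", "postgres.exe")

# Constructed sample of 'tasklist /fo csv /nh' output (image name, PID,
# session name, session number, memory). Barnyard2 is deliberately missing.
SAMPLE_TASKLIST = """\
"System Idle Process","0","Services","0","8 K"
"snort.exe","1234","Services","0","120,456 K"
"postgres.exe","2001","Services","0","25,000 K"
"postgres.exe","2002","Services","0","18,000 K"
"php-cgi.exe","3100","Services","0","30,000 K"
"""


def image_counts(tasklist_csv):
    """Count running image names (first CSV column), case-insensitively."""
    reader = csv.reader(io.StringIO(tasklist_csv))
    return Counter(row[0].lower() for row in reader if row)


def missing_processes(tasklist_csv, required=REQUIRED_PROCESSES):
    """Required image names that are not running, in the order given."""
    running = image_counts(tasklist_csv)
    return [name for name in required if running[name.lower()] == 0]


def live_tasklist():
    """Capture 'tasklist /fo csv /nh' on Windows (fails on other platforms)."""
    result = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = live_tasklist() if sys.platform == "win32" else SAMPLE_TASKLIST
    missing = missing_processes(text)
    if missing:
        print("missing WinIDS processes: " + ", ".join(missing))
    else:
        print("all WinIDS processes are running")
    sys.exit(1 if missing else 0)
```

On the WinIDS host the script exits non-zero while any required process is absent, which is the condition the tutorial tells you not to proceed past; because Barnyard2 is on a delayed start, rerun it a few minutes after the reboot before treating a missing Barnyard2.exe as a failure.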
At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box and tap the 'Enter' key.

Note: The Windows Intrusion Detection Systems (WinIDS) Security Console is configured to auto refresh every three minutes. Manually refreshing the browser (F5) will show new events and restart the auto refresh counter.

Depending on the available resources and the active ruleset, it could take from 10-60 minutes to see events being added to the Windows Intrusion Detection System (WinIDS) console. If no events have been logged after a reasonable length of time, there is a topic here with detailed instructions on how to activate all the rules for testing purposes ONLY. Failure to follow the instructions completely to the end after events have been successfully logged will result in millions of useless events being added to the database.

In Conclusion

At this point the tutorial has been successfully completed. Events should be arriving in the Database and those events should be seen in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage the post-installation tweaks listed below to get a somewhat production-ready 'Windows Intrusion Detection System (WinIDS)'.

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
Become a subscriber (fee based) on snort.org to get access to zero day rules.
Scheduling a rules update (with the included Rules Updater).

Security Issues

Let's review what has happened so far:

All support programs, including IIS, have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.
A desktop icon was installed to manually initiate a rules update using Pulledpork (rules updates can only be initiated every 15 minutes).

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS). This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).
How to schedule automatic rules updating. This tutorial is a simple to understand process on how to schedule automatic rules updating.
How to compile Barnyard2 on Windows using Cygwin. This tutorial is a simple to understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator).
How to build and deploy a passive Ethernet tap. This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine. This tutorial will show how to update the Snort Intrusion Detection Engine.
How to update the Windows Intrusion Detection Systems rules. This tutorial will show how to update the Windows Intrusion Detection Systems rules.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log, or check the actual log file for the specific application.
General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback on any recommendations, experiences or ideas for this tutorial. Please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org

How to Install a Windows Intrusion Detection System (WinIDS) Running IIS and logging events to a local PostgreSQL Database
Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
Last Date Revised: July 22, 2023
Written by: Michael E. Steele
Get Community Support!

Introduction

Take Note: Winsnort has phased out support for the 32bit architecture.

During my research and development for the past 20 plus years I've found a lot of tutorials, including blogs, describing the installation process for the UNIX environment, but nothing specifically detailed for setting up an intrusion detection system in a Windows environment. These tutorials give all the basic instructions on how to create a complete and all inclusive standalone Windows Intrusion Detection System (WinIDS), including remote sensors. This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, in a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

The goal of these tutorials was not just to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine, known as Snort, but to understand how all the parts work together and to get a deeper understanding of all the components, so that troubleshooting and modifying the Windows Intrusion Detection System (WinIDS) can be completed with confidence.
If there are any doubts about which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made on which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2003-2025 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Get Support

All general support questions related to a specific tutorial MUST be directed to the specific forum for that particular tutorial. If there is any confusion just click on the 'Get Community Support' button at the top of each tutorial to get transported to the correct forum! There is a Client Only Lounge where all advanced questions/problems not related to the general installation of any of the tutorials should be posted. By request, there is a premium fee service available for one on one support, including remote installs. If this tutorial has not been directly acquired from the winsnort.com website, then it is most likely not the latest revision of this tutorial!
This is a basic Windows Intrusion Detection System (WinIDS) deployment

Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported Windows operating systems listed below. If this is a commercial installation and Windows 10 or Windows 11 is a requirement, it is recommended that the Windows Enterprise LTSC (Long Term Servicing Channel) version is used.

With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features that could be updated with new functionality, including Edge, are not part of these updates; make note that all in-box Universal Windows apps are not included in the LTSC channel updates either. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period.

The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See LTSC: What is it and when it should be used.
Windows x64 10 Professional / LTSC
Windows x64 11 Professional / LTSC
Windows x64 Server 2016 Standard Edition
Windows x64 Server 2019 Standard Edition
Windows x64 Server 2022 Standard Edition
Windows x64 Server 2025 Standard Edition

All the operating systems listed above have been tested using this tutorial. However, any other Windows operating system built on the same framework as those listed above will most likely work.

Major support programs used in this install

Npcap allows 3rd party applications such as Snort to capture and transmit network packets, bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, forwarding events on to a PostgreSQL database.
Pulledpork automates the rule updating process.
Strawberry Perl is everything needed to run perl scripts (.pl) and applications such as PulledPork.
ADOdb allows the same code to be used when accessing a wide range of databases.
The PostgreSQL database stores processed events from Barnyard2 for analysis.
Microsoft's Internet Information Services will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
NSSM is the Non-Sucking Service Manager used to start Barnyard2 as a service.

History of Internet Information Services (IIS)

IIS 10.0 - included with Workstation 10, 11, Server 2016, 2019, 2022 and 2025

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any version of Windows listed above is highly recommended. All available Service Packs and updates MUST be applied from the Microsoft Download Center. For this tutorial there are two disks: C:/ (Disk1 - System) with 300GB and D:/ (Disk2 - WinIDS) with 1TB.
Installed memory should be no less than 4GB (more is always better). For this tutorial there are two disks being used. Disk1: This is where the Windows operating system will be installed into and should not require more that 100GB of space. Disk2: This is where The Windows Intrusion detection System will be installed and will require at least 1TB of space as a starting point. Note: For Disk2 more space is always recommended for future growth. The default installation paths are hard coded into this tutorial and is also hard coded into some of the install scripts. If the default installation path for the Windows Intrusion Detection System is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder then the appropriate changes will need to be made to this tutorial and possibly any script that might need to be ran in order to accommodate the non-standard folder locations. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly! Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial Downloading and extracting the core Windows Intrusion Detection Systems (WinIDS) Software Support Pack It is imperative to only use the files included in the 'WinIDS - Core Software Support Pack' below. These files have been thoroughly tested and compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. Download the 'WinIDS - Core Software Support Pack'. Open File Explore and navigate to the location of the 'winids-core.zip' file, right-click the 'winids-core.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK' and eXit File Explorer. 
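The download page publishes a SHA-1 for the support pack, and nothing from it should be extracted or run until that value has been checked against the file that actually arrived. The script below is an added example, not part of the tutorial or of the WinIDS project: it confirms that every file the tutorial expects in d:\temp is present and compares any file that has a published hash against it, reporting all problems in one pass. It assumes a Python 3 interpreter is available on the sensor or on the workstation that did the downloading; the file names are the ones the tutorial lists (nssm is left out because the tutorial does not give its file name), and the hash is pasted from the download page as the first argument.

```python
r"""Pre-flight check of the WinIDS support files before anything is extracted or run.

Added example, not part of the tutorial or the WinIDS project. Every file the
tutorial expects in d:\temp must be present, and any file whose SHA-1 is
published on its download page must match it. Missing files and mismatches are
returned together so a single run reports everything that is wrong.
"""
import hashlib
import os
import sys

CHUNK = 1024 * 1024

# File names as the tutorial lists them: the support pack plus the extra downloads.
WINIDS_FILES = [
    "winids-core.zip",
    "npcap-1.86.exe",
    "Snort_2_9_20_Installer.x64.exe",
    "snortrules-snapshot-29200.tar.gz",
    "pulledpork-master.zip",
    "strawberry-perl-5.42.0.1-64bit.msi",
    "postgresql-18.1-1-windows-x64.exe",
    "php-8.5.1-nts-Win32-vs17-x64.zip",
    "adodb-5.22.11.zip",
]


def sha1_of_bytes(data):
    """Upper-case hex SHA-1 of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path):
    """Stream the file so a several-hundred-MB installer is hashed without loading it whole."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest().upper()


def scan_folder(folder, names):
    """Map each expected name to its SHA-1, or to None when the file is absent."""
    found = {}
    for name in names:
        path = os.path.join(folder, name)
        found[name] = sha1_of_file(path) if os.path.isfile(path) else None
    return found


def audit(found, expected_files, expected_sha1=None):
    """Return {name: problem}. An empty dict means every file is present and every
    supplied hash matched. Files without a known hash are checked for presence only.
    Comparison is case-insensitive because download pages print hashes either way."""
    expected_sha1 = expected_sha1 or {}
    problems = {}
    for name in expected_files:
        digest = found.get(name)
        if digest is None:
            problems[name] = "missing"
        elif name in expected_sha1 and digest != expected_sha1[name].upper():
            problems[name] = "sha1 mismatch: got " + digest
    return problems


if __name__ == "__main__":
    # Assumptions: d:\temp holds the downloads, and the first argument is the SHA-1
    # copied from the support pack's download page (the only file that publishes one).
    known = {"winids-core.zip": sys.argv[1]} if len(sys.argv) > 1 else {}
    problems = audit(scan_folder(r"d:\temp", WINIDS_FILES), WINIDS_FILES, known)
    for name, problem in sorted(problems.items()):
        print("%-40s %s" % (name, problem))
    sys.exit(1 if problems else 0)
```

Run it as 'python preflight.py <SHA-1 from the download page>' after everything has been downloaded; it exits non-zero when anything is missing or does not match, which is the point at which to stop and re-download rather than continue with the install.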
Downloading additional and required support files for this tutorial

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the 'WinIDS - Core Software Support Pack' above were extracted.

npcap-1.86: Download and save the file to the d:\temp folder.

Snort 2.9.20: Download and save the file to the d:\temp folder.

There are two items that are mandatory and require access to a registered account on the snort.org website. Without these two items the Windows Intrusion Detection System (WinIDS) will fail.

Item 1: Open a browser, navigate to the snort.org website and either create an account or sign into an account that has already been created. Once signed in, select the 'Oinkcode' button on the left menu; a window opens displaying the Oinkcode that is linked to the signed-in account. Either write that code down exactly as displayed or copy and paste it somewhere for later retrieval. That same code will be displayed every time the account is signed into. There is a regenerate button which, if selected, removes the old Oinkcode and replaces it with a new one. If a new Oinkcode is generated, it must also be changed in the pulledpork.conf file in order to continue getting new rules. The Oinkcode is tied to the account, so treat it like a password and restrict who can read the pulledpork.conf file it will be stored in.

Item 2: Sign into the snort.org website if not already signed in. Minimize the browser to the task bar but do not sign out. Continue to the next download (snortrules-snapshot-29200). Once the download is complete the browser can be closed. Note: If the account is not signed in and active from the same place the download is initiated, the download will fail.

snortrules-snapshot-29200: Download and save the file to the d:\temp folder.

Pulledpork 8.0: Download and save the file to the d:\temp folder.

Strawberry Perl 5.42.0.1: Download and save the file to the d:\temp folder.

PostgreSQL Database 18.1-1: Download and save the file to the d:\temp folder.

PHP 8.5.1 NTS (VS17): Download and save the file to the d:\temp folder.

ADOdb 5.22.11: Download and save the file to the d:\temp folder.

nssm 2.24: Download and save the file to the d:\temp folder.

Installing the Modder files

The modder file performs several tasks:

Disables User Account Control (UAC)
Installs Microsoft Visual C++ x86/x64 (VS18) 2017-2026
Installs Notepad2
Installs scripts and tools
Installs 7-Zip
Inserts the 'winids' hostname into the hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into the user environment to suppress the CYGWIN warning message when starting Barnyard2
Excludes '.rules' files in Defender (they are seen as a virus)
Sets TCP/IPv4 as the default protocol
Sets Show File Extensions and Hidden Files
Reboots the system

Note: Disabling UAC and excluding '.rules' files from Defender both lower the protection of the sensor host itself, so limit who can log on to it.

At the Windows Desktop press Win + R to open the Run dialog box. In the Run dialog box type 'cmd' (less the outside quotes) and then press CTRL+SHIFT+ENTER to open a command window as Administrator.

At the CMD prompt type 'd:\temp\modder.bat' (less the outside quotes) and tap the 'Enter' key.

Allow the script to automatically reboot the system! DO NOT INTERVENE!

Installing the Windows Intrusion Detection System (WinIDS)

Installing Npcap

Open a CMD window and type 'd:\temp\npcap-1.86.exe' (less the outside quotes) and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Installation Options' window opens; make sure the only checked box is 'Install Npcap in WinPcap API-compatible Mode' and left-click 'Install'. The 'Installation Complete' window opens, left-click 'Next'. The 'Finished' window opens, left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_20_Installer.x64.exe' (less the outside quotes) and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'. The 'Choose Components' window opens, left-click 'Next'. The 'Choose Install Location' window opens; in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes) and left-click 'Next'. The install completes with 'Completed', left-click 'Close'. The install finishes with 'Snort has been successfully installed.', left-click 'OK'.

Installing Strawberry Perl

At the CMD prompt type 'd:\temp\strawberry-perl-5.42.0.1-64bit.msi' (less the outside quotes) and tap the 'Enter' key. The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'. The 'End-User License Agreement' window opens, left-click the 'I accept the terms...' check box and left-click 'Next'. The 'Destination Folder' window opens; in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes) and left-click 'Next'. The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'. The 'Install Strawberry Perl..' window opens; allow the install to complete and left-click 'Next'. The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' check box and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

Open a new CMD window (a new window is needed so the PATH entries added by the Perl installer are picked up) and type 'cpan install Sys::Syslog' (less the outside quotes) and tap the 'Enter' key.

Installing Pulledpork

At the CMD prompt type '7z x d:\temp\pulledpork-master.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'ren d:\winids\pulledpork-master pulledpork' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes) and tap the 'Enter' key.

Installing PHP

At the CMD prompt type '7z x d:\temp\php-8.5.1-nts-Win32-vs17-x64.zip -od:\winids\php' (less the outside quotes) and tap the 'Enter' key.
Installing Internet Information Services

At the CMD prompt type 'd:\winids\scripts\iis-install.bat' (less the outside quotes) and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection System (WinIDS) Security Console

At the CMD prompt type '7z x d:\temp\base.zip -od:\winids\wwwroot\base' (less the outside quotes) and tap the 'Enter' key.

Installing Barnyard2

At the CMD prompt type '7z x d:\temp\barnyard2-2.1.14-b337.zip -od:\winids\barnyard2' (less the outside quotes) and tap the 'Enter' key.

Installing the PostgreSQL Database Server

At the CMD prompt type 'd:\temp\postgresql-18.1-1-windows-x64.exe' (less the outside quotes) and tap the 'Enter' key.
The 'Setup - PostgreSQL' window opens, left-click 'Next'.
The 'Installation Directory' window opens. In the dialog box type 'D:\winids\postgresql\18' (less the outside quotes) and left-click 'Next'.
The 'Select Components' window opens. In the list of selected components uncheck 'Stack Builder' and left-click 'Next'.
The 'Data Directory' window opens. The dialog box should already be populated with 'D:\winids\postgresql\18\data'; left-click 'Next'.
The 'Password' window opens. In the 'Password' dialog box type 'd1ngd0ng' (less the outside quotes) and tap the 'TAB' key. In the 'Retype password' dialog box type 'd1ngd0ng' (less the outside quotes), tap the 'TAB' key and left-click 'Next'. Note: 'd1ngd0ng' is the tutorial's example superuser password; if a different one is chosen it must also be used when connecting with psql later.
The 'Port' window opens. The listening port dialog box should already be populated with '5432'; left-click 'Next'.
The 'Advanced Options' window opens. The 'Locale' pull-down select box should already be populated with 'DEFAULT'; left-click 'Next'.
The 'Pre Installation Summary' window opens. Verify that all the preselected settings below are correct and left-click 'Next'.

Installation Directory: D:\winids\postgresql\18
Server Installation Directory: D:\winids\postgresql\18
Data Directory: D:\winids\postgresql\18\data
Database Port: 5432
Database Superuser: postgres
Operating System Account: NT AUTHORITY\NetworkService
Database Service: postgresql-x64-18
Command Line Tools Installation Directory: D:\winids\postgresql\18
pgAdmin4 Installation Directory: D:\winids\postgresql\18\pgAdmin 4
Installation Log: C:\Users\*\AppData\Local\temp\install-postgresql.log

The 'Ready to Install' window opens, left-click 'Next' and allow the installation to complete.
The 'Completing the PostgreSQL Setup Wizard' window opens, left-click 'Finish'.

Installing ADOdb

At the CMD prompt type '7z x d:\temp\adodb-5.22.11.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'ren d:\winids\adodb-5.22.11 adodb5' (less the outside quotes) and tap the 'Enter' key. The folder must be named 'adodb5', because that is the path BASE is pointed at in base_conf.php later in this tutorial.

Verifying Snort is detecting network traffic

Snort monitors traffic on a specific NIC, and Npcap assigns an index number to every NIC. This procedure determines which index number the monitoring NIC has; write it down, as it will be needed several times for testing and for the final configuration!

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address                               Device Name                                          Description
-----  ----------------   ----------                               -----------                                          -----------
    1  20:41:53:59:4E:FF  disabled                                 \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}   RAS Async Adapter
    2  00:0C:29:27:2C:1F  0000:0000:fe80:0000:0000:0000:e0ef:e77d  \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}   Intel(R) PRO/1000 MT Network Connection
    3  00:00:00:00:00:00  disabled                                 \Device\NPF_Loopback                                 Adapter for loopback traffic capture

Note: There may be several Network Interface Cards listed.
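On a sensor with several adapters it is easy to pick the wrong index and then spend time on the trial-and-error in the next step. The script below is an added example, not part of the tutorial or of Snort: it parses the 'snort -W' table (the description column contains spaces, so each row is split on the first four gaps only), discards adapters that have no address bound and Npcap's loopback adapter, which never sees LAN traffic, and prints the tutorial's verification command with the remaining index numbers filled in. It assumes a Python 3 interpreter on the sensor and the default d:\winids\snort\bin path; the sample table is constructed from the one above.

```python
r"""Pick the Snort capture interface from 'snort -W' output.

Added example, not part of the tutorial or the Snort project. 'snort -W' prints one
row per adapter: index, MAC, IP address (or 'disabled'), \Device\NPF_... name and a
free-text description. Candidates are adapters with an address bound that are not
the loopback capture adapter; an optional description filter narrows them further.
"""
import sys

# Constructed from the table in the tutorial, with the same three adapters.
SAMPLE_SNORT_W = r"""
Index    Physical Address    IP Address    Device Name    Description
-----    ----------------    ----------    -----------    -----------
    1    20:41:53:59:4E:FF    disabled    \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}    RAS Async Adapter
    2    00:0C:29:27:2C:1F    0000:0000:fe80:0000:0000:0000:e0ef:e77d    \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}    Intel(R) PRO/1000 MT Network Connection
    3    00:00:00:00:00:00    disabled    \Device\NPF_Loopback    Adapter for loopback traffic capture
"""


def parse_snort_w(text):
    """Return one dict per adapter row; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)          # description keeps its internal spaces
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        rows.append({
            "index": int(parts[0]),
            "mac": parts[1],
            "ip": parts[2],
            "device": parts[3],
            "description": parts[4].strip() if len(parts) > 4 else "",
        })
    return rows


def candidate_indexes(rows, description_contains=None):
    """Indexes worth trying with 'snort -v -i<n>', in the order 'snort -W' listed them."""
    picks = []
    for row in rows:
        if row["ip"].lower() == "disabled":
            continue                         # nothing bound: RAS, unplugged or disabled adapter
        if row["device"].endswith("NPF_Loopback"):
            continue                         # loopback capture adapter never carries LAN traffic
        if description_contains and description_contains.lower() not in row["description"].lower():
            continue
        picks.append(row["index"])
    return picks


def snort_test_command(index, snort_bin=r"d:\winids\snort\bin\snort.exe"):
    """The tutorial's traffic verification command with the index filled in."""
    return "%s -v -i%d" % (snort_bin, index)


if __name__ == "__main__":
    # Usage on the sensor:  d:\winids\snort\bin\snort -W | python pick_nic.py [description substring]
    # Without piped input the constructed sample table is used.
    text = SAMPLE_SNORT_W if sys.stdin.isatty() else sys.stdin.read()
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    for idx in candidate_indexes(parse_snort_w(text), wanted):
        print(snort_test_command(idx))
```

Re-run 'snort -W' and this script after adding or removing adapters, since the index is Snort's position in the adapter enumeration and is not tied to the hardware.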
Snort needs to know which index number is attached to the NIC that is monitoring the network traffic.

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x is substituted with the index number of the monitoring NIC.

There should now be multiple packets passing through the CMD window (example packet below). If there is no traffic passing through, open a web browser and generate some web traffic. If there is still no traffic passing through, activate the CMD window, press CTRL+C to stop the Snort process and try another index number.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If all index numbers have been exhausted then there could be one of several issues:

No Internet connection
NIC not compatible
NIC drivers need updating
Wrong index number given to (snort -v -ix)

After verifying the index number, eXit the web browser, activate the CMD window and press CTRL+C to stop the Snort process, exiting back to the CMD prompt. Do not proceed until network traffic is being displayed in the CMD window.

Processing task dependencies before Snort configuration

At the CMD prompt type '7z x d:\temp\snortrules-snapshot-29200.tar.gz -od:\temp' (less the outside quotes) and tap the 'Enter' key. This unpacks the .gz wrapper into a .tar file.
At the CMD prompt type '7z e d:\temp\snortrules-snapshot-29200.tar -aoa -od:\winids\snort\etc etc\*.*' (less the outside quotes) and tap the 'Enter' key. This extracts the ruleset's etc folder over the files the Snort installer placed in d:\winids\snort\etc, including snort.conf.
At the CMD prompt type 'del d:\temp\snortrules-snapshot-29200.tar /Q' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH/# include \$RULE\_PATH/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key. This comments out every 'include $RULE_PATH/...' line in snort.conf; the includes that are needed are re-enabled below, and Pulledpork will later supply the downloaded rules in a single winids.rules file.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\winids.rules' (less the outside quotes) and tap the 'Enter' key. The three commands above create the empty rule files that snort.conf will include, so Snort does not fail on a missing file before Pulledpork has run.
At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'copy d:\winids\scripts\local.rules d:\winids\snort\rules\local.rules' (less the outside quotes) and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment or segments of the Windows Intrusion Detection System (WinIDS) network that need monitoring and to set the correct CIDR/s.

Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
# var PREPROC_RULE_PATH ../preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $RULE_PATH/local.rules
Change to:
include $RULE_PATH/local.rules

Just below the line 'include $RULE_PATH/local.rules', add the next three lines.

include $RULE_PATH/winids.rules
include $RULE_PATH/white_list.rules
include $RULE_PATH/black_list.rules

Save the file and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x is substituted with the index number of the monitoring NIC.
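The 'perl -pi -e' substitutions and the Notepad2 find-and-change steps above have one weakness: when a line is not where they expect it (a different snort.conf revision, a typo, a line that was already edited on an earlier attempt) they do nothing and say nothing, and the failure only surfaces later as a confusing 'snort -T' error. The script below is an added example, not part of the tutorial or of Snort: it applies the same snort.conf changes, but every edit must match exactly one line (ignoring indentation and repeated spaces) or it raises, so a half-applied configuration is caught immediately. It assumes a Python 3 interpreter on the sensor and the default d:\winids paths; the sample configuration is a constructed excerpt containing only the stock lines the tutorial changes. The same helpers fit the pulledpork.conf, php.ini and base_conf.php edits later in the tutorial.

```python
r"""Checked edits for snort.conf (added example, not part of the tutorial or of Snort).

Each edit has to match exactly one line, ignoring indentation and repeated spaces,
or it raises EditError. That turns a silently skipped substitution into a hard stop
before 'snort -T' is run.
"""


class EditError(Exception):
    """Raised when an expected line is absent or ambiguous."""


def _norm(s):
    return " ".join(s.split())


def _find_one(lines, original):
    hits = [i for i, line in enumerate(lines) if _norm(line) == _norm(original)]
    if len(hits) != 1:
        raise EditError("expected exactly one line like %r, found %d" % (original, len(hits)))
    return hits[0]


def replace_line(lines, original, replacement):
    """Swap one line for another, keeping the original indentation."""
    i = _find_one(lines, original)
    indent = lines[i][: len(lines[i]) - len(lines[i].lstrip())]
    lines[i] = indent + replacement


def insert_after(lines, anchor, new_lines):
    i = _find_one(lines, anchor)
    lines[i + 1:i + 1] = list(new_lines)


def comment_out_prefix(lines, prefix, marker="# "):
    """Comment every active line starting with prefix (the tutorial's perl step); returns the count."""
    changed = 0
    for i, line in enumerate(lines):
        if line.lstrip().startswith(prefix):
            lines[i] = marker + line
            changed += 1
    return changed


def apply_winids_edits(text, home_net="192.168.1.0/24"):
    """Apply the tutorial's snort.conf changes; home_net is the monitored segment."""
    lines = text.splitlines()
    if comment_out_prefix(lines, "include $RULE_PATH/") == 0:
        raise EditError("no 'include $RULE_PATH/' lines found; is this really snort.conf?")
    edits = [
        ("ipvar HOME_NET any", "ipvar HOME_NET " + home_net),
        ("var RULE_PATH ../rules", r"var RULE_PATH d:\winids\snort\rules"),
        ("var SO_RULE_PATH ../so_rules", "# var SO_RULE_PATH ../so_rules"),
        ("var PREPROC_RULE_PATH ../preproc_rules", "# var PREPROC_RULE_PATH ../preproc_rules"),
        ("var WHITE_LIST_PATH ../rules", r"var WHITE_LIST_PATH d:\winids\snort\rules"),
        ("var BLACK_LIST_PATH ../rules", r"var BLACK_LIST_PATH d:\winids\snort\rules"),
        ("dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/",
         r"dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor"),
        ("dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so",
         r"dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll"),
        ("decompress_swf { deflate lzma } \\", "decompress_swf { deflate } \\"),
        ("# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }",
         "preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }"),
        ("# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types",
         "output unified2: filename merged.log, limit 128"),
        # local.rules was commented out with the rest above; the tutorial re-enables it
        ("# include $RULE_PATH/local.rules", "include $RULE_PATH/local.rules"),
    ]
    for original, replacement in edits:
        replace_line(lines, original, replacement)
    insert_after(lines, "include $RULE_PATH/local.rules", [
        "include $RULE_PATH/winids.rules",
        "include $RULE_PATH/white_list.rules",
        "include $RULE_PATH/black_list.rules",
    ])
    return "\n".join(lines) + "\n"


# Constructed excerpt holding only the stock lines the tutorial changes (not a full snort.conf).
SAMPLE_SNORT_CONF = r"""ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor http_inspect_server: server default \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate } \
# preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
"""
```

To use it on the sensor, copy snort.conf aside, read the file, pass its text and the monitored segment to apply_winids_edits, and write the result back only when no EditError was raised; running it a second time on an already edited file raises at the first edit, which is the intended behaviour rather than double-commenting lines.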
This will test the Snort configuration, and depending on the resources used and/or available it could take several minutes to run in self-test mode. If all the tests pass, the following confirms that the Snort configuration file and rules have tested good:

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Now to test a rule. Scrolling up through the output of the Snort configuration test in the CMD window should show 1 Snort rule read, as in the example below (the single rule is the ICMP test rule in local.rules).

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

At the CMD prompt type 'd:\winids\snort\bin\snort -A console -q -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x is substituted with the index number of the monitoring NIC.

Once Snort has started with the above command, go to another computer or open another CMD window and ping the IP of the interface that Snort is listening on. Output similar to the below should appear in the CMD window if the ping was detected.

02/02-14:25:23.413383 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:28.037797 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:33.038644 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:38.041163 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
*** Caught Int-Signal

Note: If the ping is not detected, check the HOME_NET setting in snort.conf to make sure it has been configured correctly. Do not proceed until the ping has been detected!

Activate the CMD window and press CTRL+C to exit back to the CMD prompt.

Note: After the above ping test is successful the rule that generated the events must be disabled. If the rule is not disabled the database will fill up with millions of useless events.

At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH\/local.rules/# include \$RULE\_PATH\/local.rules/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key. This comments the local.rules include back out.

Configuring Pulledpork

At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|x

Note: Insert your unique Oinkcode in place of the x above.
Original Line(s):
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to:
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Original Line(s):
temp_path=/tmp
Change to:
temp_path=d:/winids/pulledpork/temp

Original Line(s):
rule_path=/usr/local/etc/snort/rules/snort.rules
Change to:
rule_path=d:/winids/snort/rules/winids.rules

Original Line(s):
local_rules=/usr/local/etc/snort/rules/local.rules
Change to:
local_rules=d:/winids/snort/rules/local.rules

Original Line(s):
sid_msg=/usr/local/etc/snort/sid-msg.map
Change to:
sid_msg=d:/winids/snort/etc/sid-msg.map

Original Line(s):
sid_changelog=/var/log/sid_changes.log
Change to:
sid_changelog=d:/winids/snort/log/sid_changes.log

Original Line(s):
block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
Change to:
# block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

Original Line(s):
IPRVersion=/usr/local/etc/snort/rules/iplists
Change to:
# IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s):
snort_control=/usr/local/bin/snort_control
Change to:
# snort_control=/usr/local/bin/snort_control

Original Line(s):
# snort_version=2.9.0.0
Change to:
snort_version=2.9.20.0

Original Line(s):
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Change to:
enablesid=d:/winids/pulledpork/etc/enablesid.conf
dropsid=d:/winids/pulledpork/etc/dropsid.conf
disablesid=d:/winids/pulledpork/etc/disablesid.conf
modifysid=d:/winids/pulledpork/etc/modifysid.conf

Original Line(s):
# ips_policy=security
Change to:
ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced and security) that can be used. Change the above to your specific needs.

Each policy has the Sourcefire recommended rules applied, and the 'ips_policy' switch is optional. By placing a hash '#' (less the outside quotes) in front of the 'ips_policy' switch, Pulledpork will process the stock rules as they are.

Connectivity: Means "Connectivity over Security". This is a speedy policy for people who insist on blocking only the really known bad with no false positives.

Balanced: Means "Balanced between Connectivity and Security". This is a good starter policy for everyone. It is quick, has a good base coverage level and covers the latest threats of the day. The policy contains everything that is in Connectivity.

Security: Means "Security over Connectivity". This is a stringent policy that everyone should strive to get to through tuning. It is quick, but has some policy-type rules in it, such as rules that alert on Flash contained within an Excel file. This policy contains everything that is in Connectivity and Balanced.

Save the file and eXit Notepad2.

Rule activation and testing with Pulledpork

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes) and tap the 'Enter' key.

This exercises the Pulledpork configuration file and downloads and installs the latest ruleset. The -T switch tells Pulledpork to process text rules only and skip the shared-object (so_rules) rules, which Snort on Windows cannot load. Depending on the resources used and/or available, it could take several minutes to process. If the run passed, the following confirms that the Pulledpork configuration file is good and the rules were successfully installed:

Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Do not proceed until 'Fly Piggy Fly!' has appeared.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x is substituted with the index number of the monitoring NIC.

Pulledpork modified and added rules, and Snort needs to test the new rules to verify there are no errors. The following confirms that the Snort configuration file and rules have tested good:

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring PHP

At the CMD prompt type 'mkdir d:\winids\php\logs' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
;error_log = php_errors.log
Change to:
error_log = d:\winids\php\logs\php_errors.log

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php"

Original Line(s):
;extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;cgi.force_redirect = 1
Change to:
cgi.force_redirect = 0

Original Line(s):
;extension=gd
Change to:
extension=gd

Original Line(s):
;extension=gmp
Change to:
extension=gmp

Original Line(s):
;extension=pgsql
Change to:
extension=pgsql

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct timezone for the location where the Windows Intrusion Detection System (WinIDS) will be deployed is essential. Check out the PHP website for the List of Supported Timezones.

Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file and eXit Notepad2.

Configuring IIS for PHP and the Windows Intrusion Detection System security console

At the CMD prompt type 'c:\windows\system32\inetsrv\inetmgr' (less the outside quotes), tap the 'Enter' key and the 'Internet Information Services (IIS) Manager' opens. If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...', left-click 'No'.

Setting up FastCGI for the WinIDS Security Console

On the left under 'Connections' left-click and expand '<server name>'. On the left under '<server name>' left-click and expand 'Sites'. On the left under 'Sites' left-click highlighting 'Default Web Site'. In the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Handler Mappings' and left-click 'Open Feature'. On the right under 'Actions' left-click 'Add Module Mapping...'. In the 'Request Path:' dialog box type '*.php' (less the outside quotes). In the 'Module' drop-down list select 'FastCgiModule'. In the 'Executable (optional):' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes). In the 'Name:' dialog box type 'PHP-FastCGI' (less the outside quotes). Left-click opening 'Request Restrictions...'. To the left of 'Invoke handler only if request is mapped to:' left-click and place a check mark as the selected option, if one is not already there. Under 'Invoke handler only if request is mapped to:', left-click selecting the 'File or Folder' radio button, left-click 'OK' to exit 'Request Restrictions' and left-click 'OK' to exit 'Add Module Mapping'. The 'Add Module Mappings' information window opens, left-click 'Yes' to create a FastCGI application. In the center window titled 'Handler Mappings', in the 'Name' column, PHP-FastCGI must be listed. In the 'Path' column for 'PHP-FastCGI' *.php must be listed.
In the 'State' column for 'PHP-FastCGI' Enabled must be listed.

Setting the Default Document type for the WinIDS Security Console

On the left under 'Connections' left-click highlighting 'Default Web Site'. In the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document' and left-click 'Open Feature'. On the right under 'Actions' left-click 'Add...'. The 'Add Default Document' dialog box opens. In the 'Name:' dialog box type 'index.php' (less the outside quotes) and left-click 'OK'. In the center window titled 'Default Document' index.php must be listed as the top entry under 'Name' and Local must be listed under 'Entry Type'.

Note: As an option all the other entries can be removed!

Setting the Default Website Path for the WinIDS Security Console

On the left under 'Connections' right-click 'Default Web Site', mouse over 'Manage Web Site' and left-click 'Advanced Settings'. The 'Advanced Settings' window opens. Under '(General)' left-click highlighting 'Physical Path'. In the dialog box to the right of 'Physical Path' type 'd:\winids\wwwroot\base' (less the outside quotes) and left-click 'OK'. eXit the 'Internet Information Services (IIS) Manager' applet.

At the CMD prompt type 'iisreset /restart' (less the outside quotes) and tap the 'Enter' key.

Testing IIS and the PHP installation

Open a CMD window and type 'copy d:\winids\scripts\test_php.php d:\winids\wwwroot\base' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.

Open a web browser and type 'http://winids/test_php.php' (less the outside quotes) into the URL address box and tap the 'Enter' key. Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Server API' is pointing to 'CGI/FastCGI'.
In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini'.
In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' in both the 'Local Value' and 'Master Value' columns.
In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php' in both the 'Local Value' and 'Master Value' columns.
In the section labeled 'session' make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' in both the 'Local Value' and 'Master Value' columns.

Do not proceed until all the above paths are correct!

eXit the web browser.

At the CMD prompt type 'del d:\winids\wwwroot\base\test_php.php' (less the outside quotes) and tap the 'Enter' key. The test page exposes the PHP configuration to anyone who can reach the console, so it must not be left in place.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x is substituted with the index number of the monitoring NIC.

This installs Snort into the Windows Services Database, and the output below confirms that the Snort service was successfully added:

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes) and tap the 'Enter' key. Note: the space after 'start=' is required by sc.exe; without it the command fails.
The following is a confirmation that the Snort auto-start service has been successfully activated. [SC] ChangeServiceConfig SUCCESS Do not proceed until the Snort auto-start service has been SUCCESSfully activated. Configuring the PostgreSQL Database Server At the CMD prompt type 'd:\winids\postgresql\18\bin\psql -U postgres' (less the outside quotes) and tap the 'Enter' key. At the 'Password for user postgres: " prompt type 'd1ngd0ng' (less the outside quotes) and tap the 'Enter' key. Key presses will not echo the characters! Creating the Windows Intrusion Detection System Databases At the 'postgres=#' prompt type 'create database archive;' (less the outside quotes) and tap the 'Enter' key. At the 'postgres=#' prompt type 'create database snort;' (less the outside quotes) and tap the 'Enter' key. Creating the Windows Intrusion Detection System Authenticated Users At the 'postgres=#' prompt type 'create user snort with password 'l0gg3r';' (less the outside quotes) and tap the 'Enter' key. At the 'postgres=#' prompt type 'create user base with password 'an@l1st';' (less the outside quotes) and tap the 'Enter' key. Creating the Windows Intrusion Detection System Database Tables At the 'postgres=#' prompt type '\connect archive;' (less the outside quotes) and tap the 'Enter' key. At the 'archive=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes) and tap the 'Enter' key. At the 'archive=#' prompt type '\i d:/winids/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes) and tap the 'Enter' key. At the 'archive=#' prompt type '\i d:/winids/wwwroot/base/sql/enable_RI.sql;' (less the outside quotes) and tap the 'Enter' key. At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key. At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key. 
At the 'archive=#' prompt type '\connect snort;' (less the outside quotes) and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/wwwroot/base/sql/enable_RI.sql;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN SCHEMA public TO snort;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO snort;' (less the outside quotes) and tap the 'Enter' key.
At the 'snort=#' prompt type '\q' (less the outside quotes) and tap the 'Enter' key.

Confirming PostgreSQL and Snort are operational
At the CMD prompt type 'net stop postgresql-x64-18 & net start postgresql-x64-18 & net start snort' (less the outside quotes) and tap the 'Enter' key.
Do not proceed until the PostgreSQL Database has successfully restarted and Snort has successfully started!
At the CMD prompt type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager.
Left-click the 'Processes' tab.
At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes.
In the 'Name' or 'Image Name' column 'snort.exe' and several instances of 'postgres.exe' should be listed.
Do not proceed until the processes above are running!
eXit the 'Task Manager'.
Configuring BASE the Windows Intrusion Detection Systems (WinIDS) Security Console
At the CMD prompt type 'copy d:\winids\wwwroot\base\base_conf.php.dist d:\winids\wwwroot\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key. Should display '1 file(s) copied.' and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\wwwroot\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'postgres';

Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$use_referential_integrity = 0;
Change to:
$use_referential_integrity = 1;

Original Line(s):
$resolve_IP = 0;
Change to:
$resolve_IP = 1;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Save the file and eXit Notepad2.

Configuring Barnyard2
At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
# output database: alert, postgresql, user=snort dbname=snort
Change to:
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS_Master

Save the file and eXit Notepad2.

Testing the Barnyard2 configuration file
At the CMD prompt type 'd:\winids\scripts\by2-test.bat' (less the outside quotes) and tap the 'Enter' key.
This will start Barnyard2 in self-test mode for configuration testing and, depending on the resources used and/or available, it could take from 10 minutes to 1 hour to run the self-test mode.
If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.
Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"
Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Barnyard2 and closed the connection to the Snort database!

Installing the Non-Sucking Service Manager (nssm)
At the CMD prompt type '7z e d:\temp\nssm-2.24.zip nssm-2.24\win64\nssm.exe -od:\winids\tools' (less the outside quotes) and tap the 'Enter' key.

Adding Barnyard2 to the Windows Services Database using nssm
At the CMD prompt type 'd:\winids\scripts\by2-service.bat' (less the outside quotes) and tap the 'Enter' key.
The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.
Service "Barnyard2" installed successfully!
Set parameter "Start" for service "Barnyard2".
Barnyard2 service installed and started with auto-start.
Do not proceed until 'Barnyard2 service installed and started with auto-start' is displayed.
At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes) and tap the 'Enter' key.
The following is a confirmation that the Barnyard2 delayed auto-start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
Do not proceed until the Barnyard2 auto-start service has been successfully activated.

Adding the Rules Updater to the Desktop
At the CMD prompt type 'd:\winids\scripts\sc-create.bat' (less the outside quotes) and tap the 'Enter' key.
Note: A "Rules Update" shortcut has been added to the desktop for manually initiating a Rules update. For a simple rule update just right-click the desktop icon and select 'Run as Administrator'.
The Rules Updater can be scheduled.
The Rules Updater can run silent.
The Rules Updater can Email results to a valid SMTP server.
Note: There is a tutorial located HERE to detail the above options.
At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes) and tap the 'Enter' key to reboot.

Verifying Barnyard2 and Snort are running as processes after rebooting
It could take several minutes for the Barnyard2 process to display after rebooting as it is on a delayed start.
After the reboot open a CMD window and type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager.
Left-click the 'Processes' tab.
At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes.
In the 'Name' or 'Image Name' column 'snort.exe' and 'Barnyard2.exe' should both be listed.
Do not proceed until both processes show as running!
eXit the 'Task Manager'.
At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console
Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box and tap the 'Enter' key.
Note: The Windows Intrusion Detection Systems (WinIDS) Security Console is configured to auto refresh every three minutes. Manually refreshing the browser (F5) will show new events and restart the auto refresh counter.
Depending on the available resources and the active ruleset, it could take from 10-60 minutes to see events being added to the Windows Intrusion Detection System (WinIDS) console. If no events have been logged after a reasonable length of time then there is a topic here with detailed instructions on how to activate all the rules for testing purposes ONLY. Failure to follow the instructions completely to the end after events have been successfully logged will result in millions of useless events being added to the database.

In Conclusion
At this point the tutorial has been successfully completed. Events should be arriving in the Database and those events should be seen in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage some post-installation tweaks, listed below, to get a somewhat production-ready 'Windows Intrusion Detection System (WinIDS)'.
Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
Become a subscriber (fee based) on snort.org to get access to zero day rules.
Scheduling a rules update (with the included Rules Updater).

Security Issues
Let's review what has happened so far:
All support programs, including IIS, have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.
A desktop icon was installed to manually initiate a rules update using Pulledpork (rules updates can only be initiated every 15 minutes).

Optional Companion Documents
Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS). This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).
How to schedule automatic rules updating. This tutorial is a simple to understand process on how to schedule automatic rules updating.
How to compile Barnyard2 on Windows using Cygwin. This tutorial is a simple to understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator).
How to build and deploy a passive Ethernet tap. This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components
How to update the Snort Intrusion Detection Engine. This tutorial will show how to update the Snort Intrusion Detection Engine.
How to update the Windows Intrusion Detection Systems rules. This tutorial will show how to update the Windows Intrusion Detection Systems rules.

Debugging Installation errors
Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log, or check the actual log file for the specific application.
General tutorial issues
For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback
I would love to get feedback on any recommendations, experiences or ideas for this tutorial. Please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
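A check for the base_conf.php and barnyard2.conf edits in the tutorial above, and for the 'changing the default database user access' item under 'In Conclusion', as an added example that is not part of the tutorial or the WinIDS scripts: it parses the scalar PHP assignments and the active Barnyard2 'output database:' line, compares them with the tutorial's 'Change to:' values, and flags any database password still equal to one printed in the tutorial. The sample file contents and the function names are the example's own.

```python
"""
Added example, not from the winsnort.com tutorial or the WinIDS scripts: checks the
base_conf.php 'Change to:' values and the active barnyard2.conf 'output database:'
line, and flags database passwords still equal to those printed in the tutorial.
Sample file contents are constructed; pass real file text to the check_* functions.
"""
import re

# Values the tutorial asks for in base_conf.php ('Change to:' blocks).
EXPECTED_BASE = {
    "DBlib_path": r"d:\winids\adodb5", "DBtype": "postgres",
    "alert_dbname": "snort", "alert_host": "winids", "alert_user": "base",
    "archive_exists": 1, "archive_dbname": "archive",
    "archive_host": "winids", "archive_user": "base",
    "use_referential_integrity": 1,
    "portscan_file": r"d:\winids\snort\log\portscan.log",
}
# Passwords printed verbatim in the tutorial; anyone who read it knows them.
TUTORIAL_DEFAULT_PASSWORDS = {"an@l1st", "l0gg3r", "d1ngd0ng"}
DEFAULT_PASSWORD_MSG = "still set to a password published in the tutorial"
# $name = 'text';  |  $name = "text";  |  $name = 123;   (trailing # comment allowed)
PHP_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|(\d+))\s*;")
# output database: <mode>, <backend>, key=value ...   (a leading '#' makes it not match)
BY2_OUTPUT = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_base_conf(text):
    """Return {name: value} for the simple scalar assignments in base_conf.php."""
    values = {}
    for line in text.splitlines():
        m = PHP_ASSIGN.match(line)
        if m:
            name, single, double, number = m.groups()
            if number is not None:
                values[name] = int(number)
            else:
                values[name] = single if single is not None else double
    return values


def check_base_conf(text):
    """Findings for base_conf.php; empty when it matches the tutorial with fresh passwords."""
    values = parse_base_conf(text)
    findings = []
    for key, want in EXPECTED_BASE.items():
        got = values.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    for key in ("alert_password", "archive_password"):
        if values.get(key) in TUTORIAL_DEFAULT_PASSWORDS:
            findings.append(f"{key}: {DEFAULT_PASSWORD_MSG}")
    return findings


def parse_barnyard2_output(text):
    """Return (mode, backend, {param: value}) for the first active output line, else None."""
    for line in text.splitlines():
        m = BY2_OUTPUT.match(line)
        if m:
            mode, backend, rest = m.groups()
            params = dict(p.split("=", 1) for p in rest.split() if "=" in p)
            return mode, backend, params
    return None


def check_barnyard2_conf(text):
    """Findings for the Barnyard2 database output line."""
    parsed = parse_barnyard2_output(text)
    if parsed is None:
        return ["no active 'output database:' line (still commented out?)"]
    mode, backend, params = parsed
    expected = {"mode": ("log", mode), "backend": ("postgresql", backend),
                "user": ("snort", params.get("user")), "dbname": ("snort", params.get("dbname")),
                "host": ("winids", params.get("host"))}
    findings = [f"{k}: expected {want!r}, found {got!r}"
                for k, (want, got) in expected.items() if got != want]
    if params.get("password") in TUTORIAL_DEFAULT_PASSWORDS:
        findings.append(f"password: {DEFAULT_PASSWORD_MSG}")
    return findings


# Constructed sample: base_conf.php after the tutorial's edits, passwords unchanged.
SAMPLE_BASE_CONF = r"""
$DBlib_path = 'd:\winids\adodb5';
$DBtype = 'postgres';
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_user = 'base';
$alert_password = 'an@l1st';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_user = 'base';
$archive_password = 'an@l1st';
$use_referential_integrity = 1;
$portscan_file = 'd:\winids\snort\log\portscan.log';
"""
# Constructed sample: barnyard2.conf after the tutorial's edits, password unchanged.
SAMPLE_BY2_CONF = r"""
config event_cache_size: 32768
# output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS_Master
"""
```

Run against the real files by reading them into text and passing that text to check_base_conf and check_barnyard2_conf; an empty list means the file matches the tutorial and no published password remains.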
-
1 like
No you don't need to do anything. What you are seeing is correct. I made an error in the tutorial and have since corrected it. Check out the tutorial, and it should match your install.
-
1 like
What is the process you used and I'll check it on another build. Did you just add the below to your local.rules file?
alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
Did you use something to generate the alert?
-
1 like
There was an issue with the repository being hacked and it was taken down. The tutorials were changed in order to internally control that process.
-
1 like
Make sure you have run the modder.vbs file as Administrator and allowed it to reboot on its own.
Make sure the test.php file has been copied to the d:\winids\apache24\htdocs\base folder.
Make sure you can ping winids:
Make sure all the required Microsoft Visual C++ packages have been installed:
If all the above is correct then please attach the php.ini file and the httpd.conf file.
-
1 like
The above looks normal. If you open the command window in the task bar it should say waiting for data. If you see packets being displayed in the command window then there is a problem. Those packets should be registering in the security console. If you are not seeing any packets in the command window then there is nothing triggering events. There could be several reasons why; not on the same subnet, plugged into a switch and switches must have port mirroring set to the security console's IP.
-
1 like
Looks like you ran into a problem installing and moving the IIS server. I'm not sure how this can be fixed as I've never seen the error. You might try reinstalling from scratch and make SURE the command window is in Admin mode before running the move script.
-
1 like
I found a few quirks but nothing major. Swap the files in the attached .zip with your existing files.
winIDS.zip
-
1 like
I just noticed:
Change this:
d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log –i1 -T
To this:
d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T
-
1 like
1) Wonder what else didn't happen when the modder.vbs file ran?
2) Sourcefire has updated their snort.org site in the past few days and there have been issues with the rules, and opensource files?
3) I'm not sure as that has never happened here. This is most likely an issue related to item 1.
I'll look into item 2 and adjust to the new name.
Update: Several of the file names were changed on the snort.org site, and all the tutorials now reflect those changes.
-
1 like
The Windows Intrusion Detection Systems (WinIDS) tutorials are accessed by using the 'Tutorials' link in the main menu bar.
The Windows Intrusion Detection System (WinIDS) is officially supported on the following operating systems in 64bit architecture only!
Windows x64 7 Professional
Windows x64 10 Professional
Windows x64 11 Professional
Windows x64 Server 2008 R2 Standard Edition
Windows x64 Server 2012 R2 Standard Edition
Windows x64 Server 2016 Standard Edition
Windows x64 Server 2019 Standard Edition
Windows x64 Server 2022 Standard Edition
Note: The Windows Intrusion Detection System (WinIDS) may not have any issues being installed on any variant of the Windows operating system listed above, including Datacenter. However, Winsnort.com has only verified that the Windows Intrusion Detection System does work on any of the Windows versions listed above, and those are the only ones supported in the forums.
Winsnort.com has six specific tutorials for installing a Windows Intrusion Detection System (WinIDS) using a Microsoft Windows operating system. There are four full blown tutorials for installing a Master (stand-alone) Windows Intrusion Detection System (WinIDS), and there are two tutorials dealing with installing slave sensors.
If you are going to be installing a full-blown Windows Intrusion Detection System (WinIDS) then there are only a couple of major decisions to make.
Decision 1: Which of the two supported Web Servers to use:
The Microsoft Internet Information Server (IIS)
The Apache2 Web Server
Decision 2: Which of the two supported Database Servers to use:
The MySQL Database Server
The PostgreSQL Database Server
If you are going to be installing a slave sensor, then there is only one major decision to make.
Decision 1: Which of the two supported Remote Database Servers the slave will be sending events to.
The MySQL Database Server
The PostgreSQL Database Server
Note: There are a multitude of additional support programs that will be installed across all installations.
Picking the correct tutorial always starts with one of the supported Operating Systems being installed, and it's always best to start with a fresh install. Now it comes down to which Web Server, and which Database server to use. The tutorials are written so installation can be any possible configuration of operating system, Web Server, or Database Server. It's completely the installer's preference.
Support Forums: Each tutorial has its own specific support forum. It is important to request support in the correct forum that matches the tutorial. For the installer's convenience there is a 'Get Support' button at the top of each tutorial that will open the correct support forum for that particular tutorial. It is important to use the correct support forum until the tutorial has been completed and events are being shuttled to the Windows Intrusion Detection Systems (WinIDS) security console. Once the Windows Intrusion Detection System has been verified to be working then questions should be asked in the Client forum.
If there are any questions, reply to this topic for an answer. This topic will be followed by the moderator and/or administrator. Questions should be answered in a reasonable amount of time. However, it could take up to 24 hours for a response. Winsnort.com has a great community, and they may jump in and help for a quicker response.
Good luck, and happy WinSnorting...
-
1 like
How to Install a Windows Intrusion Detection System (WinIDS) Running IIS and logging events to a local MySQL Database
Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
Last Date Revised: July 22, 2023
Written by: Michael E. Steele
Get Community Support!

Introduction
Take Note: Winsnort has phased out support for the 32bit architecture.
During my research and development for the past 20 plus years I've found a lot of tutorials, including blogs describing the installation process for the UNIX environment, but nothing specifically detailed for setting up an intrusion detection system in a Windows environment. These tutorials give all the basic instructions on how to create a complete and all inclusive standalone Windows Intrusion Detection System (WinIDS), including remote sensors. This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.
The goal of these tutorials was not just to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together and to get a deeper understanding of all the components so that troubleshooting and modifying the Windows Intrusion Detection System (WinIDS) can be completed with confidence.
If there are any doubts which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation.

Copyright Notice
This document is Copyright © 2003-2025 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved and this copyright notice is maintained. Other requests for distribution will be considered.
Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.
All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Get Support
All general support questions related to a specific tutorial MUST be directed to the specific forum for that particular tutorial. If there is any confusion just click on the 'Get Community Support' button at the top of each tutorial to get transported to the correct forum! There is a Client Only Lounge where all advanced questions/problems not related to the general installation of any of the tutorials should be posted. By request, there is a premium fee service available for one on one support, including remote installs.
If this tutorial has not been directly acquired from the winsnort.com website, then it is most likely not the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment
Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported Windows operating systems listed below. If this is a commercial installation and Windows 10 or Windows 11 is a requirement, it is recommended that the Windows Enterprise LTSC (Long Term Servicing Channel) version is used.
With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features that could be updated with new functionality, including Edge. Make note that all in-box Universal Windows apps are not included in the LTSC channel updates. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period.
The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don't need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See LTSC: What is it and when it should be used.
Windows x64 10 Professional / LTSC
Windows x64 11 Professional / LTSC
Windows x64 Server 2016 Standard Edition
Windows x64 Server 2019 Standard Edition
Windows x64 Server 2022 Standard Edition
Windows x64 Server 2025 Standard Edition
All the operating systems listed above have been tested using this tutorial. However, any other Windows operating system listed above, under the same framework, will most likely work.

Major support programs used in this install
Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format and on-forwarding to a MySQL database.
Pulledpork automates the rule updating process.
Strawberry Perl is everything needed to run perl scripts (.pl) and applications such as PulledPork.
ADOdb allows the same code to be used when accessing a wide range of databases.
MySQL-driven database stores processed events from Barnyard2 for analysis.
Microsoft's Internet Information Services will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
NSSM is the Non-Sucking Service Manager used to start Barnyard2 as a service.

History of Internet Information Services (IIS)
IIS 10.0 - included with Workstation 10, 11, Server 2016, 2019, 2022 and 2025

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial
A fresh install of any version of Windows listed above is highly recommended. All available Service Packs and updates MUST be applied from the Microsoft Download Center.
For this tutorial there are two disks: C:/ (Disk1 - System) with 300GB and D:/ (Disk2 - WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).
For this tutorial there are two disks being used.
Disk1: This is where the Windows operating system will be installed and should not require more than 100GB of space.
Disk2: This is where the Windows Intrusion Detection System will be installed and will require at least 1TB of space as a starting point.
Note: For Disk2 more space is always recommended for future growth.
The default installation paths are hard coded into this tutorial and are also hard coded into some of the install scripts.
If the default installation path for the Windows Intrusion Detection System is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder, then the appropriate changes will need to be made to this tutorial and possibly any script that might need to be run in order to accommodate the non-standard folder locations. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the core Windows Intrusion Detection Systems (WinIDS) Software Support Pack
It is imperative to only use the files included in the 'WinIDS - Core Software Support Pack' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Download the 'WinIDS - Core Software Support Pack'.
Open File Explorer and navigate to the location of the 'winids-core.zip' file, right-click the 'winids-core.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK' and eXit File Explorer.

Downloading additional and required support files for this tutorial
It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - Core Software Support Pack' were extracted.
npcap-1.86: Download and save the file to the d:\temp folder.
Snort 2.9.20: Download and save the file to the d:\temp folder.
There are two items that are mandatory and require access to a registered account on the snort.org website. Without these two items the Windows Intrusion Detection System (WinIDS) will fail.
Item 1: Open a browser, navigate to the snort.org website and either create an account or sign into an account that has already been created. Once signed in, on the left menu there is an 'Oinkcode' button; select that and a window opens displaying the Oinkcode that is linked to the signed in account. Either write that code down exactly as displayed or copy and paste it somewhere for later retrieval. That same code will be displayed every time the account is signed into. There is a regenerate button and if selected it will remove the old Oinkcode and replace it with a new Oinkcode. If a new Oinkcode is generated then it must be changed in the Pulledpork.conf file in order to continue getting new rules.
Item 2: Sign into the snort.org website if not signed in. Minimize the browser to the task bar but do not sign out. Continue to the next download (snortrules-snapshot-29200). Once the download is complete the browser can be closed.
Note: If the account is not signed into and active from the same place the download is initiated, the download will fail.
snortrules-snapshot-29200: Download and save the file to the d:\temp folder.
Pulledpork 8.0: Download and save the file to the d:\temp folder.
Strawberry Perl 5.42.0.1: Download and save the file to the d:\temp folder.
MySQL Database 8.0.44.0: Download and save the file to the d:\temp folder.
PHP 8.5.1 NTS (VS17): Download and save the file to the d:\temp folder.
ADOdb 5.22.11: Download and save the file to the d:\temp folder.
nssm 2.24: Download and save the file to the d:\temp folder.
Installing the Modder files
The modder file performs several tasks:
Disables Universal Access Control (UAC)
Installs Microsoft Visual C++ x86/x64 (VS18) 2017-2026
Installs Notepad2
Installs scripts and Tools
Installs 7zip
Inserts 'winids' hostname into hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
Excludes '.rules' in Defender (seen as a virus)
Sets TCP/IPv4 as the default protocol
Sets Show File Extensions
Reboots system
At the Windows Desktop press Win + R to open the Run dialog box. In the Run dialog box type 'cmd' (less the outside quotes) and then press CTRL+SHIFT+ENTER to open a command window as Administrator.
At the CMD prompt type 'd:\temp\modder.bat' (less the outside quotes) and tap the 'Enter' key.
Allow the script to automatically reboot the system! DO NOT INTERVENE!

Installing the Windows Intrusion Detection System (WinIDS)

Installing Npcap
Open a CMD window and type 'd:\temp\npcap-1.86.exe' (less the outside quotes) and tap the 'Enter' key.
The 'License Agreement' window opens and left-click 'I Agree'.
The 'Installation Options' window opens, make sure the only checked select box is 'Install Npcap in WinPcap API-compatible Mode' and left-click 'Install'.
The 'Installation Complete' window opens and left-click 'Next'.
The 'Finished' window opens and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine
At the CMD prompt type 'd:\temp\Snort_2_9_20_Installer.x64.exe' (less the outside quotes) and tap the 'Enter' key.
The 'License Agreement' window opens and left-click 'I Agree'.
The 'Choose Components' window opens and left-click 'Next'.
The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), left-click 'Next'.
The install completes with 'Completed' and left-click 'Close'.
The install finishes with 'Snort has been successfully installed.' and left-click 'OK'.

Installing Strawberry Perl
At the CMD prompt type 'd:\temp\strawberry-perl-5.42.0.1-64bit.msi' (less the outside quotes) and tap the 'Enter' key.
The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens and left-click 'Next'.
The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' check box and left-click 'Next'.
The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes) and left-click 'Next'.
The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.
The 'Install Strawberry Perl..' window opens, allow the install to complete and left-click 'Next'.
The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' check box and left-click 'Finish'.
At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.
Open a CMD window and type 'cpan install Sys::Syslog' (less the outside quotes) and tap the 'Enter' key.

Installing Pulledpork
At the CMD prompt type '7z x d:\temp\pulledpork-master.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'ren d:\winids\pulledpork-master pulledpork' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes) and tap the 'Enter' key.

Installing PHP
At the CMD prompt type '7z x d:\temp\php-8.5.1-nts-Win32-vs17-x64.zip -od:\winids\php' (less the outside quotes) and tap the 'Enter' key.

Installing Internet Information Services
At the CMD prompt type 'd:\winids\scripts\iis-install.bat' (less the outside quotes) and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console
At the CMD prompt type '7z x d:\temp\base.zip -od:\winids\wwwroot\base' (less the outside quotes) and tap the 'Enter' key.
Installing Barnyard2
At the CMD prompt type '7z x d:\temp\barnyard2-2.1.14-b337.zip -od:\winids\barnyard2' (less the outside quotes) and tap the 'Enter' key.

Installing the MySQL Database Server
At the CMD prompt type 'd:\temp\mysql-installer-community-8.0.44.0.msi' (less the outside quotes) and tap the 'Enter' key.
The MySQL installer 'Choosing a Setup Type' window opens. Left-click selecting the 'Custom' radio button and left-click 'Next'.
The MySQL installer 'Select Products' window opens. Under 'Available Products:' left-click expanding 'MySQL Servers', left-click expanding 'MySQL Server', left-click expanding 'MySQL Servers 8.0', left-click highlighting 'MySQL Server 8.0.44 - X64' and left-click the green arrow pointing to the right, moving 'MySQL Server 8.0.44 - X64' to the 'Products To Be Installed:' section.
Under 'Products To Be Installed:' left-click highlighting 'MySQL Server 8.0.44 - X64'. Just above the 'Cancel' button left-click 'Advanced Options' and the 'Advanced Options for MySQL Server 8.0.44' window opens.
In the 'Install Directory:' dialog box type 'D:\winids\mysql' (less the outside quotes).
In the 'Data Directory:' dialog box type 'D:\winids\mysql' (less the outside quotes), left-click 'OK' and left-click 'Next'.
The MySQL installer 'Installation' window opens. Left-click 'Execute', allow MySQL to 'Complete' the install and left-click 'Next'.
The MySQL installer 'Product Configuration' window opens, left-click 'Next'.
The MySQL installer 'Type and Networking' window opens. Under 'Server Configuration Type' left-click the 'Config Type:' drop-down, left-click selecting 'Server Computer' and left-click 'Next'.
The MySQL installer 'Authentication Method' window opens. To the left of 'Use Legacy Authentication Method...' left-click selecting the radio button and left-click 'Next'.
The MySQL installer 'Accounts and Roles' window opens. In the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes) and tap the 'Tab' key.
In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), tap the 'Tab' key and left-click 'Next'.
The MySQL installer 'Windows Service' window opens. In the 'Windows Service Name:' dialog box type 'MySQL' (less the outside quotes) and left-click 'Next'.
The MySQL installer 'Server File Permissions' window opens, left-click 'Next'.
The MySQL installer 'Apply Configuration' window opens. Left-click 'Execute', allow the configuration for MySQL Server to succeed and left-click 'Finish'.
The MySQL installer 'Product Configuration' window opens, left-click 'Next'.
The MySQL installer 'Installation Complete' window opens. Left-click 'Finish' to complete the MySQL Database installation.
At the CMD prompt type 'copy d:\winids\mysql\lib\libmysql.dll c:\windows\system32' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the command prompt.

Installing ADODB
At the CMD prompt type '7z x d:\temp\adodb-5.22.11.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'ren d:\winids\adodb-5.22.11 adodb5' (less the outside quotes) and tap the 'Enter' key.

Verifying Snort is detecting network traffic
Snort monitors traffic on a specific NIC, and Npcap assigns an Index number to every NIC. This procedure will determine which Index number Snort is attached to, so write it down as it will be needed several times for testing and final configuration!
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.
The following is a partial example of what might be listed as valid Network Interface Cards.
Index  Physical Address   IP Address                               Device Name                                          Description
-----  -----------------  ---------------------------------------  ---------------------------------------------------  -----------
    1  20:41:53:59:4E:FF  disabled                                 \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}  RAS Async Adapter
    2  00:0C:29:27:2C:1F  0000:0000:fe80:0000:0000:0000:e0ef:e77d  \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}  Intel(R) PRO/1000 MT Network Connection
    3  00:00:00:00:00:00  disabled                                 \Device\NPF_Loopback                                 Adapter for loopback traffic capture

Note: There may be several Network Interface Cards listed. Snort needs to know which Index number is attached to the NIC that is monitoring the network traffic.
At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
There should now be multiple packets passing through the Terminal window (example packet below). If there is no traffic passing through, then open a web browser and generate some web traffic. If there is still no traffic passing through, then activate the CMD window, press CTRL/C to stop the Snort process and try another Index number.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If all Index numbers have been exhausted then there could be a couple of issues:
No Internet connection
NIC not compatible
NIC drivers need updating
Wrong Index number given to the interface switch (snort -v -ix)
Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
After verifying the Index number, eXit the web-browser, activate the CMD window and press the CTRL/C keys to stop the Snort process, exiting back to the CMD prompt.
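Picking the Index number out of the 'snort -W' table can also be done programmatically. The following is an added example, not part of the tutorial or the WinIDS scripts: it parses the table layout shown above (the sample rows are constructed from the three adapters on the page) and returns the Index numbers worth trying with '-ix', i.e. adapters that hold an address and are not the loopback capture adapter.

```python
import re
from typing import List, NamedTuple

# Constructed sample of 'snort -W' output using the three adapters from the
# tutorial's table (lab values, not a real host).
SAMPLE_SNORT_W = """\
Index  Physical Address   IP Address                               Device Name                                          Description
-----  -----------------  ---------------------------------------  ---------------------------------------------------  -----------
    1  20:41:53:59:4E:FF  disabled                                 \\Device\\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}  RAS Async Adapter
    2  00:0C:29:27:2C:1F  0000:0000:fe80:0000:0000:0000:e0ef:e77d  \\Device\\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}  Intel(R) PRO/1000 MT Network Connection
    3  00:00:00:00:00:00  disabled                                 \\Device\\NPF_Loopback                                 Adapter for loopback traffic capture
"""


class Nic(NamedTuple):
    index: int
    mac: str
    ip: str           # 'disabled' when Npcap reports no address on the adapter
    device: str       # \Device\NPF_{GUID} or \Device\NPF_Loopback
    description: str


# One data row: Index, MAC, IP (or 'disabled'), \Device\... name, free-text description.
# Header and separator lines do not start with a number and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(\\Device\\\S+)\s+(.*?)\s*$"
)


def parse_snort_w(text: str) -> List[Nic]:
    """Parse the adapter table printed by 'snort -W'."""
    nics = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            nics.append(Nic(int(m.group(1)), m.group(2).upper(), m.group(3),
                            m.group(4), m.group(5)))
    return nics


def candidate_indexes(nics: List[Nic]) -> List[int]:
    """Index numbers worth trying with '-ix'.

    Skips adapters Npcap reports as 'disabled', the loopback capture adapter
    and the all-zero MAC the loopback adapter carries; what remains is the
    list to walk through with 'snort -v -ix' until packets appear.
    """
    out = []
    for nic in nics:
        if nic.ip.lower() == "disabled":
            continue
        if "NPF_Loopback" in nic.device or nic.mac == "00:00:00:00:00:00":
            continue
        out.append(nic.index)
    return out


def snort_test_command(index: int) -> str:
    """The tutorial's configuration self-test command with the Index number substituted for x."""
    return (f"d:\\winids\\snort\\bin\\snort -c d:\\winids\\snort\\etc\\snort.conf "
            f"-l d:\\winids\\snort\\log -i{index} -T")


if __name__ == "__main__":
    adapters = parse_snort_w(SAMPLE_SNORT_W)
    for nic in adapters:
        print(f"{nic.index}: {nic.description} ({nic.ip})")
    print("candidate -ix values:", candidate_indexes(adapters))
    for idx in candidate_indexes(adapters):
        print(snort_test_command(idx))
```

On a real host, pipe the actual 'snort -W' output into parse_snort_w instead of the constructed sample; only an adapter that shows packets with 'snort -v -ix' is the right one.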
Do not proceed until network traffic is being displayed in the CMD window.

Processing task dependencies prior to Snort configuration
At the CMD prompt type '7z x d:\temp\snortrules-snapshot-29200.tar.gz -od:\temp' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type '7z e d:\temp\snortrules-snapshot-29200.tar -aoa -od:\winids\snort\etc etc\*.*' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'del d:\temp\snortrules-snapshot-29200.tar /Q' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH/# include \$RULE\_PATH/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key. This comments out every rule include in snort.conf, so that only the includes added in the next section are active.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\winids.rules' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'copy d:\winids\scripts\local.rules d:\winids\snort\rules\local.rules' (less the outside quotes) and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254.
It is important to specify the correct internal IP segment or segments of the Windows Intrusion Detection System (WinIDS) network that needs monitoring and to set the correct CIDR(s).

Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
# var PREPROC_RULE_PATH ../preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $RULE_PATH/local.rules
Change to:
include $RULE_PATH/local.rules

Just below the line 'include $RULE_PATH/local.rules', add the next three lines.
include $RULE_PATH/winids.rules
include $RULE_PATH/white_list.rules
include $RULE_PATH/black_list.rules

Save the file and eXit Notepad2.

Testing the Snort configuration file
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
This will test the Snort configuration and, depending on the resources used and/or available, it could take several minutes to run the self-test mode. If all the tests pass, the following is the confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Now to test a rule. Scrolling up through the output from the Snort configuration test in the CMD window should show 1 Snort rule read, as shown in the example below.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

At the CMD prompt type 'd:\winids\snort\bin\snort -A console -q -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
Once Snort has started with the above command, go to another computer or open another CMD window and ping the IP of the interface that Snort is listening on. Output similar to the below should appear in the CMD window if the ping was successful.
02/02-14:25:23.413383 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:28.037797 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:33.038644 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:38.041163 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
*** Caught Int-Signal

Note: If the ping is not detected, check the HOME_NET setting in the snort.conf file to make sure it has been configured correctly.
Do not proceed until the ping has been detected!
Activate the CMD window and press CTRL/C to exit back to the CMD prompt.
Note: After the above ping test was successful, the rule that generated the events must be disabled. If the rule is not disabled the database will fill up with millions of useless events.
At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH\/local.rules/# include \$RULE\_PATH\/local.rules/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

Configuring Pulledpork
At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|x
Note: Insert your unique Oinkcode into the x position above.
Original Line(s):
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to:
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Original Line(s):
temp_path=/tmp
Change to:
temp_path=d:/winids/pulledpork/temp

Original Line(s):
rule_path=/usr/local/etc/snort/rules/snort.rules
Change to:
rule_path=d:/winids/snort/rules/winids.rules

Original Line(s):
local_rules=/usr/local/etc/snort/rules/local.rules
Change to:
local_rules=d:/winids/snort/rules/local.rules

Original Line(s):
sid_msg=/usr/local/etc/snort/sid-msg.map
Change to:
sid_msg=d:/winids/snort/etc/sid-msg.map

Original Line(s):
sid_changelog=/var/log/sid_changes.log
Change to:
sid_changelog=d:/winids/snort/log/sid_changes.log

Original Line(s):
block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
Change to:
# block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

Original Line(s):
IPRVersion=/usr/local/etc/snort/rules/iplists
Change to:
# IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s):
snort_control=/usr/local/bin/snort_control
Change to:
# snort_control=/usr/local/bin/snort_control

Original Line(s):
# snort_version=2.9.0.0
Change to:
snort_version=2.9.20.0

Original Line(s):
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Change to:
enablesid=d:/winids/pulledpork/etc/enablesid.conf
dropsid=d:/winids/pulledpork/etc/dropsid.conf
disablesid=d:/winids/pulledpork/etc/disablesid.conf
modifysid=d:/winids/pulledpork/etc/modifysid.conf

Original Line(s):
# ips_policy=security
Change to:
ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced and security) that can be used. Change the above to your specific needs.
Each policy has the Sourcefire recommended rules applied, and the 'ips_policy' switch is only an option. By placing a hash mark '#' (less the outside quotes) in front of the 'ips_policy' switch, Pulledpork will process the stock rules as they are.

Connectivity: Means "Connectivity over Security". Meaning this is a speedy policy for people that insist on blocking only the really known bad with no false positives.

Balanced: Means "Balanced between Connectivity and Security". Meaning that this is a good starter policy for everyone. It's quick, has a good base coverage level and covers the latest threats of the day. The policy contains everything that is in Connectivity.

Security: Means "Security over Connectivity". Meaning that this is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it. Rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity and Balanced.

Save the file and eXit Notepad2.

Rule activation and testing with Pulledpork
At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes) and tap the 'Enter' key.
This will not only test the Pulledpork configuration file, but will install the latest ruleset. Depending on the resources used and/or available, it could take several minutes to process. If the test passed, the following is the confirmation that the Pulledpork configuration file passed and the rules were successfully installed.

Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Do not proceed until 'Fly Piggy Fly!' has appeared.

Testing the Snort configuration file
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
Pulledpork modified/added new rules and Snort will need to test the new rules to verify there are no errors. The following is the confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring PHP
At the CMD prompt type 'mkdir d:\winids\php\logs' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
;error_log = php_errors.log
Change to:
error_log = d:\winids\php\logs\php_errors.log

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php"

Original Line(s):
;extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;cgi.force_redirect = 1
Change to:
cgi.force_redirect = 0

Original Line(s):
;extension=gd
Change to:
extension=gd

Original Line(s):
;extension=gmp
Change to:
extension=gmp

Original Line(s):
;extension=mysqli
Change to:
extension=mysqli

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.
Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file and eXit Notepad2.

Configuring IIS for PHP and the Windows Intrusion Detection Systems security console
At the CMD prompt type 'c:\windows\system32\inetsrv\inetmgr' (less the outside quotes), tap the 'Enter' key and the 'Internet Information Services (IIS) Manager' opens.
If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...', left-click 'No'.

Setting up FastCGI for the WinIDS Security Console
On the left under 'Connections' left-click and expand '<server name>'.
On the left under '<server name>' left-click and expand 'Sites'.
On the left under 'Sites' left-click highlighting 'Default Web Site'.
In the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Handler Mappings' and left-click 'Open Feature'.
On the right under 'Actions' left-click 'Add Module Mapping...'.
In the 'Request Path:' dialog box type '*.php' (less the outside quotes).
In the 'Module' drop-down list select 'FastCgiModule'.
In the 'Executable (optional):' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes).
In the 'Name:' dialog box type 'PHP-FastCGI' (less the outside quotes).
Left-click opening 'Request Restrictions...'.
To the left of 'Invoke handler only if request is mapped to:' left-click and place a check mark as the selected option, if one is not already there.
Under 'Invoke handler only if request is mapped to:', left-click selecting the 'File or Folder' radio button, left-click 'OK' to exit 'Request Restrictions' and left-click 'OK' to exit 'Add Module Mapping'.
The 'Add Module Mappings' information window opens, left-click 'Yes' to create a FastCGI application.
In the center window titled 'Handler Mappings', in the 'Name' column PHP-FastCGI must be listed.
In the 'Path' column for 'PHP-FastCGI', *.php must be listed.
In the 'State' column for 'PHP-FastCGI', Enabled must be listed.

Setting the Default Document type for the WinIDS Security Console
On the left under 'Connections' left-click highlighting 'Default Web Site'.
In the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document' and left-click 'Open Feature'.
On the right under 'Actions' left-click 'Add...'.
The 'Add Default Document' dialog box opens. In the 'Name:' dialog box type 'index.php' (less the outside quotes) and left-click 'OK'.
In the center window titled 'Default Document', index.php must be listed as the top entry under 'Name', and Local must be listed under 'Entry Type'.
Note: As an option all the other entries can be removed!

Setting the Default Website Path for the WinIDS Security Console
On the left under 'Connections' right-click 'Default Web Site', mouse over 'Manage Web Site' and left-click 'Advanced Settings'.
The 'Advanced Settings' window opens. Under '(General)' left-click highlighting 'Physical Path'.
In the dialog box to the right of 'Physical Path' type 'd:\winids\wwwroot\base' (less the outside quotes) and left-click 'OK'.
eXit the 'Internet Information Services (IIS) Manager' applet.
At the CMD prompt type 'iisreset /restart' (less the outside quotes) and tap the 'Enter' key.

Testing IIS and the PHP installation
Open a CMD window and type 'copy d:\winids\scripts\test_php.php d:\winids\wwwroot\base' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.
Open a web-browser and type 'http://winids/test_php.php' (less the outside quotes) into the URL Address box and tap the 'Enter' key.
Several sections of information concerning the status and install of PHP should be displayed.
In the first section of information make SURE that the item labeled 'Server API' is pointing to 'CGI/FastCGI'.
In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini'.
In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' in the columns 'Local Values' and 'Master Values'.
In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php' in the columns 'Local Values' and 'Master Values'.
In the section labeled 'session' make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' in the columns 'Local Values' and 'Master Values'.
Do not proceed until all the above paths are correct!
eXit the web-browser.
At the CMD prompt type 'del d:\winids\wwwroot\base\test_php.php' (less the outside quotes) and tap the 'Enter' key.

Adding Snort to the Windows Services Database
At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.
Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
This will install Snort into the Windows Services Database, and the below is the confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes) and tap the 'Enter' key.
The following is the confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been successfully activated.

Configuring the MySQL Database Server
Open a CMD window and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate the line '[mysqld]' (less the outside quotes) and just below it add the next two lines (the bind-address restricts the database server to connections from the local host).
character-set-server=utf8
bind-address=127.0.0.1
Save the file and eXit Notepad2.

Creating the Windows Intrusion Detection System Databases
At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes) and tap the 'Enter' key to be dropped into the MySQL CMD prompt as Administrator.
At the mysql CMD prompt type 'create database snort;' (less the outside quotes) and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'create database archive;' (less the outside quotes) and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'show databases;' (less the outside quotes) and tap the 'Enter' key. There should be several databases listed: 'information_schema', 'archive', 'mysql' and 'snort'.

Creating the Windows Intrusion Detection System Database Tables
At the mysql CMD prompt type 'connect snort;' (less the outside quotes) and tap the 'Enter' key. It will display 'Current database: snort' and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes) and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes) and tap the 'Enter' key.
The last entry on the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes) and drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes) and tap the 'Enter' key. The last entry on the screen should show '22 rows in set (0.00 sec)' (less the outside quotes) and drop back to the mysql prompt.
At the mysql CMD prompt type 'connect archive;' (less the outside quotes) and tap the 'Enter' key. It will display 'Current database: archive' and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes) and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes) and tap the 'Enter' key. The last entry on the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes) and drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes) and tap the 'Enter' key. The last entry on the screen should show '22 rows in set (0.00 sec)' (less the outside quotes) and drop back to the mysql prompt.

Creating the Windows Intrusion Detection System Database Access and Authenticated Users
At the mysql CMD prompt type 'CREATE USER 'snort' IDENTIFIED WITH mysql_native_password BY 'l0gg3r';' (less the outside quotes) and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE ON snort.* TO 'snort';' (less the outside quotes) and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'CREATE USER 'base' IDENTIFIED WITH mysql_native_password BY 'an@l1st';' (less the outside quotes) and tap the 'Enter' key.
It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'GRANT ALTER,CREATE,DELETE,INSERT,SELECT,UPDATE ON snort.* TO 'base';' (less the outside quotes) and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'GRANT ALTER,CREATE,DELETE,INSERT,SELECT,UPDATE ON archive.* TO 'base';' (less the outside quotes) and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'use mysql;' (less the outside quotes) and tap the 'Enter' key.
At the mysql CMD prompt type 'select user from user;' (less the outside quotes) and tap the 'Enter' key. There should be several users listed, including base and snort.
At the mysql CMD prompt type 'quit;' (less the outside quotes) and tap the 'Enter' key.

Confirming MySQL and Snort are operational
At the CMD prompt type 'net stop mysql & net start mysql & net start snort' (less the outside quotes) and tap the 'Enter' key.
Do not proceed until the MySQL Database has successfully restarted and Snort has successfully started!
At the CMD prompt type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager.
Left-click the 'Processes' tab. At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes.
In the 'Name' or 'Image Name' column, 'snort.exe' and 'mysqld.exe' should be listed.
Do not proceed until the processes above are running!
eXit the 'Task Manager'.

Configuring BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console
At the CMD prompt type 'copy d:\winids\wwwroot\base\base_conf.php.dist d:\winids\wwwroot\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key. It should display '1 file(s) copied.' and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\wwwroot\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'mysql';

Original Line(s):
$alert_dbname   = 'snort_log';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname   = 'snort';
$alert_host     = 'winids';
$alert_port     = '';
$alert_user     = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists   = 0; # Set this to 1 if you have an archive DB
$archive_dbname   = 'snort_archive';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists   = 1; # Set this to 1 if you have an archive DB
$archive_dbname   = 'archive';
$archive_host     = 'winids';
$archive_port     = '';
$archive_user     = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$resolve_IP = 0;
Change to:
$resolve_IP = 1;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Save the file and eXit Notepad2.

Configuring Barnyard2
At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes) and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
Change to:
config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
# output database: log, mysql, user=root password=test dbname=db host=localhost
Change to:
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS_Master

Save the file and eXit Notepad2.

Testing the Barnyard2 configuration file
At the CMD prompt type 'd:\winids\scripts\by2-test.bat' (less the outside quotes) and tap the 'Enter' key.
This will start Barnyard2 in self-test mode for configuration testing and, depending on the resources used and/or available, it could take from 10 minutes to 1 hour to run the self-test mode. If all the tests pass, the following is the confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited and closed the connection to the Snort database!

Installing the Non-Sucking Service Manager (nssm)
At the CMD prompt type '7z e d:\temp\nssm-2.24.zip nssm-2.24\win64\nssm.exe -od:\winids\tools' (less the outside quotes) and tap the 'Enter' key.

Adding Barnyard2 to the Windows Services Database using nssm
At the CMD prompt type 'd:\winids\scripts\by2-service.bat' (less the outside quotes) and tap the 'Enter' key.
The following is the confirmation that the Barnyard2 auto-start service has been successfully activated.
Service "Barnyard2" installed successfully!
Set parameter "Start" for service "Barnyard2".
Barnyard2 service installed and started with auto-start.

Do not proceed until 'Barnyard2 service installed and started with auto-start' is displayed.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes) and tap the 'Enter' key. The following output confirms that the Barnyard2 delayed auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Barnyard2 auto-start service has been successfully activated.

Adding the Rules Updater to the Desktop

At the CMD prompt type 'd:\winids\scripts\sc-create.bat' (less the outside quotes) and tap the 'Enter' key.

Note: A "Rules Update" shortcut has been added to the desktop for manually initiating a rules update. For a simple rule update just right-click the desktop icon and select 'Run as Administrator'.

The Rules Updater can be scheduled.
The Rules Updater can run silent.
The Rules Updater can email results to a valid SMTP server.

Note: There is a tutorial located HERE to detail the above options.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes) and tap the 'Enter' key to reboot.

Verifying that Barnyard2 and Snort are running as processes after rebooting

It could take several minutes for the Barnyard2 process to appear after rebooting, as it is on a delayed start.

After the reboot, open a CMD window and type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager. Left-click the 'Processes' tab. At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes. In the 'Name' or 'Image Name' column 'snort.exe' and 'Barnyard2.exe' should both be listed. Do not proceed until both processes show as running! eXit the 'Task Manager'.

At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.
Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box and tap the 'Enter' key.

Note: The Windows Intrusion Detection Systems (WinIDS) Security Console is configured to auto refresh every three minutes. Manually refreshing the browser (F5) will show new events and restart the auto refresh counter.

Depending on the available resources and the active ruleset, it could take from 10-60 minutes to see events being added to the Windows Intrusion Detection System (WinIDS) console. If no events have been logged after a reasonable length of time, there is a topic here with detailed instructions on how to activate all the rules for testing purposes ONLY. Failure to follow those instructions completely to the end after events have been successfully logged will result in millions of useless events being added to the database.

In Conclusion

At this point the tutorial has been successfully completed. Events should be arriving in the database, and those events should be visible in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage the post-installation tweaks listed below to get a somewhat production-ready 'Windows Intrusion Detection System (WinIDS)'.

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
Become a subscriber (fee based) on snort.org to get access to zero day rules.
Scheduling a rules update (with the included Rules Updater).

Security Issues

Let's review what has happened so far:

All support programs, including IIS, have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.
A desktop icon was installed to manually initiate a rules update using Pulledpork (rules updates can only be initiated every 15 minutes).

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS). This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).
How to schedule automatic rules updating. This tutorial is a simple to understand process on how to schedule automatic rules updating.
How to compile Barnyard2 on Windows using Cygwin. This tutorial is a simple to understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator).
How to build and deploy a passive Ethernet tap. This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine. This tutorial will show how to update the Snort Intrusion Detection Engine.
How to update the Windows Intrusion Detection Systems rules. This tutorial will show how to update the Windows Intrusion Detection Systems rules.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log, or check the actual log file for the specific application.
General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback on any recommendations, experiences or ideas for this tutorial. Please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
Windows Intrusion Detection System - Companion Add-On Tutorial
Installing Event Email Alerting into an existing WinIDS
Written by: Michael E. Steele
Get Community Support!

Introduction

This tutorial is a simple to understand, step-by-step tutorial for adding priority e-mail event alerting to all existing Windows Intrusion Detection Systems (WinIDS).

Copyright Notice

This document is Copyright © 2002-2024 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support. If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

How to use this guide

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Mandatory prerequisites

Access to a VALID outgoing SMTP server from the Windows Intrusion Detection System (WinIDS).
A Master or Slave Windows Intrusion Detection System (WinIDS) has been installed.
The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial.
Installation will use the default path or paths as directed in the guide. Your paths may be different, so be sure to replace the paths we used with the paths you used.

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the WinIDS Companion Software Development Pack

It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.

Download and save the 'WinIDS Companion Software Development Pack' to a temporary location.
Open File Explorer and navigate to the location of the 'winids-csdp.zip' file, right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)

Installing and Configuring EventWatchNT

In File Explorer, navigate to the 'd:\temp' folder, right-click the 'eventwatchnt_v233.exe' file and left-click 'Run as administrator'. The 'WinZip Self-Extractor' starts. In the 'Unzip to folder:' dialog box type 'd:\winids\eventwatchnt', and left-click 'Unzip'; a confirmation window opens stating 'x file(s) unzipped successfully'. Left-click 'OK', and left-click 'Close' to eXit the 'WinZip Self-Extractor'.

In File Explorer, navigate to the 'd:\winids\eventwatchnt' folder, right-click the 'eventwatchnt.exe' file and left-click 'Run as administrator'. If this is the first run, left-click 'I Agree' at the 'License Agreement for EventwatchNT' screen. The EventwatchNT Configuration wizard starts with some dialog boxes filled in.

In the 'Sender Name:' dialog box type the name of the WinIDS.

In the next configuration you will enter the actual domainname.com of this sensor. When you receive an Email Alert this will be the originating address of the event. In the 'Sender Email Address:' dialog box type 'eventwatch@yourdomain.com' (less the outside quotes).

In the 'Recipients:' dialog box type the email address where the events will be sent.

In the 'SMTP Server:' dialog box type the name or IP of the VALID outgoing SMTP server.

Logged events have a priority range from 1-3, with 1 being the highest priority and 3 being the lowest priority event.
This section of the documentation will walk you through setting up the IDS for sending events based on the highest priority event.

In the 'Email Subject:' type 'WinIDS Priority 1 Alert!' (less the outside quotes).

In the 'Filter(s):' dialog box type '[Priority: 1]' (less the outside quotes; the [ ] are included and must be typed exactly).

In the 'Type:' select box choose 'Include'.

At this point you should be able to click the 'Test' button and send a test message to the 'Sender Email Address' that was selected above.

In the 'Event logs to monitor' select box, only 'Application' needs to be ticked.

In the 'Events to report' select box, only 'WARNING' needs to be ticked.

In the 'Options' select box, only 'HTML Email' needs to be ticked.

In the 'Installation' select box, left-click the 'Install' button.

In the 'Service Control' select box, left-click the 'Start' button.

Click the 'OK' button at the top right to eXit the EventwatchNT application. Exit File Explorer.

Open a CMD window with Administrator privileges and type 'eventvwr' (less the outside quotes), and tap the 'Enter' key. Expand 'Windows Logs', right-click 'Application', select 'Properties', tick 'Overwrite events as needed', left-click the 'Apply' button, left-click 'OK', and eXit the Event Viewer.

Configuring the Snort Detection Engine for Application logging

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
# output alert_syslog: LOG_AUTH LOG_ALERT
Change to:
output alert_syslog: LOG_AUTH LOG_INFO

Save the file and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.
Index  Physical Address   IP Address
-----  -----------------  ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list, the 'Index' number is important and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where the 'x' (less the outside quotes) always represents the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x' above. This will start Snort in self-test mode for configuration and rule file testing; depending on the resources used and/or available, the self-test could take several minutes to run. If all the tests pass, the following output confirms that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

At the CMD prompt type 'shutdown -r -t 01' (less the outside quotes), and tap the 'Enter' key to reboot.

After the system is rebooted, Barnyard2 will be running in a minimized window located in the Windows task bar. It could take several minutes for Barnyard2 to initialize and start shuttling triggered events to the database. If everything is working correctly, all events with a '[Priority: 1]' (less the outside quotes) should be emailed to the specified account.
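The message text that Snort writes into the Application log through 'output alert_syslog', and the literal '[Priority: 1]' string typed into the EventWatchNT 'Filter(s):' box, can both be checked offline before relying on the email service. The script below is an added example for this tutorial, not code from WinIDS, Snort or EventWatchNT: it parses alert messages of the shape the tutorial's example email shows (gid:sid:rev, message, classification, priority, protocol, source and destination), applies the same literal include filter EventWatchNT is configured with, and reports which sample events would produce an email. The sample events are constructed (documentation and private addresses, made-up SIDs), the assumption that classification and ports may be absent covers preprocessor and ICMP alerts, and all function and variable names are the example's own.

```python
"""Parse Snort alert messages and apply an EventWatchNT-style priority filter.

Added example for this tutorial; it is not code from WinIDS, Snort or
EventWatchNT. The sample lines below are constructed (private and
documentation addresses, made-up SIDs) and only imitate the message text that
Snort's 'output alert_syslog' writes into the Windows Application log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Message shape assumed from the tutorial's example email:
# [gid:sid:rev] msg [Classification: text] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification and ports are treated as optional (preprocessor alerts, ICMP).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return the parsed alert, or None for lines that are not Snort alerts.

    re.search (not fullmatch) is used so that a message copied out of an
    EventWatchNT email, with its 'MESSAGE : ' prefix, still parses.
    """
    m = ALERT_RE.search(line.strip())
    if m is None:
        return None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["classification"],
        priority=int(m["priority"]),
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def matches_include_filter(message: str, filter_text: str) -> bool:
    """Mimic the EventWatchNT 'Include' filter as the tutorial describes it:
    the filter string must appear literally in the event message. Keeping the
    square brackets scopes the match to the priority field rather than to any
    '1' that happens to appear elsewhere in the message text."""
    return filter_text in message


def select_alerts(lines: List[str], max_priority: int = 1) -> List[SnortAlert]:
    """Alerts at or above the chosen priority (1 is the most severe)."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a is not None and a.priority <= max_priority]


# Constructed sample events (not real traffic); the first line has the same
# shape as the Priority-1 alert in the tutorial's example email.
SAMPLE_EVENTS = [
    "[1:1000001:1] CONSTRUCTED priority-1 sample [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:44512 -> 192.168.1.3:445",
    "[1:1000002:1] CONSTRUCTED priority-2 sample [Classification: Potential Corporate Privacy Violation] [Priority: 2] {UDP} 192.168.1.3:51234 -> 198.51.100.7:53",
    "[1:1000003:2] CONSTRUCTED priority-3 sample [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.3",
    "[122:1:0] CONSTRUCTED preprocessor sample without classification [Priority: 3] {PROTO:255} 203.0.113.10 -> 192.168.1.3",
    "Barnyard2 successfully loaded configuration file!",
]

EVENTWATCH_FILTER = "[Priority: 1]"  # exactly what the tutorial types into 'Filter(s):'

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        alert = parse_alert(line)
        emailed = matches_include_filter(line, EVENTWATCH_FILTER)
        if alert is None:
            print(f"not a Snort alert: {line!r}")
        else:
            print(f"sid={alert.sid} prio={alert.priority} {alert.proto} "
                  f"{alert.src} -> {alert.dst}  email={'yes' if emailed else 'no'}")
```

Running the script lists one email-worthy event (the Priority-1 sample) and three that the filter ignores; feeding it the 'MESSAGE :' line of a real EventWatchNT email is a quick way to confirm that the filter string and Snort's message format agree before waiting for live traffic.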
In Conclusion

Congratulations, you have just completed setting up the Windows Intrusion Detection System (WinIDS) to send out e-Mails based on Priority-1 events. At this point you are done with this tutorial: all events should be arriving in the Windows Application log in Event Viewer, and you should be receiving e-Mail alerts based on Priority-1 events. If no emails are being received, check the Application Log in the Event Viewer to verify the existence of any Priority-1 events.

An example of what the events should look like in the email:

________________________________________
EVENT # : 2310
EVENTLOG : Application
EVENT TYPE: WARNING (2)
SOURCE : snort
EVENT ID : 1
TIME : 3/4/2019 11:26:59 PM
MESSAGE : [1:16282:4] PUA-P2P Bittorrent uTP peer request [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 220.86.45.46:7388 -> 192.168.1.3:18318
________________________________________

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS). This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).
How to configure Barnyard2 to run as a service. This tutorial is a simple to understand process on how to configure Barnyard2 to run as a service.
How to compile Barnyard2 on Windows using Cygwin. This tutorial is a simple to understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator).
How to build and deploy a passive Ethernet tap. This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine. This tutorial will show how to update the Snort Intrusion Detection Engine.
How to update the Windows Intrusion Detection Systems rules. This tutorial will show how to update the Windows Intrusion Detection Systems rules.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
