Morpheus

Administrators
  • Content count

    488
  • Joined

  • Last visited

7 Followers

About Morpheus

  • Rank
    Administrator

Profile Information

  • Country
    United States

Recent Profile Visitors

10,314 profile views
  1. Windows Intrusion Detection System - Companion Add-On Tutorial

     Configuring Barnyard2 to run as a Windows service
     Written by: Michael E. Steele

     Introduction

     This tutorial is a simple to understand, step-by-step tutorial to upgrade an existing Master Windows Intrusion Detection System to run Barnyard2 as a Windows service. By default the Master Windows Intrusion Detection System requires someone to be logged into the Windows Intrusion Detection System in order for Barnyard2 to shuttle events to the database. Running Barnyard2 as a Windows service, events are shuttled to the database immediately whether anyone is logged in or not.

     Copyright Notice

     This document is Copyright © 2002-2017 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

     Support Questions and Help

     All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support.

     If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

     Operating System and Configuration Setup

     All existing Master Windows Intrusion Detection Systems (WinIDS) are supported.

     Prepping Barnyard2 to run as a Windows service

     This tutorial assumes the files from the original Windows Intrusion Detection System (WinIDS) tutorial have been downloaded, and are located in the d:\temp folder. It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Pack'. Those files have been thoroughly tested and compatible with this particular tutorial.

     Converting Barnyard2 to run as a Windows Service Tutorial

     Adding Barnyard2 to the Windows Services Database

     At the CMD prompt type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

     At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the enter key.

     At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the enter key.

     The following is a confirmation that 'srvany' was successfully added to the Windows Services Database.

     The service was successfully added!

     Do not proceed until the srvany service has been successfully added!

     At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the enter key.

     The following is a confirmation that Barnyard2 was successfully added to the Windows Services Database.

     The service was successfully added!

     Do not proceed until the Barnyard2 service has been successfully added!

     At the CMD window type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

     The Registry Editor selection box opens and asks; 'Are you sure you want to continue?', left-click 'Yes', and at the next input selection left-click 'OK'.

     At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key.

     The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.

     [SC] ChangeServiceConfig SUCCESS

     Do not proceed until the Barnyard2 auto-start service has been successfully activated.

     Open a CMD window and type 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Barnyard2 /f' (less the outside single quotes), and tap the 'Enter' key.

     The above run line will remove the existing registry key that invokes Barnyard2 to run when someone logs in.

     The following is a confirmation that the registry key was removed successfully.

     The operation completed successfully.

     Do not proceed until 'The operation completed successfully.'

     At the CMD prompt type 'taskkill /F /IM barnyard2.exe' (less the outside quotes), and tap the 'Enter' key.

     The above run line terminates the existing Barnyard2 process.

     The following is a confirmation that the Barnyard2 process has been successfully terminated.

     SUCCESS: The process "barnyard2.exe" with PID 2340 has been terminated.

     Do not proceed until the Barnyard2 process has been terminated.

     At the CMD prompt type 'net start barnyard2' (less the outside quotes), and tap the 'Enter' key.

     The above run line starts the new Barnyard2 Windows service.

     The following is a confirmation that the Barnyard2 Windows service was successfully started.

     The Barnyard2 service is starting.
     The Barnyard2 service was started successfully.

     Do not proceed until the Barnyard2 service has been started successfully.

     Note: It may take several minutes before events start arriving in the Windows Intrusion Detection Systems security console.

     In conclusion

     Congratulations, you have just converted the default Barnyard2 to run as a Windows service. I hope this tutorial has been of great assistance.

     Optional Companion Documents

     Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

     How to update the Master Sensor rules, signatures, and sig-msg.map using PulledPork
     This tutorial will show how to update the Master Sensor rules, signatures, and the sig-msg.map file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

     How to update the Slave sensor rules using PulledPork
     This tutorial will show how to update the Slave Sensor rules using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

     How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
     This tutorial will show how to send user defined priority events sent to a Windows Application Log file being eMailed to user defined eMail accounts, on an existing Windows Intrusion Detection System (WinIDS).

     How to add Event Logging to a remote Syslog server
     This tutorial will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).

     How to install MySQL Tools into a MySQL enabled Windows Intrusion Detection System (WinIDS)
     This tutorial will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.

     How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
     This tutorial is a simple to understand, step-by-step tutorial for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.

     How to build and deploy a passive Ethernet tap
     This tutorial will show how to build and deploy a passive Ethernet tap.

     Updating the Windows Intrusion Detection Systems (WinIDS) Major components

     How to update the Snort Intrusion Detection Engine
     This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.

     How to update the Rules, Signatures, and sig-msg.map file
     This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.

     How to update the PHP General-Purpose Scripting Language
     This tutorial will show how to update the Windows Intrusion Detection Systems PHP General-Purpose Scripting Language.

     Debugging Installation errors

     Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

     General problems

     For general help, left-click the support button at the top of this tutorial, or manually navigate to the correct forum.

     Michael E. Steele | Microsoft Certified System Engineer (MCSE)
     Email Support: support@winsnort.com
     Snort: Open Source Network IDS - www.snort.org
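The tutorial above ends each step with a confirmation line and a "do not proceed until" check. The following PowerShell script, an added example and not part of the tutorial or of the WinIDS project, performs those checks after the fact in one pass, read-only: the Barnyard2 service exists and points at srvany.exe, its start type is the delayed-auto value the 'sc config' step sets, the per-logon Run entry the 'reg delete' step removes is gone, and exactly one barnyard2.exe process is running. It assumes the service name 'Barnyard2' from the tutorial and assumes that auto-remote-barnyard2.reg populated the conventional srvany value HKLM\SYSTEM\CurrentControlSet\Services\Barnyard2\Parameters\Application (the contents of that .reg file are not shown on the page, so treat that check as an assumption). Run it from an elevated PowerShell prompt on the Master WinIDS.

```powershell
# Added example (not the tutorial's or the WinIDS project's code): read-only checks that
# verify the end state the Barnyard2-as-a-service steps are meant to produce.
# Assumptions, labelled here: service name 'Barnyard2', wrapped by srvany.exe, and the
# srvany launch target stored under <service key>\Parameters\Application by the .reg file.

$ServiceName = 'Barnyard2'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$checks = New-Object System.Collections.Generic.List[object]

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The service exists in the Windows Services database (the 'instsrv Barnyard2 ...' step).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
Add-Check 'Service registered' ($null -ne $svc) $(if ($svc) { "Status: $($svc.Status)" } else { 'not found' })

if ($svc) {
    # 2. The service binary is srvany.exe, the wrapper the tutorial installs.
    $imagePath = (Get-ItemProperty -Path $ServiceKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    Add-Check 'ImagePath is srvany.exe' ($imagePath -match 'srvany\.exe') "ImagePath: $imagePath"

    # 3. srvany knows which program to launch (assumed to be set by auto-remote-barnyard2.reg).
    $app = (Get-ItemProperty -Path "$ServiceKey\Parameters" -Name Application -ErrorAction SilentlyContinue).Application
    Add-Check 'srvany Application set' (-not [string]::IsNullOrEmpty($app)) "Application: $app"

    # 4. 'sc config Barnyard2 start= delayed-auto' sets Start=2 (Automatic) plus DelayedAutostart=1.
    $props   = Get-ItemProperty -Path $ServiceKey -ErrorAction SilentlyContinue
    $delayed = ($props.Start -eq 2) -and ($props.DelayedAutostart -eq 1)
    Add-Check 'Start type delayed-auto' $delayed "Start=$($props.Start) DelayedAutostart=$($props.DelayedAutostart)"

    # 5. The service is actually running ('net start barnyard2').
    Add-Check 'Service running' ($svc.Status -eq 'Running') "Status: $($svc.Status)"
}

# 6. The per-logon Run entry was removed ('reg delete ... /v Barnyard2 /f'). If it is still
#    present, a second Barnyard2 starts at logon and competes with the service instance.
$runEntry = Get-ItemProperty -Path $RunKey -Name $ServiceName -ErrorAction SilentlyContinue
Add-Check 'Logon Run entry removed' ($null -eq $runEntry) $(if ($runEntry) { "Run value: $($runEntry.$ServiceName)" } else { 'absent' })

# 7. Exactly one barnyard2.exe process: the service-owned one, with no leftover logon copy
#    (the 'taskkill /F /IM barnyard2.exe' step is what removes the old copy).
$procs = @(Get-Process -Name barnyard2 -ErrorAction SilentlyContinue)
Add-Check 'Single barnyard2.exe process' ($procs.Count -eq 1) "Count: $($procs.Count)"

$checks | Format-Table -AutoSize

if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more checks failed; redo the matching tutorial step before continuing.'
    exit 1
}
```

Every check maps to one step of the tutorial, so a failed row tells you which step to repeat. The script changes nothing; it only reads the service registry key, the Run key, and the process list.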
  2. The Windows Intrusion Detection System is probably plugged into a SWITCH. The Windows Intrusion Detection System needs to be plugged into a HUB with all the other PC's on the network, or if The Windows Intrusion Detection System is plugged into a SWITCH all the ports for the PC's to be monitored MUST be mirrored to the port The Windows Intrusion Detection System is plugged into. You could do this
  3. You should have checked and verified the tables per the tutorial. The error states there is a problem with the archive database. Below is how to check the existence of the tables in the archive database. If the tables are missing then you might need to reinstall, and make sure that no steps are missed.

     Microsoft Windows [Version 6.1.7601]
     Copyright (c) 2009 Microsoft Corporation. All rights reserved.

     C:\Users\Operator>mysql -u root -pd1ngd0ng
     mysql: [Warning] Using a password on the command line interface can be insecure.
     Welcome to the MySQL monitor. Commands end with ; or \g.
     Your MySQL connection id is 7
     Server version: 5.7.18-log MySQL Community Server (GPL)

     Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

     Oracle is a registered trademark of Oracle Corporation and/or its
     affiliates. Other names may be trademarks of their respective
     owners.

     Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

     mysql> connect archive;
     Connection id:    8
     Current database: archive

     mysql> show tables;
     +-------------------+
     | Tables_in_archive |
     +-------------------+
     | acid_ag           |
     | acid_ag_alert     |
     | acid_event        |
     | acid_ip_cache     |
     | base_roles        |
     | base_users        |
     | data              |
     | detail            |
     | encoding          |
     | event             |
     | icmphdr           |
     | iphdr             |
     | opt               |
     | reference         |
     | reference_system  |
     | schema            |
     | sensor            |
     | sig_class         |
     | sig_reference     |
     | signature         |
     | tcphdr            |
     | udphdr            |
     +-------------------+
     22 rows in set (0.00 sec)

     mysql>
  4. Remember: The Windows Intrusion Detection Systems security console (BASE) will never work with PHP-7. Do not perform a function if it's not detailed in the tutorial. The portscan.log will be created when it is needed.
  5. Only use the versions that are detailed in the tutorial. There MIGHT be a failure by using newer/older versions. If you are using PHP 7.x then the BASE console will not work, and PHP is only installed for that one program. Note: It is possible to run multiple versions of PHP at the same time.
  6. I have no idea what you are doing, but you are working on a non-standard (not following tutorial) setup and it is really hard to diagnose problems. Note: PHP that is supported in the tutorial has extension=php_mysql as an option. There are a couple of solutions: Perform a complete reinstall and follow the tutorial. I am available for one-on-one support, and I guarantee to get it 100%. However, there is a $250 US fee and I would need remote access to the PC. Everything will be installed on one device, and the OS has to be one that is officially supported, and memory has to be a minimum of 3 gigs for non-server and 6 gigs for server.
  7. This has been fixed in the current version. To fix this: Open a CMD window and type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'pear install mail mail_mime' (less the outside quotes), and tap the 'Enter' key. Close the CMD window and try it again.
  8. You have a non-standard path assigned. I'm betting you failed to edit one of the .reg files to match your path.
  9. Sorry for the delay. There is no event mechanism set up for auto-updating the rules using Pulledpork. This has to be completed manually unless you create something to auto-update. Remember: there need to be faults checked throughout the complete update process because if one error occurs the Windows Intrusion Detection will shut down without notice. A script would need to be very detailed and faults would need to be handled properly.
  10. Perform a fresh install of Windows 10, and then use this tutorial to install the Windows Intrusion Detection System per the support programs you requested.
  11. Make a copy of your barnyard2 folder, and then dissolve the attached by2.zip into the barnyard2 folder and overwrite everything. Then try the test again. Your original barnyard2.conf will not be overwritten. by2.zip
  12. I just tried on a new install of Windows 7 and there is no problem. I'm not sure what your problem could be, but make sure you are running the modder.vbs from a command window with administrator privileges. You might be able to right click the modder.vbs and Run as Administrator. You might mod the modder.vbs file to bypass the check.
  13. Using Regedit go to this key, and what is the value in the Data column for CurrentVersion? HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  14. Did you run the modder.vbs file? When you type hostname from a CMD prompt what do you get?
  15. It might be easier to just start over. You can fix it but it would require reinstalling MySQL from scratch, fixing the password authentication in BASE and Barnyard2 to sync with the MySQL database.

     Uninstall MySQL
     Delete the MySQL folder
     Do section: Installing the MySQL Database Server
     Do Section: Configuring the MySQL Database Server
     Do Section: Creating the Windows Intrusion Detection System Databases
     Do Section: Creating the Windows Intrusion Detection System Database Tables
     Do Section: Creating the Windows Intrusion Detection System Database Access, and Authenticated Users
     Do Section: Confirming MySQL and Snort are operational
     Do Section: Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console
     Do Section: Configuring Barnyard2
     Do Section: Testing the Barnyard2 configuration file
     Reboot
     Do Section: Verifying Barnyard2, and Snort is running as a process after rebooting
     Do Section: Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

     That should do it?