Morpheus

  1. It might be easier to just start over. You can fix it but it would require reinstalling MySQL from scratch, fixing the password authentication in BASE and Barnyard2 to sync with the MySQL database.
     • Uninstall MySQL
     • Delete the MySQL folder
     • Do section: Installing the MySQL Database Server
     • Do Section: Configuring the MySQL Database Server
     • Do Section: Creating the Windows Intrusion Detection System Databases
     • Do Section: Creating the Windows Intrusion Detection System Database Tables
     • Do Section: Creating the Windows Intrusion Detection System Database Access, and Authenticated Users
     • Do Section: Confirming MySQL and Snort are operational
     • Do Section: Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console
     • Do Section: Configuring Barnyard2
     • Do Section: Testing the Barnyard2 configuration file
     • Reboot
     • Do Section: Verifying Barnyard2, and Snort is running as a process after rebooting
     • Do Section: Starting the Windows Intrusion Detection Systems (WinIDS) Security Console
     That should do it?
  2. Did you run the modder.vbs file? The httpd.conf file looks good. Drop the test.php into the d:\winids\apache24\htdocs\base\ folder. Now open a browser and in the URL dialog box type http://winids/test.php Does all the PHP information display?
  3. Go back to the section and configure again: Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console
  4. Go back to the section Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console and verify all the settings, and if all is good then attach the php.ini file.
  5. Attach your pulledpork.conf, and snort.conf files. Are there any files in the pulledpork/temp folder?
  6. As long as Pulled Pork finishes with Fly Piggy Fly! the process completed. I see there are some problems finding some files in the ET part. There is a different oinkcode for the ET rules. What are your concerns?
  7. Don't forget your oinkcode assignments for any of the other rule sets.
  8. #1:
     Original Line(s): var SO_RULE_PATH ../so_rules
     Change to: # var SO_RULE_PATH ../so_rules
     Yes, there is a change, as indicated above.
     #2:
     Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
     Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules
     Yes, there is a change, as indicated above.
     Follow the tutorial, and don't make any changes. If you have to make changes there is something wrong.
  9. That is correct. Those two files are used by the Reputation preprocessor. Both files need to exist or there will be a fatal error.
  10. Look on Snort.org in the documentation section. There is usually a collection of different installs.
  11. This is a Slave install, and it requires a master sensor being installed. The natural order of things would be to install a Master. Then a slave would be installed into any remote network not directly connected to the Master sensor.
  12. Windows Intrusion Detection System - Companion Add-On Tutorial

Installing Slave Sensor Rule Management Using PulledPork

Written by: Michael E. Steele

Introduction

This tutorial is a simple to understand, step-by-step tutorial for adding automated rule management using PulledPork to an existing Windows Intrusion Detection System (WinIDS) slave sensor.

Copyright Notice

This document is Copyright © 2002-2017 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides, and this is a FREE service. By request, there is a premium fee service available for one on one support.

If you haven't acquired this tutorial directly from the winsnort.com website, then you most likely don't have the latest revision of this tutorial!

Operating System and Configuration Setup

All existing Windows Intrusion Detection Systems (WinIDS) are supported.

This is how I've set up and tested PulledPork in my Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure.

  • Internet access to the outside. An internet connection to the outside is required for this tutorial to work. It could take up to 45 minutes for the process to complete. We are working on a quicker way to do this using the existing support programs. Any help would be appreciated. There is a bottleneck extracting over 20k signatures using Perl for the process.
  • Install into any existing Windows Intrusion Detection System (WinIDS) slave sensor.
  • I'm installing the PulledPork rule management solution logged on as user 'Operator' with 'Administrator' privileges.
  • I'm installing the PulledPork rule management solution into the existing 'd:\winids' folder.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

Prepping for the PulledPork Tutorial

Backing up the current Snort Installation

Open a CMD window and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will create a backup of the original installation.

Acquiring your unique Oinkcode

In order for PulledPork to work you MUST open an account on the snort.org website and acquire a unique Oinkcode.

Once an account has been set up, 'Sign In' to the account and left-click your user login in the top right. Under 'Accounts' left-click 'Oinkcode'. In the center, under 'Oinkcode', your unique 'Oinkcode' is in red. You will need this exact code to complete this tutorial, so write it down somewhere as it will need to be entered later on. You can then close the browser.

Downloading and extracting the WinIDS Companion Software Development Pack

This tutorial assumes one of the Windows Intrusion Detection System (WinIDS) tutorials was used to create the Windows Intrusion Detection System (WinIDS) that this tutorial is being implemented into. The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial.

It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested, and found compatible with all the supported Windows Intrusion Detection Systems (WinIDS) tutorials.

Windows All: Download and save the 'WinIDS Companion Software Development Pack' to a temporary location.

Open an Explorer window and navigate to the location of the 'winids-csdp.zip' file, right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), and left-click 'OK'.

How to automatically update the rules using PulledPork

Installing PulledPork

During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network.

At the CMD prompt type 'unzip -oq d:\temp\pulledpork-0.7.2.zip -d d:\winids\pulledpork' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites

At the CMD prompt type 'cpan install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key.

It could take several minutes to install the Syslog module.

Configuring the existing Windows Intrusion Detection System (WinIDS)

Prepping the Rules

At the CMD prompt type 'del d:\winids\snort\rules\*.* /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

Prepping the Configuration File

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Replace option in Notepad2 to Find and Replace the following sections below.

Original:
    var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
Change to:
    # var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

In Step #7 replace ALL the 'include $RULE_PATH/...' lines with the next 3 lines below.

    include $RULE_PATH/experimental.rules
    include $RULE_PATH/local.rules
    include $RULE_PATH/winids.rules

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):
    include $PREPROC_RULE_PATH/preprocessor.rules
    include $PREPROC_RULE_PATH/decoder.rules
    include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
    # include $PREPROC_RULE_PATH/preprocessor.rules
    # include $PREPROC_RULE_PATH/decoder.rules
    # include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Configuring PulledPork

At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to:
    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|insert your unique oinkcode

Original Line(s):
    rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to:
    # rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Original Line(s):
    rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
Change to:
    # rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>

Original Line(s):
    temp_path=/tmp
Change to:
    temp_path=d:\winids\pulledpork\temp

Original Line(s):
    rule_path=/usr/local/etc/snort/rules/snort.rules
Change to:
    rule_path=d:\winids\snort\rules\winids.rules

Original Line(s):
    local_rules=/usr/local/etc/snort/rules/local.rules
Change to:
    local_rules=d:\winids\snort\rules\local.rules

Original Line(s):
    sid_msg=/usr/local/etc/snort/sid-msg.map
Change to:
    sid_msg=d:\winids\snort\etc\sid-msg.map

Original Line(s):
    sid_changelog=/var/log/sid_changes.log
Change to:
    sid_changelog=d:\winids\snort\log\sid_changes.log

Original Line(s):
    black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
Change to:
    # black_list=/usr/local/etc/snort/rules/iplists/default.blacklist

Original Line(s):
    IPRVersion=/usr/local/etc/snort/rules/iplists
Change to:
    # IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s):
    snort_control=/usr/local/bin/snort_control
Change to:
    # snort_control=/usr/local/bin/snort_control

Original Line(s):
    # snort_version=2.9.8.0
Change to:
    snort_version=x.x.x.x

For this to work correctly, the Snort version and the rule set version MUST be in sync. If the Windows Intrusion Detection System is running Snort version 2_9_8_0, then the above must be 'snort_version=2.9.8.0'.

There are two 'Official Snort Rule sets' available for download:

  • Subscriber Release: There is an annual fee associated with this type of account. However, paid users are privy to the very latest in new and modified rules (Zero Day).
  • Registered User Release: There is no annual fee associated with this type of account. However, Registered account users are always 30 days behind in modified and new rules (no Zero Day).

Updating the rules is crucial for both of the above groups. However, there is a definite plus to becoming a 'Subscriber' (paid user). As a 'Subscriber' (paid user) the update process can be executed once every minute. For 'Registered' (non-paid) users the update process can only be run once every 15 minutes. Once the update session reaches the update server your session is logged, and if for whatever reason the update session ends before the new rule set is downloaded, 'Registered' (non-paid) users MUST wait 15 minutes before another session can be started. Your unique Oinkcode tells the rule set repository which rule set you belong to, and pushes the correct rule set.

By no means is this a lesson in rule updating. I can't state how IMPORTANT it is to read the documentation for PulledPork, and Snort. It is also IMPORTANT to join the Snort-users list, and the PulledPork-users list. The rules are the life blood of the Windows Intrusion Detection System (WinIDS).

Original Line(s):
    # enablesid=/usr/local/etc/snort/enablesid.conf
    # dropsid=/usr/local/etc/snort/dropsid.conf
    # disablesid=/usr/local/etc/snort/disablesid.conf
    # modifysid=/usr/local/etc/snort/modifysid.conf
Change to:
    enablesid=d:\winids\pulledpork\etc\enablesid.conf
    dropsid=d:\winids\pulledpork\etc\dropsid.conf
    disablesid=d:\winids\pulledpork\etc\disablesid.conf
    modifysid=d:\winids\pulledpork\etc\modifysid.conf

Original Line(s):
    # ips_policy=security
Change to:
    ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced, and security) that can be used. Change the above to your specific needs. Each policy has the Sourcefire recommended rules applied, and the 'ips_policy' switch is only an option. By placing a hash mark '#' (less the outside quotes) in front of the 'ips_policy' switch PulledPork will process the stock rules as they are.

  • Connectivity: Means "Connectivity over Security". Meaning this is a speedy policy for people that insist on blocking only the really known bad with no false positives.
  • Balanced: Means "Balanced between Connectivity and Security". Meaning that this is a good starter policy for everyone. It's quick, has a good base coverage level, and covers the latest threats of the day. The policy contains everything that is in Connectivity.
  • Security: Means "Security over Connectivity". Meaning that this is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it. Rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity, and Balanced.

Save the file, and eXit Notepad2.

If the Windows Intrusion Detection System (WinIDS) was monitoring prior to starting this tutorial, it should still be monitoring while PulledPork is updating the rules.
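
The pulledpork.conf edits listed above can be checked mechanically before PulledPork is run. The following Python script is an added example, not part of the original tutorial or of PulledPork; its function names and the sample file (including the fake oinkcode) are constructed here, and it only checks the settings this tutorial changes.

```python
import re

# Keys the tutorial comments out on a WinIDS sensor.
DISABLED_KEYS = {"black_list", "IPRVersion", "snort_control"}
# Keys the tutorial repoints from Unix defaults to d:\winids paths.
PATH_KEYS = ("temp_path", "rule_path", "local_rules", "sid_msg", "sid_changelog",
             "enablesid", "dropsid", "disablesid", "modifysid")
POLICIES = {"connectivity", "balanced", "security"}


def active_settings(text):
    """Return (key, value) pairs for uncommented key=value lines, in file order."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def check_pulledpork_conf(text, installed_snort):
    """Return a list of findings (empty = pass). Oinkcodes are never echoed."""
    findings = []
    pairs = active_settings(text)
    conf = dict(pairs)
    urls = [value for key, value in pairs if key == "rule_url"]
    if not urls:
        findings.append("rule_url: no active rule source")
    for value in urls:
        fields = value.split("|")
        if len(fields) != 3:
            findings.append("rule_url: expected 3 '|'-separated fields")
        elif fields[2] in ("", "<oinkcode>"):
            findings.append(f"rule_url {fields[1]}: oinkcode placeholder not replaced")
    for key in sorted(conf.keys() & DISABLED_KEYS):
        findings.append(f"{key}: should be commented out")
    for key in PATH_KEYS:
        value = conf.get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif value.startswith("/"):
            findings.append(f"{key}: still a Unix path")
    wanted = installed_snort.replace("_", ".")  # accepts 2_9_8_0 or 2.9.8.0
    version = conf.get("snort_version")
    if version is None or not re.fullmatch(r"\d+(\.\d+)+", version):
        findings.append("snort_version: not set to a real version")
    elif version != wanted:
        findings.append(f"snort_version: {version} does not match Snort {wanted}")
    policy = conf.get("ips_policy")
    if policy is not None and policy not in POLICIES:
        findings.append(f"ips_policy: unknown policy '{policy}'")
    return findings


# Constructed sample following the tutorial's "Change to" values (fake oinkcode).
GOOD_CONF = r"""
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|CONSTRUCTED0123456789
temp_path=d:\winids\pulledpork\temp
rule_path=d:\winids\snort\rules\winids.rules
local_rules=d:\winids\snort\rules\local.rules
sid_msg=d:\winids\snort\etc\sid-msg.map
sid_changelog=d:\winids\snort\log\sid_changes.log
# black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# snort_control=/usr/local/bin/snort_control
snort_version=2.9.8.0
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf
ips_policy=security
"""

# The same file with three of the tutorial's edits skipped.
BAD_CONF = (GOOD_CONF.replace("CONSTRUCTED0123456789", "<oinkcode>")
            .replace(r"temp_path=d:\winids\pulledpork\temp", "temp_path=/tmp")
            .replace("snort_version=2.9.8.0", "snort_version=x.x.x.x"))

if __name__ == "__main__":
    for finding in check_pulledpork_conf(BAD_CONF, "2_9_8_0"):
        print(finding)
```
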

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' (less the outside quotes), and tap the 'Enter' key.

The above procedure could take less than a minute to complete! The below is displayed in the terminal window after a successful update.

    Done
    Please review d:\winids\snort\log\sid_changes.log for additional details
    Fly Piggy Fly!

Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

Testing the Snort configuration and rules

At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.

The current Snort run line will be displayed as an example below.

    Snort is currently configured to run as a Windows service using the following command-line parameters:
    -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1

The above run line will need to be replaced in the procedure outlined below in red. Be SURE to use your own unique run line as the above is only an example.

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.

The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the snort configuration file is good.

    Snort successfully validated the configuration!
    Snort exiting

Do not continue until 'Snort successfully validated the configuration!' is displayed.

At the CMD prompt type 'net stop barnyard2 & net stop snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'net start snort & net start barnyard2' (less the outside quotes), and tap the 'Enter' key.

Snort will drop the old rule set from memory and grab the new rule set.
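
When the self-test above does not pass after the snort.conf edits, a common cause is an active line that still references a variable that was commented out. This added Python example (not part of the tutorial or of Snort) lists every such line at once, along with any deviation from the three Step #7 includes; the sample snort.conf, including its RULE_PATH value and the leftover app-detect.rules include, is constructed for illustration.

```python
import re

VAR_DEF = re.compile(r"(?:var|ipvar|portvar)\s+(\S+)\s+\S")
VAR_REF = re.compile(r"\$\(?([A-Za-z_]\w*)")
RULE_INCLUDE = re.compile(r"include\s+\$RULE_PATH[/\\](\S+)")
# The three includes the tutorial leaves active in Step #7 of snort.conf.
EXPECTED = {"experimental.rules", "local.rules", "winids.rules"}


def lint_snort_conf(text):
    """Return sorted (line_number, message) findings; line 0 means file-level."""
    defined, commented, active = set(), set(), []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Remember variables whose definition has been commented out.
            match = VAR_DEF.match(line.lstrip("# \t"))
            if match:
                commented.add(match.group(1))
            continue
        match = VAR_DEF.match(line)
        if match:
            defined.add(match.group(1))
        active.append((number, line))

    findings, seen = [], set()
    for number, line in active:
        # Any $NAME used on an active line must have an active definition.
        for name in VAR_REF.findall(line):
            if name not in defined:
                state = "commented out" if name in commented else "not defined"
                findings.append((number, f"${name} is {state} but still referenced"))
        match = RULE_INCLUDE.match(line)
        if match:
            seen.add(match.group(1))
            if match.group(1) not in EXPECTED:
                findings.append((number, f"unexpected include {match.group(1)}"))
    for name in sorted(EXPECTED - seen):
        findings.append((0, f"missing include $RULE_PATH/{name}"))
    return sorted(findings)


# Constructed snort.conf fragment with two edits missed and one include forgotten.
SAMPLE_CONF = r"""var RULE_PATH d:\winids\snort\rules
# var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
"""

# The same fragment after the tutorial's edits are applied completely.
FIXED_CONF = (SAMPLE_CONF
              .replace("include $RULE_PATH/app-detect.rules",
                       "include $RULE_PATH/winids.rules")
              .replace("\ninclude $PREPROC_RULE_PATH/decoder.rules",
                       "\n# include $PREPROC_RULE_PATH/decoder.rules"))

if __name__ == "__main__":
    for number, message in lint_snort_conf(SAMPLE_CONF):
        print(f"line {number}: {message}")
```
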

Verifying Barnyard2, and Snort is running as a process

It could take 1-2 minutes for the Barnyard2 process to display after restarting the process as it is on a delayed start.

Open a CMD window and type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts, in the bottom left-click and check 'Show processes from all users' or left click 'More Details', left-click the 'Details' tab, in the 'Status' column 'Barnyard2.exe', and 'Snort.exe' should be listed as running.

Do not proceed until both processes show as running!

eXit the 'Task Manager'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

It may take several minutes for events to start showing up in the Windows Intrusion Detection Systems (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename the 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete.

If the updating process has been successful and the backup is no longer needed, the below process will scrub the backup folder.

Open a CMD window and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In conclusion

Congratulations, you have just completed setting up your Windows Intrusion Detection System (WinIDS) to automatically update the rules. I hope this tutorial has been of great assistance.

Windows Intrusion Detection System (WinIDS) - Future Updating

Updating the rules and signatures

The rules should be updated frequently.
New and modified rules are being added to the Subscriber's (paid) rule set, and rules are being moved from the Subscriber's rule set to the Registered rule set hourly or daily. It's important to keep the rule set updated to minimize exposure to inside/outside threats to your network.

During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network using the existing set of rules, as long as the Windows Intrusion Detection System continues to run.

On the initial execution PulledPork downloaded the latest rules, and the corresponding MD5 file. On future updates PulledPork first retrieves the latest MD5 file for the rules, then compares that MD5 checksum with the existing rules tarball, and if the MD5 checksum does not match, the new rules file is downloaded and processed. It only takes about 10-15 seconds to process the rules. The Windows Intrusion Detection System (WinIDS) is still monitoring under the old rules. At the end of the update it will take about 10 seconds to recycle the Windows Intrusion Detection System (WinIDS) in order to drop the old rules, and pick up the new rules.

If the Windows Intrusion Detection System (WinIDS) was monitoring prior to starting this tutorial, it should still be monitoring while PulledPork is updating the rules.

Open a CMD window and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will create a backup of the original installation.

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' (less the outside quotes), and tap the 'Enter' key.

The above procedure could take less than a minute to complete! The below is displayed in the terminal window after a successful update.

    Done
    Please review d:\winids\snort\log\sid_changes.log for additional details
    Fly Piggy Fly!

Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

If there was no update the CMD window can be closed, and this tutorial can be exited!

Subscribers (paid) can check for rule set updates once every minute but Registered users are limited to once every 15 minutes. If you are a registered user and your rule set update fails instantly, there will be a 15 minute wait before the update can be run again.

Testing the Snort configuration and rules

At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.

The current Snort run line will be displayed as an example below.

    Snort is currently configured to run as a Windows service using the following command-line parameters:
    -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1

The above run line will need to be replaced in the procedure outlined below in red. Be SURE to use your own unique run line as the above is only an example.

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.

The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules files that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the snort configuration file is good.

    Snort successfully validated the configuration!
    Snort exiting

Do not continue until 'Snort successfully validated the configuration!' is displayed.

At the CMD prompt type 'net stop barnyard2 & net stop snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'net start snort & net start barnyard2' (less the outside quotes), and tap the 'Enter' key.

Snort will drop the old rule set from memory and grab the new rule set.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

It may take several minutes for events to start showing up in the Windows Intrusion Detection Systems (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename the 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete.

If the updating process has been successful and the backup is no longer needed, the below process will scrub the backup folder.

Open a CMD window and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In conclusion

Congratulations, you have just completed setting up your Windows Intrusion Detection System (WinIDS) to automatically update the rules. I hope this tutorial has been of great assistance.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

  • How to update the Master Sensor rules, signatures, and sig-msg.map using PulledPork
    This tutorial will show how to update the Master Sensor rules, signatures, and the sig-msg.map file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).
  • How to update the Slave sensor rules using PulledPork
    This tutorial will show how to update the Slave Sensor rules using PulledPork on an existing Windows Intrusion Detection System (WinIDS).
  • How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to have user-defined priority events that are sent to a Windows Application Log file emailed to user-defined email accounts, on an existing Windows Intrusion Detection System (WinIDS).
  • How to add Event Logging to a remote Syslog server
    This tutorial will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).
  • How to install MySQL Tools into a MySQL enabled Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.
  • How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
    This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
  • How to build and deploy a passive Ethernet tap
    This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

  • How to update the Snort Intrusion Detection Engine
    This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.
  • How to update the Rules, Signatures, and sig-msg.map file
    This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.
  • How to update the PHP General-Purpose Scripting Language
    This tutorial will show how to update the Windows Intrusion Detection Systems PHP General-Purpose Scripting Language.

Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

General problems

For general help, left-click the support button at the top of this tutorial, or manually navigate to the correct forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org