Everything posted by Morpheus
-
If the High-Volume Logging/Testing option was enabled during the initial Auto-Installer setup, the system likely generated a significant number of events. While this setting is an excellent diagnostic tool to verify that the Windows Intrusion Detection System (WinIDS) is actively receiving data—especially in environments where default traffic might take hours to trigger an alert—it is recommended to revert to the default policy once connectivity is confirmed.

Procedure to Restore Default Rule Policy

Follow these steps to deactivate the testing rules and return to the standard configuration:

Modify Configuration:
1. Navigate to the Pulledpork\etc folder via File Explorer.
2. Right-click enablesid.conf and open it with Notepad.
3. Locate the line beginning with pcre:.
4. Comment out the line by adding a # at the start (e.g., # pcre:.).
5. Save and exit.

Clear Temporary Files:
1. Navigate to the Pulledpork\temp folder.
2. Delete the two files located in this directory.
3. Close File Explorer.

Update Rule Set:
1. Open the Start Menu and open the WinSnort folder.
2. Run the Rules Updater.

This process will fetch the latest rule definitions and reconfigure Snort to the default policy setting, ensuring optimal performance and manageable log volumes.
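The "Modify Configuration" and "Clear Temporary Files" steps above as a script, added here as an example and not code from the original post or the WinIDS package. It assumes the Pulledpork folder sits directly under the WinIDS install root (D:\winids in the README's example, adjustable via -WinIDSRoot) and leaves the final Rules Updater run to you.

```powershell
# Added example (not from WinIDS): revert the High-Volume Logging/Testing
# policy by commenting out the pcre: line in Pulledpork\etc\enablesid.conf
# and clearing Pulledpork\temp, then verify nothing active is left behind.
# ASSUMPTION: Pulledpork lives directly under $WinIDSRoot (e.g. D:\winids).
param(
    [string]$WinIDSRoot = 'D:\winids'
)

$enableSid = Join-Path $WinIDSRoot 'Pulledpork\etc\enablesid.conf'
$tempDir   = Join-Path $WinIDSRoot 'Pulledpork\temp'

if (-not (Test-Path $enableSid)) {
    throw "enablesid.conf not found at $enableSid - check -WinIDSRoot"
}

# Keep a backup so the edit can be undone if the next rules update misbehaves.
Copy-Item -Path $enableSid -Destination "$enableSid.bak" -Force

$changed = 0
$lines = foreach ($line in Get-Content $enableSid) {
    # Only an uncommented line starting with "pcre:" is the testing rule
    # selector; lines already prefixed with "#" are left as they are, so
    # running the script twice is harmless.
    if ($line -match '^\s*pcre:') {
        $changed++
        "# $line"
    } else {
        $line
    }
}
Set-Content -Path $enableSid -Value $lines
Write-Host "Commented out $changed pcre: line(s) in $enableSid"

# Clear the PulledPork temp files so the updater starts from a clean state.
if (Test-Path $tempDir) {
    $stale = @(Get-ChildItem -Path $tempDir -File)
    $stale | Remove-Item -Force
    Write-Host "Removed $($stale.Count) file(s) from $tempDir"
}

# Verification: an active pcre: line would re-enable the high-volume rules.
if (Select-String -Path $enableSid -Pattern '^\s*pcre:') {
    throw 'An active pcre: line is still present in enablesid.conf'
}
Write-Host 'Done. Now run Rules Updater from the WinSnort Start Menu folder.'
```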
-
===============================================================================
WINIDS v2.4 - AUTOMATED INSTALLER (Apache2/PostgreSQL BUILD)
===============================================================================

This package automates the deployment of a complete Windows Intrusion
Detection System. Designed for fresh installs of Windows 10/11 or
Windows Server 2016-2024 (64-bit).

-------------------------------------------------------------------------------
1. PRE-INSTALLATION
-------------------------------------------------------------------------------
* Ensure you are working on a fresh OS installation.
* Extract this ZIP file into an empty folder.
* Open 'config.conf' and update the following four variables:
    $AllRules:    Set to "Yes" for testing/high-volume logging or "No" for
                  standard security defaults.
    $TempDir:     Local path for downloaded support files (e.g., "D:\temp").
    $WinIDSRoot:  Local path for the final installation (e.g., "D:\winids").
    $Oinkcode:    Your unique 40-character Oinkcode.

-------------------------------------------------------------------------------
2. STEP 1: DOWNLOAD COMPONENTS
-------------------------------------------------------------------------------
Open a Command Prompt as ADMINISTRATOR and run:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Downloader.ps1

NOTE: If a download fails due to site security, manually download the
specific version mentioned in the error, place it in your $TempDir, and
re-run the script until all files are verified.

-------------------------------------------------------------------------------
3. STEP 2: INSTALL SYSTEM
-------------------------------------------------------------------------------
Once downloads are complete, run the following in the Admin Command Prompt:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Installer.ps1

The process takes ~10 minutes. The system will automatically reboot
30 seconds after completion.

-------------------------------------------------------------------------------
4. POST-INSTALLATION
-------------------------------------------------------------------------------
After reboot, check the Start Menu for the "WinSnort" folder containing:
* WinIDS Console (Event Monitoring)
* Rules Updater (PulledPork Utility)
* Database Utility (PostgreSQL Maintenance)
===============================================================================
-
===============================================================================
WINIDS v2.4 - AUTOMATED INSTALLER (Apache2/MySQL BUILD)
===============================================================================

This package automates the deployment of a complete Windows Intrusion
Detection System. Designed for fresh installs of Windows 10/11 or
Windows Server 2016-2024 (64-bit).

-------------------------------------------------------------------------------
1. PRE-INSTALLATION
-------------------------------------------------------------------------------
* Ensure you are working on a fresh OS installation.
* Extract this ZIP file into an empty folder.
* Open 'config.conf' and update the following four variables:
    $AllRules:    Set to "Yes" for testing/high-volume logging or "No" for
                  standard security defaults.
    $TempDir:     Local path for downloaded support files (e.g., "D:\temp").
    $WinIDSRoot:  Local path for the final installation (e.g., "D:\winids").
    $Oinkcode:    Your unique 40-character Oinkcode.

-------------------------------------------------------------------------------
2. STEP 1: DOWNLOAD COMPONENTS
-------------------------------------------------------------------------------
Open a Command Prompt as ADMINISTRATOR and run:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Downloader.ps1

NOTE: If a download fails due to site security, manually download the
specific version mentioned in the error, place it in your $TempDir, and
re-run the script until all files are verified.

-------------------------------------------------------------------------------
3. STEP 2: INSTALL SYSTEM
-------------------------------------------------------------------------------
Once downloads are complete, run the following in the Admin Command Prompt:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Installer.ps1

The process takes ~10 minutes. The system will automatically reboot
30 seconds after completion.

-------------------------------------------------------------------------------
4. POST-INSTALLATION
-------------------------------------------------------------------------------
After reboot, check the Start Menu for the "WinSnort" folder containing:
* WinIDS Console (Event Monitoring)
* Rules Updater (PulledPork Utility)
* Database Utility (MySQL Maintenance)
===============================================================================
-
===============================================================================
WINIDS v2.4 - AUTOMATED INSTALLER (IIS/PostgreSQL BUILD)
===============================================================================

This package automates the deployment of a complete Windows Intrusion
Detection System. Designed for fresh installs of Windows 10/11 or
Windows Server 2016-2024 (64-bit).

-------------------------------------------------------------------------------
1. PRE-INSTALLATION
-------------------------------------------------------------------------------
* Ensure you are working on a fresh OS installation.
* Extract this ZIP file into an empty folder.
* Open 'config.conf' and update the following four variables:
    $AllRules:    Set to "Yes" for testing/high-volume logging or "No" for
                  standard security defaults.
    $TempDir:     Local path for downloaded support files (e.g., "D:\temp").
    $WinIDSRoot:  Local path for the final installation (e.g., "D:\winids").
    $Oinkcode:    Your unique 40-character Oinkcode.

-------------------------------------------------------------------------------
2. STEP 1: DOWNLOAD COMPONENTS
-------------------------------------------------------------------------------
Open a Command Prompt as ADMINISTRATOR and run:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Downloader.ps1

NOTE: If a download fails due to site security, manually download the
specific version mentioned in the error, place it in your $TempDir, and
re-run the script until all files are verified.

-------------------------------------------------------------------------------
3. STEP 2: INSTALL SYSTEM
-------------------------------------------------------------------------------
Once downloads are complete, run the following in the Admin Command Prompt:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Installer.ps1

The process takes ~10 minutes. The system will automatically reboot
30 seconds after completion.

-------------------------------------------------------------------------------
4. POST-INSTALLATION
-------------------------------------------------------------------------------
After reboot, check the Start Menu for the "WinSnort" folder containing:
* WinIDS Console (Event Monitoring)
* Rules Updater (PulledPork Utility)
* Database Utility (PostgreSQL Maintenance)
===============================================================================
-
===============================================================================
WINIDS v2.4 - AUTOMATED INSTALLER (IIS/MySQL BUILD)
===============================================================================

This package automates the deployment of a complete Windows Intrusion
Detection System. Designed for fresh installs of Windows 10/11 or
Windows Server 2016-2024 (64-bit).

-------------------------------------------------------------------------------
1. PRE-INSTALLATION
-------------------------------------------------------------------------------
* Ensure you are working on a fresh OS installation.
* Extract this ZIP file into an empty folder.
* Open 'config.conf' and update the following four variables:
    $AllRules:    Set to "Yes" for testing/high-volume logging or "No" for
                  standard security defaults.
    $TempDir:     Local path for downloaded support files (e.g., "D:\temp").
    $WinIDSRoot:  Local path for the final installation (e.g., "D:\winids").
    $Oinkcode:    Your unique 40-character Oinkcode.

-------------------------------------------------------------------------------
2. STEP 1: DOWNLOAD COMPONENTS
-------------------------------------------------------------------------------
Open a Command Prompt as ADMINISTRATOR and run:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Downloader.ps1

NOTE: If a download fails due to site security, manually download the
specific version mentioned in the error, place it in your $TempDir, and
re-run the script until all files are verified.

-------------------------------------------------------------------------------
3. STEP 2: INSTALL SYSTEM
-------------------------------------------------------------------------------
Once downloads are complete, run the following in the Admin Command Prompt:

    powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File Installer.ps1

The process takes ~10 minutes. The system will automatically reboot
30 seconds after completion.

-------------------------------------------------------------------------------
4. POST-INSTALLATION
-------------------------------------------------------------------------------
After reboot, check the Start Menu for the "WinSnort" folder containing:
* WinIDS Console (Event Monitoring)
* Rules Updater (PulledPork Utility)
* Database Utility (MySQL Maintenance)
===============================================================================
-
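A pre-flight check for the four config.conf variables that all four build READMEs above ask you to set, added here as an example rather than code shipped with the WinIDS installer. It assumes config.conf holds one PowerShell-style assignment per line (`$Name = "value"`), which the READMEs do not state, and assumes the 40-character Oinkcode is hexadecimal.

```powershell
# Added example (not part of WinIDS): validate config.conf and the shell
# environment before running Downloader.ps1 / Installer.ps1.
# ASSUMPTION: config.conf lines look like   $Oinkcode = "0123abcd..."
param(
    [string]$ConfigPath = '.\config.conf'
)

function Read-WinIdsConfig {
    param([string]$Path)
    $cfg = @{}
    foreach ($line in Get-Content $Path) {
        # Capture $Name = "value" (quotes optional, trailing # comment allowed).
        if ($line -match '^\s*\$(\w+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$') {
            $cfg[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $cfg
}

function Test-WinIdsConfig {
    param([hashtable]$Cfg)
    $problems = @()
    foreach ($key in 'AllRules', 'TempDir', 'WinIDSRoot', 'Oinkcode') {
        if (-not $Cfg.ContainsKey($key) -or $Cfg[$key] -eq '') {
            $problems += "$key is missing or empty"
        }
    }
    if ($Cfg['AllRules'] -and $Cfg['AllRules'] -notin 'Yes', 'No') {
        $problems += 'AllRules must be "Yes" (testing/high-volume) or "No" (defaults)'
    }
    foreach ($key in 'TempDir', 'WinIDSRoot') {
        # The README asks for local paths such as "D:\temp"; reject relative or UNC.
        if ($Cfg[$key] -and $Cfg[$key] -notmatch '^[A-Za-z]:\\') {
            $problems += "$key must be an absolute local path, got '$($Cfg[$key])'"
        }
    }
    # 40 characters per the README; hex alphabet is an assumption. Catches
    # pasted whitespace and truncated codes before the rules download fails.
    if ($Cfg['Oinkcode'] -and $Cfg['Oinkcode'] -notmatch '^[0-9a-fA-F]{40}$') {
        $problems += 'Oinkcode must be exactly 40 hex characters'
    }
    return $problems
}

# Environment requirements the README states: 64-bit OS, Administrator prompt.
if (-not [Environment]::Is64BitOperatingSystem) { Write-Warning 'WinIDS requires a 64-bit OS' }
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Run this from a Command Prompt opened as ADMINISTRATOR'
}

$problems = Test-WinIdsConfig -Cfg (Read-WinIdsConfig -Path $ConfigPath)
if ($problems) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'config.conf looks good; proceed with Downloader.ps1'
```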
-
Morpheus replied to Fongin1's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
You will need to bridge the two NICs and in Windows 10 do it as below:

Bridging Your Internet Connections on Windows 10
Step 1: Go to your Control Panel from the Start menu.
Step 2: Navigate to Network Connections.
Step 3: Click on the first NIC that you want to bridge.
Step 4: Hold down the CTRL key while clicking on the second NIC that you want to bridge.
Step 5: Right-click on one of the selected NICs and click "Bridge Connections."

I have not tested the above on anything other than Windows 10. -
Morpheus replied to 7rrivera7's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
To test the MySQL database server and authentications, open a CMD window with Administrator access and type d:\activators\db_tools\test_mysql-php7.php -
Morpheus replied to dhernandez000's topic in Manually Installing an Apache2 Web Server logging events to a MySQL Database
The problem is that it is not finding the base.php file, or possibly the base_conf.php file? It has to find the file first before trying to execute it. Not sure if it could be the problem but make sure the config file is correctly named: base_conf.php Maybe some sort of a permission problem with the files in the base folder? Not sure how a permission problem could be the problem when the test.php file is working. You are going to have issues with WinPcap and Npcap both installed. Use either one but not both. Note: Uninstall both and then install the one you are going to use. Make sure Snort is not running when you uninstall. -
Morpheus replied to dhernandez000's topic in Manually Installing an Apache2 Web Server logging events to a MySQL Database
Does this work: http://winids/base.php -
Morpheus replied to dhernandez000's topic in Manually Installing an Apache2 Web Server logging events to a MySQL Database
I'm not sure, but there appears to be a formatting error with the Apache config. Try the attached one. Also try moving the test.php file to the base folder and then try http://winids/test.php httpd.conf -
Morpheus replied to 7rrivera7's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
That is not normal? -
Morpheus replied to 7rrivera7's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
The only thing I can tell is that it's not allowing you to access the test.php because you don't have sufficient permissions? What happens if you remove the test.php file and try accessing it when it is missing? You should get the same error? Do you have a space in the word base? Look at your Physical Path - It appears you have a space in base -> ba se -
Morpheus replied to 7rrivera7's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
All the files look good. Attached is my config for IIS, try it. You will need to stop IIS, replace the file, and then restart IIS. applicationHost.config -
Morpheus replied to 7rrivera7's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
Go back in and verify the PHP setting in IIS. For some reason the setting sometimes does not save and the settings need to be re-applied. No need to reinstall because the same problem could come back. I checked your setting and the php.ini file is good, but the IIS files are for version 10 and I don't have that set of configs to match yours with. I would need to install IIS 10 to get it. What OS version are you running? -
Morpheus replied to 7rrivera7's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
Go back to the section below and do over.

Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console

If that fails then zip up all the files in the Windows\System32\inetsrv\config folder and attach. Also attach the php.ini file. -
Morpheus replied to Jeffegg's topic in Manually Installing an IIS Web Server logging events to a MySQL Database
No, you are supposed to enable the lines by removing the # (hash tags). -
Morpheus replied to FDids's topic in Manually Installing an IIS Web Server logging events to a PostgreSQL Database
No you don't need to do anything. What you are seeing is correct. I made an error in the tutorial and have since corrected it. Check out the tutorial, and it should match your install. -
Morpheus replied to FDids's topic in Manually Installing an IIS Web Server logging events to a PostgreSQL Database
All fixed, thanks... -
Morpheus replied to fahmiff's topic in Manually Installing an Apache2 Web Server logging events to a MySQL Database
What is the process you used and I'll check it on another build. Did you just add the below to your local.rules file? alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) Did you use something to generate the alert? -
Morpheus replied to fahmiff's topic in Manually Installing an Apache2 Web Server logging events to a MySQL Database
Try here -
Morpheus replied to fahmiff's topic in Manually Installing an Apache2 Web Server logging events to a MySQL Database
Do as the topic instructs to remove it.
