Morpheus

Administrators
  • Content count: 600
  • Days Won: 101

Everything posted by Morpheus

  1. I'm not sure what Windows XP has to do with this problem? It appears from the screen shot that NO traffic is being detected. This could be a MULTITUDE of problems. 1) NIC drivers, or compatibility 2) Not specifying the correct NIC in the run line 3) Connected to an unmanaged switch (needs to see ALL traffic). 4) Snort not configured correctly for HOME_NET
  2. I found a few quirks but nothing major. Swap the files in the attached .zip with your existing files. winIDS.zip
  3. Are you able to ping locally (127.0.0.1)? Being unable to detect ping could be firewall, or router issues?
  4. If you are still getting these timeout errors, you may need to look at physical memory, or possibly a memory management problem?
  5. This is happening because you have a gazillion events being processed and the Windows Intrusion Detection Systems (WinIDS) security console is working overtime. Open the php.ini and change:
     Original line(s): max_execution_time = 60
     Change to: max_execution_time = xx
     Change the xx to accommodate the time required. My guess is that you are processing hundreds of thousands if not millions of events that are irrelevant. Try adjusting the preprocessors and the rules to accommodate your specific needs. If you need help doing this, join the snort-users mailing list. You will find a lot of advanced users that are willing to help.
  6. Read this and give it a try and see if it clears up your problem.
  7. Read this and give it a try and see if it clears up your problem.
  8. Getting to the point where I'm unable to reboot to fix things
  9. It appears that the Sys::Syslog module failed to install per the tutorial. Go back and try installing it again.
  10. Have you tried http://winids/base_main.php ? Is there an error?
  11. Did you follow the tutorial (exactly) and run the modder.vbs file? Did you return to the section labeled 'Configuring Internet Information Services for PHP', and complete it? Did you try running the test.php again, and see if it displays? Note: The test.php needs to be copied to the d:\winids\inetpub\wwwroot\base folder, and then accessed from the URL http://winids/test.php
  12. What log files are in the snort/log folder, and the size?
  13. Follow the tutorial. You are using -ix and that is wrong. The tutorial instructs you on the correct way to set the -ix switch.
  14. It appears you missed a step. The tutorial specifically details how to get the file that is missing.
  15. I ended up deleting the log files to get it to correctly update the date. The events were correct but didn't have the correct date. I believe this is due to a corrupted waldo file. To fix, use the Windows Intrusion Detection Systems security console and delete all the events. Stop snort and Barnyard2 from the Task Manager, go into the d:\winids\snort\logs folder, delete all the files, and reboot.
  16. Did you follow the tutorial, and install IIS as described using the moveiis.bat file?   Attach the configuration files requested above.
  17. So the events are being logged but the date is not being updated?
  18. Make sure MySQL is running by verifying in task manager. Go back to the 'Configuring Barnyard2' section and make SURE it is applied correctly.
  19. Attach the snort.conf, barnyard2.conf, php.ini, and the base.conf.php. If you are unable to post them individually as an attachment, then place them into a zip file and attach it. I am unable to work with configuration files posted as raw text.
  20. BASE runs fine on PHP5 when there is a fresh install of any of the supported Windows operating systems, and the tutorial is followed exactly as instructed. There could be problems installing the Windows Intrusion Detection System on an existing supported, or unsupported, Windows operating system. Make SURE configuring PHP is followed exactly as outlined in the tutorial.
  21. The tutorial works as is. All the latest files are referenced for installation in the tutorials, and only use those files as they have been tested. Not sure exactly what you mean by running BASE normally. I had no idea the tutorials were running BASE abnormally.
  22. The Windows Intrusion Detection Systems security console (BASE) automatically increments the alerts based on a setting in the base.conf file. This only happens when the Windows Intrusion Detection Systems security console is open. If you want to be alerted by email on specific events, then there is a companion add-on for that.