Morpheus

Everything posted by Morpheus

  1. It doesn't hurt to run the modder.vbs file for a second time. Not sure where the problem came from, but it sounds like the modder.vbs file had a problem kicking the OS into Administrator mode prior to installing the MS Visual C++ redistributables.
  2. Not sure, but it's not getting the MS Visual C++ installed correctly. Did you run the modder.vbs file? Is this a fresh install of the operating system? Have you tried installing the MS Visual C++ redistributable as 'Run as Administrator'?
  3. Looks like you are good to go with a successful configuration test.
  4. I just noticed:

     Change this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log –i1 -T

     To this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T
  5. I fixed the tutorial to be more informative for Windows 8.x. Internet Information Services installs on Windows 8.x exactly like Server 2012. 
  6. I'm not sure what you are getting at here.

     According to the log files, the Windows Intrusion Detection System (WinIDS) has had one previous run that detected and logged two events (records).

     The Windows Intrusion Detection System (WinIDS) has been run again, and has detected one event (the data after the "Waiting for new data" shows data for one event).

     At that point, if Barnyard2 was stopped, you should be able to go into the Windows Intrusion Detection Systems (WinIDS) security console, and there should be a total of three events.

     After restarting Barnyard2, or rebooting, the Barnyard2 terminal window should now show:

     record_idx      = 3

     Everything is normal...
  7. 1) Wonder what else didn't happen when the modder.vbs file ran?

     2) Sourcefire has updated their snort.org site in the past few days, and there have been issues with the rules and opensource files.

     3) I'm not sure, as that has never happened here. This is most likely an issue related to item 1.

     I'll look into item 2 and adjust to the new name.

     Update: Several of the file names were changed on the snort.org site, and all the tutorials now reflect those changes.
  8. I'm assuming that the modder.vbs file was run, and that there were no problems up to that point. Open a CMD window, go back to the section labelled 'Configuring IIS for the Windows Intrusion Detection Security Console' in the tutorial, and complete it. At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key. Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key. Are you able to get to the Windows Intrusion Detection Systems (WinIDS) security console?
  9. The error indicates that Barnyard2 is having an issue with the time stamp on the snort.log file.

     Log file name example: merged.log.1377185664

     If there is no time stamp on the d:/winids/log/merged.log file, then check the snort.conf lines below for accuracy.

     Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

     Change to: output unified2: filename merged.log, limit 128
  10. The "Waiting for new data." is normal for Barnyard2. I'm assuming that events were being logged prior to installing PulledPork. I'm also assuming that you allowed the PulledPork process to complete, which could take from 30-60 minutes. If you are unsure, delete ALL the files in the pulledporktemp folder and try the process again.

      Note: The rules are monitored, and there is a 15 minute delay between rules downloads. If the rule download starts, and then exits 30 seconds later (for whatever reason), there is a 15 minute wait.

      Make SURE Snort and Barnyard2 are running processes.

      When the Windows Intrusion Detection System (WinIDS) was initially set up, there were more active rules being run, so you may not see the same level of activity after PulledPork gets installed. When PulledPork is set up there are three levels of monitoring. The 'Security' level is the highest level, and will trigger more events than the other two levels of monitoring. PulledPork activates a basic set of rules based on what the developer has deemed a sufficient place to start monitoring, based on the level of monitoring selected. You can change this rule monitoring level at any time in the pulledpork.conf, but you will need to run PulledPork after making the change. PulledPork has a lot of configuration options. Reading the documentation, and joining the PulledPork users group, is a must.

      The events that were seen while the test rules were activated should have been displayed in the open Barnyard2 terminal window, and were they? They should also be visible in the Windows Intrusion Detection (WinIDS) security console, and were they?

      Note: It's possible there are no events being triggered because of an improper configuration, even though the Windows Intrusion Detection System (WinIDS) is operating properly:

      HOME_NET set incorrectly
      Windows Intrusion Detection System plugged into a switch that is not mirroring
      Selecting the wrong monitoring interface
  11. Snort needs to be restarted after the snort.conf gets edited.

      Open a CMD window and type 'notepad2 d:\winids\etc\snort.conf' (less the outside quotes) and tap the enter key.

      Either hash out (#), or remove, the line 'include $RULE_PATH\test.rules' (less the outside quotes), save the snort.conf, and eXit Notepad2.

      At the CMD window type 'net stop snort & net start snort' (less the outside quotes) and tap the enter key.

      At the CMD window type 'exit' (less the outside quotes) and tap the enter key.

      Should be back to normal...
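Posts 9, 10 and 11 above each come down to one line in snort.conf (the unified2 output line, HOME_NET, and a leftover test.rules include) or to the epoch suffix Barnyard2 expects on the unified2 file name. The following check script is an added example, not code from Winsnort.com or the tutorial; the snort.conf excerpt is constructed to reproduce those three conditions, and the "fixed" copy shows the corrected lines passing clean.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed snort.conf excerpt showing the three conditions the posts describe:
# HOME_NET left at "any", the unified2 output line hashed out and carrying
# "nostamp", and the temporary test.rules include still present.
SAMPLE_SNORT_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH d:\\winids\\snort\\rules
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH\\local.rules
include $RULE_PATH\\test.rules
"""

# The same excerpt with the edits from posts 9 and 11 applied and HOME_NET set.
FIXED_SNORT_CONF = (
    SAMPLE_SNORT_CONF
    .replace("ipvar HOME_NET any", "ipvar HOME_NET 192.168.1.0/24")
    .replace("# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types",
             "output unified2: filename merged.log, limit 128")
    .replace("include $RULE_PATH\\test.rules\n", "")
)


def check_snort_conf(text):
    """Return (problem, line_no, line) findings for a snort.conf body; [] means clean."""
    findings = []
    unified2_seen = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            # A hashed-out unified2 output line leaves Barnyard2 nothing to spool.
            if "output unified2" in line:
                findings.append(("unified2 output is commented out", no, raw))
            continue
        m = re.match(r"ipvar\s+HOME_NET\s+(\S+)", line)
        if m and m.group(1).lower() == "any":
            findings.append(("HOME_NET is 'any'; set the monitored CIDR", no, raw))
        if line.startswith("output unified2"):
            unified2_seen = True
            if "nostamp" in line:
                # Without the epoch suffix Barnyard2 cannot track merged.log.<timestamp>.
                findings.append(("unified2 'nostamp' removes the file time stamp", no, raw))
        if re.search(r"include\s+\$RULE_PATH[\\/]test\.rules", line):
            findings.append(("test.rules still included; remove or hash out", no, raw))
    if not unified2_seen:
        findings.append(("no active 'output unified2' line found", 0, ""))
    return findings


def unified2_timestamp(filename):
    """Parse the epoch suffix on a unified2 file name (merged.log.1377185664); None if absent."""
    m = re.fullmatch(r".*\.(\d{9,10})", filename)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def home_net_range(cidr):
    """First and last usable host, and host count, for a HOME_NET CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    for problem, no, line in check_snort_conf(SAMPLE_SNORT_CONF):
        print(f"line {no}: {problem}: {line}")
    print("fixed copy findings:", check_snort_conf(FIXED_SNORT_CONF))
    print("merged.log.1377185664 written at", unified2_timestamp("merged.log.1377185664"))
    print("192.168.1.0/24 monitors", home_net_range("192.168.1.0/24"))
```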
  12. The MODDER.VBS is only included in the software support pack.
  13. All the tests went as instructed during install?

      Did you run the modder.vbs file?

      What happens when you open a CMD terminal window and type 'hostname' (less the outside quotes)?

      Attach the configuration files:

      1) php.ini
      2) snort.conf
      3) base.conf.php
      4) barnyard2.conf
  14. The Windows Intrusion Detection Systems (WinIDS) tutorials are accessed by using the 'Tutorials' link in the main menu bar.

      The Windows Intrusion Detection System (WinIDS) is officially supported on the following operating systems in either 32bit or 64bit architecture.

      Windows 7 Professional
      Windows 8.x Professional
      Windows 10 Professional
      Windows Server 2008 R2 Standard Edition
      Windows Server 2012 R2 Standard Edition
      Windows Server 2016 Standard Edition

      Note: As an example, the Windows Intrusion Detection System (WinIDS) may have no issues being installed on any flavor of Windows 7, but Winsnort.com has not actually verified it works on any other Windows 7 platform than Professional. There is a very good chance that the Windows Intrusion Detection System (WinIDS) would install flawlessly on any of the Windows 7 platforms, and the same goes for Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016. Winsnort.com has simply not tested the install on anything other than the ones listed above.

      Winsnort.com has six specific tutorials for installing a Windows Intrusion Detection System (WinIDS) using a Microsoft Windows operating system. There are four full blown tutorials for installing a Master (stand alone) Windows Intrusion Detection System (WinIDS), and there are two tutorials dealing with installing slave sensors.

      If you are going to be installing a full blown Windows Intrusion Detection System (WinIDS), then there are only a couple of major decisions to make.

      Decision 1: Which of the two supported Web Servers to use:
      The Microsoft Internet Information Server (IIS)
      The Apache2 Web Server

      Decision 2: Which of the two supported Database Servers to use:
      The MySQL Database Server
      The PostgreSQL Database Server

      If you are going to be installing a slave sensor, then there is only one major decision to make.

      Decision 1: Which of the two supported Remote Database Servers the slave will be sending events to:
      The MySQL Database Server
      The PostgreSQL Database Server

      Note: There are a multitude of additional support programs that will be installed across all installations.

      Picking the correct tutorial always starts with one of the supported Operating Systems being installed, and it's always best to start with a fresh install. Then it comes down to which Web Server, and which Database Server, to use. The tutorials are written so the installation can be any possible combination of operating system, Web Server, and Database Server. It's completely the installer's preference.

      Support Forums: Each tutorial has its own specific support forum. It is important to request support in the correct forum that matches the tutorial. For the installer's convenience there is a 'Get Support' button at the top of each tutorial that will open the correct support forum for that particular tutorial. It is important to use the correct support forum until the tutorial has been completed and events are being shuttled to the Windows Intrusion Detection Systems (WinIDS) security console. Once the Windows Intrusion Detection System has been verified to be working, then questions should be asked in the Client forum.

      If there are any questions, reply to this topic for an answer. This topic will be followed by the moderator and/or administrator. Questions should be answered in a reasonable amount of time. However, it could take up to 24 hours for a response. Winsnort.com has a great community, and they may jump in and help for a quicker response.

      Good luck, and happy WinSnorting...
  15. How to Install a Windows Intrusion Detection System (WinIDS) Running IIS, and logging events to a local PostgreSQL Database Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE Written by: Michael E. Steele Get Community Support! Introduction During my research, and development I've found a lot of tutorials, and blogs describing the installation process for the UNIX environment. Yet, none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment. These tutorials gives all the basic instructions on how to create a complete, and functioning stand alone Windows Intrusion Detection System (WinIDS). This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free. These tutorials are the basic of what is needed, and the starting point for installing any functioning Windows Intrusion Detection System (WinIDS). Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up. If there are any doubts which tutorial that should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation. Copyright Notice This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in it's original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. 
Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements. Support Questions and Help All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support. If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial! This is a basic Windows Intrusion Detection System (WinIDS) deployment Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below. Windows 7 Professional Windows 8.x Professional Windows 10 Professional Windows Server 2008 R2 Standard Edition Windows Server 2012 R2 Standard Edition Windows Server 2016 Standard Edition Windows Server 2019 Standard Edition All the operating systems listed above have been tested using both the 32bit, and 64bit architecture for this tutorial. However, any another Windows operating system listed above, under the same framework will most likely work. 
Major support programs used in this install Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack. Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) networks data streams. Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a PostgreSQL database. Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork. PostgreSQL-driven database stores processed events from Barnyard2 for analysis. Microsoft's Internet Information Services will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console. BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console. History of Internet Information Services (IIS) IIS 7.5 - included with Windows 7, and Server 2008 IIS 8.0 - included with Windows 8 IIS 8.5 - included with Windows 8.1, and Server 2012 IIS 10.0 - included with Windows 10, Server 2016, and Server 2019 How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial A fresh install of any 32/64bit Version of Windows listed above in will do. All available Service Packs and updates MUST be applied from the Microsoft Download Center. For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better). The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder. 
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly! Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. Depending on the processors architecture, download the appropriate support file below! 32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location. Open File Explore and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.. 64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location. Open File Explore and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.. Downloading additional, and required support files for all supported Windows operating systems It is imperative to only use the files downloaded from the URL links below. 
All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted. npcap-0.996: Download and save the file to the d:\temp folder. In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename. Snort 2_9_15: Download and save the file to the d:\temp folder. The next download requires the installer to be a registered user on the snort.org website, and logged in. Navigate to the snort.org website and either login or create a new account. While still being logged into the snort.org web site return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download. Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or login. While still being logged into the snort.org website return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download. snortrules-snapshot-29150: Download and save the file to the d:\temp folder. Rule Documentation (opensource.gz): Download and save the file to the d:\temp folder. Downloading additional support files based on a specific Operating Systems Hardware Architecture There are several additional files listed under two groups below. Download only, and all the files listed under the appropriate processors architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on. 32bit Windows All: Required additional downloads for the 32bit architecture install! 
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder. PostgreSQL Database 10.10-1: Download and save the file to the d:\temp folder. PHP 5.6.40 NTS (VC11): Download and save the file to the d:\temp folder. 64bit Windows All: Required additional downloads for the 64bit architecture install! Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder. PostgreSQL Database 10.10-1: Download and save the file to the d:\temp folder. PHP 5.6.40 NTS (VC11): Download and save the file to the d:\temp folder. Installing the core support files, and making basic configuration changes It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail. It is also important when asked to 'Close a CMD window' it is done, or the install will fail. Note: The user installing this tutorial MUST be a member of the Administrators group. Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail. Instructions on starting a command prompt as an Administrator In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER. Windows 8.x / 10 / 2012 R2 SE / 2016 SE / 2019 SE: The original Windows install media (DVD/USB/ISO) is now required to be inserted or mounted.. Windows 8.x / 10 / 2012 R2 SE / 2016 SE / 2019 SE: Open a CMD window with Administrator privileges and type 'dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs' (less the outside quotes), and tap the 'Enter' key. The correct source drive letter where the Windows install media is located must be inserted into the 'x' position above. The following is a confirmation that the '.NET Framework 3.5 Features' were installed successfully. 
Deployment Image Servicing and Management tool Version: (redacted) Image Version: (redacted) Enabling feature(s) [==========================100.0%==========================] The operation completed successfully. Do not proceed until 'The operation completed successfully.', and the original Windows install media has been removed, or unmounted. Windows All: Open a CMD window with Administrator privileges if one is not opened and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete. The modder.vbs file preforms several tasks: Installs Microsoft Visual C++ 2012/2013/2017 Installs 'Notepad2' to Windows\System32 Installs 'unzip' to Windows\System32 Installs 'tartool' to Windows\System32 Installs the DejaVuSans font for BASE graphing Inserts 'winids' hostname into hosts file Inserts 'IGMP and SCTP' into the protocol file for Snort rules Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2 Sets 'Show File Extensions' as on in registry Reboots system After the reboot it is strongly advise that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security miss configurations. Each issue should be resolved prior to starting this tutorial. Installing the Windows Intrusion Detection System (WinIDS) Installing Npcap Open a CMD window with Administrator privileges and type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Installation Options' window opens, uncheck everything, and then check 'Install Npcap in WinPcap API-compatible Mode', left-click 'Install'. The 'Installing' window opens, allow the install to complete. The 'Installation Complete' window opens, left-click 'Next'. The 'Finished' window opens, left-click 'Finish'. 
Installing Snort, the Traffic Detection and Inspection Engine At the CMD prompt type 'd:\temp\Snort_2_9_15_Installer.exe' (less the outside quotes), and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Choose Components' window opens, left-click 'Next'. The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing the install to complete. The 'Snort has been successfully installed' window opens, left-click 'OK'. Testing the Windows Intrusion Detection System (WinIDS) for network traffic At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards. Index Physical Address IP Address ----- ---------------- ---------- 1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS). At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'. Open any web-browser and generate some traffic. 
There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed. 10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80 TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Note: If no traffic is passing through the CMD window, try another 'Index' number. After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process. Do not proceed until network traffic is being displayed in the CMD window. Installing the Latest Rule Set At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29150.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key. Installing Strawberry Perl Depending on the processors architecture, install the appropriate support file below! 32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key. 64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key. The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'. The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'. The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'. The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'. The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'. The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'. 
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key. Installing Internet Information Services into Windows 7, 8.x, or 10 Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. In the 'Turn Windows features on or off' expand 'Internet Information Services'. To the left of 'Web Management tools' left-click checking the radio box (it may turn blue or black). To the left of the 'World Wide Web Services left-click checking the radio box (it may turn blue or black). Expand 'World Wide Web Services', and expand 'Application Development Features'. Under 'Application Development Features' scroll down and left-click ckecking the radio box titled 'CGI', and left-click 'OK' allowing windows to make changes to 'Windows Features', left-click 'Close', and eXit the 'Programs and Features' control panel. At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key. Installing Internet Information Services into Server 2008 R2 SE Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. The 'Server Manager' opens. Under 'Server Manager (Computer Name)' left click 'Roles'. Under 'Roles Summary' left-click 'Add Roles'. The 'Add Roles Wizard' control panel opens. At the 'Before you begin' selection window left-click 'Next'. At the 'Select Server Roles' selection window under 'Roles:' scroll down and left-click checking the select box to the left of 'Web Server (IIS)', and left-click 'Next'. At the 'Web Server (IIS)' selection window left-click 'Next'. At the 'Select Roles Services' selection window scroll down and expand 'Application Development'. 
Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm Installation Selections' selection window left-click 'Install' allowing IIS to complete the roles, role services, or features installation, left-click 'Close', eXit the 'Server Manager', and eXit the 'Programs and Features' control panel. At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key. Installing Internet Information Services into Server 2012 R2 SE, 2016 SE, or 2019 SE Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. The 'Server Manager' window opens, and the 'Add Roles and Features Wizard' auto starts. At the 'Before you begin' left-click 'Next'. At the 'Select installation type' left-click 'Next'. At the 'Select Destination server' left-click 'Next'. At the 'Select server roles' under 'Roles' scroll down left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' opens, left-click 'Add Features', and left-click 'Next'. At the 'Select features' left-click 'Next'. At the 'Web Server Role (IIS)' left-click 'Next'. At the 'Select roles services' scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm installation selections' left-click 'Install' allowing IIS to complete the 'Feature installation', left-click 'Close', eXit 'Server Manager', and eXit the 'Programs and Features' control panel. At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key. 
Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key. Installing Barnyard2 Depending on the processors architecture, install the appropriate support file below! 32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key. 64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key. Installing the PostgreSQL Database Server Depending on the processors architecture, install the appropriate support file below! 32bit Windows All: At the CMD prompt type 'd:\temp\postgresql-10.10-1-windows.exe' (less the outside quotes), and tap the 'Enter' key. 64bit Windows All: At the CMD prompt type 'd:\temp\postgresql-10.10-1-windows-x64.exe' (less the outside quotes), and tap the 'Enter' key. The 'Setup PostgreSQL' window opens, left-click 'Next'. the 'Installation Directory' window opens. In the dialog box type 'd:\winids\postgresql' (less the outside quotes), and left-click 'Next'. The 'Select Components' window opens. In the list of selected Components uncheck 'Stack Builder', and left-click 'Next'. The 'Data Directory' window opens. The dialog box should already be populated with 'd:\winids\postgresql\data' (less the outside quotes), and left-click 'Next'. The 'Password' window opens. In the 'Password' dialog box type 'd1ngd0ng' (less the outside quotes), in the 'Retype password' dialog box type 'd1ngd0ng' (less the outside quotes), left-click 'Next'. The 'port' window opens. The listening port dialog box should already be populated with '5432', left-click 'Next'. The 'Advanced Options' window opens. 
The 'Locale' pull-down select box should already be populated with '[Default locale]', left-click 'Next'.
The 'Pre Installation Summary' window opens. Verify all the pre-selected settings below are correct, and left-click 'Next'.

Installation Directory: D:\winids\PostgreSQL
Server Installation Directory: D:\winids\PostgreSQL
Data Directory: D:\winids\PostgreSQL\data
Database Port: 5432
Database Superuser: postgres
Operating System Account: NT AUTHORITY\NetworkService
Database Service: postgresql-x64-xx
Command Line Tools Installation Directory: D:\winids\PostgreSQL
pgAdmin4 Installation Directory: D:\winids\PostgreSQL\pgAdmin 4

The 'Ready to Install' window opens, left-click 'Next' allowing the installation to complete.
The 'Completing the PostgreSQL Setup Wizard' window opens, left-click 'Finish'.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb-5.20.14.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing PHP

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-nts-Win32-VC11-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-nts-Win32-VC11-x64.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.
The 'sid-msg.map' file essentially maps the rule's MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is the unified2 format: that output is read by Barnyard2 and inserted into the database.
Since the rule msg is not stored in the unified2 file format, Barnyard2 must read the sid-msg.map file to correctly write the names of the events into the database when an alert is looked up by sid. Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Likewise, updating the rules without updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).
At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
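As an added example tied to the 'sid-msg.map' step above (this is not the tutorial's create-sidmap.pl and is not part of the original post), the Python script below does the same job: it scans .rules files, skips disabled rules, and emits the v1 'sid || msg || reference' lines Barnyard2 reads, so any alert whose sid is missing from the map is exactly the kind that shows up only as gid:sid. The sample rules embedded in it are constructed, and write_sidmap() is a hypothetical helper for running it against a real rules directory.

```python
"""Generate a Snort v1 sid-msg.map from Snort rule text.

Added example, not the tutorial's create-sidmap.pl.  Output line format:
    sid || msg || ref_type,ref_id || ref_type,ref_id ...
Disabled rules (leading '#') are skipped, so their sids will display as
gid:sid in BASE if they are ever re-enabled without regenerating the map.
"""
import re
from pathlib import Path

# Option fields inside a rule's parentheses; msg may contain escaped quotes.
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')


def iter_logical_lines(text):
    """Yield rule lines, joining lines that end with a backslash continuation."""
    buf = []
    for raw in text.splitlines():
        if raw.rstrip().endswith('\\'):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield ''.join(buf)
        buf = []
    if buf:
        yield ''.join(buf)


def parse_rule(line):
    """Return (sid, msg, [refs]) for one active rule, or None otherwise."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return None                      # blank line or disabled rule
    sid = _SID_RE.search(stripped)
    msg = _MSG_RE.search(stripped)
    if not sid or not msg:
        return None                      # not a complete rule (no sid or msg)
    refs = [r.strip() for r in _REF_RE.findall(stripped)]
    return int(sid.group(1)), msg.group(1), refs


def build_sidmap(rule_texts):
    """rule_texts: iterable of rule-file contents -> {sid: (msg, refs)}.

    A sid seen again later overwrites the earlier entry, so the last file
    read wins; real rulesets should not contain duplicate sids anyway.
    """
    sidmap = {}
    for text in rule_texts:
        for line in iter_logical_lines(text):
            parsed = parse_rule(line)
            if parsed:
                sid, msg, refs = parsed
                sidmap[sid] = (msg, refs)
    return sidmap


def format_sidmap(sidmap):
    """Render the map in v1 sid-msg.map layout, sorted by sid."""
    lines = []
    for sid in sorted(sidmap):
        msg, refs = sidmap[sid]
        lines.append(' || '.join([str(sid), msg] + refs))
    return '\n'.join(lines) + '\n'


def write_sidmap(rules_dir, dest):
    """Hypothetical helper: read every *.rules file in rules_dir, write dest."""
    texts = [p.read_text(errors='replace')
             for p in sorted(Path(rules_dir).glob('*.rules'))]
    Path(dest).write_text(format_sidmap(build_sidmap(texts)))


# Constructed sample rules (not from any real ruleset); sids in the local range.
SAMPLE_RULES = '''\
# A disabled rule: must not appear in the map
# alert tcp any any -> $HOME_NET 23 (msg:"TELNET disabled example"; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login failed (sample)"; \\
    content:"530 "; reference:cve,1999-0502; reference:url,example.invalid/ftp; \\
    classtype:bad-unknown; sid:900002; rev:3;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo (sample)"; itype:8; sid:900003; rev:1;)
'''

if __name__ == '__main__':
    print(format_sidmap(build_sidmap([SAMPLE_RULES])), end='')
```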
Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.
Index  Physical Address   IP Address
-----  -----------------  ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card in place of the 'x' above.
This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used and/or available, it could take several minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to:
; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s):
; extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;cgi.force_redirect = 1
Change to:
cgi.force_redirect = 0

Original Line(s):
;extension=php_gd2.dll
Change to:
extension=php_gd2.dll

Original Line(s):
;extension=php_pgsql.dll
Change to:
extension=php_pgsql.dll

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.

Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), tap the 'Enter' key, and the 'Internet Information Services (IIS) Manager' opens. If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...' left-click 'No'.
On the left under 'Connections' left-click highlighting '<server name>' at the very top of the column. In the center window titled '<server name> Home' go down to the section labeled 'IIS', right-click 'Handler Mappings', left-click 'Open Feature', on the right under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, and left-click 'Yes'. In the center window titled 'Handler Mappings' under the 'Name' column make sure 'PHP' (less the outside quotes) is listed at the very bottom.
On the left under 'Connections' expand 'Sites', left-click 'Default Web Site', under the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document', left-click 'Open Feature', on the right under 'Actions' left-click 'Add...', the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), and left-click 'OK'. In the 'Default Document' list under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.
Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.
At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.
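As an added example (not part of the tutorial), the php.ini edits made in the 'Configuring PHP' section above can be checked offline before the browser test: the script parses the ini text, treats a leading ';' as a disabled setting, and reports every required value that is still missing, commented out, or wrong. The two ini fragments embedded below are constructed from the tutorial's 'Original Line(s)' and 'Change to' lines.

```python
"""Check a php.ini against the settings this tutorial requires for BASE on IIS.

Added example, not part of the tutorial.  The values in REQUIRED are the
'Change to' lines from the 'Configuring PHP' section.
"""
import re

# Required single-valued settings (Windows paths compare case-insensitively).
REQUIRED = {
    'max_execution_time': '60',
    'include_path': r'd:\winids\php;d:\winids\php\pear',
    'extension_dir': r'd:\winids\php\ext',
    'cgi.force_redirect': '0',
    'session.save_path': r'c:\windows\temp',
}
# 'extension=' repeats, so the loaded extensions are collected as a set.
REQUIRED_EXTENSIONS = {'php_gd2.dll', 'php_pgsql.dll'}

_LINE_RE = re.compile(r'^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')


def parse_php_ini(text):
    """Return (settings, extensions, disabled).

    disabled holds keys that appear only behind a ';' comment, i.e. the
    edit was never made and PHP is still using its built-in default.
    """
    settings, extensions, disabled = {}, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith(';')
        if commented:
            line = line[1:].strip()
        m = _LINE_RE.match(line)
        if not m:
            continue                      # section headers, prose comments
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]           # strip the ini's optional quotes
        if commented:
            if key not in settings:
                disabled.add(key)
            continue
        disabled.discard(key)
        if key == 'extension':
            extensions.add(value)
        else:
            settings[key] = value         # a later active line wins, as in PHP
    return settings, extensions, disabled


def check_php_ini(text):
    """Return a list of human-readable problems; an empty list means all good."""
    settings, extensions, disabled = parse_php_ini(text)
    problems = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            why = 'commented out' if key in disabled else 'missing'
            problems.append(f'{key}: {why} (want {want!r})')
        elif got.lower() != want.lower():
            problems.append(f'{key}: is {got!r}, want {want!r}')
    if not settings.get('date.timezone'):
        problems.append('date.timezone: not set (must match the sensor location)')
    for ext in sorted(REQUIRED_EXTENSIONS - extensions):
        problems.append(f'extension={ext}: not enabled')
    return problems


# Constructed fragments: the tutorial's original lines, then its edited lines.
SAMPLE_BEFORE = r'''
[PHP]
max_execution_time = 30
;include_path = ".;c:\php\includes"
; extension_dir = "ext"
;cgi.force_redirect = 1
;extension=php_gd2.dll
;extension=php_pgsql.dll
;date.timezone =
;session.save_path = "/tmp"
'''
SAMPLE_AFTER = r'''
[PHP]
max_execution_time = 60
include_path = "d:\winids\php;d:\winids\php\pear"
extension_dir = "d:\winids\php\ext"
cgi.force_redirect = 0
extension=php_gd2.dll
extension=php_pgsql.dll
date.timezone = America/New_York
session.save_path = "c:\windows\temp"
'''

if __name__ == '__main__':
    for label, text in (('before', SAMPLE_BEFORE), ('after', SAMPLE_AFTER)):
        print(label + ':', check_php_ini(text) or 'OK')
```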
Testing IIS, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key. Note: There is a possibility Edge may require additional privileges to open, and Internet Explorer should be used if this happens.
Several sections of information concerning the status and install of PHP should be displayed.
In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in the columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in the columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in the columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
Do not proceed until all the above paths are correct!
eXit the web-browser.
At the CMD prompt type 'del d:\winids\inetpub\wwwroot\base\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  -----------------  ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card in place of the 'x' above. This will install Snort into the Windows Services Database. The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that the Snort auto-start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring the PostgreSQL Database Server

At the CMD prompt type 'd:\winids\postgresql\bin\psql -U postgres' (less the outside quotes), and tap the 'Enter' key.
At the 'Password for user postgres:' prompt type 'd1ngd0ng' (less the outside quotes), and tap the 'Enter' key. Key presses will not echo the characters!

Creating the Windows Intrusion Detection System Databases

At the 'postgres=#' prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key.
At the 'postgres=#' prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Authenticated Users

At the 'postgres=#' prompt type 'create user snort with password 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.
At the 'postgres=#' prompt type 'create user base with password 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Database Tables

At the 'postgres=#' prompt type '\connect archive;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\connect snort;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN SCHEMA public TO snort;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO snort;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\q' (less the outside quotes), and tap the 'Enter' key.

Confirming PostgreSQL and Snort are operational

At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes), and tap the 'Enter' key. A 'Windows Security Alert' warning dialog box may appear stating 'Windows firewall may have blocked some features of this program', left-click 'Cancel'.
At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.
The 'Windows Task Manager' starts. In the bottom left, left-click and check 'Show processes from all users', left-click the 'Processes' tab, and in the 'Image name' category 'snort.exe', and several instances of 'postgres.exe', should be listed as processes. Do not proceed until the processes above are running!
eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'rename d:\temp\opensource.gz opensource.tar.gz' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key. The above command may take a few minutes to complete as it's moving twenty thousand plus files.
At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
$BASE_urlpath = '';
Change to:
$BASE_urlpath = 'http://winids';

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'postgres';

Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$use_referential_integrity = 0;
Change to:
$use_referential_integrity = 1;

Original Line(s):
$show_rows = 48;
Change to:
$show_rows = 90;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Original Line(s):
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to:
$priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s):
//$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to:
$Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Installing The PHP Extension and Application Repository (PEAR)

At the CMD prompt type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.
At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.
At the next prompt tap the 'Enter' key.
At the 'Press any key to continue . . .' prompt, press any key to exit back to the CMD prompt.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\graphing.zip -d d:\winids\php\tmp' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Auth_SASL-1.1.0.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Auth_SASL-1.1.0', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Math_BigInteger-1.0.3.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Math_BigInteger-1.0.3', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_Socket-1.2.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Net_Socket-1.2.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_SMTP-1.8.1.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Net_SMTP-1.8.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail-1.4.1.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Mail-1.4.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail_Mime-1.10.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Mail_Mime-1.10.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Words-0.18.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Numbers_Words-0.18.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Roman-1.0.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Numbers_Roman-1.0.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Color-1.0.4.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Color-1.0.4', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Canvas-0.3.5.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Canvas-0.3.5', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Graph-0.8.0.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Graph-0.8.0', and return to the CMD prompt.
At the CMD prompt type 'pear list -a' (less the outside quotes), and tap the 'Enter' key. The above command line will list all the installed PEAR packages that are required for the graphing capabilities of BASE, the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE           VERSION  STATE
Archive_Tar       1.4.3    stable
Auth_SASL         1.1.0    stable
Console_Getopt    1.4.1    stable
Image_Canvas      0.3.5    alpha
Image_Color       1.0.4    stable
Image_Graph       0.8.0    alpha
Mail              1.4.1    stable
Mail_Mime         1.10.2   stable
Math_BigInteger   1.0.3    stable
Net_SMTP          1.8.1    stable
Net_Socket        1.2.2    stable
Numbers_Roman     1.0.2    stable
Numbers_Words     0.18.2   beta
PEAR              1.10.5   stable
Structures_Graph  1.1.1    stable
XML_Util          1.4.2    stable

Do not proceed until all the highlighted PEAR packages above have been successfully installed.
At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key. Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
#output database: alert, postgresql, user=snort dbname=snort
Change to:
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.
This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, exited, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key. The 'auto-local-barnyard2.reg' file contains the run line for Barnyard2. The Registry Editor selection box opens and asks 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.
At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.
When the system has rebooted, Barnyard2 will be running in a minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.
After the reboot it could take several minutes for events to start populating the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events as they are added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have.
The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and to get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.
At this point you are done with this tutorial, events should be arriving in the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console.
I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:
Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Security Issues

Let's review what has happened so far:
All support programs, including IIS, have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor. This tutorial will show how to install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support. This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
How to build and deploy a passive Ethernet tap. This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major Components

How to update the Snort Intrusion Detection Engine. This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.
How to update the Rules, Signatures, and sid-msg.map file. This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sid-msg.map' file.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
  16. How to Install a Windows Intrusion Detection System (WinIDS) Running IIS, and logging events to a local MySQL Database

Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE

Written by: Michael E. Steele

Get Community Support!

Introduction

During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment. Yet none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating, these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment. These tutorials give all the basic instructions on how to create a complete and functioning stand-alone Windows Intrusion Detection System (WinIDS). This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

These tutorials are the basics of what is needed, and the starting point for installing any functioning Windows Intrusion Detection System (WinIDS). Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up. If there are any doubts about which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment

Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.

Windows 7 Professional
Windows 8.x Professional
Windows 10 Professional
Windows Server 2008 R2 Standard Edition
Windows Server 2012 R2 Standard Edition
Windows Server 2016 Standard Edition
Windows Server 2019 Standard Edition

All the operating systems listed above have been tested using both the 32bit and 64bit architecture for this tutorial. However, any other Windows operating system built on the same framework will most likely work.
Major support programs used in this install

Npcap allows 3rd party applications such as Snort to capture and transmit network packets, bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, on-forwarding the events to a MySQL database.
Strawberry Perl is everything needed to run Perl scripts (.pl) and applications such as PulledPork.
The MySQL-driven database stores processed events from Barnyard2 for analysis.
Microsoft's Internet Information Services will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

History of Internet Information Services (IIS)

IIS 7.5 - included with Windows 7, and Server 2008
IIS 8.0 - included with Windows 8
IIS 8.5 - included with Windows 8.1, and Server 2012
IIS 10.0 - included with Windows 10, Server 2016, and Server 2019

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any 32/64bit version of Windows listed above will do. All available Service Packs and updates MUST be applied from the Microsoft Download Center. For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. Depending on the processor's architecture, download the appropriate support file below!

32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

Downloading additional, and required support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below.
All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.

npcap-0.996: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.

Snort 2_9_15: Download and save the file to the d:\temp folder.

The next download requires the installer to be a registered user on the snort.org website, and logged in. Navigate to the snort.org website and either login or create a new account. While still logged into the snort.org web site, return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or login. While still logged into the snort.org website, return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

snortrules-snapshot-29150: Download and save the file to the d:\temp folder.

Rule Documentation (opensource.gz): Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating System's Hardware Architecture

There are several additional files listed under two groups below. Download only, and all, the files listed under the appropriate processor's architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.

32bit Windows All: Required additional downloads for the 32bit architecture install!

Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.
MySQL Database 8.0.17.0: Download and save the file to the d:\temp folder.
PHP 5.6.40 NTS (VC11): Download and save the file to the d:\temp folder.

64bit Windows All: Required additional downloads for the 64bit architecture install!

Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.
MySQL Database 8.0.17.0: Download and save the file to the d:\temp folder.
PHP 5.6.40 NTS (VC11): Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Windows 8.x / 10 / 2012 R2 SE / 2016 SE / 2019 SE: The original Windows install media (DVD/USB/ISO) is now required to be inserted or mounted.

Windows 8.x / 10 / 2012 R2 SE / 2016 SE / 2019 SE: Open a CMD window with Administrator privileges and type 'dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs' (less the outside quotes), and tap the 'Enter' key. The correct source drive letter where the Windows install media is located must be inserted into the 'x' position above.

The following is a confirmation that the '.NET Framework 3.5 Features' were installed successfully.

Deployment Image Servicing and Management tool
Version: (redacted)
Image Version: (redacted)
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.

Do not proceed until 'The operation completed successfully.' is displayed, and the original Windows install media has been removed or unmounted.

Windows All: Open a CMD window with Administrator privileges if one is not open and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.

The modder.vbs file performs several tasks:

Installs Microsoft Visual C++ 2012/2013/2017
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Installs the DejaVuSans font for BASE graphing
Inserts 'winids' hostname into hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
Sets 'Show File Extensions' as on in registry
Reboots system

After the reboot it is strongly advised that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this tutorial.

Installing the Windows Intrusion Detection System (WinIDS)

Installing Npcap

Open a CMD window with Administrator privileges and type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Installation Options' window opens, uncheck everything, and then check 'Install Npcap in WinPcap API-compatible Mode', and left-click 'Install'. The 'Installing' window opens, allow the install to complete. The 'Installation Complete' window opens, left-click 'Next'. The 'Finished' window opens, left-click 'Finish'.
Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_15_Installer.exe' (less the outside quotes), and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Choose Components' window opens, left-click 'Next'. The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), and left-click 'Next', allowing the install to complete. The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in place of the 'x' above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'. Open any web-browser and generate some traffic.
There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Note: If no traffic is passing through the CMD window, try another 'Index' number.

After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process. Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29150.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'. The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'. The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'. The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'. The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'. The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Windows 7, 8.x, or 10

Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Programs and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. In the 'Turn Windows features on or off' window expand 'Internet Information Services'. To the left of 'Web Management Tools' left-click checking the radio box (it may turn blue or black). To the left of 'World Wide Web Services' left-click checking the radio box (it may turn blue or black). Expand 'World Wide Web Services', and expand 'Application Development Features'. Under 'Application Development Features' scroll down and left-click checking the radio box titled 'CGI', and left-click 'OK', allowing Windows to make changes to 'Windows Features'. Left-click 'Close', and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Server 2008 R2 SE

Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Programs and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. The 'Server Manager' opens. Under 'Server Manager (Computer Name)' left-click 'Roles'. Under 'Roles Summary' left-click 'Add Roles'. The 'Add Roles Wizard' control panel opens. At the 'Before you begin' selection window left-click 'Next'. At the 'Select Server Roles' selection window, under 'Roles:', scroll down and left-click checking the select box to the left of 'Web Server (IIS)', and left-click 'Next'. At the 'Web Server (IIS)' selection window left-click 'Next'. At the 'Select Role Services' selection window scroll down and expand 'Application Development'.
Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm Installation Selections' selection window left-click 'Install', allowing IIS to complete the roles, role services, or features installation. Left-click 'Close', eXit the 'Server Manager', and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Server 2012 R2 SE, 2016 SE, or 2019 SE

Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Programs and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. The 'Server Manager' window opens, and the 'Add Roles and Features Wizard' auto starts. At 'Before you begin' left-click 'Next'. At 'Select installation type' left-click 'Next'. At 'Select destination server' left-click 'Next'. At 'Select server roles', under 'Roles', scroll down and left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' dialog opens, left-click 'Add Features', and left-click 'Next'. At 'Select features' left-click 'Next'. At 'Web Server Role (IIS)' left-click 'Next'. At 'Select role services' scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At 'Confirm installation selections' left-click 'Install', allowing IIS to complete the 'Feature installation'. Left-click 'Close', eXit 'Server Manager', and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.
Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Installing the MySQL Database Server

At the CMD prompt type 'd:\temp\mysql-installer-community-8.0.17.0.msi' (less the outside quotes), and tap the 'Enter' key.

The MySQL installer 'License Agreement' window opens. Left-click checking the 'I accept the license terms' radio box, and left-click 'Next'.
The MySQL installer 'Choosing a Setup Type' window opens. Left-click selecting the 'Custom' radio button, and left-click 'Next'.
The MySQL installer 'Select Products and Features' window opens. Under 'Available Products:' left-click expanding 'MySQL Servers', left-click expanding 'MySQL Server', and left-click expanding 'MySQL Servers 8.0'.

Depending on the processor's architecture, make the appropriate selection below!

32bit Windows All: Left-click highlighting 'MySQL Server 8.0.xx - X86'.
64bit Windows All: Left-click highlighting 'MySQL Server 8.0.xx - X64'.

Left-click the arrow pointing to the right, moving 'MySQL Server 8.0.xx - Xxx' to the 'Products/Features To Be Installed:' section. Under 'Products/Features To Be Installed:' left-click highlighting 'MySQL Server 8.0.xx - Xxx'. Just above the 'Cancel' button left-click 'Advanced Options', and the 'Advanced Options for MySQL Server 8.0.xx' window opens. In the 'Install Directory:' dialog box type 'd:\winids\mysql' (less the outside quotes).
In the 'Data Directory:' dialog box type 'd:\winids\mysql' (less the outside quotes), left-click 'OK', and left-click 'Next'.
The MySQL installer 'Installation' window opens. Left-click 'Execute', allowing the MySQL server install to reach 'Complete', and left-click 'Next'.
The MySQL installer 'Product Configuration' window opens, left-click 'Next'.
The MySQL installer 'Group Replication' window opens. Verify the radio button to the left of 'Standalone MySQL Server / Classic MySQL Replication' is selected, and left-click 'Next'.
The MySQL installer 'Type and Networking' window opens. Under 'Server Configuration Type' left-click 'Config Type:', left-click selecting 'Server Computer', and left-click 'Next'.
The MySQL installer 'Authentication Method' window opens. To the left of 'Use Legacy Authentication Method...' left-click the radio button, and left-click 'Next'.
The MySQL installer 'Accounts and Roles' window opens. In the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), and left-click 'Next'.
The MySQL installer 'Windows Service' window opens. In the 'Windows Service Name:' dialog box type 'MySQL' (less the outside quotes), and left-click 'Next'.
The MySQL installer 'Plugins and Extensions' window opens, left-click 'Next'.
The MySQL installer 'Apply Configuration' window opens. Left-click 'Execute', allowing the configuration for MySQL Server to succeed, and left-click 'Finish'.
The MySQL installer 'Product Configuration' window opens. Left-click 'Next'.
The MySQL installer 'Installation Complete' window opens. Left-click 'Finish' to complete the MySQL Database installation.

At the CMD prompt type 'copy d:\winids\mysql\lib\libmysql.dll c:\windows\system32' (less the outside quotes), and tap the 'Enter' key. It should display '1 file(s) copied.', and return to the command prompt.
Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb-5.20.14.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing PHP

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-nts-Win32-VC11-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-nts-Win32-VC11-x64.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the rule MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is the unified2 format, taking that output and reading it with Barnyard2 for input into the database. Since the rule msg is not stored in the unified2 file format, it is necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid. Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Likewise, updating the rules without updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
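As an added example (not the tutorial's create-sidmap.pl script), the following Python reproduces the sid-msg.map generation described above and shows the gid:sid fallback the console is left with when no mapping exists. The sample rule file, its sids and messages are constructed; including disabled ('#'-prefixed) rules is an assumption about the Perl script's behaviour.

```python
"""Build a Snort 'sid-msg.map' from rule files and use it to name unified2 events.

Added example, not the tutorial's create-sidmap.pl: it emits the v1
'sid || msg || reference ...' line format that Barnyard2 reads, and shows why an
event without a map entry is displayed only as 'gid:sid' (e.g. 1:2133).
Assumption: disabled ('#'-prefixed) rules are included, as the Perl script does.
"""
import re
from pathlib import Path

# Rule header (optionally commented out) followed by the parenthesised option block.
RULE_RE = re.compile(r"^\s*#?\s*(?:alert|log|pass|drop|reject|sdrop)\s.*?\((.*)\)\s*$")
# key:value; pairs; quoted values may contain ';' so they are matched as a unit.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def iter_rules(text):
    """Yield complete rule lines, joining backslash line continuations."""
    buf = ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        buf += line
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_rule(line):
    """Return (sid, msg, [references]) for one rule line, or None if it is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    sid, msg, refs = None, None, []
    for key, value in OPT_RE.findall(m.group(1)):
        value = value.strip()
        if key == "sid":
            sid = int(value)
        elif key == "msg":
            msg = value.strip('"')
        elif key == "reference":
            refs.append(value)
    if sid is None or msg is None:
        return None
    return sid, msg, refs


def build_sidmap(rule_texts):
    """Return sid-msg.map lines (sorted by sid) from an iterable of rule-file contents."""
    entries = {}
    for text in rule_texts:
        for line in iter_rules(text):
            parsed = parse_rule(line)
            if parsed and parsed[0] not in entries:   # first definition of a sid wins
                entries[parsed[0]] = parsed
    return [" || ".join([str(sid), msg] + refs)
            for sid, msg, refs in (entries[k] for k in sorted(entries))]


def build_sidmap_from_dir(rules_dir):
    """Read every *.rules file in rules_dir (the tutorial uses d:\\winids\\snort\\rules)."""
    return build_sidmap(p.read_text(encoding="utf-8", errors="replace")
                        for p in sorted(Path(rules_dir).glob("*.rules")))


def load_sidmap(map_text):
    """Parse sid-msg.map text into {sid: msg}, the lookup Barnyard2 performs."""
    table = {}
    for line in map_text.splitlines():
        parts = line.split(" || ")
        if len(parts) >= 2 and parts[0].strip().isdigit():
            table[int(parts[0])] = parts[1]
    return table


def event_name(sidmap, gid, sid):
    """Name an event as the console would: the rule msg when mapped, else 'gid:sid'."""
    if gid == 1 and sid in sidmap:     # a v1 map covers text rules (generator 1) only
        return sidmap[sid]
    return f"{gid}:{sid}"


# Constructed sample rule file; sids, messages and reference URLs are made up.
SAMPLE_RULES = r'''
# Constructed sample rule file (not part of any real Snort rule set)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established; content:"USER"; reference:url,example.invalid/ftp-user; reference:url,example.invalid/ftp-user-2; classtype:attempted-admin; sid:2133; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB disabled test rule"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP ping test"; \
    itype:8; sid:1000002; rev:1;)
'''

if __name__ == "__main__":
    lines = build_sidmap([SAMPLE_RULES])
    print("\n".join(lines))
    table = load_sidmap("\n".join(lines))
    print(event_name(table, 1, 2133))   # rule name once the map is loaded
    print(event_name({}, 1, 2133))      # what the console shows with no map: 1:2133
```

To regenerate the real file, call build_sidmap_from_dir on the rules folder and write the returned lines to d:\winids\snort\etc\sid-msg.map, then restart Barnyard2 so it re-reads the map.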
Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.

Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card in place of the 'x' above. This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used and/or available, it could take several minutes to run the self-test.
If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. It should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to:
; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s):
; extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;cgi.force_redirect = 1
Change to:
cgi.force_redirect = 0

Original Line(s):
;extension=php_gd2.dll
Change to:
extension=php_gd2.dll

Original Line(s):
; extension=php_mysql.dll
Change to:
extension=php_mysql.dll

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the list of supported timezones.

Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.
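An added check (not part of the tutorial) for the snort.conf edits made in 'Configuring Snort' above: it reports the host range HOME_NET covers (generalised to bracketed address lists, not only the single /24 the tutorial shows) and flags any edited setting still at its stock value. Both configuration fragments are constructed, and the stock fragment only approximates the shipped snort.conf.

```python
"""Sanity-check a snort.conf against the edits the WinIDS tutorial makes.

Added example, not the tutorial's own script. Run it before 'snort -T' to catch
a HOME_NET left at 'any', relative ../rules paths, or output/include lines that
are still commented out. Negated ('!') HOME_NET entries are skipped (assumption).
"""
import ipaddress
import re

# Directives the tutorial expects to be active (uncommented) after editing.
REQUIRED_ACTIVE = (
    "output unified2: filename merged.log, limit 128",
    "include $PREPROC_RULE_PATH/preprocessor.rules",
    "include $PREPROC_RULE_PATH/decoder.rules",
    "include $PREPROC_RULE_PATH/sensitive-data.rules",
    "preprocessor sfportscan:",
)
# 'var' paths the tutorial turns into absolute d:\winids\snort\... paths.
PATH_VARS = ("RULE_PATH", "PREPROC_RULE_PATH", "WHITE_LIST_PATH", "BLACK_LIST_PATH")


def active_lines(conf_text):
    """Yield (lineno, text) for every non-blank, non-comment line."""
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def home_net_ranges(conf_text):
    """Return [(first_host, last_host, host_count)] per HOME_NET network; [] for 'any'."""
    for _, line in active_lines(conf_text):
        m = re.match(r"ipvar\s+HOME_NET\s+(\S+)", line)
        if not m:
            continue
        value = m.group(1)
        if value.lower() == "any":
            return []
        out = []
        for entry in value.strip("[]").split(","):
            if not entry or entry.startswith("!"):   # skip blanks and negations
                continue
            net = ipaddress.ip_network(entry, strict=False)
            # For prefixes shorter than /31 the network and broadcast addresses are not hosts.
            first = net.network_address + 1 if net.prefixlen < 31 else net.network_address
            last = net.broadcast_address - 1 if net.prefixlen < 31 else net.broadcast_address
            out.append((str(first), str(last), int(last) - int(first) + 1))
        return out
    return []


def check_conf(conf_text):
    """Return a list of findings; an empty list means the tutorial's edits are present."""
    findings = []
    active = [line for _, line in active_lines(conf_text)]
    if not home_net_ranges(conf_text):
        findings.append("HOME_NET is 'any' or missing: set it to the monitored internal segment")
    for var in PATH_VARS:
        for line in active:
            m = re.match(rf"var\s+{var}\s+(\S+)", line)
            if m and m.group(1).startswith(".."):
                findings.append(f"{var} is still relative ({m.group(1)}); use an absolute d:\\winids path")
    for needed in REQUIRED_ACTIVE:
        if not any(line.startswith(needed) for line in active):
            findings.append(f"not active: {needed}")
    if any(line.startswith("dynamicengine") and line.endswith(".so") for line in active):
        findings.append("dynamicengine still points at a UNIX .so library instead of sf_engine.dll")
    return findings


# Constructed fragments: stock-style values versus the tutorial's edited values.
STOCK_CONF = r"""
ipvar HOME_NET any
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
"""

EDITED_CONF = r"""
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH d:\winids\snort\rules
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
var WHITE_LIST_PATH d:\winids\snort\rules
var BLACK_LIST_PATH d:\winids\snort\rules
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
output unified2: filename merged.log, limit 128
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
"""

if __name__ == "__main__":
    print("stock findings:", *check_conf(STOCK_CONF), sep="\n  ")
    print("edited findings:", check_conf(EDITED_CONF))            # []
    print("HOME_NET covers:", home_net_ranges(EDITED_CONF))       # 192.168.1.1 - 192.168.1.254
```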
Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), tap the 'Enter' key, and the 'Internet Information Services (IIS) Manager' opens. If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...' left-click 'No'.

On the left under 'Connections' left-click highlighting '<server name>' at the very top of the column, in the center window titled '<server name> Home' go down to the section labeled 'IIS', right-click 'Handler Mappings', left-click 'Open Feature', on the right under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, and left-click 'Yes'.

In the center window titled 'Handler Mappings' under the 'Name' column make sure 'PHP' (less the outside quotes) is listed at the very bottom.

On the left under 'Connections' expand 'Sites', left-click 'Default Web Site', under the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document', left-click 'Open Feature', on the right under 'Actions' left-click 'Add...', the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), and left-click 'OK'.

In the 'Default Document' under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.
Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.

At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing IIS, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.

Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Note: There is a possibility Edge may require additional privileges to open, and Internet Explorer should be used if this happens.

Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

Do not proceed until all the above paths are correct!

eXit the web-browser.

At the CMD prompt type 'del d:\winids\inetpub\wwwroot\base\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index   Physical Address    IP Address
-----   ----------------    ----------
    1   00:0C:29:25:B4:96   0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will install Snort into the Windows Services Database. The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring the MySQL Database Server

Open a CMD window and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find option to locate the line '[mysqld]' (less the outside quotes), and just below it add the next two lines.

character-set-server=utf8
bind-address=127.0.0.1

Save the file, and eXit Notepad2.

Creating the Windows Intrusion Detection System Databases

At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes), and tap the 'Enter' key. You will be dropped into the MySQL administration console CMD prompt.

At the mysql CMD prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt.

At the mysql CMD prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt.

At the mysql CMD prompt type 'show databases;' (less the outside quotes), and tap the 'Enter' key. There should be several databases listed: 'information_schema', 'archive', 'mysql', and 'snort'.

Creating the Windows Intrusion Detection System Database Tables

At the mysql CMD prompt type 'connect snort;' (less the outside quotes), and tap the 'Enter' key.
It will display 'Current database: snort' and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'connect archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: archive' and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

Creating the Windows Intrusion Detection System Database Access, and Authenticated Users

At the mysql CMD prompt type 'CREATE USER 'snort' IDENTIFIED BY 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.
It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE ON snort.* TO 'snort';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'CREATE USER 'base' IDENTIFIED BY 'an@l1st';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE,DELETE,CREATE ON snort.* TO 'base';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE,DELETE,CREATE ON archive.* TO 'base';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and tap the 'Enter' key.

At the mysql CMD prompt type 'select user from user;' (less the outside quotes), and tap the 'Enter' key. There should be several users listed, including base, and snort.

At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.

Confirming MySQL and Snort are operational

At the CMD prompt type 'net stop mysql & net start mysql' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key. The 'Windows Task Manager' starts, in the bottom left-click and check 'Show processes from all users', left-click the 'Processes' tab, in the 'Image name' category 'snort.exe', and 'mysqld.exe' should be listed as a process.

Do not proceed until the processes above are running!

eXit the 'Task Manager'.
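The two database accounts above are deliberately unequal: 'snort' (used by Barnyard2) only needs to add and look up events, while 'base' (used by the console) also deletes and archives them. Note that CREATE USER without an @'host' part creates 'snort'@'%', reachable from any host; the bind-address=127.0.0.1 line added to my.ini earlier is what keeps that from being exposed on the network, and creating the accounts as 'snort'@'localhost' would close it at the account level as well. The following is an added example of mine, not from the tutorial, that checks 'SHOW GRANTS' output against that privilege plan and flags over-grants and host-unrestricted accounts; the sample output is constructed (a DROP privilege is added on 'base' to show what a finding looks like).

```python
import re

# Least-privilege plan from the tutorial: {user: {database: allowed privileges}}
POLICY = {
    "snort": {"snort": {"INSERT", "SELECT", "UPDATE"}},
    "base": {"snort": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE"},
             "archive": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE"}},
}

# Constructed sample of 'SHOW GRANTS FOR ...' output after the tutorial's
# CREATE USER / GRANT statements. The DROP on 'base' is injected deliberately.
SAMPLE_SHOW_GRANTS = """\
GRANT USAGE ON *.* TO 'snort'@'%'
GRANT INSERT, SELECT, UPDATE ON `snort`.* TO 'snort'@'%'
GRANT USAGE ON *.* TO 'base'@'%'
GRANT INSERT, SELECT, UPDATE, DELETE, CREATE, DROP ON `snort`.* TO 'base'@'%'
GRANT INSERT, SELECT, UPDATE, DELETE, CREATE ON `archive`.* TO 'base'@'%'
"""

_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+`?(?P<db>[^`.\s]+)`?\.\*\s+TO\s+"
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)'",
    re.IGNORECASE)


def parse_show_grants(text: str) -> list:
    """Return (user, host, db, {privileges}) for each GRANT line; db is '*' for global."""
    grants = []
    for line in text.splitlines():
        m = _GRANT.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.append((m.group("user"), m.group("host"), m.group("db"), privs))
    return grants


def audit_grants(text: str, policy: dict = POLICY) -> list:
    """List every privilege or host scope that goes beyond the policy."""
    findings = []
    wide_open = []
    for user, host, db, privs in parse_show_grants(text):
        if host == "%" and (user, host) not in wide_open:
            wide_open.append((user, host))
        if db == "*":
            extra = privs - {"USAGE"}  # USAGE on *.* is just "may log in"
            if extra:
                findings.append(f"{user}@{host}: global privileges {sorted(extra)}")
            continue
        allowed = policy.get(user, {}).get(db)
        if allowed is None:
            findings.append(f"{user}@{host}: unexpected access to database '{db}'")
        elif privs - allowed:
            findings.append(f"{user}@{host}: excess privileges on '{db}': {sorted(privs - allowed)}")
    for user, host in wide_open:
        findings.append(f"{user}@{host}: account not restricted to a host")
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_SHOW_GRANTS):
        print("grant audit:", f)
```

The audit is silent only when every account has exactly the tutorial's privileges and a host part other than '%', so it doubles as a regression check after the "changing the default database user access" hardening suggested at the end of the tutorial.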
Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'rename d:\temp\opensource.gz opensource.tar.gz' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key. The above command may take a few minutes to complete as it is moving twenty thousand plus files.

At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
$BASE_urlpath = '';
Change to:
$BASE_urlpath = 'http://winids';

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'mysql';

Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$show_rows = 48;
Change to:
$show_rows = 90;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Original Line(s):
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to:
$priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s):
//$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to:
$Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Installing The PHP Extension and Application Repository (PEAR)

At the CMD prompt type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.

At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.

At the next prompt tap the 'Enter' key.

At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\graphing.zip -d d:\winids\php\tmp' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Auth_SASL-1.1.0.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Auth_SASL-1.1.0', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Math_BigInteger-1.0.3.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Math_BigInteger-1.0.3', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_Socket-1.2.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Net_Socket-1.2.2', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_SMTP-1.8.1.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Net_SMTP-1.8.1', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail-1.4.1.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Mail-1.4.1', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail_Mime-1.10.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Mail_Mime-1.10.2', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Words-0.18.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Numbers_Words-0.18.2', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Roman-1.0.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Numbers_Roman-1.0.2', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Color-1.0.4.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Color-1.0.4', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Canvas-0.3.5.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Canvas-0.3.5', and return to the CMD prompt.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Graph-0.8.0.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Graph-0.8.0', and return to the CMD prompt.
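Eleven 'pear install' lines in a row are easy to get one wrong, and a single missing or mismatched package only shows up later as a broken graph page. The following is an added example of mine, not from the tutorial or from PEAR, that parses the text 'pear list -a' prints and reports any of the packages installed above that are absent or at a version other than the one the tutorial names. The sample output is constructed from the tutorial's package list with Image_Graph left out and Net_SMTP at an older version.

```python
import re

# Packages the tutorial installs from graphing.zip, with the versions it names
REQUIRED_PEAR = {
    "Auth_SASL": "1.1.0", "Math_BigInteger": "1.0.3", "Net_Socket": "1.2.2",
    "Net_SMTP": "1.8.1", "Mail": "1.4.1", "Mail_Mime": "1.10.2",
    "Numbers_Words": "0.18.2", "Numbers_Roman": "1.0.2", "Image_Color": "1.0.4",
    "Image_Canvas": "0.3.5", "Image_Graph": "0.8.0",
}

# Constructed 'pear list -a' output: Image_Graph missing, Net_SMTP downlevel
SAMPLE_PEAR_LIST = """\
INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE          VERSION STATE
Archive_Tar      1.4.3   stable
Auth_SASL        1.1.0   stable
Console_Getopt   1.4.1   stable
Image_Canvas     0.3.5   alpha
Image_Color      1.0.4   stable
Mail             1.4.1   stable
Mail_Mime        1.10.2  stable
Math_BigInteger  1.0.3   stable
Net_SMTP         1.8.0   stable
Net_Socket       1.2.2   stable
Numbers_Roman    1.0.2   stable
Numbers_Words    0.18.2  beta
PEAR             1.10.5  stable
Structures_Graph 1.1.1   stable
XML_Util         1.4.2   stable
"""

# name, dotted version, state; the header row has no numeric version and is skipped
_PKG = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s+(\d+(?:\.\d+)*)\s+(\w+)\s*$")


def parse_pear_list(output: str) -> dict:
    """Return {package: (version, state)} from 'pear list -a' output."""
    pkgs = {}
    for line in output.splitlines():
        m = _PKG.match(line.strip())
        if m:
            pkgs[m.group(1)] = (m.group(2), m.group(3))
    return pkgs


def missing_pear_packages(output: str, required: dict = REQUIRED_PEAR) -> list:
    """Required packages that are absent or not at the tutorial's version."""
    installed = parse_pear_list(output)
    problems = []
    for name, version in required.items():
        got = installed.get(name)
        if got is None:
            problems.append(f"{name}: not installed")
        elif got[0] != version:
            problems.append(f"{name}: version {got[0]}, tutorial expects {version}")
    return problems


if __name__ == "__main__":
    for p in missing_pear_packages(SAMPLE_PEAR_LIST):
        print("pear:", p)
```

On the sensor, redirect 'pear list -a' to a file and pass its contents to missing_pear_packages; an empty result is the equivalent of every highlighted package in the tutorial's listing being present.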
At the CMD prompt type 'pear list -a' (less the outside quotes), and tap the 'Enter' key. The above command line will list all the installed pear packages that are required for the graphing capabilities of BASE, the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE          VERSION STATE
Archive_Tar      1.4.3   stable
Auth_SASL        1.1.0   stable
Console_Getopt   1.4.1   stable
Image_Canvas     0.3.5   alpha
Image_Color      1.0.4   stable
Image_Graph      0.8.0   alpha
Mail             1.4.1   stable
Mail_Mime        1.10.2  stable
Math_BigInteger  1.0.3   stable
Net_SMTP         1.8.1   stable
Net_Socket       1.2.2   stable
Numbers_Roman    1.0.2   stable
Numbers_Words    0.18.2  beta
PEAR             1.10.5  stable
Structures_Graph 1.1.1   stable
XML_Util         1.4.2   stable

Do not proceed until all the highlighted PEAR packages above have been successfully installed.

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key. Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
#output database: log, mysql, user=root password=test dbname=db host=localhost
Change to:
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key. This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, exited, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key. The 'auto-barnyard.reg' file contains the run line for Barnyard2. The Registry Editor selection box opens and asks 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.
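What Barnyard2 is spooling into the database after the reboot are the unified2 records Snort writes to merged.log under the 'output unified2: filename merged.log, limit 128' line set earlier. Because that line was stripped of the 'mpls_event_types' and 'vlan_event_types' options, each alert is written as the legacy IDS event record (type 7) followed by its packet record (type 2). The following is an added example of mine, not part of the tutorial, Snort or Barnyard2, that decodes those two record types using the field layout from Snort's Unified2_common.h (all fields big-endian), skips record types it does not know, and stops cleanly at a partially written trailing record the way a spooler must. The sample byte stream is constructed inline, not a real capture, and the addresses and signature IDs in it are made up.

```python
import struct
from ipaddress import IPv4Address

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event: no VLAN/MPLS fields

HEADER = struct.Struct("!II")                      # type, length
EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")   # Unified2IDSEvent_legacy, 52 bytes
PACKET = struct.Struct("!" + "I" * 7)              # Serial_Unified2Packet fixed part, 28 bytes

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_unified2(data: bytes) -> list:
    """Walk a unified2 byte stream and return one dict per complete record.

    Unknown types are kept as placeholders and skipped by their declared
    length; a truncated record at the end (Snort may still be writing it)
    ends the walk instead of raising, which is how Barnyard2 has to behave.
    """
    records = []
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body = data[off + HEADER.size: off + HEADER.size + rlen]
        if len(body) < rlen:
            break  # partial record: wait for more data rather than mis-parse
        if rtype == UNIFIED2_IDS_EVENT and rlen >= EVENT.size:
            rec = dict(zip(EVENT_FIELDS, EVENT.unpack_from(body)))
            rec["ip_source"] = str(IPv4Address(rec["ip_source"]))
            rec["ip_destination"] = str(IPv4Address(rec["ip_destination"]))
            rec["type"] = "event"
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET.size:
            rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(body)))
            rec["packet_data"] = body[PACKET.size: PACKET.size + rec["packet_length"]]
            rec["type"] = "packet"
        else:
            rec = {"type": "unknown", "record_type": rtype, "length": rlen}
        records.append(rec)
        off += HEADER.size + rlen
    return records


def summarize(records: list) -> list:
    """One line per event in the [gid:sid:rev] style Barnyard2 prints."""
    out = []
    for r in records:
        if r["type"] == "event":
            out.append(f"[{r['generator_id']}:{r['signature_id']}:{r['signature_revision']}] "
                       f"{r['ip_source']}:{r['sport_itype']} -> "
                       f"{r['ip_destination']}:{r['dport_icode']} "
                       f"proto={r['protocol']} priority={r['priority_id']}")
    return out


def build_sample() -> bytes:
    """Constructed stream: one event, its packet, then a truncated record."""
    ev = EVENT.pack(0, 3, 1571234567, 123456, 1000001, 1, 2, 3, 2,
                    int(IPv4Address("192.0.2.10")), int(IPv4Address("192.0.2.20")),
                    40000, 80, 6, 0, 0, 0)
    payload = b"GET / HTTP/1.1\r\n"
    pk = PACKET.pack(0, 3, 1571234567, 1571234567, 123456, 1, len(payload)) + payload
    truncated = HEADER.pack(UNIFIED2_IDS_EVENT, EVENT.size) + ev[:20]
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + HEADER.pack(UNIFIED2_PACKET, len(pk)) + pk
            + truncated)


if __name__ == "__main__":
    for line in summarize(parse_unified2(build_sample())):
        print(line)
```

Pointing parse_unified2 at the bytes of a merged.log file in d:\winids\snort\log is a quick way to confirm Snort is producing events before Barnyard2 or the database is involved, which narrows down where a "no events in the console" problem actually lies.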
When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

After the reboot it could take several minutes for events to start populating into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have.

The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.

At this point you are done with this tutorial, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console.

I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Security Issues

Let's review what has happened so far:

All support programs, including IIS, have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
This tutorial will show how to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.

How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).

How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).

How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
This tutorial is a simple to understand, step-by-step tutorial for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.

How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine
This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.
How to update the Rules, Signatures, and sig-msg.map file
This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.

Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
  17. How to Install a Windows Intrusion Detection System (WinIDS) Running Apache2, and logging events to a local PostgreSQL Database

Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE

Written by: Michael E. Steele

Get Community Support!

Introduction

During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment. Yet, none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating, these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment.

These tutorials give all the basic instructions on how to create a complete, and functioning, stand alone Windows Intrusion Detection System (WinIDS). This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

These tutorials are the basics of what is needed, and the starting point for installing any functioning Windows Intrusion Detection System (WinIDS). Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up.

If there are any doubts about which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk.
Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment

Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.

Windows 7 Professional
Windows 8.x Professional
Windows 10 Professional
Windows Server 2008 R2 Standard Edition
Windows Server 2012 R2 Standard Edition
Windows Server 2016 Standard Edition
Windows Server 2019 Standard Edition

All the operating systems listed above have been tested using both the 32bit and 64bit architecture for this tutorial. However, any other Windows operating system under the same framework as those listed above will most likely work.
Major support programs used in this install

Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a PostgreSQL database.
Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork.
The PostgreSQL-driven database stores processed events from Barnyard2 for analysis.
Apache2 will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any 32/64bit Version of Windows listed above will do. All available Service Packs and updates MUST be applied from the Microsoft Download Center.

For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. Depending on the processor's architecture, download the appropriate support file below!

32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

Downloading additional, and required, support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.

npcap-0.996: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.

Snort 2_9_15: Download and save the file to the d:\temp folder.

The next download requires the installer to be a registered user on the snort.org website, and logged in. Navigate to the snort.org website and either login or create a new account. While still logged into the snort.org web site return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or login. While still logged into the snort.org website return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

snortrules-snapshot-29150: Download and save the file to the d:\temp folder.

Rule Documentation (opensource.gz): Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating System's Hardware Architecture

There are several additional files listed under two groups below. Download only, and all of, the files listed under the appropriate processor architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.

32bit Windows All: Required additional downloads for the 32bit architecture install!

Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.
Apache2 2.4.41 (VS16): Download and save the file to the d:\temp folder.
Apache2 FastCGI module 2.3.10 (VS16): Download and save the file to the d:\temp folder.
PostgreSQL Database 10.10-1: Download and save the file to the d:\temp folder.
PHP 5.6.40 TS (VC11): Download and save the file to the d:\temp folder.

64bit Windows All: Required additional downloads for the 64bit architecture install!

Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.
Apache2 2.4.41 (VS16): Download and save the file to the d:\temp folder.
Apache2 FastCGI module 2.3.10 (VS16): Download and save the file to the d:\temp folder.
PostgreSQL Database 10.10-1: Download and save the file to the d:\temp folder.
PHP 5.6.40 TS (VC11): Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Windows 8.x / 10 / 2012 R2 SE / 2016 SE: The original Windows install media (DVD/USB/ISO) is now required to be inserted or mounted.

Windows 8.x / 10 / 2012 R2 SE / 2016 SE: Open a CMD window with Administrator privileges and type 'dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs' (less the outside quotes), and tap the 'Enter' key. The correct source drive letter where the Windows install media is located must be inserted into the 'x' position above.
The following is a confirmation that the '.NET Framework 3.5 Features' were installed successfully.

Deployment Image Servicing and Management tool
Version: (redacted)
Image Version: (redacted)
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.

Do not proceed until 'The operation completed successfully.' is displayed, and the original Windows install media has been removed, or unmounted.

Windows All: Open a CMD window with Administrator privileges if one is not open and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.

The modder.vbs file performs several tasks:
Installs Microsoft Visual C++ 2012/2013/2017
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Installs the DejaVuSans font for BASE graphing
Inserts 'winids' hostname into hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
Sets 'Show File Extensions' as on in registry
Reboots system

After the reboot it is strongly advised that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this tutorial.

Installing the Windows Intrusion Detection System (WinIDS)

Installing Npcap

Open a CMD window with Administrator privileges and type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'.
The 'Installation Options' window opens, uncheck everything, and then check 'Install Npcap in WinPcap API-compatible Mode', left-click 'Install'.
The 'Installing' window opens, allow the install to complete.
The 'Installation Complete' window opens, left-click 'Next'.
The 'Finished' window opens, left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_15_Installer.exe' (less the outside quotes), and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'.
The 'Choose Components' window opens, left-click 'Next'.
The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing the install to complete.
The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
    1  00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.

Open any web-browser and generate some traffic.
There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Note: If no traffic is passing through the CMD window, try another 'Index' number.

After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29150.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'.
The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'.
The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'.
The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.
The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'.
The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'.
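The interface table from 'snort -W' and the packet headers from 'snort -v' are the two pieces of Snort console output this test relies on, and the same table comes back twice more later in the tutorial. As an added example (not part of the WinIDS tutorial or of Snort itself), the following Python script parses both so the 'Index' number can be picked by MAC address and the go/no-go check ("is traffic being displayed?") can be made programmatically. The sample output is constructed after the listings above: a second interface and a reply packet are invented, and the script assumes the partial three-column '-W' layout shown in this tutorial.

```python
import re
from collections import Counter

# Constructed sample of 'snort -W' output, modelled on the tutorial's partial
# listing; interface 2 is invented for this example.
SNORT_W_OUTPUT = """\
Index  Physical Address   IP Address
-----  ----------------   ----------
    1  00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf
    2  00:50:56:C0:00:08  0000:0000:fe80:0000:0000:0000:0001:0002
"""

# Constructed sample of 'snort -v' output: the tutorial's packet plus an
# invented reply in the other direction.
SNORT_V_OUTPUT = """\
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/08-12:12:32.188402 65.55.121.241:80 -> 10.0.0.29:1068
TCP TTL:52 TOS:0x0 ID:9 IpLen:20 DgmLen:1420 DF
***AP*** Seq: 0x1850214F Ack: 0x7430B82E Win: 0x3E80 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# One table row: index, a colon-separated MAC, then the address column.
IFACE_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)")
# The first line of each packet block: timestamp, src:port -> dst:port.
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)$")


def parse_interfaces(text):
    """Return {index: (mac, ip)} for each row of the 'snort -W' table."""
    ifaces = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            ifaces[int(m.group(1))] = (m.group(2).upper(), m.group(3))
    return ifaces


def interface_index_for_mac(text, mac):
    """The '-ix' index for the NIC with this MAC address, or None if it is not listed."""
    for idx, (found_mac, _) in parse_interfaces(text).items():
        if found_mac == mac.upper():
            return idx
    return None


def parse_packets(text):
    """Return one (timestamp, src_ip, src_port, dst_ip, dst_port, proto) tuple per packet block."""
    packets = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = PKT_RE.match(line.strip())
        if m and i + 1 < len(lines):
            proto = lines[i + 1].split()[0]        # 'TCP', 'UDP', 'ICMP', ...
            ts, sip, sport, dip, dport = m.groups()
            packets.append((ts, sip, int(sport), dip, int(dport), proto))
    return packets


def traffic_seen(text, min_packets=1):
    """The tutorial's go/no-go check: did packets show up on the chosen interface?"""
    return len(parse_packets(text)) >= min_packets


def talkers(text):
    """Packets per source address, handy for confirming which host generated the test traffic."""
    return Counter(p[1] for p in parse_packets(text))


if __name__ == "__main__":
    print("index for 00:0C:29:25:B4:96 ->", interface_index_for_mac(SNORT_W_OUTPUT, "00:0c:29:25:b4:96"))
    for pkt in parse_packets(SNORT_V_OUTPUT):
        print(pkt)
    print("traffic seen:", traffic_seen(SNORT_V_OUTPUT))
```

If traffic_seen() comes back False for the chosen index, that is the "try another 'Index' number" case from the note above; feeding the script the output of each candidate index in turn finds the monitoring NIC without guesswork.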
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing the Apache2 Web-Server

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: Open a CMD window with Administrator privileges and type 'unzip -oqq d:\temp\httpd-2.4.41-win32-VS16.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: Open a CMD window with Administrator privileges and type 'unzip -oqq d:\temp\httpd-2.4.41-win64-VS16.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing the FastCGI ASF support module for Apache2

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -joqq d:\temp\mod_fcgid-2.3.10-win32-VS16.zip "mod_fcgid-2.3.10\*.so" -d d:\winids\Apache24\modules' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -joqq d:\temp\mod_fcgid-2.3.10-win64-VS16.zip "mod_fcgid-2.3.10\*.so" -d d:\winids\Apache24\modules' (less the outside quotes), and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\apache24\htdocs\base' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Installing the PostgreSQL Database Server

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'd:\temp\postgresql-10.10-1-windows.exe' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\postgresql-10.10-1-windows-x64.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Setup PostgreSQL' window opens, left-click 'Next'.
The 'Installation Directory' window opens. In the dialog box type 'd:\winids\postgresql' (less the outside quotes), and left-click 'Next'.
The 'Select Components' window opens. In the list of selected Components uncheck 'Stack Builder', and left-click 'Next'.
The 'Data Directory' window opens. The dialog box should already be populated with 'd:\winids\postgresql\data' (less the outside quotes), left-click 'Next'.
The 'Password' window opens. In the 'Password' dialog box type 'd1ngd0ng' (less the outside quotes), in the 'Retype password' dialog box type 'd1ngd0ng' (less the outside quotes), left-click 'Next'.
The 'port' window opens. The listening port dialog box should already be populated with '5432', left-click 'Next'.
The 'Advanced Options' window opens. The 'Locale' pull-down select box should already be populated with '[Default locale]', left-click 'Next'.
The 'Pre Installation Summary' window opens. Verify all the pre-selected settings below are correct, and left-click 'Next'.

Installation Directory: D:\winids\PostgreSQL
Server Installation Directory: D:\winids\PostgreSQL
Data Directory: D:\winids\PostgreSQL\data
Database Port: 5432
Database Superuser: postgres
Operating System Account: NT AUTHORITY\NetworkService
Database Service: postgresql-x64-xx
Command Line Tools Installation Directory: D:\winids\PostgreSQL
pgAdmin4 Installation Directory: D:\winids\PostgreSQL\pgAdmin 4

The 'Ready to Install' window opens, left-click 'Next' allowing the installation to complete.
The 'Completing the PostgreSQL Setup Wizard' window opens, left-click 'Finish'.
Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb-5.20.14.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing PHP

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-Win32-VC11-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-Win32-VC11-x64.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the rule MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is the unified2 format: Barnyard2 takes that output and reads it for input into the database. Since the rule msg is not stored in the unified2 file format, it is necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when an alert is associated by sid. Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
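To make the sid-msg.map mechanism concrete, here is an added example (not the tutorial's create-sidmap.pl, and not code from the Snort or Barnyard2 projects) in Python that does the same job on a small scale: it pulls the sid, msg and reference options out of rule lines and renders them in the 'sid || msg || reference' layout of a v1 sid-msg.map, then shows what an event label degrades to when the map has no entry for a sid. The rule lines are constructed samples with sids in the local range, not from any real rule set; the script assumes Snort 2 rule syntax and that commented-out rules should be skipped, as Snort itself skips them.

```python
import re

# Constructed sample rules in Snort 2 syntax (not taken from any real rule set).
SAMPLE_RULES = r'''
# Comment lines and blank lines are skipped, just as Snort skips them.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login attempt example"; flow:to_server,established; content:"USER"; sid:1000001; rev:2; reference:url,example.invalid/ftp;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo example"; itype:8; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"Disabled rule example"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS query example"; sid:1000004; rev:1; reference:cve,0000-0000; reference:url,example.invalid/dns;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')   # quoted msg, allowing escaped quotes
REF_RE = re.compile(r'\breference\s*:\s*([^;]+);')


def parse_rules(text):
    """Return {sid: (msg, [references])} for every active rule in the text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # a commented-out rule never fires, so it needs no map entry
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if not sid or not msg:
            continue  # not a rule line (or a malformed one)
        rules[int(sid.group(1))] = (msg.group(1), [r.strip() for r in REF_RE.findall(line)])
    return rules


def format_sid_msg_map(rules):
    """Render the 'sid || msg || reference || reference' layout of a v1 sid-msg.map."""
    return ''.join(' || '.join([str(sid), msg] + refs) + '\n'
                   for sid, (msg, refs) in sorted(rules.items()))


def event_label(gid, sid, sidmap):
    """What the console can show for a unified2 event: the rule msg when the map
    knows the sid, otherwise only 'gid:sid' (the 1:2133 style the tutorial warns
    about).  A v1 sid-msg.map only covers generator 1; preprocessor events from
    other generators are named through gen-msg.map, which this example ignores."""
    if gid == 1 and sid in sidmap:
        return sidmap[sid][0]
    return f'{gid}:{sid}'


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print(format_sid_msg_map(rules), end='')
    print(event_label(1, 1000002, rules), '|', event_label(1, 1000003, rules))
```

Running it prints one map line per active rule, and the last line shows the contrast the paragraph describes: sid 1000002 resolves to its msg, while 1000003 (commented out, so absent from the map) comes back as the bare '1:1000003'. This is the same effect seen after a rule update when the map is not regenerated.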
Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.

Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
    1  00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used and/or available, the self-test could take several minutes to run.
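The Find-and-edit list above has one failure mode worth guarding against: if an 'Original Line' is not found (a different snort.conf revision, or a line already edited), Notepad2 simply finds nothing and the stock value stays in place, and 'snort -T' will not necessarily complain about it. As an added example (not the tutorial's own method, which uses Notepad2's Find), this Python script applies the single-line edits from the list to a snort.conf and refuses to continue when an original line is missing or appears more than once; it then works out the host range covered by the HOME_NET CIDR, which is how the 192.168.1.1 - 192.168.1.254 figure above comes about. SAMPLE_CONF is a constructed stand-in for the real file; the sfportscan and include edits, whose originals are commented or multi-line, are left out of the list.

```python
import ipaddress

# (original line, replacement) pairs taken from the tutorial's edit list;
# only the single-line edits are included here.
EDITS = [
    ("ipvar HOME_NET any", "ipvar HOME_NET 192.168.1.0/24"),
    ("var RULE_PATH ../rules", r"var RULE_PATH d:\winids\snort\rules"),
    ("var SO_RULE_PATH ../so_rules", "# var SO_RULE_PATH ../so_rules"),
    ("var PREPROC_RULE_PATH ../preproc_rules", r"var PREPROC_RULE_PATH d:\winids\snort\preproc_rules"),
    ("var WHITE_LIST_PATH ../rules", r"var WHITE_LIST_PATH d:\winids\snort\rules"),
    ("var BLACK_LIST_PATH ../rules", r"var BLACK_LIST_PATH d:\winids\snort\rules"),
    ("dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/",
     r"dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor"),
    ("dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so",
     r"dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll"),
    ("decompress_swf { deflate lzma } \\", "decompress_swf { deflate } \\"),
    ("# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types",
     "output unified2: filename merged.log, limit 128"),
]

# Constructed stand-in for snort.conf: a handful of the lines the edits target.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
   decompress_swf { deflate lzma } \\
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
"""


def apply_edits(conf_text, edits):
    """Replace whole lines.  Raise if an original is missing or ambiguous, so a
    silent Find miss cannot leave the stock value in place."""
    lines = conf_text.splitlines()
    for original, replacement in edits:
        hits = [i for i, line in enumerate(lines) if line.strip() == original]
        if len(hits) != 1:
            raise ValueError(f"expected exactly one line {original!r}, found {len(hits)}")
        indent = lines[hits[0]][:len(lines[hits[0]]) - len(lines[hits[0]].lstrip())]
        lines[hits[0]] = indent + replacement      # keep the original indentation
    return "\n".join(lines) + "\n"


def home_net_hosts(conf_text):
    """Return (first, last) monitored host address for the ipvar HOME_NET setting."""
    for line in conf_text.splitlines():
        if line.startswith("ipvar HOME_NET "):
            net = ipaddress.ip_network(line.split()[2], strict=False)
            hosts = list(net.hosts())               # excludes network and broadcast
            return str(hosts[0]), str(hosts[-1])
    raise ValueError("ipvar HOME_NET not found")


if __name__ == "__main__":
    edited = apply_edits(SAMPLE_CONF, EDITS)
    print(edited, end="")
    print("HOME_NET covers", "%s - %s" % home_net_hosts(edited))
```

Pointing the script at the real file is a matter of reading d:\winids\snort\etc\snort.conf into conf_text and writing the result back; the ValueError is the whole point, since it turns a missed edit into a visible failure before 'snort -T' is run.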
If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to:
; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s):
; extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;extension=php_gd2.dll
Change to:
extension=php_gd2.dll

Original Line(s):
;extension=php_pgsql.dll
Change to:
extension=php_pgsql.dll

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.

Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring the Apache2 Web-Server

At the CMD prompt type 'notepad2 d:\winids\apache24\conf\httpd.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
Define SRVROOT "c:/Apache24"
Change to:
Define SRVROOT "d:\winids\apache24"

Original Line(s):
Listen 80
Change to:
Listen winids:80

Just below the line '#LoadModule xml2enc_module modules/mod_xml2enc.so', add the next line.
LoadModule fcgid_module modules/mod_fcgid.so

Original Line(s):
#ServerName www.example.com:80
Change to:
ServerName winids:80

Original Line(s):
DocumentRoot "${SRVROOT}/htdocs"
Change to:
DocumentRoot "${SRVROOT}\htdocs\base"

Original Line(s):
<Directory "${SRVROOT}/htdocs">
Change to:
<Directory "${SRVROOT}\htdocs\base">

Original Line(s):
Options Indexes FollowSymLinks
Change to:
Options -Indexes

Original Line(s):
DirectoryIndex index.html
Change to:
DirectoryIndex base_main.php

Scroll all the way to the bottom of the file and insert the next 27 lines of code:

LoadFile "d:\winids\postgresql\bin\libpq.dll"
<IfModule fcgid_module>
FcgidInitialEnv PHPRC "d:\winids\php"
FcgidInitialEnv PATH "d:\winids\php;c:\Windows\system32;c:\Windows;c:\Windows\System32\Wbem;"
FcgidInitialEnv SystemRoot "c:\Windows"
FcgidInitialEnv SystemDrive "c:"
FcgidInitialEnv TEMP "c:\Windows\Temp"
FcgidInitialEnv TMP "c:\Windows\Temp"
FcgidInitialEnv windir "c:\Windows"
FcgidIOTimeout 40
FcgidConnectTimeout 10
FcgidMaxProcesses 8
FcgidOutputBufferSize 64
ProcessLifeTime 0
FcgidMaxRequestsPerProcess 0
FcgidMinProcessesPerClass 0
FcgidMaxProcesses 50
FcgidFixPathinfo 0
FcgidZombieScanInterval 20
FcgidMaxRequestLen 536870912
FcgidIOTimeout 120
<Files ~ "\.php$">
Options Indexes FollowSymLinks ExecCGI
AddHandler fcgid-script .php
FcgidWrapper "d:/winids/php/php-cgi.exe" .php
</Files>
</IfModule>

Save the file, and eXit Notepad2.

Adding Apache2 to the Windows Services Database

At the CMD prompt type 'd:\winids\apache24\bin\httpd.exe -k install' (less the outside quotes), and tap the 'Enter' key.
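One thing to be aware of in the 27-line block above: FcgidIOTimeout is set twice (40, then 120) and so is FcgidMaxProcesses (8, then 50), both inside the same <IfModule>. For simple directives like these Apache takes the later setting in a container, so the values in effect are 120 and 50. As an added example (not tooling from the tutorial or from the Apache project), this Python script parses a directive block, reports any directive set more than once in the same container, and returns the value that will actually apply. The block is embedded as written above (with the corrected c:\Windows\System32\Wbem path); directives such as FcgidInitialEnv are keyed by their first argument, since repeating them once per variable is normal rather than a duplicate.

```python
# The directive block the tutorial appends to httpd.conf, embedded so the check runs offline.
FCGID_BLOCK = r'''
LoadFile "d:\winids\postgresql\bin\libpq.dll"
<IfModule fcgid_module>
FcgidInitialEnv PHPRC "d:\winids\php"
FcgidInitialEnv PATH "d:\winids\php;c:\Windows\system32;c:\Windows;c:\Windows\System32\Wbem;"
FcgidInitialEnv SystemRoot "c:\Windows"
FcgidInitialEnv SystemDrive "c:"
FcgidInitialEnv TEMP "c:\Windows\Temp"
FcgidInitialEnv TMP "c:\Windows\Temp"
FcgidInitialEnv windir "c:\Windows"
FcgidIOTimeout 40
FcgidConnectTimeout 10
FcgidMaxProcesses 8
FcgidOutputBufferSize 64
ProcessLifeTime 0
FcgidMaxRequestsPerProcess 0
FcgidMinProcessesPerClass 0
FcgidMaxProcesses 50
FcgidFixPathinfo 0
FcgidZombieScanInterval 20
FcgidMaxRequestLen 536870912
FcgidIOTimeout 120
<Files ~ "\.php$">
Options Indexes FollowSymLinks ExecCGI
AddHandler fcgid-script .php
FcgidWrapper "d:/winids/php/php-cgi.exe" .php
</Files>
</IfModule>
'''

# Directives whose first argument names the thing being set; repeating them
# with different first arguments is normal, not a duplicate.
KEYED_BY_FIRST_ARG = {'fcgidinitialenv', 'loadmodule', 'loadfile', 'addhandler', 'define'}


def parse_directives(text):
    """Return [(container_path, directive, args)] for every non-container line,
    where container_path is '' at top level, 'IfModule', 'IfModule/Files', ..."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('</'):
            stack.pop()                                  # closing tag
        elif line.startswith('<'):
            stack.append(line[1:-1].split()[0])          # opening tag, e.g. <Files ~ "...">
        else:
            name, _, args = line.partition(' ')
            out.append(('/'.join(stack), name, args.strip()))
    return out


def directive_key(name, args):
    """Case-insensitive key; per-name directives include their first argument."""
    key = name.lower()
    if key in KEYED_BY_FIRST_ARG and args:
        key += ' ' + args.split()[0].lower()
    return key


def duplicate_directives(text):
    """{(container, key): [value, ...]} for every directive set more than once in one container."""
    seen = {}
    for container, name, args in parse_directives(text):
        seen.setdefault((container, directive_key(name, args)), []).append(args)
    return {k: v for k, v in seen.items() if len(v) > 1}


def effective_value(text, directive, container=''):
    """The value Apache ends up with: within one container the last occurrence wins."""
    values = [a for c, n, a in parse_directives(text)
              if c == container and n.lower() == directive.lower()]
    return values[-1] if values else None


if __name__ == '__main__':
    for (container, key), values in duplicate_directives(FCGID_BLOCK).items():
        print(f"{container or '(top level)'}: {key} set {len(values)} times {values}, "
              f"effective = {values[-1]}")
```

Run against the block it prints the two duplicates with their effective values; if the shorter timeout or the smaller process cap was the intended one, delete the later line rather than the earlier one.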
The 'User Alert Security' dialog box may appear requesting permission to allow the 'Apache HTTP Server' to communicate with the private internal network; left-click 'Allow access'.

You should see the following as a confirmation that the Apache service has been successfully installed, and the Apache configuration file has been tested.

Installing the Apache2.4 service
The Apache2.4 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.

Do not proceed until the Apache2.4 service has been successfully installed, and all errors reported above have been corrected.

At the CMD prompt type 'net start apache2.4' (less the outside quotes), and tap the 'Enter' key.

Testing Apache2, and the PHP installation

At the CMD prompt type 'copy d:\temp\test.php d:\winids\apache24\htdocs\base' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.

Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Note: There is a possibility Edge may require additional privileges to open, and Internet Explorer should be used if this happens.

Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

Do not proceed until all the above paths are correct!

eXit the web-browser.

At the CMD prompt type 'del d:\winids\apache24\htdocs\base\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
    1  00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.
The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will install Snort into the Windows Services Database.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
\HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring the PostgreSQL Database Server

At the CMD prompt type 'd:\winids\postgresql\bin\psql -U postgres' (less the outside quotes), and tap the 'Enter' key.
At the 'Password for user postgres:' prompt type 'd1ngd0ng' (less the outside quotes), and tap the 'Enter' key. Key presses will not echo the characters!

Creating the Windows Intrusion Detection System Databases

At the 'postgres=#' prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key.
At the 'postgres=#' prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Authenticated Users

At the 'postgres=#' prompt type 'create user snort with password 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.
At the 'postgres=#' prompt type 'create user base with password 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.
Creating the Windows Intrusion Detection System Database Tables

At the 'postgres=#' prompt type '\connect archive;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/apache24/htdocs/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type '\i d:/winids/apache24/htdocs/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type '\connect snort;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/apache24/htdocs/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\i d:/winids/apache24/htdocs/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN SCHEMA public TO snort;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO snort;' (less the outside quotes), and tap the 'Enter' key.
At the 'snort=#' prompt type '\q' (less the outside quotes), and tap the 'Enter' key.

Confirming PostgreSQL and Snort are operational

At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes), and tap the 'Enter' key.

A 'Windows Security Alert' warning dialog box may appear stating 'Windows firewall may have blocked some features of this program'; left-click 'Cancel'.

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts. In the bottom left, click and check 'Show processes from all users', left-click the 'Processes' tab, and in the 'Image name' category 'snort.exe' and several instances of 'postgres.exe' should be listed as processes.

Do not proceed until the processes above are running!

eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\apache24\htdocs\base\base_conf.php.dist d:\winids\apache24\htdocs\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'rename d:\temp\opensource.gz opensource.tar.gz' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\apache24\htdocs\base\signatures' (less the outside quotes), and tap the 'Enter' key. The above command may take a few minutes to complete as it is moving twenty thousand plus files.

At the CMD prompt type 'notepad2 d:\winids\apache24\htdocs\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
$BASE_urlpath = '';
Change to:
$BASE_urlpath = 'http://winids';

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'postgres';

Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$use_referential_integrity = 0;
Change to:
$use_referential_integrity = 1;

Original Line(s):
$show_rows = 48;
Change to:
$show_rows = 90;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Original Line(s):
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to:
$priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s):
//$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to:
$Geo_IPfree_file_ascii = "d:\winids\apache24\htdocs\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Installing The PHP Extension and Application Repository (PEAR)
At the CMD prompt type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.
At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.
At the next prompt tap the 'Enter' key.
At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console
At the CMD prompt type 'unzip -oqq d:\temp\graphing.zip -d d:\winids\php\tmp' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Auth_SASL-1.1.0.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Auth_SASL-1.1.0', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Math_BigInteger-1.0.3.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Math_BigInteger-1.0.3', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_Socket-1.2.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Net_Socket-1.2.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_SMTP-1.8.1.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Net_SMTP-1.8.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail-1.4.1.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Mail-1.4.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail_Mime-1.10.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Mail_Mime-1.10.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Words-0.18.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Numbers_Words-0.18.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Roman-1.0.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Numbers_Roman-1.0.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Color-1.0.4.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Image_Color-1.0.4', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Canvas-0.3.5.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Image_Canvas-0.3.5', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Graph-0.8.0.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Image_Graph-0.8.0', and return to the CMD prompt.
At the CMD prompt type 'pear list -a' (less the outside quotes), and tap the 'Enter' key.
The above command line will list all the installed PEAR packages that are required for the graphing capabilities of BASE, the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE          VERSION STATE
Archive_Tar      1.4.3   stable
Auth_SASL        1.1.0   stable
Console_Getopt   1.4.1   stable
Image_Canvas     0.3.5   alpha
Image_Color      1.0.4   stable
Image_Graph      0.8.0   alpha
Mail             1.4.1   stable
Mail_Mime        1.10.2  stable
Math_BigInteger  1.0.3   stable
Net_SMTP         1.8.1   stable
Net_Socket       1.2.2   stable
Numbers_Roman    1.0.2   stable
Numbers_Words    0.18.2  beta
PEAR             1.10.5  stable
Structures_Graph 1.1.1   stable
XML_Util         1.4.2   stable

Do not proceed until all the highlighted PEAR packages above have been successfully installed.
At the CMD prompt type 'copy d:\winids\apache24\htdocs\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key.
Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring Barnyard2
At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
# output database: alert, postgresql, user=snort dbname=snort
Change to:
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file
At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.
This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.
If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login
At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.
The 'auto-barnyard.reg' file contains the run line for Barnyard2.
The Registry Editor selection box opens and asks 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.
At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.
When the system is rebooted, Barnyard2 will be running in a minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console
Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.
After the reboot it could take several minutes for events to start populating into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion
I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have.
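The two hand-edited files above, base_conf.php and barnyard2.conf, are where most broken installs come from: a variable left at its shipped default, a map file path that does not exist, or the tutorial's sample passwords ('an@l1st', 'l0gg3r') still in place long after the install. The following is an added example, not part of the tutorial or of the BASE/Barnyard2 projects, that reads both files as plain text and reports those conditions. The sample file contents are constructed from the edits shown above; the check for file paths accepts an `exists` callable so it can be exercised without the d:\winids tree present.

```python
"""Added sanity check for the WinIDS base_conf.php and barnyard2.conf edits."""
import os
import re

# Values that mean a base_conf.php variable was never edited (taken from the
# shipped defaults quoted in the tutorial).
BASE_UNSET = {"BASE_urlpath": "", "DBlib_path": "", "DBtype": "?????"}
# Passwords published in the tutorial itself; anything still using one of
# these after the install is a known credential, not a secret.
SAMPLE_SECRETS = {"an@l1st", "l0gg3r", "mypassword"}
# BASE names the driver 'postgres'/'mysql'; Barnyard2 names it 'postgresql'/'mysql'.
DRIVER_MAP = {"postgres": "postgresql", "mysql": "mysql"}

PHP_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;")


def parse_base_conf(text):
    """Return {variable: value} for every quoted assignment; '//' lines are skipped."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = PHP_ASSIGN.match(line)
        if m:
            out[m.group(1)] = m.group(3)
    return out


def parse_barnyard2_output(text):
    """Parse the active 'output database:' directive into a dict, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("output database:"):
            continue
        parts = [p.strip() for p in line[len("output database:"):].split(",")]
        if len(parts) < 3:
            raise ValueError("malformed output database line: " + line)
        info = {"mode": parts[0], "driver": parts[1]}
        for kv in parts[2].split():
            key, _, val = kv.partition("=")
            info[key] = val
        return info
    return None


def parse_barnyard2_files(text):
    """Return {config_name: path} for the *_file directives Barnyard2 will open."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*config\s+(\w+_file)\s*:\s*(\S+)", text, re.M)}


def check_winids_config(base_text, by2_text, exists=os.path.exists):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    base = parse_base_conf(base_text)
    for var, unset in BASE_UNSET.items():
        if base.get(var, unset) == unset:
            findings.append(f"base_conf.php: ${var} is still at its shipped default")
    for var in ("alert_password", "archive_password"):
        if base.get(var) in SAMPLE_SECRETS:
            findings.append(f"base_conf.php: ${var} is one of the tutorial's sample passwords")

    out = parse_barnyard2_output(by2_text)
    if out is None:
        findings.append("barnyard2.conf: no active 'output database:' line")
    else:
        if out.get("password") in SAMPLE_SECRETS:
            findings.append("barnyard2.conf: output database password is a tutorial sample password")
        if DRIVER_MAP.get(base.get("DBtype")) not in (None, out["driver"]):
            findings.append(f"driver mismatch: BASE uses {base['DBtype']}, Barnyard2 uses {out['driver']}")
    for name, path in parse_barnyard2_files(by2_text).items():
        if not exists(path):
            findings.append(f"barnyard2.conf: {name} points at missing file {path}")
    return findings


# Constructed samples mirroring the tutorial's edits (not real files from a sensor).
BASE_CONF_SAMPLE = r"""
$BASE_urlpath = 'http://winids';
$DBlib_path = 'd:\winids\adodb5';
$DBtype = 'postgres';
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_user = 'base';
$archive_password = 'an@l1st';
//$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
$Geo_IPfree_file_ascii = "d:\winids\apache24\htdocs\base\ips-ascii.txt";
"""

BARNYARD2_SAMPLE = r"""
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map
config event_cache_size: 32768
# output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home
"""

if __name__ == "__main__":
    for f in check_winids_config(BASE_CONF_SAMPLE, BARNYARD2_SAMPLE, exists=lambda p: True):
        print("WARNING:", f)
```

Run against the real files by reading d:\winids\apache24\htdocs\base\base_conf.php and d:\winids\barnyard2\etc\barnyard2.conf into the two arguments and leaving `exists` at its default. On the tutorial's sample values the only findings are the three sample-password hits, which is exactly the item the post-installation list calls "changing the default database user access".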
The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.
At this point you are done with this tutorial, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console.
I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:
Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Security Issues
Let's review what has happened so far:
All support programs, including 'Apache2', have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents
Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
This tutorial will show how to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).
How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components
How to update the Snort Intrusion Detection Engine
This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.
How to update the Rules, Signatures, and sig-msg.map file
This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.

Debugging Installation errors
Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues
For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback
I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
  18. How to Install a Windows Intrusion Detection System (WinIDS) Running Apache2, and logging events to a local MySQL Database
Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE
Written by: Michael E. Steele

Introduction
During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment. Yet, none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating, these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment. These tutorials give all the basic instructions on how to create a complete and functioning stand-alone Windows Intrusion Detection System (WinIDS). This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.
These tutorials are the basics of what is needed, and the starting point for installing any functioning Windows Intrusion Detection System (WinIDS). Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up.
If there are any doubts which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation.

Copyright Notice
This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk.
Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help
All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support.
If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment
Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.
Windows 7 Professional
Windows 8.x Professional
Windows 10 Professional
Windows Server 2008 R2 Standard Edition
Windows Server 2012 R2 Standard Edition
Windows Server 2016 Standard Edition
Windows Server 2019 Standard Edition
All the operating systems listed above have been tested using both the 32bit and 64bit architecture for this tutorial. However, any other Windows operating system under the same framework as those listed above will most likely work.
Major support programs used in this install
Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a MySQL database.
Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork.
MySQL-driven database stores processed events from Barnyard2 for analysis.
Apache2 will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial
A fresh install of any 32/64bit version of Windows listed above will do. All available Service Packs and updates MUST be applied from the Microsoft Download Center.
For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack
It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Depending on the processor's architecture, download the appropriate support file below!
32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.
64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

Downloading additional, and required support files for all supported Windows operating systems
It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.
npcap-0.996: Download and save the file to the d:\temp folder.
In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.
Snort 2_9_15: Download and save the file to the d:\temp folder.
The next download requires the installer to be a registered user on the snort.org website, and logged in. Navigate to the snort.org website and either login or create a new account. While still being logged into the snort.org web site return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.
Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or login. While still being logged into the snort.org website return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.
snortrules-snapshot-29150: Download and save the file to the d:\temp folder.
Rule Documentation (opensource.gz): Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating System's Hardware Architecture
There are several additional files listed under two groups below. Download only, and all, the files listed under the appropriate processor's architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.
32bit Windows All: Required additional downloads for the 32bit architecture install!
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.
Apache2 2.4.41 (VS16): Download and save the file to the d:\temp folder.
Apache2 FastCGI module 2.3.10 (VS16): Download and save the file to the d:\temp folder.
MySQL Database 8.0.17.0: Download and save the file to the d:\temp folder.
PHP 5.6.40 TS (VC11): Download and save the file to the d:\temp folder.
64bit Windows All: Required additional downloads for the 64bit architecture install!
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.
Apache2 2.4.41 (VS16): Download and save the file to the d:\temp folder.
Apache2 FastCGI module 2.3.10 (VS16): Download and save the file to the d:\temp folder.
MySQL Database 8.0.17.0: Download and save the file to the d:\temp folder.
PHP 5.6.40 TS (VC11): Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes
It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.
Note: The user installing this tutorial MUST be a member of the Administrators group.
Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.
Instructions on starting a command prompt as an Administrator: In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
Windows 8.x / 10 / 2012 R2 SE / 2016 SE: The original Windows install media (DVD/USB/ISO) is now required to be inserted or mounted.
Windows 8.x / 10 / 2012 R2 SE / 2016 SE: Open a CMD window with Administrator privileges and type 'dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs' (less the outside quotes), and tap the 'Enter' key. The correct source drive letter where the Windows install media is located must be inserted into the 'x' position above.
The following is a confirmation that the '.NET Framework 3.5 Features' were installed successfully.

Deployment Image Servicing and Management tool
Version: (redacted)
Image Version: (redacted)
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.

Do not proceed until 'The operation completed successfully.', and the original Windows install media has been removed, or unmounted.
Windows All: Open a CMD window with Administrator privileges if one is not opened and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.
The modder.vbs file performs several tasks:
Installs Microsoft Visual C++ 2012/2013/2017
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Installs the DejaVuSans font for BASE graphing
Inserts 'winids' hostname into hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
Sets 'Show File Extensions' as on in registry
Reboots system
After the reboot it is strongly advised that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this tutorial.

Installing the Windows Intrusion Detection System (WinIDS)

Installing Npcap
Open a CMD window with Administrator privileges and type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'.
The 'Installation Options' window opens, uncheck everything, and then check 'Install Npcap in WinPcap API-compatible Mode', left-click 'Install'.
The 'Installing' window opens, allow the install to complete.
The 'Installation Complete' window opens, left-click 'Next'.
The 'Finished' window opens, left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine
At the CMD prompt type 'd:\temp\Snort_2_9_15_Installer.exe' (less the outside quotes), and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'.
The 'Choose Components' window opens, left-click 'Next'.
The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing the install to complete.
The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.
The following is a partial example of what might be listed as valid Network Interface Cards.

Index    Physical Address    IP Address
-----    ----------------    ----------
    1    00:0C:29:25:B4:96   0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key.
The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.
Open any web-browser and generate some traffic.
There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Note: If no traffic is passing through the CMD window, try another 'Index' number.
After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.
Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set
At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29150.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl
Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.
The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'.
The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'.
The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'.
The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.
The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'.
The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'.
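As an aside to the traffic test above: the 'snort -W' table and the 'snort -v' packet headers are plain text, and when a sensor has several NICs it helps to pick the '-ix' index programmatically and to summarise what the verbose run actually saw rather than eyeballing a scrolling window. The following is an added example, not code from the tutorial or from the Snort project, that parses both outputs. The sample text is constructed: the interface row and the TCP record are the ones quoted above, and a second NIC row and a UDP record are made up so the summary has something to aggregate.

```python
"""Added parsers for the 'snort -W' interface table and 'snort -v' packet headers."""
import re
from collections import Counter

# Constructed sample of 'snort -W' output, modelled on the table quoted above
# (row 2 is invented to show selection among several NICs).
SNORT_W_SAMPLE = """\
Index    Physical Address    IP Address
-----    ----------------    ----------
    1    00:0C:29:25:B4:96   0000:0000:fe80:0000:0000:0000:ad63:31cf
    2    00:0C:29:25:B4:A0   0000:0000:fe80:0000:0000:0000:1b2c:3d4e
"""

# Constructed sample of 'snort -v' output: the TCP record quoted above plus a
# made-up UDP (DNS) record.
SNORT_V_SAMPLE = """\
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/08-12:12:32.201174 10.0.0.29:53122 -> 10.0.0.1:53
UDP TTL:128 TOS:0x0 ID:1587 IpLen:20 DgmLen:61
Len: 33
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# First line of a record: timestamp, src[:port] -> dst[:port] (ports absent for ICMP).
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_interfaces(text):
    """Turn the 'snort -W' table into [{'index': 1, 'mac': ..., 'ip': ...}, ...]."""
    nics = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and MAC_RE.match(parts[1]):
            nics.append({"index": int(parts[0]), "mac": parts[1], "ip": parts[2]})
    return nics


def interface_switch(nics, mac):
    """Return the '-ix' switch for the NIC with the given MAC address, or None."""
    for nic in nics:
        if nic["mac"].lower() == mac.lower():
            return f"-i{nic['index']}"
    return None


def _parse_record(lines):
    """Parse one packet record (the lines between two =+=+ separators)."""
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("unrecognised packet header: " + lines[0])
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
           "sport": int(m["sport"]) if m["sport"] else None,
           "dport": int(m["dport"]) if m["dport"] else None}
    if len(lines) > 1:                      # e.g. TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
        tokens = lines[1].split()
        rec["proto"], rec["ip_flags"] = tokens[0], []
        for tok in tokens[1:]:
            key, sep, val = tok.partition(":")
            if sep:
                rec[key.lower()] = int(val, 0)  # base 0 handles both 128 and 0x0
            else:
                rec["ip_flags"].append(tok)     # bare tokens such as DF / MF
    if len(lines) > 2:                      # transport line: TCP flags + Seq/Ack/Win, or UDP Len
        body = lines[2]
        if rec.get("proto") == "TCP":
            rec["flags"], body = body.split(None, 1)
        for key, val in re.findall(r"(\w+):\s*(\S+)", body):
            rec[key.lower()] = val
    return rec


def parse_packets(text):
    """Split verbose output on the =+=+ separator lines and parse each record."""
    records, block = [], []
    for line in text.splitlines():
        if line.startswith("=+="):
            if block:
                records.append(_parse_record(block))
            block = []
        elif line.strip():
            block.append(line.strip())
    if block:
        records.append(_parse_record(block))
    return records


def summarize(records):
    """Count packets per protocol and per 'src -> dst:dport' flow."""
    protos = Counter(r.get("proto") for r in records)
    flows = Counter(f"{r['src']} -> {r['dst']}:{r['dport']}" for r in records)
    return {"protocols": dict(protos), "flows": dict(flows)}


if __name__ == "__main__":
    nics = parse_interfaces(SNORT_W_SAMPLE)
    print("monitor switch:", interface_switch(nics, "00:0C:29:25:B4:96"))
    print(summarize(parse_packets(SNORT_V_SAMPLE)))
```

To use it on a live sensor, redirect the output of 'snort -W' or a short 'snort -v -ix' run to a file and pass the file contents to parse_interfaces or parse_packets. Selecting the NIC by MAC address rather than by index is deliberate: the index Snort assigns can change when adapters are added or drivers updated, while the MAC stays put.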
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing the Apache2 Web-Server
Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: Open a CMD window with Administrator privileges and type 'unzip -oqq d:\temp\httpd-2.4.41-win32-VS16.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: Open a CMD window with Administrator privileges and type 'unzip -oqq d:\temp\httpd-2.4.41-win64-VS16.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing the FastCGI ASF support module for Apache2
Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -joqq d:\temp\mod_fcgid-2.3.10-win32-VS16.zip "mod_fcgid-2.3.10\*.so" -d d:\winids\Apache24\modules' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'unzip -joqq d:\temp\mod_fcgid-2.3.10-win64-VS16.zip "mod_fcgid-2.3.10\*.so" -d d:\winids\Apache24\modules' (less the outside quotes), and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console
At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\apache24\htdocs\base' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2
Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Installing the MySQL Database Server
At the CMD prompt type 'd:\temp\mysql-installer-community-8.0.17.0.msi' (less the outside quotes), and tap the 'Enter' key.
The MySQL installer 'License Agreement' window opens. Left-click checking the 'I accept the license terms' radio box, and left-click 'Next'.
The MySQL installer 'Choosing a Setup Type' window opens. Left-click selecting the 'Custom' radio button, and left-click 'Next'.
The MySQL installer 'Select Products and Features' window opens. Under 'Available Products:' left-click expanding 'MySQL Servers', left-click expanding 'MySQL Server', and left-click expanding 'MySQL Servers 8.'.
Depending on the processor's architecture, make the appropriate selection below!
32bit Windows All: Left-click highlighting 'MySQL Server 8.0.xx - X86'.
64bit Windows All: Left-click highlighting 'MySQL Server 8.0.xx - X64'.
Left-click the arrow pointing to the right, moving the 'MySql Server 8.0.xx - Xxx' to the 'Products/Features To Be Installed:' section.
Under 'Products/Features To Be Installed:' left-click highlighting 'MySql Server 8.0.xx - Xxx'.
Just above the 'Cancel' button left-click 'Advanced Options', and the 'Advanced Options for MySQL Server 8.0.xx' opens.
In the 'Install Directory:' dialog box type 'd:\winids\mysql' (less the outside quotes).
In the 'Data Directory:' dialog box type 'd:\winids\mysql' (less the outside quotes), left-click 'OK', and left-click 'Next'.
The MySQL installer 'Installation' window opens. Left-click 'Execute' allowing the MySQL server to 'Complete' the install, and left-click 'Next'.
The MySQL installer 'Product Configuration' window opens, and left-click 'Next'.
The MySQL installer 'Group Replication' window opens. Verify the radio button to the left of 'Standalone MySQL Server / Classic MySQL Replication' is selected, and left-click 'Next'.
The MySQL installer 'Type and Networking' window opens. Under 'Server Configuration Type', to the left of the 'Config Type:' selection box left-click the down arrow, left-click selecting 'Server Computer' ('Server Computer' should now populate the 'Config Type:' selection box), and left-click 'Next'.
The MySQL installer 'Authentication Method' window opens. To the left of 'Use Legacy Authentication Method...' left-click the radio button, and left-click 'Next'.
The MySQL installer 'Accounts and Roles' window opens. In the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), and left-click 'Next'.
The MySQL installer 'Windows Service' window opens. In the 'Windows Service Name:' dialog box type 'MySQL' (less the outside quotes), and left-click 'Next'.
The MySQL installer 'Plugins and Extensions' window opens, and left-click 'Next'.
The MySQL installer 'Apply Configuration' window opens. Left-click 'Execute' allowing the configuration for MySQL Server to succeed, and left-click 'Finish'.
The MySQL installer 'Product Configuration' window opens. Left-click 'Next'.
The MySQL installer 'Installation Complete' window opens. Left-click 'Finish' to complete the MySQL Database installation.
At the CMD prompt type 'copy d:\winids\mysql\lib\libmysql.dll c:\windows\system32' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the command prompt.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb-5.20.14.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing PHP

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-Win32-VC11-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-Win32-VC11-x64.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the Rule MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database. Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid. Without the 'sid-msg.map' being read by barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Also, updating the rules without updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254.
It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.

Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.
The following is a partial example of what might be listed as valid Network Interface Cards.

Index   Physical Address    IP Address
-----   ----------------    ----------
    1   00:0C:29:25:B4:96   0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to:
; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s):
; extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;extension=php_gd2.dll
Change to:
extension=php_gd2.dll

Original Line(s):
; extension=php_mysql.dll
Change to:
extension=php_mysql.dll

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting where the Windows Intrusion Detection System will be located is essential. Check out the PHP website for the List of Supported Timezones.

Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring the Apache2 Web-Server

At the CMD prompt type 'notepad2 d:\winids\apache24\conf\httpd.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
Define SRVROOT "c:/Apache24"
Change to:
Define SRVROOT "d:\winids\apache24"

Original Line(s):
Listen 80
Change to:
Listen winids:80

Just below the line '#LoadModule xml2enc_module modules/mod_xml2enc.so', add the next line.
LoadModule fcgid_module modules/mod_fcgid.so

Original Line(s):
#ServerName www.example.com:80
Change to:
ServerName winids:80

Original Line(s):
DocumentRoot "${SRVROOT}/htdocs"
Change to:
DocumentRoot "${SRVROOT}\htdocs\base"

Original Line(s):
<Directory "${SRVROOT}/htdocs">
Change to:
<Directory "${SRVROOT}\htdocs\base">

Original Line(s):
Options Indexes FollowSymLinks
Change to:
Options -Indexes

Original Line(s):
DirectoryIndex index.html
Change to:
DirectoryIndex base_main.php

Scroll all the way to the bottom of the file and insert the next 26 lines of code:

<IfModule fcgid_module>
FcgidInitialEnv PHPRC "d:\winids\php"
FcgidInitialEnv PATH "d:\winids\php;c:\Windows\system32;c:\Windows;c:\Windows\System32\Wbem;"
FcgidInitialEnv SystemRoot "c:\Windows"
FcgidInitialEnv SystemDrive "c:"
FcgidInitialEnv TEMP "c:\Windows\Temp"
FcgidInitialEnv TMP "c:\Windows\Temp"
FcgidInitialEnv windir "c:\Windows"
FcgidIOTimeout 40
FcgidConnectTimeout 10
FcgidMaxProcesses 8
FcgidOutputBufferSize 64
ProcessLifeTime 0
FcgidMaxRequestsPerProcess 0
FcgidMinProcessesPerClass 0
FcgidMaxProcesses 50
FcgidFixPathinfo 0
FcgidZombieScanInterval 20
FcgidMaxRequestLen 536870912
FcgidIOTimeout 120
<Files ~ "\.php$">
Options Indexes FollowSymLinks ExecCGI
AddHandler fcgid-script .php
FcgidWrapper "d:/winids/php/php-cgi.exe" .php
</Files>
</IfModule>

Save the file, and eXit Notepad2.

Adding Apache2 to the Windows Services Database

At the CMD prompt type 'd:\winids\apache24\bin\httpd.exe -k install' (less the outside quotes), and tap the 'Enter' key.
The 'User Alert Security' dialog box may appear requesting permission to allow the 'Apache HTTP Server' to communicate with the private internal network; left-click 'Allow access'.
You should see the following as a confirmation that the Apache service has been successfully installed, and the Apache configuration file has been tested.

Installing the Apache2.4 service
The Apache2.4 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.

Do not proceed until the Apache2.4 service has been successfully installed, and all errors reported above have been corrected.

At the CMD prompt type 'net start apache2.4' (less the outside quotes), and tap the 'Enter' key.

Testing Apache2, and the PHP installation

At the CMD prompt type 'copy d:\temp\test.php d:\winids\apache24\htdocs\base' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Note: There is a possibility Edge may require additional privileges to open, and Internet Explorer should be used if this happens.

Several sections of information concerning the status and install of PHP should be displayed.
In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

Do not proceed until all the above paths are correct!

eXit the web-browser.
At the CMD prompt type 'del d:\winids\apache24\htdocs\base\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index   Physical Address    IP Address
-----   ----------------    ----------
    1   00:0C:29:25:B4:96   0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will install Snort into the Windows Services Database. The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring the MySQL Database Server

Open a CMD window and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes), and tap the 'Enter' key.
Use the Find option to locate the line '[mysqld]' (less the outside quotes), and just below it add the next two lines.

character-set-server=utf8
bind-address=127.0.0.1

Save the file, and eXit Notepad2.

Creating the Windows Intrusion Detection System Databases

At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes), and tap the 'Enter' key. You will be dropped into the MySQL administration console CMD prompt.
At the mysql CMD prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'show databases;' (less the outside quotes), and tap the 'Enter' key. There should be several databases listed: 'information_schema', 'archive', 'mysql', and 'snort'.

Creating the Windows Intrusion Detection System Database Tables

At the mysql CMD prompt type 'connect snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: snort' and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\apache24\htdocs\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'connect archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: archive' and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\apache24\htdocs\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

Creating the Windows Intrusion Detection System Database Access, and Authenticated Users

At the mysql CMD prompt type 'CREATE USER 'snort' IDENTIFIED BY 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE ON snort.* TO 'snort';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'CREATE USER 'base' IDENTIFIED BY 'an@l1st';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE,DELETE,CREATE ON snort.* TO 'base';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE,DELETE,CREATE ON archive.* TO 'base';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and tap the 'Enter' key.
At the mysql CMD prompt type 'select user from user;' (less the outside quotes), and tap the 'Enter' key. There should be several users listed, including base and snort.
At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.

Confirming MySQL and Snort are operational

At the CMD prompt type 'net stop mysql & net start mysql' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.
The 'Windows Task Manager' starts; in the bottom left-click and check 'Show processes from all users', left-click the 'Processes' tab, and in the 'Image name' category 'snort.exe' and 'mysqld.exe' should be listed as processes.

Do not proceed until the processes above are running!

eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\apache24\htdocs\base\base_conf.php.dist d:\winids\apache24\htdocs\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'rename d:\temp\opensource.gz opensource.tar.gz' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\apache24\htdocs\base\signatures' (less the outside quotes), and tap the 'Enter' key. The above command may take a few minutes to complete as it's moving twenty thousand plus files.
At the CMD prompt type 'notepad2 d:\winids\apache24\htdocs\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
$BASE_urlpath = '';
Change to:
$BASE_urlpath = 'http://winids';

Original Line(s):
$DBlib_path = '';
Change to:
$DBlib_path = 'd:\winids\adodb5';

Original Line(s):
$DBtype = '?????';
Change to:
$DBtype = 'mysql';

Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists = 0; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'archive';
$archive_host = 'winids';
$archive_port = '';
$archive_user = 'base';
$archive_password = 'an@l1st';

Original Line(s):
$show_rows = 48;
Change to:
$show_rows = 90;

Original Line(s):
$show_expanded_query = 0;
Change to:
$show_expanded_query = 1;

Original Line(s):
$portscan_file = '';
Change to:
$portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s):
$colored_alerts = 0;
Change to:
$colored_alerts = 1;

Original Line(s):
$priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to:
$priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s):
//$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to:
$Geo_IPfree_file_ascii = "d:\winids\apache24\htdocs\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Installing The PHP Extension and Application Repository (PEAR)

At the CMD prompt type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.
At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.
At the next prompt tap the 'Enter' key.
At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\graphing.zip -d d:\winids\php\tmp' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Auth_SASL-1.1.0.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Auth_SASL-1.1.0', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Math_BigInteger-1.0.3.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Math_BigInteger-1.0.3', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_Socket-1.2.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Net_Socket-1.2.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_SMTP-1.8.1.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Net_SMTP-1.8.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail-1.4.1.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Mail-1.4.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail_Mime-1.10.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Mail_Mime-1.10.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Words-0.18.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Numbers_Words-0.18.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Roman-1.0.2.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Numbers_Roman-1.0.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Color-1.0.4.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Color-1.0.4', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Canvas-0.3.5.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Canvas-0.3.5', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Graph-0.8.0.tgz' (less the outside quotes), and tap the 'Enter' key. Should display 'install ok: channel://pear.php.net/Image_Graph-0.8.0', and return to the CMD prompt.
At the CMD prompt type 'pear list -a' (less the outside quotes), and tap the 'Enter' key.
The above command line will list all the installed pear packages that are required for the graphing capabilities of BASE, the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE          VERSION STATE
Archive_Tar      1.4.3   stable
Auth_SASL        1.1.0   stable
Console_Getopt   1.4.1   stable
Image_Canvas     0.3.5   alpha
Image_Color      1.0.4   stable
Image_Graph      0.8.0   alpha
Mail             1.4.1   stable
Mail_Mime        1.10.2  stable
Math_BigInteger  1.0.3   stable
Net_SMTP         1.8.1   stable
Net_Socket       1.2.2   stable
Numbers_Roman    1.0.2   stable
Numbers_Words    0.18.2  beta
PEAR             1.10.5  stable
Structures_Graph 1.1.1   stable
XML_Util         1.4.2   stable

Do not proceed until all the highlighted PEAR packages above have been successfully installed.

At the CMD prompt type 'copy d:\winids\apache24\htdocs\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key. Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
#output database: log, mysql, user=root password=test dbname=db host=localhost
Change to:
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key. The 'auto-barnyard.reg' file contains the run line for Barnyard2.
The Registry Editor selection box opens and asks 'Are you sure you want to add...'; left-click 'Yes', and at the next input selection left-click 'OK'.
At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.
When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

After the reboot it could take several minutes for events to start populating into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have. The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.

At this point you are done with this tutorial, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console.

I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
Configure a system, such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures. Security Issues Lets review what has happens so far: All support programs, including 'Apache2' have been installed to a separate partition, which closed a multitude of security holes. The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally. Optional Companion Documents Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor. This tutorial will show how to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor. How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support This tutorial is a simple to understand, step-by-step tutorial for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support. How to build and deploy a passive Ethernet tap This tutorial will show how to build and deploy a passive Ethernet tap. Updating the Windows Intrusion Detection Systems (WinIDS) Major components How to update the Snort Intrusion Detection Engine This tutorial will show How to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine. 
How to update the Rules, Signatures, and sig-msg.map file This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file. Debugging Installation errors Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log. General tutorial issues For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial. Feedback I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE. Michael E. Steele | Microsoft Certified System Engineer (MCSE) Email Support: support@winsnort.com Snort: Open Source Network IDS - www.snort.org
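The 'Original Line(s) / Change to' edits in the tutorial above are applied by hand in Notepad2, and a line that was missed (or whose spacing differs from the stock file) only shows up later when by2-test or the Snort self-test rejects the configuration. The script below is an added example, not code from the tutorial or from winsnort.com: it applies such edits as blocks of consecutive lines, ignores alignment whitespace when matching, and reports every original block it could not find so that a silent no-op edit is never mistaken for success. The sample barnyard2.conf text is constructed for the demo; the three edits are the Barnyard2 ones listed above.

```python
"""Apply 'Original Line(s) -> Change to' edits to a config file and report
any original block that was not found.

Added example, not part of the WinIDS tutorial or the winsnort.com project.
SAMPLE_CONF is a constructed stand-in for the relevant stock barnyard2.conf
lines; TUTORIAL_EDITS are the Barnyard2 (MySQL output) edits the tutorial lists.
"""
from typing import Dict, List, Tuple

Edit = Tuple[str, str]  # (original block, replacement block); each may span lines


def _norm(line: str) -> str:
    # Collapse runs of whitespace so 'key:   value' matches 'key: value'.
    return " ".join(line.split())


def _block_lines(block: str) -> List[str]:
    # Split a block into normalised, non-blank lines.
    return [_norm(ln) for ln in block.strip("\n").splitlines() if ln.strip()]


def apply_edits(text: str, edits: List[Edit]) -> Tuple[str, List[str]]:
    """Replace each original block (matched as consecutive lines) with its
    replacement. Returns the new text plus the first line of every original
    block that could not be located."""
    lines = text.splitlines()
    missing: List[str] = []
    for original, replacement in edits:
        old, new = _block_lines(original), _block_lines(replacement)
        n = len(old)
        hit = next(
            (i for i in range(len(lines) - n + 1)
             if [_norm(ln) for ln in lines[i:i + n]] == old),
            None,
        )
        if hit is None:
            missing.append(old[0])
            continue
        lines[hit:hit + n] = new
    return "\n".join(lines) + "\n", missing


def active_settings(text: str) -> Dict[str, str]:
    """Collect the uncommented 'config key: value' and 'output ...' lines
    so the result of the edits can be checked before the file is used."""
    found: Dict[str, str] = {}
    for ln in text.splitlines():
        s = ln.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("config ") and ":" in s:
            key, _, value = s[len("config "):].partition(":")
            found[key.strip()] = value.strip()
        elif s.startswith("output "):
            found["output"] = s[len("output "):].strip()
    return found


# Constructed stand-in for the stock file: note the aligned values, which the
# normalised matching tolerates.
SAMPLE_CONF = """\
# Barnyard2 sample (constructed for this example)
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
# config event_cache_size: 4096
#output database: log, mysql, user=root password=test dbname=db host=localhost
"""

TUTORIAL_EDITS: List[Edit] = [
    ("""config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map""",
     r"""config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map"""),
    ("# config event_cache_size: 4096", "config event_cache_size: 32768"),
    ("#output database: log, mysql, user=root password=test dbname=db host=localhost",
     "output database: log, mysql, user=snort password=l0gg3r dbname=snort "
     "host=winids sensor_name=WinIDS-Home"),
]


def patch_sample() -> Tuple[Dict[str, str], List[str]]:
    """Apply the tutorial edits to the sample and return (settings, missing)."""
    patched, missing = apply_edits(SAMPLE_CONF, TUTORIAL_EDITS)
    return active_settings(patched), missing


if __name__ == "__main__":
    settings, missing = patch_sample()
    for key, value in settings.items():
        print(f"{key} = {value}")
    print("unmatched originals:", missing or "none")
```

Run it against a real file by reading d:\winids\barnyard2\etc\barnyard2.conf into `apply_edits` and refusing to write the result back when `missing` is non-empty; that turns the tutorial's "do not proceed until" rule into a check the script enforces before by2-test ever runs.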
19. How to Install a Windows Intrusion Detection System (WinIDS) Installing a Slave Sensor Logging to an existing Master PostgreSQL Sensor

Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE

Written by: Michael E. Steele

Get Community Support!

Introduction

During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment. Yet none of them specifically detailed setting this up in a Windows environment. I've been working on and updating these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment.

For this tutorial one of the two stand-alone Windows Intrusion Detection Systems (WinIDS) listed below MUST already be installed.

Installing an Apache2 Web Server logging events to a PostgreSQL Database
Installing an IIS Web Server logging events to a PostgreSQL Database

This tutorial gives all the basic instructions on how to create a functioning Windows Intrusion Detection System (WinIDS) SLAVE Sensor. It will also be converting an existing stand-alone Windows Intrusion Detection System (WinIDS) into a MASTER Windows Intrusion Detection System (WinIDS).

Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up. If there are any doubts about which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment for a SLAVE Sensor

Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.

Windows 7 Professional
Windows 8.x Professional
Windows 10 Professional
Windows Server 2008 R2 Standard Edition
Windows Server 2012 R2 Standard Edition
Windows Server 2016 Standard Edition
Windows Server 2019 Standard Edition

All the operating systems listed above have been tested using both the 32bit and 64bit architecture for this tutorial. However, any other Windows operating system listed above, under the same framework, will most likely work.

Major support programs used in this install

Npcap allows 3rd party applications such as Snort to capture and transmit network packets, bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a MASTER PostgreSQL database.
Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any 32/64bit Version of Windows listed above will do. All available Service Packs and updates MUST be applied from the Microsoft Download Center. For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

Prepping for the Windows Intrusion Detection System (WinIDS) SLAVE Sensor Tutorial

Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.

Depending on the processor's architecture, download the appropriate support file below!

32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

Downloading additional, and required, support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.

npcap-0.996: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.

Snort 2_9_15: Download and save the file to the d:\temp folder.

The next download requires the installer to be a registered user on the snort.org website, and logged in. Navigate to the snort.org website and either login or create a new account. While still logged into the snort.org web site, return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or login. While still logged into the snort.org website, return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

snortrules-snapshot-29150: Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating System's Hardware Architecture

There are several additional files listed under two groups below. Download only, and all, the files listed under the appropriate processor architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.

32bit Windows All: Required additional downloads for the 32bit architecture install!
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

64bit Windows All: Required additional downloads for the 64bit architecture install!
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.
Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Open a CMD window with Administrator privileges and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.

The modder.vbs file performs several tasks:

Installs Microsoft Visual C++ 2012/2013/2017
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Inserts 'winids' hostname into hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
Sets 'Show File Extensions' as on in registry
Reboots system

After the reboot it is strongly advised that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this tutorial.

Configuring remote access to the MASTER PostgreSQL Database server

For this section of the tutorial the installer MUST be logged into the existing MASTER Windows Intrusion Detection Server (WinIDS) sensor with Administrative privileges.

Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\postgresql\data\pg_hba.conf' (less the outside quotes), and tap the 'Enter' key.

Add Line(s):
host all all x.x.x.x/32 trust

In the above, replace the 'x.x.x.x' with the IP address of the SLAVE Sensor.

Save the file, and eXit Notepad2.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

Do not proceed until the Windows Intrusion Detection System (WinIDS) has completely restarted.

Verifying there is an open PostgreSQL port between the SLAVE and MASTER sensor

For the remaining tutorial the installer MUST be logged back into the SLAVE sensor with Administrative privileges. There MUST be an open PostgreSQL database listening port on the MASTER Sensor, and the SLAVE Sensor MUST be able to connect.

Open a CMD window with Administrator privileges and type 'd:\temp\portqry.exe -n x.x.x.x -e pppp' (less the outside quotes), and tap the 'Enter' key.

x.x.x.x is the MASTER PostgreSQL Database Server's IP address.
pppp is the MASTER PostgreSQL Database Server's listening port (default = 5432).

The following is a confirmation that the port is listening.

TCP port (redacted) (unknown service): LISTENING

Do not proceed until the port status shows LISTENING.

Installing the Windows Intrusion Detection System (WinIDS) SLAVE Sensor

Installing Npcap

At the CMD prompt type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Installation Options' window opens, uncheck everything, and then check 'Install Npcap in WinPcap API-compatible Mode', left-click 'Install'. The 'Installing' window opens, allow the install to complete. The 'Installation Complete' window opens, left-click 'Next'. The 'Finished' window opens, left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_15_Installer.exe' (less the outside quotes), and tap the 'Enter' key. The 'License Agreement' window opens, left-click 'I Agree'. The 'Choose Components' window opens, left-click 'Next'. The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing the install to complete. The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.

Open any web-browser and generate some traffic. There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Note: If no traffic is passing through the CMD window, try another 'Index' number.

After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29150.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'. The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'. The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'. The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'. The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'. The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.
64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the Rule MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database. Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid. Without the 'sid-msg.map' being read by barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
ipvar HOME_NET any

Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.

Original Line(s):
var RULE_PATH ../rules

Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules

Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules

Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules

Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules

Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \

Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used and/or available, it could take several minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will install Snort into the Windows Services Database.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096

Change to:
config event_cache_size: 32768

Original Line(s):
#output database: alert, postgresql, user=snort dbname=snort

Change to:
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=x.x.x.x port=yyyy sensor_name=WinIDS-Madrid

In 'user=snort', snort is the user name that will be used to access the MASTER PostgreSQL database.
In 'password=l0gg3r', l0gg3r is the password associated with the 'user=snort' that is accessing the MASTER Windows Intrusion Detection Systems (WinIDS) PostgreSQL database.
In 'dbname=snort', snort will be the name of the MASTER PostgreSQL database where all the events will be shuttled to.
In 'host=x.x.x.x', x.x.x.x will be the IP Address of the MASTER Windows Intrusion Detection System sensor.
In 'port=yyyy', yyyy will be the listening port of the MASTER PostgreSQL database server.
In 'sensor_name=WinIDS-Madrid', WinIDS-Madrid will be displayed in the Windows Intrusion Detection Security Console along with the alert generated from that particular SLAVE Sensor. WinIDS-Madrid is only an example. The SLAVE could be anywhere in the world, so make the appropriate change as needed. This is important because if there are several SLAVE sensors reporting to the same database, this is the only way to tell where the alert was generated from.

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key. This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to the database!

Adding Barnyard2 to the Windows Services Database

At the CMD prompt type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that 'srvany' was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the srvany service has been successfully added!

At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that Barnyard2 was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the Barnyard2 service has been successfully added!

At the CMD window type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.
The Registry Editor selection box opens and asks; 'Are you sure you want to continue?', left-click 'Yes', and at the next input selection left-click 'OK'. At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that the Barnyard2 auto-start service has been successfully activated. [SC] ChangeServiceConfig SUCCESS Do not proceed until the Barnyard2 auto-start service has been successfully activated. At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot. Verifying Barnyard2, and Snort is running as a process after rebooting It could take several minutes for the Barnyard2 process to display after rebooting as it is on a delayed start. After the reboot open a CMD window and type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key. The 'Windows Task Manager' starts, in the bottom left-click and check 'Show processes from all users' or left click 'More Details', left-click the 'Details' tab, in the 'Status' column 'Barnyard2.exe', and 'Snort.exe' should be listed as running. Do not proceed until both processes shows to be running! eXit the 'Task Manager'. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key. In Conclusion I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have. The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) SLAVE sensor using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence. At this point you are done with this tutorial. 
Events should be arriving at the MASTER Windows Intrusion Detection Systems PostgreSQL Database server, and the Windows Intrusion Detection Systems Security Console should be showing events as they arrive. Each event will reflect the unique sensor name from which the event originated.

I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (changing the default database accounts and passwords used in this tutorial, disabling unneeded services, etc.).
Configuring a system such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
This tutorial will show how to install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.

How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).

How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).

How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine
This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.

How to update the Rules, Signatures, and sid-msg.map file
This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sid-msg.map' file.

Debugging Installation errors

Check the Event Viewer, as most of the support programs write FATAL errors to the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
How to Install a Windows Intrusion Detection System (WinIDS)
Installing a Slave Sensor Logging to an existing Master MySQL Sensor
Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE
Written by: Michael E. Steele
Get Community Support!

Introduction

During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment. Yet none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating, these tutorials for the past 12-plus years, and managed to get through the complete process in the Windows environment.

For this tutorial one of the two stand-alone Windows Intrusion Detection Systems (WinIDS) listed below MUST already be installed.

Installing an Apache2 Web Server logging events to a MySQL Database
Installing an IIS Web Server logging events to a MySQL Database

This tutorial gives all the basic instructions on how to create a functioning Windows Intrusion Detection System (WinIDS) SLAVE Sensor. It will also convert an existing stand-alone Windows Intrusion Detection System (WinIDS) into a MASTER Windows Intrusion Detection System (WinIDS).

Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, which is where general help is available for problems during the initial tutorial set-up. If there are any doubts about which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.
Use the information in this document at your own risk. Michael Steele disavows any potential liability for this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as an endorsement.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one-on-one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment for a SLAVE Sensor

Microsoft's Windows operating systems are used exclusively for these tutorials. It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.

Windows 7 Professional
Windows 8.x Professional
Windows 10 Professional
Windows Server 2008 R2 Standard Edition
Windows Server 2012 R2 Standard Edition
Windows Server 2016 Standard Edition
Windows Server 2019 Standard Edition

All the operating systems listed above have been tested using both the 32bit and 64bit architectures for this tutorial. Other editions of the same Windows releases will most likely work as well.
Major support programs used in this install

Npcap allows 3rd-party applications such as Snort to capture and transmit network packets, bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) network data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, forwarding the events to the MASTER MySQL database.
Strawberry Perl is everything needed to run Perl scripts (.pl), and applications such as PulledPork.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any 32/64bit version of Windows listed above will do. All available Service Packs and updates MUST be applied from the Microsoft Download Center. For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB. Installed memory should be no less than 4GB (more is always better).

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path ('d:\winids') is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

Prepping for the Windows Intrusion Detection System (WinIDS) SLAVE Sensor Tutorial

Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Depending on the processor's architecture, download the appropriate support file below!

32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' check box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location. Open File Explorer and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' check box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

Downloading additional, and required, support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted. Where the vendor publishes a checksum for a download, compare it against the downloaded file before running the installer; these are executables that will run with Administrator privileges.

npcap-0.996: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing.
After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.

Snort 2_9_15: Download and save the file to the d:\temp folder.

The next download requires the installer to be a registered user on the snort.org website, and logged in. Navigate to the snort.org website and either log in or create a new account. While still logged into the snort.org website, return to the Windows Intrusion Detection Systems (WinIDS) tutorial and initiate the next download.

Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or log in. While still logged into the snort.org website, return to the Windows Intrusion Detection Systems (WinIDS) tutorial and initiate the next download.

snortrules-snapshot-29150: Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating System's hardware architecture

There are several additional files listed under the two groups below. Download all the files, and only the files, listed under the processor architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.

32bit Windows All: Required additional downloads for the 32bit architecture install!
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

64bit Windows All: Required additional downloads for the 64bit architecture install!
Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important that when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail. It is also important that when asked to 'Close a CMD window' it is done, or the install will fail.
Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator: In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Open a CMD window with Administrator privileges and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.

The modder.vbs file performs several tasks:

Installs Microsoft Visual C++ 2012/2013/2017
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Inserts the 'winids' hostname into the hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into the User ENV to suppress the CYGWIN warning message when starting Barnyard2
Sets 'Show File Extensions' on in the registry
Reboots the system

After the reboot it is strongly advised that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this tutorial. MBSA has been retired by Microsoft and does not support Windows 10 or Server 2016 and later; on those releases use the Microsoft Security Compliance Toolkit baselines instead.

Configuring remote access to the MASTER MySQL Database server

For this section of the tutorial the installer MUST be logged into the existing MASTER Windows Intrusion Detection System (WinIDS) sensor with Administrative privileges.

Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes), and tap the 'Enter' key.

Use Find to locate the line '[mysqld]' (less the outside quotes), and remove the line immediately below it:

bind-address=127.0.0.1

Removing bind-address makes mysqld listen on every interface of the MASTER, not only the one facing the SLAVE. Restrict inbound TCP 3306 on the MASTER with the Windows Firewall so that only the SLAVE sensor's IP address can reach it; the database account granted below is likewise bound to that address.

Save the file, and eXit Notepad2.

At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes), and tap the 'Enter' key.
You will be dropped into the MySQL administration console CMD prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort@x.x.x.x identified by "l0gg3r";' (less the outside quotes), and tap the 'Enter' key.

Make SURE the x.x.x.x reflects the IP address of the SLAVE sensor. The account is bound to that address, so a connection from any other host is refused even with the correct password. Note: the 'identified by' clause on GRANT is deprecated in MySQL 5.7 and removed in MySQL 8.0; on those versions first create the account with 'create user snort@x.x.x.x identified by "l0gg3r";' (less the outside quotes), then issue the same grant without the 'identified by' clause. Change the password shown here before the sensor goes into production.

At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

Do not proceed until the Windows Intrusion Detection System (WinIDS) has completely restarted.

Verifying there is an open MySQL port between the SLAVE and MASTER sensor

For the remainder of the tutorial the installer MUST be logged back into the SLAVE sensor with Administrative privileges. There MUST be an open MySQL database listening port on the MASTER Sensor, and the SLAVE Sensor MUST be able to connect.

Open a CMD window with Administrator privileges and type 'd:\temp\portqry.exe -n x.x.x.x -e pppp' (less the outside quotes), and tap the 'Enter' key.

x.x.x.x is the MASTER MySQL Database Server's IP address.
pppp is the MASTER MySQL Database Server's listening port (default = 3306).

The following is a confirmation that the port is listening.

TCP port (redacted) (unknown service): LISTENING

Do not proceed until the port status shows LISTENING.

Installing the Windows Intrusion Detection System (WinIDS) SLAVE Sensor

Installing Npcap

At the CMD prompt type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'.
The 'Installation Options' window opens, uncheck everything, then check 'Install Npcap in WinPcap API-compatible Mode', and left-click 'Install'.
The 'Installing' window opens, allow the install to complete.
The 'Installation Complete' window opens, left-click 'Next'.
The 'Finished' window opens, left-click 'Finish'.
Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_15_Installer.exe' (less the outside quotes), and tap the 'Enter' key.
The 'License Agreement' window opens, left-click 'I Agree'.
The 'Choose Components' window opens, left-click 'Next'.
The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), and left-click 'Next', allowing the install to complete.
The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that the Windows Intrusion Detection System (WinIDS) will monitor. The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' is the 'Index' number of the monitoring Network Interface Card.

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), replacing 'x' with the 'Index' number of the monitoring Network Interface Card, and tap the 'Enter' key.

This will start Snort in verbose mode, verifying there is network traffic on interface 'x'. Open any web-browser and generate some traffic.
There should now be multiple packets passing through the CMD window, and output similar to the following is a confirmation that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Note: If no traffic is passing through the CMD window, try another 'Index' number.

After verifying active network traffic, eXit the web-browser, activate the CMD window, and press 'CTRL/C' to stop the Snort process.

Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29150.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'.
The 'End-User License Agreement' window opens, left-click to check the 'I accept the terms...' check box, and left-click 'Next'.
The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'.
The 'Ready to install Strawberry Perl...' window opens, left-click 'Install'.
The 'Install Strawberry Perl...' window opens, allow the install to complete, and left-click 'Next'.
The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' check box, and left-click 'Finish'.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Open a new CMD window with Administrator privileges. A new window is needed so that the PATH entries added by the Strawberry Perl installer are picked up; a window opened before the install will not find 'perl'.

Installing Barnyard2

Depending on the processor's architecture, install the appropriate support file below!

32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file maps each rule's msg (the alert name) to the sid number assigned to the rule. This matters when Snort's output is in unified2 format and Barnyard2 reads that output for insertion into the database: the rule msg is not stored in the unified2 record, only the generator id and sid are, so Barnyard2 reads 'sid-msg.map' to write the correct event name into the database. Without 'sid-msg.map' being read by Barnyard2, the events in the database show up only as gid:sid (1:2133 for example). Likewise, updating the rules without regenerating 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), the CIDR of 24 makes the Windows Intrusion Detection System (WinIDS) treat the whole 192.168.1.0/24 block (hosts 192.168.1.1 - 192.168.1.254) as the protected network. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR; leaving HOME_NET as 'any' removes the distinction between internal and external hosts that most rules rely on.

Original Line(s):
var RULE_PATH ../rules
Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
decompress_swf { deflate lzma } \
Change to:
decompress_swf { deflate } \

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that the Windows Intrusion Detection System (WinIDS) will monitor. The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' is the 'Index' number of the monitoring Network Interface Card.

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), replacing 'x' with the 'Index' number of the monitoring Network Interface Card, and tap the 'Enter' key.

This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used and/or available it could take several minutes to run. If all the tests pass, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.
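The 'sid-msg.map' step above, and the gid:sid fallback it describes, worked through in code. This is an added example and not code from this tutorial, from create-sidmap.pl, or from Snort or Barnyard2: it pulls the sid, msg and reference fields out of constructed rule text the way create-sidmap.pl does, writes them in the 'sid || msg || ref' layout, then decodes a unified2 IDS event record (the 52-byte type 7 record, and the type 104 variant that appends mpls_label/vlanId fields, as laid out in Snort's README.unified2) and resolves it to a rule name, falling back to gid:sid exactly as the console shows an unmapped event. The rule lines, the event records and all function names are constructed for this example.

```python
"""Added example (not code from the WinIDS tutorial, Snort, Barnyard2 or
create-sidmap.pl): build a sid-msg.map from Snort rule text the way
create-sidmap.pl does, then resolve a unified2 IDS event record to its rule
message the way Barnyard2 does, falling back to gid:sid when the sid is not
in the map.  The rule text and the event records are constructed here."""
import re
import struct
from ipaddress import IPv4Address

# Constructed rule text standing in for the files in d:\winids\snort\rules
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example web probe"; content:"GET /probe"; reference:url,example.invalid/probe; classtype:web-application-attack; sid:1000001; rev:2;)
#alert tcp any any -> any any (msg:"Disabled rule"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"Example ICMP sweep"; itype:8; sid:1000003; rev:1;)
'''

# Only enabled rules get an entry; a leading '#' disables the rule
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s.*\(')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference:\s*([^;]+);')


def build_sid_msg_map(rule_text):
    """Return {sid: (msg, [reference, ...])} for every enabled rule."""
    entries = {}
    for line in rule_text.splitlines():
        if not RULE_RE.match(line):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if sid and msg:
            entries[int(sid.group(1))] = (msg.group(1), REF_RE.findall(line))
    return entries


def render_sid_msg_map(entries):
    """Serialise as 'sid || msg || ref || ref' lines (the v1 sid-msg.map layout)."""
    return '\n'.join(' || '.join([str(sid), msg] + refs)
                     for sid, (msg, refs) in sorted(entries.items())) + '\n'


# Unified2 records: an 8-byte header (type, length) followed by the record body,
# all fields big-endian.  Type 7 is the legacy 52-byte IPv4 IDS event; type 104
# is the same 52 bytes followed by mpls_label, vlanId and pad (60 bytes).
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104
EVENT_FMT = '!11I2H4B'   # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
VLAN_TAIL_FMT = '!IHH'   # mpls_label, vlanId, pad2


def parse_unified2_event(blob):
    """Parse one record; return a dict for IDS events, None for other types."""
    rtype, rlen = struct.unpack('!II', blob[:8])
    body = blob[8:8 + rlen]
    if rtype == UNIFIED2_IDS_EVENT and rlen == 52:
        vlan = None
    elif rtype == UNIFIED2_IDS_EVENT_VLAN and rlen == 60:
        vlan = struct.unpack(VLAN_TAIL_FMT, body[52:60])[1]
    else:
        return None
    f = struct.unpack(EVENT_FMT, body[:52])
    return {
        'sensor_id': f[0], 'event_id': f[1], 'event_second': f[2],
        'sid': f[4], 'gid': f[5], 'rev': f[6], 'priority': f[8],
        'src': str(IPv4Address(f[9])), 'dst': str(IPv4Address(f[10])),
        'sport': f[11], 'dport': f[12], 'proto': f[13], 'vlan': vlan,
    }


def event_name(event, entries):
    """The name the console shows: the rule msg if mapped, otherwise gid:sid."""
    if event['gid'] == 1 and event['sid'] in entries:
        return entries[event['sid']][0]
    return '%d:%d' % (event['gid'], event['sid'])


def make_event(gid, sid, rev, src, dst, sport, dport, proto=6, vlan=None):
    """Construct a unified2 IDS event record (constructed test data)."""
    body = struct.pack(EVENT_FMT, 0, 1, 1570536752, 131826, sid, gid, rev, 0, 2,
                       int(IPv4Address(src)), int(IPv4Address(dst)),
                       sport, dport, proto, 0, 0, 0)
    rtype = UNIFIED2_IDS_EVENT
    if vlan is not None:
        body += struct.pack(VLAN_TAIL_FMT, 0, vlan, 0)
        rtype = UNIFIED2_IDS_EVENT_VLAN
    return struct.pack('!II', rtype, len(body)) + body


if __name__ == '__main__':
    sidmap = build_sid_msg_map(SAMPLE_RULES)
    print(render_sid_msg_map(sidmap), end='')
    for rec in (make_event(1, 1000001, 2, '10.0.0.29', '65.55.121.241', 1068, 80),
                make_event(1, 2133, 1, '10.0.0.29', '10.0.0.1', 1, 2, vlan=10)):
        ev = parse_unified2_event(rec)
        print('%s:%d -> %s:%d  %s' % (ev['src'], ev['sport'], ev['dst'], ev['dport'],
                                     event_name(ev, sidmap)))
```

Run as a script it prints the generated map and two resolved events. The second event uses sid 2133, which is not in the constructed rules, so it comes back as '1:2133': that is what an out-of-date 'sid-msg.map' looks like in the security console, and why the map must be regenerated every time the rule set changes.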
Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that the Windows Intrusion Detection System (WinIDS) will monitor. The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' is the 'Index' number of the monitoring Network Interface Card.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), replacing 'x' with the 'Index' number of the monitoring Network Interface Card, and tap the 'Enter' key.

This will install Snort into the Windows Services Database. The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

Note that the 'Index' number is stored with the service; if network adapters are added or removed later, re-run 'snort -W' (less the outside quotes) and re-install the service with the new index, otherwise the service will monitor the wrong interface or fail to start.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
Change to:
config reference_file: d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file: d:\winids\snort\etc\gen-msg.map
config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s):
# config event_cache_size: 4096
Change to:
config event_cache_size: 32768

Original Line(s):
#output database: log, mysql, user=root password=test dbname=db host=localhost
Change to:
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=x.x.x.x port=yyyy sensor_name=WinIDS-Madrid

'user=snort': snort is the user name that will be used to access the MASTER MySQL database.
'password=l0gg3r': l0gg3r is the password associated with the 'user=snort' account that is accessing the MASTER Windows Intrusion Detection Systems (WinIDS) MySQL database.
'dbname=snort': snort is the name of the MASTER MySQL database to which all the events will be shuttled.
'host=x.x.x.x': x.x.x.x is the IP Address of the MASTER Windows Intrusion Detection System sensor.
'port=yyyy': yyyy is the listening port of the MASTER MySQL database server.
'sensor_name=WinIDS-Madrid': WinIDS-Madrid will be displayed in the Windows Intrusion Detection Security Console along with the alerts generated by that particular SLAVE Sensor. WinIDS-Madrid is only an example.

The database password sits in clear text in barnyard2.conf, so keep the file readable only by Administrators and the account the Barnyard2 service runs as. This output plug-in has no TLS option, so the SLAVE-to-MASTER connection should run over a trusted management network or a tunnel rather than across a network the sensor is there to watch.
The SLAVE sensor could be anywhere in the world, so make the appropriate change as needed. This is important because if several SLAVE sensors report to the same database, the sensor name is the only way to tell where an alert was generated.

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, exited, and closed the connection to the database!

Adding Barnyard2 to the Windows Services Database

At the CMD prompt type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that 'srvany' was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the srvany service has been successfully added!

At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that Barnyard2 was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the Barnyard2 service has been successfully added!

instsrv registers the service to run as LocalSystem. Once the install has been verified, consider changing the Barnyard2 service's Log On account to a dedicated low-privilege account that only needs to read the Snort log folder and barnyard2.conf.

At the CMD prompt type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.
The Registry Editor selection box opens and asks 'Are you sure you want to continue?'; left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Barnyard2 auto-start service has been successfully activated.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

Verifying that Barnyard2 and Snort are running as processes after rebooting

It could take several minutes for the Barnyard2 process to display after rebooting, as it is on a delayed start.

After the reboot open a CMD window and type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts. In the bottom left, left-click and check 'Show processes from all users' or left-click 'More Details', then left-click the 'Details' tab. In the 'Status' column, 'Barnyard2.exe' and 'Snort.exe' should both be listed as running.

Do not proceed until both processes show as running!

eXit the 'Task Manager'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have.

The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) SLAVE sensor using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.

At this point you are done with this tutorial.
Events should be arriving at the MASTER Windows Intrusion Detection Systems MySQL database server, and the Windows Intrusion Detection Systems Security Console should be showing events as they arrive. Each event will reflect the unique sensor name from which the event originated.

I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:

- Tuning your rules and preprocessors.
- Tuning Snort thresholds and limit values.
- Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
- Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
- Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
This tutorial will show how to install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.

How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).

How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).

How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support
This tutorial is a simple to understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components

How to update the Snort Intrusion Detection Engine
This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.

How to update the Rules, Signatures, and sig-msg.map file
This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
21. Windows Intrusion Detection System - Companion Add-On Tutorial

Installing Pulledpork for Rule Management - Master/Slave sensor

Written by: Michael E. Steele

Introduction

This tutorial is a simple to understand, step-by-step tutorial for adding automated rule management using Pulledpork to an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
Important Information about the two rule set groups

There are two 'Official Snort Rule sets' available for download:

Subscriber Release: There is an annual fee associated with this type of account. Paid Subscribers are privy to the very latest in new and modified rules (Zero Day).

Registered User Release: There is no annual fee associated with this type of account. Registered Users are always 30 days behind, to the minute, in modified and new rules (no Zero Day).

Updating the rules is crucial for both of the above groups to minimize exposure to inside/outside threats to your network. However, there is a definite plus to becoming a 'Subscriber' (paid user). As a 'Subscriber' (paid user) the update process can be executed once every minute. For 'Registered' (non-paid) users the update process can only be run once every 15 minutes. Once the update session reaches the update server your session is logged, and if for whatever reason the update session ends before the new rule set is downloaded, 'Registered' (non-paid) users MUST wait 15 minutes before another session can be restarted.

This install is based on the 'Registered User Release', and is by no means a lesson in rule updating. I can't state how IMPORTANT it is to read the documentation for Pulledpork and Snort. It is also IMPORTANT to join the Snort-users list and the Pulledpork-users list. The rules are the life blood of the Windows Intrusion Detection System (WinIDS).

Operating System and Configuration Setup

All existing Windows Intrusion Detection Systems (WinIDS) are supported.

This is how I've set up and tested Pulledpork in my Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure.

- Internet access to the outside.
- Install into any existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
- I'm installing the Pulledpork rule management solution logged on as user 'Operator' with 'Administrator' privileges.
- I'm installing the Pulledpork rule management solution into the existing 'd:\winids' folder.

Note: If this is a Master/Slave environment it is highly suggested that the Master and all the Slaves be running the same version of Snort!

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading and extracting the WinIDS Companion Software Development Pack

This tutorial assumes one of the Windows Intrusion Detection System (WinIDS) tutorials was used to create the Windows Intrusion Detection System (WinIDS) that this tutorial is being implemented into. The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial.

It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested, and found compatible with all the supported Windows Intrusion Detection Systems (WinIDS) tutorials.

Windows All: Download and save the 'WinIDS Companion Software Development Pack' to a temporary location.
Open File Explorer and navigate to the location of the 'winids-csdp.zip' file, right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail. It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Prepping for the Pulledpork Tutorial

Acquiring your unique Oinkcode

In order for this tutorial to work, an account on the snort.org web-site is required in order to acquire a unique Oinkcode. Once an account has been set up, 'Sign In' to the account, left-click your user login name in the top right, on the left under your username left-click 'Oinkcode', and in the center under 'Oinkcode' your unique Oinkcode is shown in red. Write it down EXACTLY as it is displayed because it will be needed later on, and then you can close the browser.

Note: There is a Regenerate button to change your Oinkcode. The displayed Oinkcode is the ONLY Oinkcode that will work for your account. An example of why a NEW Oinkcode might need to be generated is that a request for Pulledpork support was sent out containing the working Oinkcode. Anyone can use a current Oinkcode.
This will cause issues if more than one person is trying to update Pulledpork within 15 minutes of each other. It will lock out the second user for at least 15 minutes after the first user has timed out.

Backing up the current Snort Installation

Open a CMD window with Administrator privileges and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will create a backup of the original installation.

Installing Pulledpork for Automatic Rule Updating

Installing Pulledpork

During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network.

At the CMD prompt type 'unzip -oq d:\temp\pulledpork-0.7.4.zip -d d:\winids\pulledpork' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites

At the CMD prompt type 'cpan install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key. It could take several minutes to install the Syslog module.

Configuring the existing Windows Intrusion Detection System (WinIDS)

Prepping the Rules

At the CMD prompt type 'del d:\winids\snort\rules\*.* /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
Prepping the Configuration File

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Replace option in Notepad2 to find and replace the sections below.

Original:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Change to:
# var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

In Step #7 replace ALL the 'include $RULE_PATH/...' lines with the 3 lines below.

include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
include $RULE_PATH/winids.rules

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Configuring Pulledpork

At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

Change to:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|insert your unique oinkcode

Original Line(s):
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Change to:
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Slave sensor only - Original Line(s):
rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource

Slave sensor only - Change to:
# rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource

Original Line(s):
temp_path=/tmp

Change to:
temp_path=d:\winids\pulledpork\temp

Original Line(s):
rule_path=/usr/local/etc/snort/rules/snort.rules

Change to:
rule_path=d:\winids\snort\rules\winids.rules

Original Line(s):
local_rules=/usr/local/etc/snort/rules/local.rules

Change to:
local_rules=d:\winids\snort\rules\local.rules

Original Line(s):
sid_msg=/usr/local/etc/snort/sid-msg.map

Change to:
sid_msg=d:\winids\snort\etc\sid-msg.map

Original Line(s):
sid_changelog=/var/log/sid_changes.log

Change to:
sid_changelog=d:\winids\snort\log\sid_changes.log

Original Line(s):
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist

Change to:
# black_list=/usr/local/etc/snort/rules/iplists/default.blacklist

Original Line(s):
IPRVersion=/usr/local/etc/snort/rules/iplists

Change to:
# IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s):
snort_control=/usr/local/bin/snort_control

Change to:
# snort_control=/usr/local/bin/snort_control

Master sensor only - Original Line(s):
# docs=/path/to/base/www

Master sensor running IIS - change to:
docs=d:\winids\inetpub\wwwroot\base\signatures\

Master sensor running Apache - change to:
docs=d:\winids\Apache24\htdocs\base\signatures\

Original Line(s):
# snort_version=2.9.0.0

Change to:
snort_version=x.x.x.x

In the above snort_version=x.x.x.x, the x.x.x.x must reflect the version of Snort that is running on the sensor. The following procedure will display the version of Snort.

Open a CMD window with Administrator privileges and type 'd:\winids\snort\bin\snort -V' (less the outside quotes), and tap the 'Enter' key.

You should see the following as a confirmation of the Snort version. Based on the example below, the above snort_version=x.x.x.x would be snort_version=2.9.11.1.

C:\Users\Operator>d:\winids\snort\bin\snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1-WIN32 GRE (Build 268)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.3

C:\Users\Operator>

Note: With every Snort update the snort_version=x.x.x.x above MUST be updated! If this is not done, outdated rules will be used!

Original Line(s):
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

Change to:
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf

Original Line(s):
# ips_policy=security

Change to:
ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced, and security) that can be used. Change the above to your specific needs. Each policy has the Sourcefire recommended rules applied, and the 'ips_policy' switch is only an option. By placing a hash '#' (less the outside quotes) mark in front of the 'ips_policy' switch, Pulledpork will process the stock rules as they are.

Connectivity: Means "Connectivity over Security". This is a speedy policy for people that insist on blocking only the really known bad with no false positives.

Balanced: Means "Balanced between Connectivity and Security". This is a good starter policy for everyone. It's quick, has a good base coverage level, and covers the latest threats of the day. The policy contains everything that is in Connectivity.

Security: Means "Security over Connectivity". This is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it, for example rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity and Balanced.

Save the file, and eXit Notepad2.

Activating the Pulledpork process

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes), and tap the 'Enter' key.

Slave Sensor Install: On the initial execution, Pulledpork downloads and stores the current rules MD5 checksum file for future updating. Pulledpork then downloads the latest rules and processes them, which should take less than a minute depending on available resources.

Master Sensor Install: On the initial execution, Pulledpork downloads and stores the current rules MD5 checksum file for future updating. Pulledpork then downloads the latest rules and processes them, which should take less than a minute depending on available resources. Pulledpork then downloads and stores the current signature MD5 checksum file for future updating. Pulledpork then downloads the latest signatures and processes them, which could take 15-45 minutes depending on available resources. The signature file contains in excess of 24,000 files and Perl is painfully slow to process them. To verify the progress, right-click the signature folder and select Properties. Notice the file count in the row titled 'Contains:'. After a few seconds, perform the same procedure again. The file count should be climbing.
The below is displayed in the terminal window after a successful update.

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

Validating the Snort configuration and rules update

At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.

The current Snort run line will be displayed, as in the example below.

Snort is currently configured to run as a Windows service using the following command-line parameters:
-c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1

The above run line will need to be substituted into the procedure outlined below in red. Be SURE to use your own unique run line, as the above is only an example.

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.

The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the Snort configuration file is good.

Snort successfully validated the configuration!
Snort exiting

Do not continue until 'Snort successfully validated the configuration!' is displayed.

At the CMD prompt type 'net stop snort & net start snort' (less the outside quotes), and tap the 'Enter' key.

The above run line stops and starts the Snort Windows service. Restarting the Snort service will allow Snort to drop the old ruleset and grab the new ruleset. Barnyard2 will detect the disconnect of the logfile after Snort restarts and will automatically reconnect after several minutes.

The following is a confirmation that the Snort service was successfully stopped and started.

The Snort service was stopped successfully.
The Snort service was started successfully.
Do not proceed until the Snort service has been successfully started.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

After restarting Snort it could take Barnyard2 several minutes to reconnect and start populating triggered events into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added.

Slave Sensor Install: If no events start to show up in the Windows Intrusion Detection Systems security console from the slave sensor after several minutes, the master sensor may need to be rebooted first and allowed to come all the way up, and then reboot the slave.

Master Sensor Install: If no events start to show up in the Windows Intrusion Detection Systems security console from the master sensor after several minutes, the master sensor may need to be rebooted.

If after several minutes there are still no events showing up in the Windows Intrusion Detection Systems (WinIDS) Security Console, come visit the forums for help on manually generating events.

Cleaning up the Pulledpork install process

An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure, all that is needed to revert to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete it.

If the updating process has been successful and the backup is no longer needed, the process below will scrub the backup folder.

Open a CMD window with Administrator privileges and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
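The edits made by hand in Notepad2 above (snort.conf under 'Prepping the Configuration File', pulledpork.conf under 'Configuring Pulledpork', and the 'output database:' line in barnyard2.conf from the SLAVE sensor tutorial earlier on this page) are the usual cause of a failed Snort self-test or, worse, a sensor that silently runs stale rules because snort_version was never updated. The Python script below is an added example, not part of the tutorial's software pack and not Pulledpork's own code: it reads the text of the three files plus the 'snort -V' banner and reports every mismatch before the 'snort ... -T' run. The sample file contents are constructed from the lines shown in these tutorials, each with one deliberate slip; the function names and the "other sensor names" parameter are my own.

```python
import re

# Constructed sample inputs (not files from the tutorial's pack), built from the
# lines shown in these tutorials, each with a deliberate slip so the checks fire.
SNORT_V_BANNER = """   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1-WIN32 GRE (Build 268)
"""
SNORT_CONF = r"""var RULE_PATH d:\winids\snort\rules
# var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
include $RULE_PATH/winids.rules
include $RULE_PATH/browser-chrome.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
"""
PULLEDPORK_CONF = r"""rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|insert your unique oinkcode
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
temp_path=d:\winids\pulledpork\temp
rule_path=d:\winids\snort\rules\winids.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
# snort_version=2.9.0.0
snort_version=2.9.11.0
"""
BARNYARD2_CONF = """#output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=x.x.x.x port=yyyy sensor_name=WinIDS-Madrid
"""

EXPECTED_RULE_INCLUDES = {"include $RULE_PATH/experimental.rules",
                          "include $RULE_PATH/local.rules",
                          "include $RULE_PATH/winids.rules"}


def active_lines(text):
    """Non-empty lines that are not commented out with '#'."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def snort_version_from_banner(banner):
    """Pull '2.9.11.1' out of the 'snort -V' banner; None if it is not there."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else None


def conf_values(text, key):
    """Values of every active 'key=value' line (pulledpork.conf style)."""
    return [ln.split("=", 1)[1].strip() for ln in active_lines(text)
            if "=" in ln and ln.split("=", 1)[0].strip() == key]


def check_snort_conf(text):
    """Problems with the 'Prepping the Configuration File' edits to snort.conf."""
    lines = active_lines(text)
    problems = []
    if any(ln.startswith("var PREPROC_RULE_PATH") for ln in lines):
        problems.append("var PREPROC_RULE_PATH is still active; comment it out")
    problems += [f"still active: {ln}" for ln in lines
                 if ln.startswith("include $PREPROC_RULE_PATH/")]
    rule_includes = {ln for ln in lines if ln.startswith("include $RULE_PATH/")}
    problems += [f"unexpected rule include (Pulledpork now owns winids.rules): {ln}"
                 for ln in sorted(rule_includes - EXPECTED_RULE_INCLUDES)]
    problems += [f"missing: {ln}" for ln in sorted(EXPECTED_RULE_INCLUDES - rule_includes)]
    return problems


def check_pulledpork_conf(text, running_version):
    """Problems with the pulledpork.conf edits, given the version 'snort -V' reports."""
    problems = []
    versions = conf_values(text, "snort_version")
    if running_version is None:
        problems.append("could not read the running Snort version from 'snort -V'")
    elif not versions:
        problems.append("snort_version is not set; Pulledpork cannot pick the right snapshot")
    elif versions[-1] != running_version:
        problems.append(f"snort_version={versions[-1]} but the running Snort is {running_version}")
    for url in conf_values(text, "rule_url"):
        if url.endswith(("<oinkcode>", "insert your unique oinkcode")):
            problems.append("rule_url still carries the placeholder instead of your Oinkcode")
    for key in ("temp_path", "rule_path", "local_rules", "sid_msg", "sid_changelog"):
        problems += [f"{key}={v} is still a UNIX path" for v in conf_values(text, key)
                     if v.startswith("/")]
    return problems


def check_barnyard2_conf(text, other_sensor_names=()):
    """Problems with a SLAVE sensor's 'output database:' line in barnyard2.conf."""
    problems = []
    for ln in active_lines(text):
        if not ln.startswith("output database:"):
            continue
        kv = dict(re.findall(r"(\w+)=(\S+)", ln))
        if kv.get("user") == "root" or kv.get("password") == "test":
            problems.append("output database still uses the stock root/test credentials")
        if "sensor_name" not in kv:
            problems.append("sensor_name missing: alerts cannot be attributed to this sensor")
        elif kv["sensor_name"] in other_sensor_names:
            problems.append(f"sensor_name {kv['sensor_name']} is already used by another sensor")
        if kv.get("host") in (None, "localhost", "x.x.x.x"):  # a slave must point at the master
            problems.append("host must be the MASTER sensor's IP address")
    return problems


def run_checks(banner=SNORT_V_BANNER, snort_conf=SNORT_CONF,
               pulledpork_conf=PULLEDPORK_CONF, barnyard2_conf=BARNYARD2_CONF,
               other_sensor_names=()):
    """Return {file name: [problem, ...]}; an empty list means that file passed."""
    version = snort_version_from_banner(banner)
    return {"snort.conf": check_snort_conf(snort_conf),
            "pulledpork.conf": check_pulledpork_conf(pulledpork_conf, version),
            "barnyard2.conf": check_barnyard2_conf(barnyard2_conf, other_sensor_names)}
```

On a real sensor, feed run_checks() the contents of the three files and the captured output of 'd:\winids\snort\bin\snort -V'; pass the sensor names already in use by the other SLAVE sensors so a duplicated sensor_name is caught before alerts from two sites become indistinguishable in the security console. Run it again after every Snort upgrade, since that is exactly when snort_version in pulledpork.conf goes stale.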
In conclusion

Congratulations, you have just completed setting up your Windows Intrusion Detection System (WinIDS) to automatically update the rules, signatures, and the sid-msg.map file. I hope this tutorial has been of great assistance.

Windows Intrusion Detection System (WinIDS) - Future Updating

Open a CMD window with Administrator privileges and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will create a backup of the original installation.

Activating the Pulledpork process

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes), and tap the 'Enter' key.

Slave sensor: On execution, Pulledpork downloads the MD5 file for the rules and compares its checksum value with the previously downloaded MD5 file. If the checksum values do not match, Pulledpork downloads the latest rules and processes them, which should take less than a minute depending on available resources.

Master sensor: On execution, Pulledpork downloads the MD5 file for the rules and compares its checksum value with the previously downloaded MD5 file. If the checksum values do not match, Pulledpork downloads the latest rules and processes them, which should take less than a minute depending on available resources. This works the same way for the signatures. If the MD5 checksum values do not match, Pulledpork downloads the latest signatures and processes them, which could take 15-45 minutes depending on available resources. The signature file contains in excess of 24,000 files and Perl is painfully slow to process them. To verify progress, right-click the signature folder and select Properties. Notice the file count in the row titled 'Contains:'. After a few seconds, perform the same procedure again. The file count should be climbing.
The below is displayed in the terminal window after a successful update.

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

If there was no update, the backup folder can be deleted, the CMD window can be closed, and this tutorial can be exited!

Validating the Snort configuration and rules update

At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.

The current Snort run line will be displayed, as in the example below.

Snort is currently configured to run as a Windows service using the following command-line parameters:
-c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1

The above run line will need to be substituted into the procedure outlined below in red. Be SURE to use your own unique run line, as the above is only an example.

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.

The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the Snort configuration file is good.

Snort successfully validated the configuration!
Snort exiting

Do not continue until 'Snort successfully validated the configuration!' is displayed.

At the CMD prompt type 'net stop snort & net start snort' (less the outside quotes), and tap the 'Enter' key.

The above run line stops and starts the Snort Windows service. Restarting the Snort service will allow Snort to drop the old ruleset and grab the new ruleset. Barnyard2 will detect the disconnect of the logfile after Snort restarts and will automatically reconnect after several minutes.
The following is a confirmation that the Snort service was successfully stopped and started.

The Snort service was stopped successfully.
The Snort service was started successfully.

Do not proceed until the Snort service has been successfully started.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

After restarting Snort it could take Barnyard2 several minutes to reconnect and start populating triggered events into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added.

Slave Sensor Install: If no events start to show up in the Windows Intrusion Detection Systems security console from the slave sensor after several minutes, the master sensor may need to be rebooted first and allowed to come all the way up, and then reboot the slave.

Master Sensor Install: If no events start to show up in the Windows Intrusion Detection Systems security console from the master sensor after several minutes, the master sensor may need to be rebooted.

If after several minutes there are still no events showing up in the Windows Intrusion Detection Systems (WinIDS) Security Console, come visit the forums for help on manually generating events.

Cleaning up the Pulledpork rule updating process

An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure, all that is needed to revert to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete it.

If the updating process has been successful and the backup is no longer needed, the process below will scrub the backup folder.

At the CMD prompt type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In conclusion

Congratulations, you have just completed updating your Windows Intrusion Detection Systems (WinIDS) rules, signatures, and the sid-msg.map file. I hope this tutorial has been of great assistance.
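The 'Future Updating' section above describes how Pulledpork decides whether anything needs doing: it fetches the rule set's MD5 file, compares the digest with the one it stored last time, and only on a mismatch downloads and processes the snapshot. The Python below is an added example of that decision logic, written for this page and not Pulledpork's own Perl. It assumes the snort.org .md5 file has the common '<digest>  <filename>' layout, and it stands in constructed byte strings for the real rule tarball; update_cycle() and the other names are my own. It also goes one step further than the text and checks the downloaded archive against the published digest, so a truncated or corrupted download is refused instead of replacing a working rule set.

```python
import hashlib


def parse_md5_file(text):
    """Digest from a '<md5>  <filename>' line (assumed snort.org .md5 layout)."""
    token = text.strip().split()[0] if text.strip() else ""
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token.lower()):
        raise ValueError(f"not an MD5 digest: {token!r}")
    return token.lower()


def needs_update(stored_md5_text, fetched_md5_text):
    """First run (nothing stored) or a changed digest means a new snapshot is due."""
    if stored_md5_text is None:
        return True
    return parse_md5_file(stored_md5_text) != parse_md5_file(fetched_md5_text)


def verify_archive(archive_bytes, md5_text):
    """True when the downloaded archive matches the digest published beside it."""
    return hashlib.md5(archive_bytes).hexdigest() == parse_md5_file(md5_text)


def update_cycle(stored_md5_text, fetched_md5_text, fetch_archive):
    """One Pulledpork-style run. fetch_archive() is called only when the digest changed.
    Returns (what happened, the .md5 text to keep for the next run)."""
    if not needs_update(stored_md5_text, fetched_md5_text):
        return "no change", stored_md5_text
    archive = fetch_archive()
    if not verify_archive(archive, fetched_md5_text):
        # Keep the old rules and the old digest so the next run retries the download.
        return "download corrupt, keeping old rules", stored_md5_text
    return "processed new rules", fetched_md5_text


# Constructed stand-ins for two consecutive snapshots and their published .md5 files.
SNAPSHOT_V1 = b'alert tcp any any -> any 80 (msg:"constructed sample rule"; sid:1000001;)\n'
SNAPSHOT_V2 = SNAPSHOT_V1 + b"# constructed: one more rule arrived in this snapshot\n"
MD5_V1 = hashlib.md5(SNAPSHOT_V1).hexdigest() + "  snortrules-snapshot-29111.tar.gz\n"
MD5_V2 = hashlib.md5(SNAPSHOT_V2).hexdigest() + "  snortrules-snapshot-29111.tar.gz\n"


def demo():
    """Four runs: install, no change, a bad download, then the good download."""
    stored, actions = None, []
    for fetched_md5, archive in ((MD5_V1, SNAPSHOT_V1),   # initial execution
                                 (MD5_V1, SNAPSHOT_V1),   # nothing changed upstream
                                 (MD5_V2, SNAPSHOT_V1),   # digest changed, download is stale
                                 (MD5_V2, SNAPSHOT_V2)):  # retry succeeds
        action, stored = update_cycle(stored, fetched_md5, lambda a=archive: a)
        actions.append(action)
    return actions, stored
```

The MD5 comparison is change detection and a guard against a damaged download; it does not prove the rules came from snort.org. That trust rests on the HTTPS connection in rule_url and on your Oinkcode, which is one more reason to follow the earlier advice and never paste a working Oinkcode into a support request.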
Debugging Installation errors

Check the Event Viewer, as most of the support programs write FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
22. Windows Intrusion Detection System - Companion Add-On Tutorial

Logging Events to a Local Syslog Server

Written by: Michael E. Steele

Get Community Support!

Introduction

This tutorial is a simple to understand, step-by-step tutorial for logging events to a local Syslog Server running on the Windows Intrusion Detection System (WinIDS).

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one-on-one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

How to use this guide

This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation.
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! The default installation path ('d:\winids') and the support-file folder ('d:\temp') are hard coded into this tutorial, and are also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

Prerequisites

An existing Windows Intrusion Detection System (WinIDS) built using one of the tutorials, either a stand-alone Windows Intrusion Detection System (WinIDS) or a remote Windows Intrusion Detection System (WinIDS).

It is important that when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail. It is also important that when asked to 'Close a CMD window' it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

Downloading the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.

All the files below will need to be downloaded into the 'd:\temp' folder that was created when the 'WinIDS - (32/64bit) Software Support Pack' from the base WinIDS tutorial was extracted.
Visual Syslog Server for Windows: Download and save the file to the 'd:\temp' folder.

Installing the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)

Open a CMD window with Administrator privileges, type 'd:\temp\visualsyslog_setup.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Visual Syslog Server Setup Wizard' screen starts; left-click 'Next'.

The 'Select Destination Location' screen opens. In the destination location dialog box type 'd:\winids\visualsyslog' (less the outside quotes), and left-click 'Next'.

The 'Select Start Menu Folder' screen appears; left-click 'Next'.

The 'Select Additional Tasks' screen appears; left-click 'Next' to accept the additional task that adds a Windows Firewall exception opening port 514. That exception admits inbound traffic to port 514 from any address. Syslog over UDP carries no authentication, so anyone who can reach the listener can inject fake events or flood it; once the install is finished it is worth scoping the rule's remote addresses in 'Windows Firewall with Advanced Security' to the sensor's own address (or the loopback address when Snort and the Syslog Server share the host).

The 'Ready to Install' screen appears; left-click 'Install' and allow the install to complete.

The 'Completing the Visual Syslog Server Setup Wizard' screen appears; left-click 'Finish' to complete the install.

Configuring the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)

The Visual Syslog Server application should have started automatically. In the upper left, left-click the 'Setup' icon and the 'Setup' window appears. Left-click the 'Main' tab.

In the 'UDP Syslog server' section, in 'UDP listener interface port', left-click the pull-down and select the IP address of the local Syslog Server; the port should already be populated with 514.

In the 'TCP Syslog server' section, in 'TCP listener interface port', left-click the pull-down and select the IP address of the local Syslog Server; the port should already be populated with 514.

Left-click 'OK' to close the setup configuration window, and exit the Visual Syslog Server application. The Visual Syslog Server will continue to run in the system tray as a Windows service.
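Before relying on an external port-check site, a practitioner will want to prove locally that the listener is up and that a datagram sent to it actually shows in the Visual Syslog Server window. The PowerShell script below is an added example and is not part of the original tutorial or of the Visual Syslog Server or Snort projects. It assumes the listener address and port chosen in the Setup window were 127.0.0.1 and 514 (change $SyslogHost and $SyslogPort otherwise) and a Windows 8 / Server 2012 or later host, where the Get-NetUDPEndpoint cmdlet exists. The message body it sends is a constructed string shaped like a Snort alert, not a real alert.

```powershell
# Added example, not part of the WinIDS tutorial: confirm the Visual Syslog
# Server is listening on this host, then push one syslog datagram at it so
# the receive path is proven before Snort is reconfigured.
# Assumptions: listener on 127.0.0.1 UDP 514 (edit below if different);
# Windows 8 / Server 2012 or later (Get-NetUDPEndpoint).
$SyslogHost = '127.0.0.1'
$SyslogPort = 514

# 1. Local listener check, the object-returning equivalent of
#    'netstat -ano -p udp | findstr :514'.
$listener = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "Nothing is listening on UDP $SyslogPort. Start Visual Syslog Server and re-check Setup > Main."
}
$listener | ForEach-Object {
    $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    'UDP {0}:{1} is owned by PID {2} ({3})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $proc
}

# 2. Build an RFC 3164 style datagram with the same facility and severity the
#    snort.conf output line uses: LOG_AUTH is facility 4, LOG_ALERT is
#    severity 1, so PRI = 4 * 8 + 1 = 33.
#    The body is a constructed test string shaped like a Snort alert line.
$pri       = (4 * 8) + 1
$timestamp = (Get-Date).ToString('MMM dd HH:mm:ss')
$body      = 'snort: [1:1000001:1] WinIDS syslog delivery test [Priority: 1]: {UDP} 127.0.0.1:1 -> 127.0.0.1:514'
$datagram  = "<$pri>$timestamp $env:COMPUTERNAME $body"

# 3. Send it over UDP.  UDP has no acknowledgement, so the only real
#    confirmation is the line appearing in the Visual Syslog Server window.
$client = New-Object System.Net.Sockets.UdpClient
try {
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($datagram)
    $sent  = $client.Send($bytes, $bytes.Length, $SyslogHost, $SyslogPort)
    "Sent $sent bytes to ${SyslogHost}:$SyslogPort; look for the test line in Visual Syslog Server."
}
finally {
    $client.Close()
}
```

Run it from an elevated PowerShell prompt on the sensor. If the listener check passes but the test line never appears, the problem is between the socket and the application (wrong listener interface selected in Setup, or a host firewall rule), not with Snort; if the line does appear, any later silence is on the Snort side.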
Testing for an open listening port on the local Syslog Server

From the Windows Intrusion Detection System (WinIDS) go to the 'You Get Signal' website. The 'Remote Address' dialog box should already be populated with the address the site sees (the sensor's Internet-facing IP address). In the 'Port Number' dialog box type 514, and left-click 'Check'.

*** If the above response is closed then do not proceed until the status is open. ***

Note: this check is made from the Internet, so an 'open' result also means port 514 on the sensor is reachable from outside the perimeter. A Syslog Server on the same host as the sensor only needs to be reachable from that host, and because syslog over UDP is unauthenticated, a listener exposed to the Internet can be fed forged events or flooded. Where the perimeter does not need to pass 514, a local check of the listener (for example 'netstat -ano' filtered for ':514') is the more meaningful test, and the port should stay closed to the outside.

Configuring the Windows Intrusion Detection System (WinIDS) for Local Syslog logging

Configuring Snort to include Syslog logging

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use Find in Notepad2 to locate and change the line below.

Original Line(s):

# output alert_syslog: LOG_AUTH LOG_ALERT

Change to:

output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT

Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP address of the local Syslog Server, and the PORT above reflects the listening port of the local Syslog Server. With the 'host=' argument, the Windows build of Snort sends each alert as a clear-text UDP syslog message to that address and port, tagged with facility LOG_AUTH and severity LOG_ALERT. Now save the file and exit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards:

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that the Windows Intrusion Detection System (WinIDS) monitors with.
The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' is the 'Index' number of the Network Interface Card the Windows Intrusion Detection System (WinIDS) monitors with.

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x'.

This starts Snort in self-test mode for configuration and rule file testing. Depending on the resources used and/or available, it could take several minutes to run. Errors in the new 'output alert_syslog' line (such as an unrecognized facility or severity name) are reported here as fatal errors, so fix them before going on. If all the tests are passed, the following is confirmation that the Snort configuration file and rules have tested good:

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring the Snort service run line for Syslog Server logging

At the CMD prompt type 'net stop snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'snort /SERVICE /SHOW' (less the outside quotes), and tap the 'Enter' key. The output is the full run line that the Snort service starts with, and might look like the below:

Snort is currently configured to run as a Windows service using the following command-line parameters:
    -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1

Make a note of the exact parameters shown; they are needed again after the service is removed.

At the CMD prompt type 'snort /SERVICE /UNINSTALL' (less the outside quotes), and tap the 'Enter' key. The following is confirmation that the Snort service was successfully removed from the services database:

[SNORT_SERVICE] Attempting to uninstall the Snort service.
[SNORT_SERVICE] Successfully removed registry keys from: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully removed the Snort service from the Services database.

A new Snort auto-start configuration line now needs to be added that contains the switch to log all events to the Syslog Server. The Snort run line entered below should be exactly what was displayed when the 'snort /SERVICE /SHOW' command was run previously, with ' -s' (less the outside quotes) added to the end; '-s' is Snort's switch for logging alert messages to syslog.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (less the outside quotes), and tap the 'Enter' key. The following is confirmation that the Snort service was successfully added to the services database:

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Services database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key. The space after 'start=' is required by sc. The following is confirmation that the Snort service has been set to start automatically:

[SC] ChangeServiceConfig SUCCESS

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion

At this point, it could take several minutes before events start arriving in the local Syslog Server.
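The service re-registration steps above (show the current run line, stop, uninstall, reinstall with '-s', set auto-start, start) are easy to get wrong when the run line is retyped by hand. The PowerShell script below is an added example, not part of the original tutorial or of the Snort project. It assumes Snort is installed under d:\winids\snort, that the service is named 'snortsvc' as in the 'sc config' step, that the run line contains no spaces inside paths (true for the tutorial's fixed 'd:\winids' layout), and that 'snort /SERVICE /SHOW' prints the parameters on their own line beginning with '-c', as the tutorial's sample output shows. It adds two things the manual procedure lacks: it refuses to append '-s' a second time, and it verifies the stored run line and service state afterwards.

```powershell
# Added example, not part of the WinIDS tutorial: re-register the Snort
# service with -s (log alerts to syslog) appended to its existing run line.
# Assumptions: Snort under d:\winids\snort, service name 'snortsvc', no
# spaces in the run line's paths, and 'snort /SERVICE /SHOW' printing the
# parameters on a line that starts with '-c'.  Run from an elevated prompt.
$SnortBin = 'd:\winids\snort\bin\snort.exe'
$Service  = 'snortsvc'

if (-not (Test-Path $SnortBin)) { throw "Snort binary not found at $SnortBin" }

function Get-SnortRunLine {
    # Returns the stored parameter line, or $null if it cannot be found.
    $show = & $SnortBin /SERVICE /SHOW 2>&1
    $line = $show | Where-Object { "$_" -match '^\s*-c\s' } | Select-Object -First 1
    if ($line) { "$line".Trim() } else { $null }
}

$runLine = Get-SnortRunLine
if (-not $runLine) { throw "Could not read the current run line from 'snort /SERVICE /SHOW'." }
"Current run line: $runLine"

# Idempotence check: do not append -s if it is already there.
if (($runLine -split '\s+') -contains '-s') {
    "Syslog logging (-s) is already enabled; nothing to do."
    return
}

# Stop and unregister.  net.exe and sc.exe are named explicitly because in
# PowerShell the bare word 'sc' is an alias for Set-Content, not sc.exe.
net.exe stop $Service 2>$null | Out-Null
& $SnortBin /SERVICE /UNINSTALL | Out-Null

# Re-register with the original parameters plus -s.  Splitting the string
# into an array passes each token as its own argument.
$newArgs = ("$runLine -s") -split '\s+'
$install = & $SnortBin /SERVICE /INSTALL @newArgs 2>&1
if (("$install") -notmatch 'Successfully added the Snort service') {
    throw "Service install failed:`n$($install -join "`n")"
}
sc.exe config $Service start= auto | Out-Null
net.exe start $Service | Out-Null

# Verify: the stored run line must end with -s and the service must be running.
$after = Get-SnortRunLine
$state = (Get-Service -Name $Service).Status
"Stored run line: $after"
"Service state:   $state"
if (-not $after -or (($after -split '\s+') -notcontains '-s') -or $state -ne 'Running') {
    throw 'Verification failed: check the Application log in Event Viewer for Snort errors.'
}
```

Because the script reads the run line back from 'snort /SERVICE /SHOW' rather than from a hard-coded string, it works unchanged for a sensor whose interface index is not 1; the one thing it will not do is proceed when the run line cannot be parsed, which is the safer failure.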