Morpheus

Administrators
  • Content count

    560
Everything posted by Morpheus

  1. Windows Intrusion Detection System - Companion Add-On Tutorial
    Updating the Windows Intrusion Detection Systems (WinIDS) Snort Intrusion Detection Engine
    Written by: Michael E. Steele
    Get Community Support!

    Introduction
    During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment. Yet none of them specifically detailed setting this up in a Windows environment. I've been working on and updating these tutorials for the past 12-plus years, and managed to get through the complete process in the Windows environment. These tutorials give all the basic instructions on how to either update major components or add-on components to the Windows Intrusion Detection System (WinIDS).

    Copyright Notice
    This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability for this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third-party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as an endorsement.
    Support Questions and Help
    All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one-on-one support. If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

    This is a basic update to the Intrusion Detection Engine (Snort)
    This tutorial covers updating the Windows Intrusion Detection Systems (WinIDS) Intrusion Detection Engine (Snort). There are three required downloads:
      • Snort, the heart of the Windows Intrusion Detection System (WinIDS).
      • Rules, the lifeblood of the Windows Intrusion Detection System (WinIDS).
      • Signatures, the event information displayed in the Windows Intrusion Detection Systems (WinIDS) security console.

    Prepping for updating the Windows Intrusion Detection System (WinIDS) Intrusion Detection Engine (Snort)

    Downloading the required software
    For this tutorial the original files from the 'WinIDS - xxbit Core Software Support Pack' must be located in their original folder (d:\temp). The following procedure requires the installer to be a registered user, logged into the snort.org web site. If any of the next three downloads asks to overwrite, make SURE to overwrite the file.
      • From a browser, open the snort.org web site and sign in.
      • At the main screen left-click the 'Downloads' button, scroll down to the 'Snort' section, under the 'Binaries' column left-click 'Snort_x_x_x_x_Installer.exe', and save it to the 'd:\temp' folder.
      • Scroll down to the 'Rules' section; in the 'Community' column under 'Documentation' left-click 'opensource.tar.gz', and save it to the 'd:\temp' folder.
      • In the 'Rules' category, in the 'Registered' column under 'Snort vx.x', left-click the latest version of the 'snortrules-snapshot-xxxx.tar.gz' file (usually at the bottom), and save it to the 'd:\temp' folder.
    In some instances the version of Snort might not match the version of the latest available rules. Just make sure both Snort and the rules are the latest versions available. At this point all three files listed below should have been downloaded into the 'd:\temp' folder:
      • Snort_x_x_x_x_Installer.exe
      • snortrules-snapshot-xxxx.tar.gz
      • opensource.tar.gz

    Updating the Windows Intrusion Detection Systems (WinIDS) Intrusion Detection Engine (Snort)
    During this process the Windows Intrusion Detection System (WinIDS) will NOT be detecting events. As a precaution, all incoming live feeds should be severed until the updating process has been completed and verified.

    Backing up the current Snort installation
    Open a CMD window, type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key. This preserves any custom files, which can be manually copied back if needed.

    Killing the Snort service
    At the CMD prompt type 'net stop snort' (less the outside quotes), and tap the 'Enter' key to stop the service.

    Prepping and installing Snort, the traffic detection and inspection engine
    At the CMD prompt type 'rd d:\winids\snort /S /Q' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'd:\temp\Snort_x_x_x_x_Installer.exe' (less the outside quotes), and tap the 'Enter' key. In the above 'd:\temp\Snort_x_x_x_x_Installer.exe', substitute the exact filename of the Snort version that was downloaded.
    The Snort installation wizard appears: left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, and left-click 'OK'.
    Prepping and installing the latest rule set
    At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-xxxx.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key. In the above 'd:\temp\snortrules-snapshot-xxxx.tar.gz', substitute the exact filename of the Snort rules version that was downloaded.
    At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

    Installing the latest signatures
    Apache2 installs: At the CMD prompt type 'rd d:\winids\Apache24\htdocs\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.
    Apache2 installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\apache24\htdocs\base\signatures' (less the outside quotes), and tap the 'Enter' key.
    IIS installs: At the CMD prompt type 'rd d:\winids\inetpub\wwwroot\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.
    IIS installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.
    The above command may take a few minutes to complete, as it is moving twenty thousand plus files.

    Updating the 'sid-msg.map' file
    At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
    Configuring Snort, the heart of the Windows Intrusion Detection System (WinIDS)
    The updating process replaced all the configuration files with the default configuration files. It is highly suggested that the OLD snort.conf file be merged manually into the NEW snort.conf file, as this will transfer any custom settings and preserve any new additions. After merging the files, the remaining part of this section can be skipped. The ORIGINAL snort.conf file is located in the d:\winids\snort-old\etc folder of the backup, and the NEW default snort.conf file is located in the d:\winids\snort\etc folder. By continuing this section, the Windows Intrusion Detection System (WinIDS) will be configured with the default settings!
    At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find option in Notepad2 to locate and change the variables below.
      Original line(s): ipvar HOME_NET any
      Change to: ipvar HOME_NET 192.168.1.0/24
    In the above HOME_NET example (192.168.1.0/24), using a CIDR of /24 the Windows Intrusion Detection System (WinIDS) will treat the whole 192.168.1.0/24 segment (hosts 192.168.1.1 - 192.168.1.254) as the home network. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
      Original line(s): var RULE_PATH ../rules
      Change to: var RULE_PATH d:\winids\snort\rules
      Original line(s): var SO_RULE_PATH ../so_rules
      Change to: # var SO_RULE_PATH ../so_rules
      Original line(s): var PREPROC_RULE_PATH ../preproc_rules
      Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
      Original line(s): var WHITE_LIST_PATH ../rules
      Change to: var WHITE_LIST_PATH d:\winids\snort\rules
      Original line(s): var BLACK_LIST_PATH ../rules
      Change to: var BLACK_LIST_PATH d:\winids\snort\rules
      Original line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
      Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor
      Original line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
      Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll
      Original line(s): decompress_swf { deflate lzma } \
      Change to: decompress_swf { deflate } \
      Original line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
      Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
      Original line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
      Change to: output unified2: filename merged.log, limit 128
      Original line(s): # include $PREPROC_RULE_PATH/preprocessor.rules
                        # include $PREPROC_RULE_PATH/decoder.rules
                        # include $PREPROC_RULE_PATH/sensitive-data.rules
      Change to: include $PREPROC_RULE_PATH/preprocessor.rules
                 include $PREPROC_RULE_PATH/decoder.rules
                 include $PREPROC_RULE_PATH/sensitive-data.rules
    Save the file, and exit Notepad2.

    Testing the Snort configuration file
    At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards:
      Index  Physical Address   IP Address
      -----  -----------------  ----------
      1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf
    In the above list the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it is up to the installer to determine the correct Network Interface Card (Index number) that will do the monitoring for the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' (less the outside quotes) represents the 'Index' number of the monitoring Network Interface Card.
    At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x'. This starts Snort in self-test mode for configuration and rule file testing; depending on the resources used and/or available, the self-test could take several minutes to run. If all the tests pass, the following confirms that the Snort configuration file and rules have tested good:
      Snort successfully validated the configuration!
      Snort exiting
    Do not proceed until 'Snort successfully validated the configuration!' is displayed.
    At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key to restart the service.
    At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

    Starting the Windows Intrusion Detection Systems (WinIDS) Security Console
    After restarting Snort it could take Barnyard2 several minutes to reconnect and start populating triggered events into the Windows Intrusion Detection Systems (WinIDS) Security Console.
    If no triggered events start to show up in a reasonable length of time, come visit the forums for help on manually generating events. Open a web browser, type 'http://winids' (less the outside quotes) into the URL address box, and tap the 'Enter' key.

    Cleaning up the Snort updating process
    An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure, all that is needed to revert to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete it. If the updating process has been successful and the backup is no longer needed, the process below will scrub the backup folder.
    Open a CMD window, type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

    In Conclusion
    Congratulations, you have just completed updating the Windows Intrusion Detection Systems (WinIDS) Intrusion Detection Engine known as Snort. It is highly encouraged to perform some post-installation tasks, if still needed, to get a fully production-ready Windows Intrusion Detection System (WinIDS). This includes:
      • Tuning your rules and preprocessors.
      • Tuning Snort thresholds and limit values.
      • Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
      • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
      • Configuring a system such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

    Optional Companion Documents
    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
      • How to Install PulledPork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor. This tutorial will show how to install PulledPork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor.
      • How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS).
      • How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
      • How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support. This tutorial is a simple-to-understand, step-by-step tutorial for compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support.
      • How to build and deploy a passive Ethernet tap. This tutorial will show how to build and deploy a passive Ethernet tap.

    Updating the Windows Intrusion Detection Systems (WinIDS) major components
      • How to update the Snort Intrusion Detection Engine. This tutorial will show how to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine.
      • How to update the Rules, Signatures, and sid-msg.map file. This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sid-msg.map' file.

    Debugging installation errors
    Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

    General tutorial issues
    For general problems that pertain to this specific tutorial, left-click the Get Community Support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Feedback
    I would love to get feedback from you about this tutorial. Any recommendations or ideas, please leave feedback HERE.

    Michael E. Steele | Microsoft Certified Systems Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org
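    The engine update procedure in the tutorial above, written out as one PowerShell script. This is an added example, not code from the WinIDS tutorial or from the Snort project. It adds the checks an operator wants at each step: it refuses to overwrite an existing backup, stops the service before copying so the backup is consistent, validates the new install with 'snort -T' before the service is started, and rolls the backup back automatically if any step or the validation fails. Assumptions not in the original: the d:\winids layout from the tutorial, tartool on the PATH, the Snort installer completed interactively with d:\winids\snort typed as the destination, the 'snort' service name implied by 'net stop snort', and the interface index read from 'snort -W' beforehand. The snort.conf edits it applies are the tutorial's default settings; the old snort.conf is kept beside the new one for the manual merge the tutorial recommends.

```powershell
# Added example (not from the WinIDS tutorial or the Snort project): the Snort engine update
# as a script with backup, validation and automatic rollback.
# Assumptions: d:\winids layout, tartool on PATH, installer run interactively with
# d:\winids\snort as destination, service name 'snort', interface index from 'snort -W'.
param(
    [Parameter(Mandatory)][string]$Installer,     # d:\temp\Snort_x_x_x_x_Installer.exe
    [Parameter(Mandatory)][string]$RulesTarball,  # d:\temp\snortrules-snapshot-xxxx.tar.gz
    [Parameter(Mandatory)][int]$InterfaceIndex,   # the 'Index' column of 'snort -W'
    [string]$HomeNet           = '192.168.1.0/24',
    [string]$SnortDir          = 'd:\winids\snort',
    [string]$BackupDir         = 'd:\winids\snort-old',
    [string]$SidMapTool        = 'd:\winids\create-sidmap\create-sidmap.pl',
    [string]$SignaturesTarball = 'd:\temp\opensource.tar.gz',
    [string]$SigDir            = 'd:\winids\apache24\htdocs\base\signatures'  # IIS: d:\winids\inetpub\wwwroot\base\signatures
)
$ErrorActionPreference = 'Stop'
$snortExe = Join-Path $SnortDir 'bin\snort.exe'

# The tutorial's snort.conf edits as regex/replacement pairs, applied to the new default file.
function Set-WinIdsSnortConf([string]$ConfPath) {
    $edits = @(
        @('(?m)^ipvar HOME_NET any\b',              "ipvar HOME_NET $HomeNet"),
        @('(?m)^var RULE_PATH \S+',                 "var RULE_PATH $SnortDir\rules"),
        @('(?m)^var SO_RULE_PATH \.\./so_rules',    '# var SO_RULE_PATH ../so_rules'),
        @('(?m)^var PREPROC_RULE_PATH \S+',         "var PREPROC_RULE_PATH $SnortDir\preproc_rules"),
        @('(?m)^var WHITE_LIST_PATH \S+',           "var WHITE_LIST_PATH $SnortDir\rules"),
        @('(?m)^var BLACK_LIST_PATH \S+',           "var BLACK_LIST_PATH $SnortDir\rules"),
        @('(?m)^dynamicpreprocessor directory \S+', "dynamicpreprocessor directory $SnortDir\lib\snort_dynamicpreprocessor"),
        @('(?m)^dynamicengine \S+',                 "dynamicengine $SnortDir\lib\snort_dynamicengine\sf_engine.dll"),
        @('decompress_swf \{ deflate lzma \}',      'decompress_swf { deflate }'),
        @('(?m)^# (preprocessor sfportscan: .*sense_level \{ low \})', '$1 logfile { portscan.log }'),
        @('(?m)^# (output unified2: filename merged\.log, limit 128).*', '$1'),
        @('(?m)^# (include \$PREPROC_RULE_PATH/\S+\.rules)', '$1')
    )
    $text = [IO.File]::ReadAllText($ConfPath)
    foreach ($e in $edits) { $text = [regex]::Replace($text, $e[0], $e[1]) }
    [IO.File]::WriteAllText($ConfPath, $text)   # UTF-8 without a byte-order mark
}

function Invoke-SnortUpdate {
    if (Test-Path $BackupDir) { throw "Backup folder $BackupDir already exists; move it aside first." }
    Stop-Service -Name snort                                       # net stop snort
    Copy-Item -Path $SnortDir -Destination $BackupDir -Recurse     # xcopy /E /I snort snort-old
    try {
        Remove-Item -Path $SnortDir -Recurse -Force                # rd snort /S /Q
        Start-Process -FilePath $Installer -Wait                   # enter $SnortDir as Destination Folder
        if (-not (Test-Path $snortExe)) { throw "snort.exe not found under $SnortDir after the install" }

        & tartool $RulesTarball $SnortDir                          # unpack the rules snapshot
        if (-not (Test-Path "$SnortDir\rules")) { throw "no rules folder after extracting $RulesTarball" }
        # bring back the custom files the tutorial preserves: *_list.*, local.*, experimental.*
        Get-ChildItem -Path "$BackupDir\rules\*" -Include '*_list.*', 'local.*', 'experimental.*' |
            Copy-Item -Destination "$SnortDir\rules" -Force
        Remove-Item -Path "$SnortDir\so_rules" -Recurse -Force -ErrorAction SilentlyContinue

        Remove-Item -Path $SigDir -Recurse -Force -ErrorAction SilentlyContinue
        & tartool $SignaturesTarball $SigDir                       # signatures for the security console

        # Regenerate sid-msg.map through cmd.exe exactly as the tutorial does: cmd's '>' writes the
        # script's bytes unchanged, whereas Windows PowerShell's '>' would write UTF-16.
        cmd /c "$SidMapTool $SnortDir\rules\ > $SnortDir\etc\sid-msg.map"
        if ((Get-Item "$SnortDir\etc\sid-msg.map").Length -eq 0) { throw 'sid-msg.map came out empty' }

        Copy-Item "$BackupDir\etc\snort.conf" "$SnortDir\etc\snort.conf.previous"   # kept for the manual merge
        Set-WinIdsSnortConf "$SnortDir\etc\snort.conf"

        & $snortExe -c "$SnortDir\etc\snort.conf" -l "$SnortDir\log" "-i$InterfaceIndex" -T
        if ($LASTEXITCODE -ne 0) { throw "snort -T failed with exit code $LASTEXITCODE" }
    } catch {
        # the tutorial's rollback: drop the new folder, rename the backup, restart the service
        Write-Warning "Update failed ($_); rolling back to $BackupDir"
        if (Test-Path $SnortDir) { Remove-Item -Path $SnortDir -Recurse -Force }
        Rename-Item -Path $BackupDir -NewName (Split-Path -Leaf $SnortDir)
        Start-Service -Name snort
        throw
    }
    Start-Service -Name snort                                      # net start snort
    Write-Host "Snort updated and validated; delete $BackupDir once the console shows events again."
}

Invoke-SnortUpdate
```

    Run it from an elevated PowerShell prompt, for example `.\Update-Snort.ps1 -Installer d:\temp\Snort_x_x_x_x_Installer.exe -RulesTarball d:\temp\snortrules-snapshot-xxxx.tar.gz -InterfaceIndex 1` (substituting the real filenames and index). The service stays stopped until 'snort -T' has passed, so a bad rule file or a path typo in snort.conf never reaches the running sensor; the backup folder is only renamed back into place, never copied, so a rollback is as fast as the original 'rd' and rename in the cleanup section.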
  2. Windows Intrusion Detection System - Companion Add-On Tutorial
    Updating the Windows Intrusion Detection Systems (WinIDS) Rules, Signatures, and sid-msg.map file
    Written by: Michael E. Steele
    Get Community Support!
    This is a basic rules update to the Windows Intrusion Detection System (WinIDS)
    This tutorial covers updating the Windows Intrusion Detection Systems (WinIDS) rules, signatures, and the sid-msg.map file. There are two required downloads:
      • Rules, the lifeblood of the Windows Intrusion Detection System (WinIDS).
      • Signatures, the event information displayed in the Windows Intrusion Detection Systems (WinIDS) security console.

    Prepping for updating the Windows Intrusion Detection System (WinIDS) Rules, Signatures, and 'sid-msg.map' file

    Downloading the required software
    For this tutorial the original files from the 'WinIDS - xxbit Core Software Support Pack' must be located in their original folder (d:\temp). The following procedure requires the installer to be a registered user, logged into the snort.org web site. If any of the next two downloads asks to overwrite, make SURE to overwrite the file.
      • From a browser, open the snort.org web site and sign in.
      • At the main screen left-click the 'Downloads' button, scroll down to the 'Rules' section, under 'Community', under 'Documentation', left-click 'opensource.tar.gz', and save it to the 'd:\temp' folder.
      • In the 'Rules' category under 'Registered', under 'Snort vx.x', left-click the latest version of the 'snortrules-snapshot-xxxx.tar.gz' file (usually at the top), and save it to the 'd:\temp' folder.
    At this point all the files listed below should be located in the 'd:\temp' folder:
      • snortrules-snapshot-xxxx.tar.gz
      • opensource.tar.gz

    Updating the Windows Intrusion Detection Systems (WinIDS) Rules, Signatures, and sid-msg.map file
    During this procedure the Windows Intrusion Detection System should continue to process triggered events; Snort keeps running with the current set of rules in memory until it is restarted.

    Backing up the current Snort installation
    Open a CMD window, type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key. This preserves any custom files, which can be manually copied back if needed.

    Prepping and installing the latest rule set
    At the CMD prompt type 'rd d:\winids\snort\etc /S /Q' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'rd d:\winids\snort\rules /S /Q' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-xxxx.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key. In the above 'd:\temp\snortrules-snapshot-xxxx.tar.gz', substitute the exact filename of the Snort rules version that was downloaded.
    At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

    Installing the latest signatures
    Apache2 installs: At the CMD prompt type 'rd d:\winids\Apache24\htdocs\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.
    Apache2 installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\apache24\htdocs\base\signatures' (less the outside quotes), and tap the 'Enter' key.
    IIS installs: At the CMD prompt type 'rd d:\winids\inetpub\wwwroot\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.
    IIS installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.
    The above command may take a few minutes to complete, as it is moving twenty thousand plus files.

    Updating the 'sid-msg.map' file
    WARNING: The following procedure MUST be performed EVERY time the rules have been changed or edited! By omitting this procedure the Windows Intrusion Detection Systems security console will not be accurate!
    At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

    Configuring Snort, the heart of the Windows Intrusion Detection System (WinIDS)
    The updating process replaced all the configuration files with the default configuration files. It is highly suggested that the OLD snort.conf file be merged manually into the NEW snort.conf file, as this will transfer any custom settings and preserve any new additions. After merging the files, the remaining part of this section can be skipped. The ORIGINAL snort.conf file is located in the d:\winids\snort-old\etc folder of the backup, and the NEW default snort.conf file is located in the d:\winids\snort\etc folder. By continuing this section, the Windows Intrusion Detection System (WinIDS) will be configured with the default settings!
    At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find option in Notepad2 to locate and change the variables below.
      Original line(s): ipvar HOME_NET any
      Change to: ipvar HOME_NET 192.168.1.0/24
    In the above HOME_NET example (192.168.1.0/24), using a CIDR of /24 the Windows Intrusion Detection System (WinIDS) will treat the whole 192.168.1.0/24 segment (hosts 192.168.1.1 - 192.168.1.254) as the home network. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
      Original line(s): var RULE_PATH ../rules
      Change to: var RULE_PATH d:\winids\snort\rules
      Original line(s): var SO_RULE_PATH ../so_rules
      Change to: # var SO_RULE_PATH ../so_rules
      Original line(s): var PREPROC_RULE_PATH ../preproc_rules
      Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
      Original line(s): var WHITE_LIST_PATH ../rules
      Change to: var WHITE_LIST_PATH d:\winids\snort\rules
      Original line(s): var BLACK_LIST_PATH ../rules
      Change to: var BLACK_LIST_PATH d:\winids\snort\rules
      Original line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
      Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor
      Original line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
      Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll
      Original line(s): decompress_swf { deflate lzma } \
      Change to: decompress_swf { deflate } \
      Original line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
      Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
      Original line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
      Change to: output unified2: filename merged.log, limit 128
      Original line(s): # include $PREPROC_RULE_PATH/preprocessor.rules
                        # include $PREPROC_RULE_PATH/decoder.rules
                        # include $PREPROC_RULE_PATH/sensitive-data.rules
      Change to: include $PREPROC_RULE_PATH/preprocessor.rules
                 include $PREPROC_RULE_PATH/decoder.rules
                 include $PREPROC_RULE_PATH/sensitive-data.rules
    Save the file, and exit Notepad2.

    Testing the Snort configuration file
    At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards:
      Index  Physical Address   IP Address
      -----  -----------------  ----------
      1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf
    In the above list the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it is up to the installer to determine the correct Network Interface Card (Index number) that will do the monitoring for the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' (less the outside quotes) represents the 'Index' number of the monitoring Network Interface Card.
    At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x'. This starts Snort in self-test mode for configuration and rule file testing; depending on the resources used and/or available, the self-test could take several minutes to run. If all the tests pass, the following confirms that the Snort configuration file and rules have tested good:
      Snort successfully validated the configuration!
      Snort exiting
    Do not proceed until 'Snort successfully validated the configuration!' is displayed.
    At the CMD prompt type 'net stop snort & net start snort' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
    Starting the Windows Intrusion Detection Systems (WinIDS) Security Console
    After restarting Snort it could take Barnyard2 several minutes to reconnect and start populating triggered events into the Windows Intrusion Detection Systems (WinIDS) Security Console. If no triggered events start to show up in a reasonable length of time, come visit the forums for help on manually generating events. Open a web browser, type 'http://winids' (less the outside quotes) into the URL address box, and tap the 'Enter' key.

    Cleaning up the rule updating process
    An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure, all that is needed to revert to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete it. If the updating process has been successful and the backup is no longer needed, the process below will scrub the backup folder.
    Open a CMD window, type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.
    At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

    In Conclusion
    Congratulations, you have just completed updating the Windows Intrusion Detection Systems (WinIDS) Rules, Signatures, and sid-msg.map file. It is highly encouraged to perform some post-installation tasks, if still needed, to get a fully production-ready Windows Intrusion Detection System (WinIDS). This includes:
      • Tuning your rules and preprocessors.
      • Tuning Snort thresholds and limit values.
      • Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
      • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
      • Configuring a system such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.
Optional Companion Documents Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor. This tutorial will show how to Install Pulledpork for rule management in an existing Windows Intrusion Detection System (WinIDS) Master/Slave sensor. How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support This tutorial is a simple to understand, step-by-step tutorial for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support. How to build and deploy a passive Ethernet tap This tutorial will show how to build and deploy a passive Ethernet tap. Updating the Windows Intrusion Detection Systems (WinIDS) Major components How to update the Snort Intrusion Detection Engine This tutorial will show How to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine. How to update the Rules, Signatures, and sig-msg.map file This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file. Debugging Installation errors Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log. 
General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
  3. Version 2.3

    638 downloads

Microsoft's Baseline Security Analyzer (MBSA) 2.3 runs on all variants of Windows 7, Windows 8.1, Windows 10, Windows Server 2008, and Windows Server 2012. It scans for missing security updates, update rollups and service packs using Microsoft Update technologies, and only for those available from Microsoft Update; it will not scan for or report missing non-security updates, tools or drivers. Microsoft has since deprecated MBSA, so treat its results as a baseline patch check for the WinIDS host rather than a complete vulnerability assessment. Kindest Regards, Winsnort.com Management
  4. Version 2.3

    162 downloads

Description identical to the previous Microsoft's Baseline Security Analyzer 2.3 entry. Kindest Regards, Winsnort.com Management
  5. Version

    1,204 downloads

This is the latest Windows Intrusion Detection Systems (WinIDS) software for all the Windows Intrusion Detection Systems (WinIDS) companion add-ons. Only use the software supplied in the Windows Intrusion Detection Systems (WinIDS) Companion Software Pack. The versions of the support files supplied may be old and outdated; however, they are the last versions that have been fully tested with all the Windows Intrusion Detection Systems (WinIDS) guided installs.

The Windows Intrusion Detection System (WinIDS) Companion Software Pack has been password protected. Wrapper Password: w1nsn03t.c0m (The password is published here, so it does not keep the contents confidential; the integrity check below is what you should rely on.)

After you have downloaded the Windows Intrusion Detection System (WinIDS) Companion Software Pack, and before you attempt to install it, make sure that it is intact and has not been tampered with. Use the SHA-1 checksum below to verify the integrity.

SHA-1 Hash value: B2C46B2CEF97C49D911EF3A158DF8CFC8715D8F0

What's New in Version 04.01.2018
Updates to companion software:
Minor corrections to Pulledpork 0.7.4

Kindest Regards, Winsnort.com Management
  6. Version

    4,566 downloads

This is the latest Windows Intrusion Detection System 64bit Core Software Support Pack, and is required for all the 64bit Windows Intrusion Detection Systems (WinIDS) installs. Using any other version of the core support files will most likely cause the install to fail. Only update the core support files after the Windows Intrusion Detection System (WinIDS) has been fully installed and tested.

The Windows Intrusion Detection System (WinIDS) Core Software Support Pack has been password protected. Wrapper Password: w1nsn03t.c0m

After you have downloaded the Windows Intrusion Detection System (WinIDS) Core Software Support Pack, and before you attempt to install it, make sure that it is intact and has not been tampered with. Use the SHA-1 checksum below to verify the integrity.

SHA-1 Hash value: 5A715D8AC43F59A93289ED0C3B9637C289FD8409

What's New in Version 8.15.2019
Updates to core software:
PostgreSQL has been updated from 10.9 to 10.10
MySQL has been updated from 8.0.16 to 8.0.17
Apache 2 has been updated from 2.4.39 VC15 to 2.4.41 VS16
mod_fcgid has been updated from 2.3.9 VC15 to 2.3.10 VS16
Recompiled Barnyard2 for the new database versions above.

Kindest Regards, Winsnort.com Management
  7. Version

    1,239 downloads

This is the latest Windows Intrusion Detection System 32bit Core Software Support Pack, and is required for all the 32bit Windows Intrusion Detection Systems (WinIDS) installs. Using any other version of the core support files will most likely cause the install to fail. Only update the core support files after the Windows Intrusion Detection System (WinIDS) has been fully installed and tested.

The Windows Intrusion Detection System (WinIDS) Core Software Support Pack has been password protected. Wrapper Password: w1nsn03t.c0m

After you have downloaded the Windows Intrusion Detection System (WinIDS) Core Software Support Pack, and before you attempt to install it, make sure that it is intact and has not been tampered with. Use the SHA-1 checksum below to verify the integrity.

SHA-1 Hash value: 8F16FBA8B906F5A683A3C4EE058437AF9E5B4650

What's New in Version 8.15.2019
Updates to core software:
PostgreSQL has been updated from 10.9 to 10.10
MySQL has been updated from 8.0.16 to 8.0.17
Apache 2 has been updated from 2.4.39 VC15 to 2.4.41 VS16
mod_fcgid has been updated from 2.3.9 VC15 to 2.3.10 VS16
Recompiled Barnyard2 for the new database versions above.

Kindest Regards, Winsnort.com Management
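Comparing a 40-character SHA-1 value by eye is error-prone, so here is an added PowerShell example (not WinIDS code) that verifies each downloaded pack in 'd:\temp' against the value published with it, covering the Companion Software Pack and both Core Software Support Packs above. The expected hashes are the ones printed in those entries; the file names are assumptions, because the entries do not show them, so edit them to match what you actually downloaded. Two caveats a practitioner should keep in mind: a hash published on the same page as the download only catches corruption or tampering in transit, not a compromised source, and SHA-1 is no longer collision resistant, so this is an integrity check, not authentication of the publisher.

```powershell
# Added example (not part of the WinIDS download pages): verify a downloaded
# WinIDS pack against the SHA-1 value published with it before opening it.
# The expected hashes are the values printed on the download entries; the
# file names are assumptions (the entries do not list them), so edit them to
# match what you downloaded into d:\temp.

$DownloadDir  = 'd:\temp'
$ExpectedSha1 = @{
    'WinIDS-Companion-Software-Pack.zip'          = 'B2C46B2CEF97C49D911EF3A158DF8CFC8715D8F0'
    'WinIDS-64bit-Core-Software-Support-Pack.zip' = '5A715D8AC43F59A93289ED0C3B9637C289FD8409'
    'WinIDS-32bit-Core-Software-Support-Pack.zip' = '8F16FBA8B906F5A683A3C4EE058437AF9E5B4650'
}

function Test-WinIdsPack {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Missing: $Path"
        return $false
    }
    # Get-FileHash returns upper-case hex; compare case-insensitively so a
    # lower-case value pasted from the forum still matches.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    if ($actual -ieq $ExpectedHash.Trim()) {
        Write-Host "OK       $Path"
        return $true
    }
    Write-Warning "MISMATCH $Path`n  expected $ExpectedHash`n  actual   $actual"
    return $false
}

$allGood = $true
foreach ($name in $ExpectedSha1.Keys) {
    $full = Join-Path $DownloadDir $name
    if (-not (Test-WinIdsPack -Path $full -ExpectedHash $ExpectedSha1[$name])) {
        $allGood = $false
    }
}

if (-not $allGood) {
    # Do not type the wrapper password into a file that failed verification;
    # re-download it and run this script again.
    Write-Error 'At least one pack failed SHA-1 verification; re-download it before extracting.'
    exit 1
}
Write-Host 'All packs verified; safe to extract with the published wrapper password.'
```

If you only have a CMD window, 'certutil -hashfile d:\temp\<file> SHA1' prints the same digest for a single file and you can compare it against the published value by hand.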
  8. Version 1.4.5

    334 downloads

This is the latest untouched version of the Basic Analysis and Security Engine, also known as BASE. It is the same version that is used for the Windows Intrusion Detection Systems (WinIDS) security console, but without the several minor modifications and fixes applied there. Kindest Regards, Winsnort.com Management