Morpheus

Everything posted by Morpheus

  1. Barnyard2 has to open the database to test, and then it closes.
     I guess it could be more descriptive, like:
     > database: Opening connection to database "snort"
  2. The section labeled 'Configuring Internet Information Services for PHP' will address that issue.
  3. I find that in most of these incidents with Windows 7, 8, 2008, and 2012 using Internet Information Services (IIS), the PHP configuration fails to save.
     Return to the section labeled 'Configuring Internet Information Services for PHP', and complete.
     Try running the test.php again, and see if it displays. The test.php needs to be copied to the d:\winids\inetpub\wwwroot\base folder, and accessed from the URL http://winids/test.php
  4. Ok, so I checked my winsnort.rules files. The winids.rules file does contain all three rule sets:
     preprocessor.rules
     decoder.rules
     sensitive-data.rules
     Open the winids.rules file in a text editor (notepad+) and all the rules are categorized.
     preprocessor.rules -> # ----- Begin VRT-preprocessor Rules Category ----- #
     decoder.rules -> # ----- Begin VRT-decoder Rules Category ----- #
     sensitive-data.rules -> # ----- Begin VRT-sensitive-data Rules Category ----- #
     As an example, open the preprocessor.rules file and there are 500 rules listed (fictional count). Out of those 500 rules there may be 50 disabled (# is disabled). After PulledPork processes, open the winids.rules file and search for the category labeled # ----- Begin VRT-preprocessor Rules Category ----- #. Under that category, all 500 (fictional count) rules should be listed and match exactly what rules are found in the preprocessor.rules file.
     Out of the 500 rules (fictional count) listed under the # ----- Begin VRT-preprocessor Rules Category ----- # there may be 480 of those rules (fictional count) disabled, and not just the 50 that were disabled in the default preprocessor.rules file. PulledPork will adjust the enabled / disabled status of each rule when compiling a new winids.rules file based on the 'ips_policy=' setting in the pulledpork.conf.
     This is the main reason why your preprocessor rule events have dropped after adding the PulledPork add-on.
     Note: NEVER, and I repeat NEVER, manually alter the winids.rules file. Use the four configuration files listed below to make ALL rule changes.
     enablesid=d:\winids\pulledpork\etc\enablesid.conf
     dropsid=d:\winids\pulledpork\etc\dropsid.conf
     disablesid=d:\winids\pulledpork\etc\disablesid.conf
     modifysid=d:\winids\pulledpork\etc\modifysid.conf
     As an example; let's say there was a previous rule that was being triggered prior to updating to PulledPork. To enable that rule, add that rule's SID to the enablesid.conf file.
     As an example; let's say there is a specific event being triggered regarding Internet Information Services. Your enterprise site does not run Internet Information Services, and you don't want to see that event in the Windows Intrusion Detection Systems security console. To disable that rule, add that rule's SID to the disablesid.conf file.
     By adding the rule's SID to the enablesid.conf file, or the disablesid.conf file, the rule will continue to be enabled, or disabled in the winids.rules file. However, when Snort starts it first reads in the original winids.rules file. It then reads in the enablesid.conf file, the disablesid.conf, and then enables or disables rules based on what Snort finds in each of those .conf files.
     PulledPork compiles a basic winids.rules file. The four configuration files listed above are used for rule customizing. Never touch the winids.rules file.
     Winsnort gives the basic starting point, but for more advanced help, the PulledPork users group is the next step.
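A read-only audit in Python, added here and not Morpheus's or PulledPork's own code, that parses a PulledPork-built winids.rules by its '# ----- Begin ... Rules Category ----- #' markers, counts enabled versus disabled rules per category (the 500 vs 480 situation described above), and checks that every SID listed in enablesid.conf is actually enabled and every SID in disablesid.conf is actually disabled, without ever writing to winids.rules. The sample rules and conf contents are constructed; the gid:sid entry form and the "bare sid means gid 1" default are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of a PulledPork-built winids.rules (not a real file)
WINIDS_RULES = """\
# ----- Begin VRT-preprocessor Rules Category ----- #
alert ( msg:"PREPROC_A"; sid:1; gid:143; rev:1; )
# alert ( msg:"PREPROC_B"; sid:2; gid:143; rev:1; )
# ----- Begin VRT-decoder Rules Category ----- #
# alert ( msg:"DECODE_A"; sid:1; gid:116; rev:1; )
alert ( msg:"DECODE_B"; sid:2; gid:116; rev:1; )
# ----- Begin VRT-web-iis Rules Category ----- #
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS sample"; sid:1000001; rev:1;)
"""
ENABLESID = "143:2, 116:1 # constructed enablesid.conf (gid:sid form)\n143:999\n"
DISABLESID = "1:1000001\n"  # constructed disablesid.conf

CATEGORY_RE = re.compile(r"^# ----- Begin (\S+) Rules Category ----- #")
RULE_RE = re.compile(r"^(#\s*)?(?:alert|log|pass|drop|sdrop|reject)\b")

def parse_winids_rules(text):
    """Map category -> {(gid, sid): enabled}; a leading '#' means disabled."""
    rules, category = defaultdict(dict), "uncategorized"
    for line in (l.strip() for l in text.splitlines()):
        if cat := CATEGORY_RE.match(line):
            category = cat.group(1)
        elif (rule := RULE_RE.match(line)) and (sid := re.search(r"\bsid:\s*(\d+)", line)):
            gid = re.search(r"\bgid:\s*(\d+)", line)  # text rules carry no gid: default 1
            rules[category][(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = rule.group(1) is None
    return rules

def parse_sid_conf(text):
    """Read gid:sid entries (comma or newline separated); a bare sid is assumed gid 1."""
    entries = set()
    for line in text.splitlines():
        for item in filter(None, (i.strip() for i in line.split("#", 1)[0].split(","))):
            gid, _, sid = item.rpartition(":")
            entries.add((int(gid) if gid else 1, int(sid)))
    return entries

def audit(rules_text, enable_text, disable_text):
    """Read-only check: per-category (enabled, disabled) counts plus conf/file mismatches."""
    rules = parse_winids_rules(rules_text)
    status = {k: v for cat in rules.values() for k, v in cat.items()}
    want_on, want_off = parse_sid_conf(enable_text), parse_sid_conf(disable_text)
    return {
        "counts": {c: (sum(r.values()), len(r) - sum(r.values())) for c, r in rules.items()},
        "missing": sorted((want_on | want_off) - set(status)),
        "still_disabled": sorted(k for k in want_on if status.get(k) is False),
        "still_enabled": sorted(k for k in want_off if status.get(k) is True),
    }
```

A non-empty "still_disabled" or "still_enabled" list after a PulledPork run means the conf entry did not take effect (or the run did not complete), which is the thing to investigate before touching any rule file.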
  5. Here is the original Windows Intrusion Detection Systems configuration for the 'PREPROC' rules.
     Original Line(s):
     # include $PREPROC_RULE_PATH/preprocessor.rules
     # include $PREPROC_RULE_PATH/decoder.rules
     # include $PREPROC_RULE_PATH/sensitive-data.rules
     Change to:
     include $PREPROC_RULE_PATH/preprocessor.rules
     include $PREPROC_RULE_PATH/decoder.rules
     include $PREPROC_RULE_PATH/sensitive-data.rules
     Here are the changes for the PulledPork add-on
     Original Line(s):
     include $PREPROC_RULE_PATH/preprocessor.rules
     include $PREPROC_RULE_PATH/decoder.rules
     include $PREPROC_RULE_PATH/sensitive-data.rules
     Change to:
     # include $PREPROC_RULE_PATH/preprocessor.rules
     # include $PREPROC_RULE_PATH/decoder.rules
     # include $PREPROC_RULE_PATH/sensitive-data.rules
     After you made the changes, are the three rule sets listed below actually located in the 'd:\winids\snort\rules' folder?
     preprocessor.rules
     decoder.rules
     sensitive-data.rules
     As far as I know all the rules are supposed to be processed into the single .rules file (winids.rules). Something may have changed, or I'm not fully understanding how PulledPork works.
     Let me query the group on this. I've never seen this problem before.
  6. Make SURE your OS is capable of running the .vbs file. Windows 8 should do this out of the box. In lieu of running the .vbs file, manually execute each command in the .vbs file for your OS, and the architecture used. Follow the tutorial. Whatever your Windows OS media drive is, will be x.
     Windows 8.x / 2008 / 2012: The original OS media CD/DVD is now required to be inserted into the CD/DVD-Player.
     In lieu of a Windows OS CD; if you have access to an ISO, or possibly the CD/DVD; just transfer the sources\sxs folder to wherever, and point x to that location. You could also just mount the ISO and point the x to that drive letter.
  7. It reads this registry key: HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion
     Expects a value of 6.3 in the CurrentVersion value for all versions of Windows 8.x
     You are supposed to run the modder.vbs file from a CMD window that has Administrator privileges. Right-clicking the file, and "Run as Administrator", should also work?
  8. Appears the section labeled 'Configuring the existing Windows Intrusion Detection System (WinIDS)' had a problem. Open a CMD window and type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key. Now try the command again.
  9. All fixed. Seems they are having a problem with file extensions, again...
  10. It doesn't hurt to run the modder.vbs file for a second time. Not sure where the problem came from, but sounds like the modder.vbs file had a problem kicking the OS into Administrator mode prior to installing the MS Visual C ++ redistributables.
  11. Not sure, but it's not getting the MSV C++ installed correctly. Did you run the modder.vbs file? Is this a fresh install of the operating system? Have you tried installing the MS Visual C ++ redistributable as 'Run as Administrator'?
  12. Looks like you are good to go with a successful configuration test.
  13. I just noticed:
      Change this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log –i1 -T
      To this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T
  14. I fixed the tutorial to be more informative for Windows 8.x. Internet Information Services installs on Windows 8.x exactly like Server 2012. 
  15. I'm not sure what you are getting at here.
      According to the log files; the Windows Intrusion Detection System (WinIDS) has had one previous run that detected and logged two events (records).
      The Windows Intrusion Detection System (WinIDS) has been run again, and has detected one event (the data after the "Waiting for new data" shows data for one event).
      At that point if Barnyard2 was stopped, you should be able to go into the Windows Intrusion Detection Systems (WinIDS) security console, and there should be a total of three events.
      Restarting barnyard2, or rebooting, the barnyard2 terminal window should now show:
      record_idx      = 3
      Everything is normal...
  16. 1) Wonder what else didn't happen when the modder.vbs file ran?
      2) Sourcefire has updated their snort.org site in the past few days and there have been issues with the rules, and opensource files?
      3) I'm not sure as that has never happened here. This is most likely an issue related to item 1.
      I'll look into item 2 and adjust to the new name.
      Update: Several of the file names were changed on the snort.org site, and all the tutorials now reflect those changes.
  17. I'm assuming that the modder.vbs file was run, and that there were no problems up to that point.
      Open a CMD window, go back to the section labeled 'Configuring IIS for the Windows Intrusion Detection Security Console' in the tutorial, and complete.
      At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.
      At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
      Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.
      Are you able to get to the Windows Intrusion Detection Systems (WinIDS) security console?
  18. The error indicates that Barnyard2 is having an issue with the time stamp on the snort.log file.
      Log file name example: merged.log.1377185664
      If there is no time stamp on the d:/winids/log/merged.log file then check the snort.conf lines below for accuracy.
      Original Line(s):
      # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
      Change to:
      output unified2: filename merged.log, limit 128
  19. The "Waiting for new data." is normal for Barnyard2.
      I'm assuming that events were being logged prior to installing PulledPork. I'm also assuming that you allowed the PulledPork process to complete, which could take from 30-60 minutes. If you are unsure; delete ALL the files in the pulledpork\temp folder and try the process again.
      Note: The rules are monitored, and there is a 15 minute delay between rules downloads. If the rule download starts, and then exits 30 seconds later (for whatever reason), there is a 15 minute wait.
      Make SURE Snort and Barnyard2 are running processes.
      When the Windows Intrusion Detection System (WinIDS) was initially setup, there were more active rules being run, so you may not see the level of activity after PulledPork gets installed. When PulledPork is setup there are three levels of monitoring. The 'Security' level is the highest level, and will trigger more events than the other two levels of monitoring. PulledPork activates a basic set of rules based on what the developer has deemed as a sufficient place to start monitoring, based on the level of monitoring selected. You can change this rule monitoring level at any time in the pulledpork.conf, but you will need to run pulledpork after making the change.
      PulledPork has a lot of configuration options. Reading the documentation, and joining the PulledPork users group is a must.
      The events that were seen while the test rules were activated should have been displayed in the open Barnyard2 terminal window, and were they? They should also be visible in the Windows Intrusion Detection (WinIDS) security console, and were they?
      Note: It's possible there are no events being triggered based on improper configuration, even though the Windows Intrusion Detection System (WinIDS) is operating properly.
      HOME_NET set incorrectly
      Windows Intrusion Detection System plugged into a switch that is not mirroring
      Selecting the wrong monitoring interface
  20. Snort needs to be restarted after the snort.conf gets edited.
      Open a CMD window and type 'notepad2 d:\winids\etc\snort.conf' (less the outside quotes) and tap the enter key.
      Either hash out (#), or remove the line 'include $RULE_PATH\test.rules' (less the outside quotes), save the snort.conf, and eXit Notepad2.
      At the CMD window type 'net stop snort & net start snort' (less the outside quotes) and tap the enter key.
      At the CMD window type 'exit' (less the outside quotes) and tap the enter key.
      Should be back to normal...
  21. Not sure, but if you want to test, then try this post.
  22. The MODDER.VBS is only included in the software support pack.
  23. All the tests went as instructed during install?
      Did you run the modder.vbs file?
      What happens when you open a CMD terminal window and type 'hostname' (less the outside quotes)?
      Attach the configuration files:
      1) php.ini
      2) snort.conf
      3) base.conf.php
      4) barnyard2.conf