Morpheus

Administrators
  • Content count: 560

Everything posted by Morpheus

  1. You should have already set up the switch for the correct interface, and you shouldn't be guessing at this point in the tutorial. The correct format is 'include $RULE_PATH/test.rules', and it has been fixed. At this point there have been so many problems that my suggestion is to wipe the drive, start over fresh and follow the tutorial verbatim.
  2. It is normal for Barnyard2 to stop at waiting for data. There need to be events triggered to move past that. To manually trigger events try this.
  3. Did you go to the section titled Testing IIS, and the PHP installation and complete it? Did the test.php display the PHP summary?
  4. Go to the section titled Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console and complete. Go to the section titled Testing IIS, and the PHP installation and complete. To manually start Barnyard2: Open a CMD window with Administrator privileges and type 'd:\winids\activators\start.bat' (less the outside quotes), and tap the 'Enter' key. Closing the window will close Barnyard2. Shrink the Barnyard2 window to the task bar for normal operations.
  5. Make SURE barnyard2 is not running, but it shouldn't be. Uninstall the PostgreSQL server. You might be able to do this simply by running the PostgreSQL server install again, and choosing to uninstall. Remove everything the uninstall will allow. You can also go to the Add/Remove programs to uninstall. After uninstall go to the d:/winids folder and delete the PostgreSQL folder, and reboot. Go to the section titled Installing the PostgreSQL Database Server and complete. Go to the section titled Configuring the PostgreSQL Database Server and complete. At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes), and tap the 'Enter' key. Go to the section titled Configuring Barnyard2 checking to make sure Barnyard2 was correctly configured, and continue to complete tutorial.
  6. It appears you have not completed Configuring the PostgreSQL Database Server. Go back to that section and complete. It might be easier to just reinstall the database and start over?
  7. Go back to the section titled Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console and do it again.
  8. Sure, just disassemble the script and manually perform each step.
  9. You need to follow the guide. The guides have all paths hard coded into them, as do any of the scripts that need to be run. It is very possible to put programs anywhere as long as everything gets linked in the end. Missing one configuration would most likely cause a failure. If you have completed the tutorial using your custom configuration and have gotten to the end with no errors, then it's conceivable that everything is linked correctly. There are a lot of reasons why there are no events: Snort not running, Barnyard2 not running, misconfigured snort.conf, monitoring the wrong interface, connected to a switch with no mirroring enabled, possibly there are no events being triggered, etc... Did you try to manually trigger events? There is a topic on that, use the search function.
  10. If you follow the guide it works. What is the error you are receiving? Yes, you need barnyard2 in order to shuttle the events from the snort log to the database.
  11. Winsnort.com has been pretty diligent on keeping the Winsnort.com forums current. This usually happens without many major problems, and this has proven true with this latest update. The update was a total success, and there appear to be no residual after-effects. Please be sure to inform management if there are any issues. So without further ado, here is the latest and greatest change log.

     New or Changed Features in 4.1.12

     Key Changes
     This is a maintenance release to fix reported issues and add refinement to existing features. In addition to bug fixes and performance improvements, it includes the following enhancements:

     New Features:
     • When you mouse over the badge showing who liked a post, you will now see a larger list of who liked that post. You can still click to get the full list.
     • Ratings now show half-stars for the average (for example, if one user votes 3 stars and another 4, it will show 3 and a half stars), and there is now an indication if you have rated something.
     • A "Preview" button has been added to the post editor which shows how the post will appear after BBCode processing. Tabs show how the post will appear on desktop, tablet and mobile.
     • Users can now choose to ignore notifications for being mentioned in posts by particular users.
     • You can now filter searches by specific forums/categories.
     • You can now control whether open and click tracking should be used for emails sent by SparkPost.
     • Activity Stream enhancements: The filter dropdowns now have an "Apply" button for better usability (previously you had to click outside the dropdown). The "Expanded/Collapsed" toggles are now clearer. Hitting back from a clicked item in any activity stream now remembers your position and loaded results.

     Other enhancements and improvements:
     • The way dates are formatted can now be customized by language strings. For example, if you want to change the date format to "DD-MM-YYYY", that is now possible. With this change, the new default is US-style ("March 4, 1992") rather than the previous European-style ("4 March 1992").
     • Advertisements no longer have padding, which makes them easier to position in other areas such as headers.
     • When comparing revisions of articles in Pages databases, a new browser-based diff tool is used which is more user-friendly and moves the computation from the server to the user's browser for greater performance.
     • Better indication of files pending approval in Downloads.
     • The version number for themes now displays in the AdminCP list.

     Technical features:
     • If you are using the utf8 rather than utf8mb4 character set (which will mean you can't post Emoji), there is a new tool in the AdminCP to upgrade to utf8mb4.
     • System logs have been rewritten to use the database for logging where possible, with a more user-friendly interface in the AdminCP.
     • Downloading files from Amazon S3 has been changed to redirect the user to a temporary download URL rather than serve the file through your server, for significantly improved performance and reliability, especially with large files.
     • If it is available on the server, ImageMagick will now be used rather than GD by default. ImageMagick also has a new setting to control JPG quality.
     • APC User Cache is now supported in addition to APC.

     Warning: This release does not support PHP 5.4 as it is end of life and no longer supported by PHP. If you are running PHP 5.4, do not upgrade, and ask your web host to update to a supported version of PHP.

     Additional Information

     Important Fixes
     In addition to many smaller bug fixes and performance improvements, the following important fixes are included:
     • Uploading animated gifs was broken in some areas.
     • Support departments in Commerce could not be deleted.
     • Member groups could not be deleted.
     • The summary when submitting a calendar event may show the wrong time.
     • Double posts may occur on Windows servers.
     • Reports were not being sorted correctly.
     • PM search is now more reliable.
     • Profiles, and pages from the Pages app, were missing from the sitemap in the default configuration.
     • Using very high limits for the number of questions per poll may cause errors.
     • Setting up the REST API may fail.

     Information for 3rd party developers
     • There have been API changes to \IPS\Email. Contributors can view details here: https://invisionpower.com/forums/topic/429144-4112-changes-ipsemail/
     • There have been API changes to \IPS\Log. Contributors can view details here: https://invisionpower.com/forums/topic/429065-4112-changes-ipslog/
     • An earlier version of IPS Community Suite performed coding standard checks when in developer mode, throwing errors if code did not meet certain coding standards. This functionality has been restored. Note that these checks only run in developer mode.
     • CKEditor has been updated to 4.5.9.
     • FontAwesome has been updated to 4.6.0.
     • jQuery has been updated to 1.12.3.
     • CodeMirror has been updated to 5.14.2.
     • XRegExp has been updated to 3.1.0.
     • The REST API output for a member now has a "validating" element to indicate if the member is awaiting validation.
     • The code to update the impressions for advertisements has been moved from \IPS\Output::sendOutput() into a new method, \IPS\core\Advertisement::updateImpressions(), for easier hooking.
     • Queue tasks now have an optional method, postComplete(), which is run after the queue task has finished, for any final cleanup that needs to be performed.
     • The DEV_DEBUG_TEMPLATES constant has been renamed to DEBUG_TEMPLATES and now works when not in developer mode.
     • You can now add a postUpgrade.php file to any folder in the setup folder of an application to define a message which should display after upgrading through that version.

     Changes included: 4.1.9
     • When your link auto-embeds in a post, such as with an image, YouTube video, Twitter link, etc., an option will now display to revert the embed back to a plain text link if you do not want the embed.
     • New setting to disable embedding.
     • Facebook/Twitter integration improvements.
     • If you are an administrator and encounter a system error, additional debug output will now display. Regular members will see the normal error message.
     • Custom Fields for Support Requests in Commerce now show on the front-end.
     • If an advertisement is set up with a main image, but not smaller images for tablets/mobiles, the ad would not show at all on tablets/mobiles. This has changed so the main image will display on all devices unless smaller images are provided.
     • Topics scheduled to automatically lock or unlock will now reflect this in the topic listing and when viewing the topic.
     • Placing a link to a Facebook status will embed when possible.
     • When viewing a report, the container (for example, the forum) the content is from is displayed.
     • Three character searches are now allowed in the Admin CP Live Search.
     • The Account Settings page now uses vertical rather than horizontal tabs to prevent overflow.
     • If Gravatar is enabled, and a user has not defined a profile photo, then their email address will be used to fetch from Gravatar unless explicitly set not to.
     • Gfycat embeds now use their oEmbed endpoint rather than their JS API.
     • Using Amazon CloudFront as https provider will now be recognized as a valid secure connection.
     • The member REST API endpoint will now return custom fields.
     • The Developer Center for Plugins now shows the filename in the list of hooks, and when editing a hook, a breadcrumb includes a link back to the list.
     • Inline notifications can now be dismissed.
     • Efficiency improvements to the search index.
     • You can now close a poll independently of the topic.

     Important Fixes
     In addition to dozens of smaller fixes, this release includes fixes for the following items that impacted many clients:
     • Several security enhancements.
     • The posting parser has been made more efficient.
     • Some BBCode does not parse correctly in version 4 and we have applied some fixes for this. In general BBCode is deprecated, so we only provide basic support.
     • Sitemaps could sometimes be blank if there was no content in a specific section.
     • Certain URLs from version 3 were not redirecting properly to the new version 4 format.
     • The timezone detection is now more robust and will more gracefully fail if it cannot determine a visitor's timezone.
     • Permission matrices have been reworked to send less data to prevent exceeding server limitations.
     • Decimal handling has been reworked in Commerce for more precise calculations.
     • The database class now handles InnoDB deadlocks more gracefully, and some queries have been changed to reduce the likelihood of deadlocks.
     • Performance improvements to areas which perform large updates on the members table (for example, when editing permissions).
     • Pages 'number' custom fields previously had an upper limit for submitted values around 2 billion.
     • Multiple fixes for tag searching.

     Also included: 4.1.8.1
     This is a very small release to fix a few rather annoying issues from 4.1.8. Sorry about that.
     • Fixes an issue where incoming emails were not being received correctly.
     • Fixes an issue where guests could do a partial account registration, which could cause some confusion to the administrator when editing.
     • Fixes an issue where the AdminCP dashboard may incorrectly report tasks aren't running when they actually are.

     Also included: 4.1.8
     This is a maintenance release to fix reported issues.

     Also included: 4.1.7
     This is a maintenance release to fix reported issues. Please note that in this release we have updated the copyright data in many source files. This means that if you are upgrading through the Admin CP, the update will take slightly longer to download and extract than normal.
  12. There may be some corruption with the list of interfaces, as the -W switch should bring up that list. It doesn't look like it will affect anything, as long as you know which interface to choose.
  13. I'm not really sure, but you could try opening a CMD window and typing 'cmd.exe /c chcp 1252' (less the outside quotes). Let us know if this works...
  14. The above is normal. If you are getting a connection error, then it's most likely related to user authentication, or possibly the database is not running?
  15. Never seen that screen before. Did you follow the tutorial and ONLY install what the tutorial instructed? Did you install Winpcap? There are ONLY two things that need to be installed to use the -W switch: Snort and Winpcap. It must be a problem with one of those, but my best guess would be to remove Winpcap and install it again. There is a possibility Winpcap is not seeing any legitimate Network Interface Cards, or there are no Network Interface Cards installed?
  16. Go into the add and remove programs and make sure Microsoft Visual C++ 2012 is installed. Go back to the tutorial and complete the section labeled: Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console
  17. Winsnort.com only supports specific versions of Windows, which are posted in each tutorial. If a non-supported version is used, then there may be quirks. There is no way for Winsnort.com to verify this, but this error 500 could be related to other issues. DISM is available in Windows 10, as it is with Server 2016. Once the install is completed, it is recommended to close any holes and set up whatever it takes to secure the Windows Intrusion Detection System (WinIDS). If you want to write up a short tip on securing the Apache Webserver and Barnyard2, I think it could be of use to some users. If you do, and it's something a novice could do during the install, I could add it to the tutorials. I'm really trying to stay away from some of this advanced stuff because it does cause additional work, and problems.
  18. You may want to activate all the rules just to make sure everything is working correctly after installing Pulledpork. The policy switch in Pulledpork tells Snort which rules to activate, but in general you may not be seeing any events for some time. This procedure will activate ALL the rules. Make SURE at the end of the test that you revert back to the original policy setting, or you may end up with millions of events that could bog down the Windows Intrusion Detection System (WinIDS).

     To activate all the rules, bypassing the original policy setting:
     • Open a CMD window and type notepad2 d:\winids\pulledpork\etc\enablesid.conf, and tap the Enter key.
     • Scroll all the way to the bottom of the file and add pcre:. (be SURE to add the . at the end!)
     • Save the file and exit.
     • At the CMD prompt type perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT, and tap the Enter key.
       Note: The added switches (nP) instruct Pulledpork to process the local rules only, excluding the opensource.gz file, which takes 15-45 minutes to process depending on available resources. This process should take about two minutes.
     • The below is displayed in the terminal window after a successful update.

         Rule Stats...
         New:-------0
         Deleted:---0
         Enabled Rules:----27325
         Dropped Rules:----0
         Disabled Rules:---0
         Total Rules:------27325
         No IP Blacklist Changes
         Done
         Please review d:\winids\snort\log\sid_changes.log for additional details
         Fly Piggy Fly!

       Note: The verbose output above will display the Rule Stats, showing both the enabled rule count and the disabled rule count, which should be 0. Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.
     • At the CMD prompt type net stop snort & net start snort, and tap the Enter key.
       Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort.
     • At the CMD prompt type exit, and tap the Enter key.

     To revert back to the original policy setting:
     • Open a CMD window and type notepad2 d:\winids\pulledpork\etc\enablesid.conf, and tap the Enter key.
     • Scroll all the way to the bottom of the file and remove the pcre:. line.
     • Save the file and exit.
     • At the CMD prompt type perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT, and tap the Enter key.
     • The below is displayed in the terminal window after a successful update.

         Rule Stats...
         New:-------0
         Deleted:---0
         Enabled Rules:----9853
         Dropped Rules:----0
         Disabled Rules:---17472
         Total Rules:------27325
         No IP Blacklist Changes
         Done
         Please review d:\winids\snort\log\sid_changes.log for additional details
         Fly Piggy Fly!

       Note: The verbose output above will display the Rule Stats, showing both the enabled rule count and the disabled rule count. Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.
     • At the CMD prompt type net stop snort & net start snort, and tap the Enter key.
       Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort.
     • At the CMD prompt type exit, and tap the Enter key.
  19. The ips_policy switch has three settings:
     • balanced
     • connectivity
     • security
     The default ips_policy switch is set to security. If at any time you want to change the ips_policy switch in the pulledpork.conf, it will require an additional two switches added to the end of the run line, and the new run line must be run:

         perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT

     The above run line will only process the local rules for the new policy change on the fly, without processing the signatures! This run line will not update the rules from the rules repository. It will only update the policy selection from the existing set of rules! The rules should be checked for errors after the update for validation, and the WinIDS must be restarted.
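The two posts above (enabling all rules with a pcre:. line and reverting to the ips_policy selection) both end with reading Pulledpork's Rule Stats block by eye. The following Python helper is an added example, not code from the WinIDS tutorial or from Pulledpork: it toggles the catch-all line in enablesid.conf text and checks a run's output against the counts each step should produce. It assumes enablesid.conf accepts a bare pcre:. line exactly as the post describes, and that the Rule Stats block looks like the quoted output.

```python
"""Helpers for the Pulledpork 'enable all rules' test and its revert (added example,
not code from the WinIDS tutorial or Pulledpork). Assumes enablesid.conf takes a bare
'pcre:.' line as the post describes and that Rule Stats output looks like the quote."""
import re

ENABLE_ALL_LINE = "pcre:."  # a regex matching every rule, so every rule gets enabled

def set_enable_all(conf_text: str, enable: bool) -> str:
    """Append (enable=True) or remove (enable=False) the catch-all line; idempotent."""
    lines = [ln for ln in conf_text.splitlines() if ln.strip() != ENABLE_ALL_LINE]
    if enable:
        lines.append(ENABLE_ALL_LINE)
    return "\n".join(lines) + "\n"

# One 'Label:----1234' line of the Rule Stats block; the dashes only pad the label.
_STAT_RE = re.compile(r"^\s*(New|Deleted|Enabled Rules|Dropped Rules|Disabled Rules|Total Rules):-*(\d+)", re.M)

def parse_rule_stats(output: str) -> dict:
    """Parse the Rule Stats block into ints, plus 'finished' = closing banner seen."""
    stats = {key: int(val) for key, val in _STAT_RE.findall(output)}
    stats["finished"] = "Fly Piggy Fly!" in output
    return stats

def check_run(output: str, expect_all_enabled: bool) -> list:
    """Return problems found in a Pulledpork run (empty list means it looks right).
    expect_all_enabled=True for the test run with pcre:. present, False after the revert."""
    s = parse_rule_stats(output)
    problems = []
    if not s["finished"]:
        problems.append("run did not reach 'Fly Piggy Fly!'")
    problems += [f"missing {k}" for k in ("Enabled Rules", "Disabled Rules", "Total Rules") if k not in s]
    if problems:
        return problems  # counts are unreliable if the run was cut short
    if s["Enabled Rules"] + s["Disabled Rules"] != s["Total Rules"]:
        problems.append("enabled + disabled != total")
    if expect_all_enabled and s["Disabled Rules"] != 0:
        problems.append(f"{s['Disabled Rules']} rules still disabled; pcre:. not applied?")
    if not expect_all_enabled and s["Disabled Rules"] == 0:
        problems.append("no rules disabled; pcre:. still present in enablesid.conf?")
    return problems

# Constructed sample using the counts quoted in the post above.
ALL_ENABLED_OUTPUT = """Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----27325
Dropped Rules:----0
Disabled Rules:---0
Total Rules:------27325
No IP Blacklist Changes
Done
Fly Piggy Fly!
"""
```

Feed it the real enablesid.conf contents and the captured console output of the pulledpork.pl run; an empty list from check_run means the step completed and the enabled/disabled split matches the step you just performed.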
  20. 1) I was waiting for Sourcefire to update the rule package to 2980 before releasing the updated tutorials. Not sure what is going on, but there seem to be some disagreements between the two divisions that are causing a delay. However, the updated tutorials are now online to fix this. I'm not sure why they pulled 2.9.7.6 from the repository. 2) I just checked on a new install a few days ago and the paths for Perl were added. 3) You might want to place an exclusion into McAfee for the signatures folder. That's a strange one...
  21. Yea, that happens sometimes. Cutting and pasting works really well, but being very careful is a must...
  22. Look at line 45 in the snort.conf file. Match line with the tutorial and that should get you to the fix. If problems still exist attach the snort.conf file.
  23. The winids.rules file is associated with Pulledpork.