Morpheus

Administrators
Everything posted by Morpheus

  1. Ok, is it only collecting events using the test rules, or is it actually collecting events based on the active rules?
  2. Not real sure about some of your configurations. It appears you are using an outdated snort.conf file. You will need to retrieve a stock snort.conf and configure it. Do not activate the SO rules as they are not compatible with Windows. Delete all the files in snort/logs prior to restarting.
  3. I'm asking this in the snort-users list. I'm also seeing this when I run snort -v -i1 and I don't remember ever seeing this. Warnings are usually only informational. That warning is completely useless because it's wanting to load the preprocessors, and that requires using the -c switch, which has never been required when using the -v switch for viewing packets. Let's see what they come back with... This most likely has nothing to do with no events being captured.
  4. Looks like a user authentication problem. Try logging into the database manually using user snort. That is the authentication Barnyard2 uses. If that fails, then drop the user snort and create it again.
  5. Looks like there was an error configuring the database. You could uninstall it and configure it again?
  6. Try reversing the slashes:

      Change from: \i d:\winids\barnyard2\schemas\create_postgresql;
      Change to:   \i d:/winids/barnyard2/schemas/create_postgresql;

      Let me know if that works... Can you also try removing the ; at the end to see if it works?
  7. Sounds great. Let us know how it works out, and we can fix up a tutorial.
  8. You need to configure line number 190: snort_version=x.x.x.x
  9. Attach your pulledpork.conf file.
  10. You need to post a screen shot of the complete error. Did you run the modder.vbs file? Did you install the version of Strawberry perl per the tutorial? Did you install to the d:\ drive?
  11. It's not an error, it's a warning because it's not supported in Windows. Too bad, because it would make updating the rules so much easier. There may be a way to do this with a Windows equivalent, or possibly Cygwin, but I've not looked directly into that. There will be a bunch of warnings showing up; they are purely informational, and never a show stopper.
  12. Where exactly in the tutorial is it failing?
  13. Was this happening before or after installing PulledPork? Attach the snort.conf, pulledpork.conf, and barnyard.conf
  14. It appears all that is needed is to add each of the rules file into the enablesid.conf file? If I remember right there is a global way to do this without having to add a list of rules? Thanks...
  15. Ok, thanks. I have added both protocols to the modder.vbs file; they will activate on the first reboot.

      igmp    2     IGMP    # Internet Group Management Protocol
      sctp    132   SCTP    # Stream Control Transmission Protocol

      Can you post your enablesid.conf that enables all the rules?
  16. It's been here for a very long time and just works for basic purposes. I think Windows will now actually allow email notifications as part of its core functions for triggered events. You might try looking at this; I'm sure there are a few ways to do this. Search for sending email alerts on Windows events. The above should do the trick, or possibly something similar. Let me know if this helps, and it could be a good alternative to the existing way it's documented.
  17. I'm not real sure about these items as I haven't used PP in a very long time. I usually pull it up when something goes wrong to fix it.

      1) You are saying that running the test for Snort 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' produces this error: I ran the test (d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T) and am not seeing this error?

      You said there is something missing in the 'C:\Windows\System32\drivers\etc\protocol' file. Here is the file:

      # Copyright (c) 1993-2006 Microsoft Corp.
      #
      # This file contains the Internet protocols as defined by various
      # RFCs. See http://www.iana.org/assignments/protocol-numbers
      #
      # Format:
      #
      # <protocol name>  <assigned number>  [aliases...]  [#<comment>]

      ip          0    IP          # Internet protocol
      icmp        1    ICMP        # Internet control message protocol
      ggp         3    GGP         # Gateway-gateway protocol
      tcp         6    TCP         # Transmission control protocol
      egp         8    EGP         # Exterior gateway protocol
      pup         12   PUP         # PARC universal packet protocol
      udp         17   UDP         # User datagram protocol
      hmp         20   HMP         # Host monitoring protocol
      xns-idp     22   XNS-IDP     # Xerox NS IDP
      rdp         27   RDP         # "reliable datagram" protocol
      ipv6        41   IPv6        # Internet protocol IPv6
      ipv6-route  43   IPv6-Route  # Routing header for IPv6
      ipv6-frag   44   IPv6-Frag   # Fragment header for IPv6
      esp         50   ESP         # Encapsulating security payload
      ah          51   AH          # Authentication header
      ipv6-icmp   58   IPv6-ICMP   # ICMP for IPv6
      ipv6-nonxt  59   IPv6-NoNxt  # No next header for IPv6
      ipv6-opts   60   IPv6-Opts   # Destination options for IPv6
      rvd         66   RVD         # MIT remote virtual disk

      What exactly needs to be added?

      igmp        2    IGMP        # Internet Group Management Protocol

      Is this something that should be included? I can automatically search the 'C:\Windows\System32\drivers\etc\protocol' file when the modder.vbs runs, and add the setting if it's missing.

      As a note: PP is an extremely powerful rule management tool, and it's been my experience that asking questions in the snort-users group will get answers faster than in the pulledpork-users group.
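The check described in the post above (look in the Windows protocol file for the igmp and sctp entries and add them only if they are missing), as an added example. This is not code from the WinIDS tutorial or from modder.vbs; it is a stand-alone Python script that matches on the assigned protocol number so an entry already present under another name or alias is not duplicated, and it is idempotent. The sample file contents are constructed from the excerpt quoted in the post, and the on-disk path is only a default argument.

```python
from pathlib import Path

# The two entries discussed in the thread, in the file's own field order:
# <protocol name> <assigned number> [aliases...] [#<comment>]
REQUIRED_PROTOCOLS = (
    ("igmp", 2, "IGMP", "Internet Group Management Protocol"),
    ("sctp", 132, "SCTP", "Stream Control Transmission Protocol"),
)

# Constructed sample: the start of the stock file as quoted in the post,
# with igmp and sctp missing.
SAMPLE_PROTOCOL_FILE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# Format:
#
# <protocol name>  <assigned number>  [aliases...]   [#<comment>]

ip          0   IP       # Internet protocol
icmp        1   ICMP     # Internet control message protocol
ggp         3   GGP      # Gateway-gateway protocol
tcp         6   TCP      # Transmission control protocol
udp         17  UDP      # User datagram protocol
ipv6        41  IPv6     # Internet protocol IPv6
esp         50  ESP      # Encapsulating security payload
ah          51  AH       # Authentication header
"""


def parse_protocol_file(text):
    """Return {assigned_number: (name, aliases)} for every non-comment entry.

    Comments are stripped before splitting, so a number that only appears
    inside a comment is not mistaken for an entry.
    """
    entries = {}
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # malformed line: skip it rather than guess
        entries[int(fields[1])] = (fields[0].lower(), [a.upper() for a in fields[2:]])
    return entries


def missing_protocols(text, required=REQUIRED_PROTOCOLS):
    """Required entries whose assigned number is not present in the file."""
    present = parse_protocol_file(text)
    return [p for p in required if p[1] not in present]


def add_missing_protocols(text, required=REQUIRED_PROTOCOLS):
    """Return the file text with any missing entries appended; unchanged otherwise."""
    missing = missing_protocols(text, required)
    if not missing:
        return text
    out = text if text.endswith("\n") else text + "\n"
    for name, number, alias, comment in missing:
        out += f"{name:<12}{number:<4}{alias:<9}# {comment}\n"
    return out


def update_protocol_file(path=r"C:\Windows\System32\drivers\etc\protocol"):
    """Apply the fix in place and report whether the file changed.

    The file lives under System32, so this needs an elevated prompt,
    exactly as running modder.vbs does.
    """
    p = Path(path)
    original = p.read_text()
    updated = add_missing_protocols(original)
    if updated != original:
        p.write_text(updated)
    return updated != original


if __name__ == "__main__":
    changed = update_protocol_file()
    print("protocol file updated" if changed else "protocol file already complete")
```

Run it from an administrator command window; a second run reports the file as already complete because the check is keyed on the protocol number, not on the exact text of the line.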
  18. Can you go to the Snort users list and ask, I'm not sure why it's not logging. They may be getting to the database, but possibly not showing in the security console? Let us know if you get it figured out. Working on Pulledpork right now, there is a problem and I'm trying to get it to complete ;(
  19. Not sure as it looks like the hosts file was corrupted prior to the modder.vbs inserting its line. Looks like a localized incident but will note it, and see if it appears again. Thanks...
  20. Not sure about the hosts without a screen shot. Fixed the space in the other issue. Thanks...
  21. Make SURE you have installed all the updates from the Windows update server, and make sure you are executing the modder.vbs from a command window that has administrator privileges. If the above is true, then open the modder.vbs file and change line 12 to:

      getVersionNumber = 6.1
  22. Open a CMD window and type:

      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion

      Note: you should get something like the below. In this case the "CurrentVersion" number is 6.9. You should be seeing a different "CurrentVersion" because of the warning message received.

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
          CurrentVersion    REG_SZ    6.9

      Open the 'modder.vbs' file with a text editor. Go to line 16 and add the new "CurrentVersion" number, and save the file. Example below is based on the "CurrentVersion" of 6.9 above:

      Case 6.0, 6.1, 6.2, 6.3, 6.9:
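The procedure in post 22, as an added example rather than code from the tutorial or from modder.vbs: read CurrentVersion from the output of reg query, check whether it appears on the script's numeric Case line, and append it if not. The Case line shape is the one quoted in the post; the sample reg query output and the VBScript fragment are constructed, and the "6.9" value is the illustrative one the post uses, not a real Windows version. The script does not assume the Case line is on line 16; it finds the first numeric Case line.

```python
import re
import subprocess

REG_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Constructed sample of the reg query output quoted in the post.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
    CurrentVersion    REG_SZ    6.9

"""

# Constructed fragment of a modder.vbs Select Case block in the shape the post describes.
SAMPLE_VBS = """\
Select Case getVersionNumber
    Case 6.0, 6.1, 6.2, 6.3:
        WScript.Echo "supported"
    Case Else
        WScript.Echo "WARNING: unsupported Windows version"
End Select
"""

VERSION_RE = re.compile(r"^\s*CurrentVersion\s+REG_SZ\s+(\d+\.\d+)\s*$", re.MULTILINE)
# A numeric Case line: optional indent, "Case", comma-separated x.y literals, optional ":".
# "Select Case ..." and "Case Else" do not match.
CASE_RE = re.compile(
    r"^(?P<lead>\s*Case\s+)"
    r"(?P<vals>\d+\.\d+(?:\s*,\s*\d+\.\d+)*)"
    r"(?P<tail>\s*:?.*)$"
)


def parse_current_version(reg_output):
    """Extract the REG_SZ value from 'reg query ... /v CurrentVersion' output."""
    m = VERSION_RE.search(reg_output)
    if not m:
        raise ValueError("no CurrentVersion REG_SZ value in reg query output")
    return m.group(1)


def query_current_version():
    """Run reg.exe on this host (Windows only; not used by the offline checks)."""
    out = subprocess.run(["reg", "query", REG_KEY, "/v", "CurrentVersion"],
                         capture_output=True, text=True, check=True).stdout
    return parse_current_version(out)


def case_versions(line):
    """Versions listed on a numeric Case line, or None if the line is not one."""
    m = CASE_RE.match(line)
    return [v.strip() for v in m.group("vals").split(",")] if m else None


def version_supported(vbs_text, version):
    """True if the first numeric Case line in the script already lists version."""
    for line in vbs_text.splitlines():
        vs = case_versions(line)
        if vs is not None:
            return version in vs
    return False


def add_version_to_case(line, version):
    """Return the Case line with version appended; unchanged if already listed."""
    if not re.fullmatch(r"\d+\.\d+", version):
        raise ValueError("unexpected CurrentVersion format: %r" % version)
    m = CASE_RE.match(line)
    if not m:
        raise ValueError("not a numeric Case line: %r" % line)
    versions = [v.strip() for v in m.group("vals").split(",")]
    if version in versions:
        return line
    return m.group("lead") + ", ".join(versions + [version]) + m.group("tail")


def patch_modder(vbs_text, version):
    """Rewrite the first numeric Case line; returns (new_text, changed)."""
    lines = vbs_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        if CASE_RE.match(body):
            new_body = add_version_to_case(body, version)
            lines[i] = new_body + line[len(body):]  # keep the original line ending
            return "".join(lines), new_body != body
    raise ValueError("no numeric Case line found in modder.vbs")


if __name__ == "__main__":
    current = query_current_version()
    with open(r"d:\winids\modder.vbs", encoding="ascii", errors="replace") as f:
        script = f.read()  # path assumed; adjust to where the tutorial put modder.vbs
    print("CurrentVersion:", current, "| listed in modder.vbs:", version_supported(script, current))
```

The edit is applied to a copy in memory; writing it back is left to the reader, since the post asks for the change to be made by hand in a text editor. Matching on the exact x.y literal means a value such as 6.10 is not treated as a duplicate of 6.1.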