Morpheus

Administrators
  • Content count

    542
  • Joined

  • Last visited

About Morpheus

  • Rank
    Administrator

Profile Information

  • Country
    United States

Recent Profile Visitors

18,503 profile views
  1. Windows Intrusion Detection System - Companion Add-On Tutorial Logging Events to a Remote Syslog Server Written by: Michael E. Steele Get Support! Introduction This tutorial is a simple to understand, step-by-step tutorial for logging events from a Windows Intrusion Detection System (WinIDS) to a remote Windows or UNIX Syslog Server. Copyright Notice This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements. Support Questions and Help All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides! By request, there is a premium fee service available for one on one support. If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial! How to use this guide This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly! The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder. The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly! An existing Windows Intrusion Detection System (WinIDS) using one of the tutorials, either a stand alone Windows Intrusion Detection System (WinIDS), or a remote Windows Intrusion Detection System (WinIDS). It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail. It is also important when asked to 'Close a CMD window' it is done, or the install will fail. Note: The user installing this tutorial MUST be a member of the Administrators group. Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail. Instructions on starting a command prompt as an Administrator In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER. Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial Assumptions being made prior to starting tutorial An existing Windows Intrusion Detection System (WinIDS) has been installed. A Windows or UNIX Syslog Server has been installed on the remote PC. The IP address is known of the remote PC where the Syslog Server has been installed. The Syslog listening port is known on the remote Syslog Server (suggest 514). The status of listening port for the remote Syslog Server MUST be open for connections. Testing for an open listening port on the remote Syslog Server From the Windows Intrusion Detection System (WinIDS) go to the 'You Get Signal' website. Replace the local IP address with the IP Address of the remote Syslog Server in the 'Remote Address' dialog box. In the 'Port Number' dialog box type the listening port number of the remote Syslog Server, and left-click 'Check'. *** If the above response is closed then do not proceed until the status is open. *** Configuring the Windows Intrusion Detection System (WinIDS) for Remote Syslog logging Configuring Snort to include Syslog logging Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap 'Enter' key. Use the Find in Notepad2 to locate and change the variables below. Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT Change to: output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP Address of the remote Syslog server, and the PORT above reflects the listening port of the remote Syslog Server. Now save the file and eXit Notepad2. Testing the Snort configuration file At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards. Index Physical Address IP Address ----- ---------------- ---------- 1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf In the above list, the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS). At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above. This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good. Snort successfully validated the configuration! Snort exiting Do not proceed until 'Snort successfully validated the configuration!' Configuring the Snort service run line for the Syslog Server logging At the CMD prompt type 'net stop snort' (less the outside quotes), and tap 'Enter' key. At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap 'Enter' key. At the CMD prompt type 'snort /SERVICE /SHOW' (less the outside quotes), and tap 'Enter' key. The output display will be the full run line that Snort uses in the startup, and might look like the below: Snort is currently configured to run as a Windows service using the following command-line parameters: -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 At the CMD prompt type 'snort /SERVICE /UNINSTALL' (less the outside quotes), and tap 'Enter' key. The following as a confirmation that the Snort service was successfully removed from the services database. [SNORT_SERVICE] Attempting to uninstall the Snort service. [SNORT_SERVICE] Successfully removed registry keys from: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\ [SNORT_SERVICE] Successfully removed the Snort service from the Services database. The new Snort auto start configuration line needs to be added that contains the switch to turn on the option to log all events to the Syslog Server. The Snort run line that should be entered in below should be exactly what was displayed when the snort /SERVICE /SHOW command was ran previously, except adding ' -s' (less the outside quotes) to the end. At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (less the outside quotes), and tap the 'Enter' key. The following as a confirmation that the Snort service was successfully added to the services database. [SNORT_SERVICE] Attempting to install the Snort service. [SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE [SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\ [SNORT_SERVICE] Successfully added the Snort service to the Services database. At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key. The following as a confirmation that the Snort auto start service has been successfully activated. [SC] ChangeServiceConfig SUCCESS At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key. In Conclusion At this point, it could take several minutes before seeing events arriving in the remote Syslog Server. Optional Companion Documents Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to Install PHP graphing capabilities in offline mode for the Windows Intrusion Detection Systems security console. This tutorial will show how to Install PHP graphing capabilities in offline mode for the Windows Intrusion Detection Systems security console. How to update the Master Sensor rules, signatures, and sig-msg.map using PulledPork This tutorial will show how to update the Master Sensor rules, signatures, and the sig-msg.map file using PulledPork on an existing Windows Intrusion Detection System (WinIDS). How to update the Slave sensor rules using PulledPork This tutorial will show how to update the Slave Sensor rules using PulledPork on an existing Windows Intrusion Detection System (WinIDS). How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS) This tutorial will show how to send user defined priority events sent to a Windows Application Log file being eMailed to user defined eMail accounts, on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a local Syslog Server. This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server. This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to compile Barnyard2 on Windows using Cygwin for PostgreSQL database support This tutorial is a simple to understand, step-by-step tutorial for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator) for PostgreSQL database support. How to build and deploy a passive Ethernet tap This tutorial will show how to build and deploy a passive Ethernet tap. Updating the Windows Intrusion Detection Systems (WinIDS) Major components How to update the Snort Intrusion Detection Engine This tutorial will show How to update the Windows Intrusion Detection Systems Snort Intrusion Detection Engine. How to update the Rules, Signatures, and sig-msg.map file This tutorial will show how to update the Windows Intrusion Detection Systems rules, signatures, and the 'sig-msg.map' file. How to update the PHP General-Purpose Scripting Language This tutorial will show how to update the Windows Intrusion Detection Systems PHP General-Purpose Scripting Language. Debugging Installation errors Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log. General problems For general issues that pertain to this tutorial, left-click the support button at the top of this tutorial, or manually navigate to the correct support forum. Michael E. Steele | Microsoft Certified System Engineer (MCSE) Email Support: support@winsnort.com Snort: Open Source Network IDS - www.snort.org
  2. I have updated the tutorial on installing a local Syslog Server. IT was a major revision and has been tested.
  3. On the PC with VSS go to this URL. The IP address will be displayed and populated in the Remote Address dialog box. Just add port 514 to Port Number dialog box, and left-click 'Check'. This will check to make sure the VSS port is open. If the port is not open then you will need adjust the firewall to allow TCP/UDP traffic for port 514
  4. There is already one in the Companion Add-On section.. You might want to try a real free syslog server.
  5. Looks like there was a problem with the modder file adding winids to the hosts file. add to hosts file: 127.0.0.1 winids
  6. There was an issue with the repository being hacked and was taken down. The tutorials were changed in order to internally control that process.
  7. I just verified both 32/64 packs and the graphing is there. Follow the tutorial.
  8. Go back to the section titled below to get the solution: Testing the Windows Intrusion Detection System (WinIDS) for network traffic
  9. The user has apparently fixed the issue without posting the root cause of the issue.
  10. Make sure you have ran the modder.vbs file as Administrator and allowed it to reboot on its own. Make sure the test.php file has been copied to the d:\winids\apache24\htdocs\base folder. Make sure you can ping winids: Make sure all the required Microsoft Visual C++ packages have been installed: If all the above is correct then please attach the php.ini file and the httpd.conf file.
  11. A little more information: Are you running Snort from the command window? Is this a new install or are you updating an existing install? Please post a full screen shot of the error.
  12. Been doing these tutorials and have installed 1000+ IDS's in the last 15 years and not once have I had to add an extension. It sounds like you have a corrupted .EXE association.This issue can occur if a virus or other 3rd party application has changed or corrupted some default registry settings. These types of quirks seem to pop up when the installer fails to install the Windows Intrusion Detection System on a fresh install of Windows.
  13. There is something odd about your Windows environment requiring the extensions?
  14. You need to change line 900 in the php.ini Change from: ;extension=php_mysql.dll Change to: extension=php_mysql.dll Your PHP in IIS is not configured correctly. Stop the IIS server, copy the file in the attached zip to the C:\Windows\System32\inetsrv\config folder, and restart the IIS server. applicationHost.zip