Reputation Activity
-
dhernandez000 liked a post in a topic by Morpheus in ERROR: Portscan log file 'log/\portscan.log' could not be opened: No such file or directory
If Snort is set up correctly, queries to the log folder default to the snort folder.
-
FDids liked a post in a topic by Morpheus in Barnyard2 test doesn't show snort exiting
No you don't need to do anything. What you are seeing is correct. I made an error in the tutorial and have since corrected it. Check out the tutorial, and it should match your install.
-
fahmiff liked a post in a topic by Morpheus in Error Alert could not be found in acid_event.
What is the process you used and I'll check it on another build.
Did you just add the below to your local.rules file?
alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
Did you use something to generate the alert?
-
fahmiff liked a post in a topic by Morpheus in winids's server IP address can not be found when starting security console
Looks like there was a problem with the modder file adding winids to the hosts file.
add to hosts file: 127.0.0.1 winids
-
fahmiff liked a post in a topic by Morpheus in Cannot Configuring Graphing for WinIDS security console
There was an issue with the repository being hacked, and it was taken down. The tutorials were changed in order to internally control that process.
-
fahmiff liked a post in a topic by Morpheus in 500 Internal Server Error when trying to open ''test.php''
The user has apparently fixed the issue without posting the root cause of the issue.
-
fahmiff liked a post in a topic by Morpheus in What is switch x for Adding Snort to Windows Servis Database
Go back to the section titled below to get the solution:
Testing the Windows Intrusion Detection System (WinIDS) for network traffic
-
fahmiff liked a post in a topic by Morpheus in 500 Internal Server Error when trying to open ''test.php''
Make sure you have run the modder.vbs file as Administrator and allowed it to reboot on its own.
Make sure the test.php file has been copied to the d:\winids\apache24\htdocs\base folder.
Make sure you can ping winids.
Make sure all the required Microsoft Visual C++ packages have been installed.
If all the above is correct then please attach the php.ini file and the httpd.conf file.
-
examiner2 liked a post in a topic by Morpheus in How to pick the correct tutorial...
The Windows Intrusion Detection Systems (WinIDS) tutorials are accessed by using the 'Tutorials' link in the main menu bar.
The Windows Intrusion Detection System (WinIDS) is officially supported on the following operating systems in 64-bit architecture only!
Windows x64 7 Professional
Windows x64 10 Professional
Windows x64 11 Professional
Windows x64 Server 2008 R2 Standard Edition
Windows x64 Server 2012 R2 Standard Edition
Windows x64 Server 2016 Standard Edition
Windows x64 Server 2019 Standard Edition
Windows x64 Server 2022 Standard Edition
Note: The Windows Intrusion Detection System (WinIDS) may not have any issues being installed on any variant of the Windows operating systems listed above, including Datacenter. However, Winsnort.com has only verified that the Windows Intrusion Detection System works on the Windows versions listed above, and those are the only ones supported in the forums.
Winsnort.com has six specific tutorials for installing a Windows Intrusion Detection System (WinIDS) using a Microsoft Windows operating system.
There are four full blown tutorials for installing a Master (stand-alone) Windows Intrusion Detection Systems (WinIDS), and there are two tutorials dealing with installing slave sensors.
If you are going to be installing a full-blown Windows Intrusion Detection System (WinIDS) then there are only a couple of major decisions to make.
Decision 1: Which of the two supported Web Servers to use:
The Microsoft Internet Information Server (IIS)
The Apache2 Web Server
Decision 2: Which of the two supported Database Servers to use:
The MySQL Database Server
The PostgreSQL Database Server
If you are going to be installing a slave sensor, then there is only one major decision to make.
Decision 1: Which of the two supported Remote Database Servers the slave will be sending events to:
The MySQL Database Server
The PostgreSQL Database Server
Note: There are a multitude of additional support programs that will be installed across all installations.
Picking the correct tutorial always starts with one of the supported Operating Systems being installed, and it's always best to start with a fresh install. Then it comes down to which Web Server and which Database Server to use. The tutorials are written so the installation can be any possible configuration of operating system, Web Server, or Database Server. It's completely the installer's preference.
Support Forums: Each tutorial has its own specific support forum. It is important to request support in the correct forum that matches the tutorial. For the installer's convenience there is a 'Get Support' button at the top of each tutorial that will open the correct support forum for that particular tutorial. It is important to use the correct support forum until the tutorial has been completed and events are being shuttled to the Windows Intrusion Detection System (WinIDS) security console. Once the Windows Intrusion Detection System has been verified to be working, questions should be asked in the Client forum.
If there are any questions, reply to this topic for an answer. This topic will be followed by the moderator and/or administrator. Questions should be answered in a reasonable amount of time. However, it could take up to 24 hours for a response. Winsnort.com has a great community, and they may jump in and help for a quicker response.
Good luck, and happy WinSnorting...
-
kit liked a post in a topic by Morpheus in How to run the The Windows Intrusion Detection System
The above looks normal. If you open the command window in the task bar it should say waiting for data. If you see packets being displayed in the command window then there is a problem. Those packets should be registering in the security console.
If you are not seeing any packets in the command window then there is nothing triggering events. There could be several reasons why: not on the same subnet, or plugged into a switch, and switches must have port mirroring set to the security console's IP.
-
kit liked a post in a topic by Morpheus in Error:cannot read configuration file
Looks like you ran into a problem installing and moving the IIS server. I'm not sure how this can be fixed as I've never seen the error. You might try reinstalling from scratch and make SURE the command window is in Admin mode before running the move script.
-
thang_dl liked a post in a topic by Morpheus in Failed to install completly Winsnort and Base
I found a few quirks but nothing major. Swap the files in the attached .zip with your existing files.
winIDS.zip
-
dominic.fernandes@gmail.co liked a post in a topic by Morpheus in MSVCR110.dll missing during apache2 config
Not sure but it's not getting the MSV C++ installed correctly
Did you run the modder.vbs file?
Is this a fresh install of the operating system?
Have you tried installing the MS Visual C ++ redistributable as 'Run as Administrator'?
-
dominic.fernandes@gmail.co liked a post in a topic by Morpheus in DAQ ERROR on win7 32 bit ent
I just noticed:
Change this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log –i1 -T
To this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T
-
dominic.fernandes@gmail.co liked a post in a topic by Morpheus in notepad2 and opensource.gz
1) Wonder what else didn't happen when the modder.vbs file ran?
2) Sourcefire has updated their snort.org site in the past few days and there have been issues with the rules and opensource files?
3) I'm not sure as that has never happened here. This is most likely an issue related to item 1.
I'll look into item 2 and adjust to the new name.
Update: Several of the file names were changed on the snort.org site, and all the tutorials now reflect those changes.
