
Installing an IIS Web Server logging events to a PostgreSQL Database


How to Install a Windows Intrusion Detection System (WinIDS)


Running IIS, and logging events to a local PostgreSQL Database

Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE

Written by: Michael E. Steele



Introduction

During my research and development I've found a lot of tutorials and blogs describing the installation process for the UNIX environment, yet none of them specifically detailed setting this up in a Windows environment. I've been working on and updating these tutorials for the past 12 plus years, and have managed to get through the complete process in the Windows environment.

These tutorials give all the basic instructions on how to create a complete and functioning stand-alone Windows Intrusion Detection System (WinIDS). This is all made possible by simply wrapping Snort, a very powerful intrusion detection engine, in a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

These tutorials cover the basics of what is needed, and are the starting point for installing any functioning Windows Intrusion Detection System (WinIDS). Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, where general help is available for problems during the initial tutorial set-up.

If there are any doubts about which tutorial should be used, there is a posted topic HERE that provides the basics so an informed decision can be made about which combination of software packages is best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one-on-one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment

  • Microsoft's Windows operating systems are used exclusively for these tutorials.
It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.
  • Windows 7 Professional
  • Windows 8.x Professional
  • Windows 10 Professional
  • Windows Server 2008 R2 Standard Edition
  • Windows Server 2012 R2 Standard Edition
  • Windows Server 2016 Standard Edition
  • Windows Server 2019 Standard Edition
All the operating systems listed above have been tested using both the 32bit and 64bit architecture for this tutorial. However, any other Windows operating system built on the same framework will most likely work.

Major support programs used in this install

  • Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
  • Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) networks data streams.
  • Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a PostgreSQL database.
  • Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork.
  • PostgreSQL-driven database stores processed events from Barnyard2 for analysis.
  • Microsoft's Internet Information Services will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
  • BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

History of Internet Information Services (IIS)

  • IIS 7.5 - included with Windows 7, and Server 2008
  • IIS 8.0 - included with Windows 8
  • IIS 8.5 - included with Windows 8.1, and Server 2012
  • IIS 10.0 - included with Windows 10, Server 2016, and Server 2019

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

  • A fresh install of any 32/64bit version of Windows listed above will do.
  • All available Service Packs and updates MUST be applied from the Microsoft Download Center.
  • For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB.
  • Installed memory should be no less than 4GB (more is always better).
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.



Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial


Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Depending on the processor's architecture, download the appropriate support file below!
32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location.

Open File Explorer and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location.

Open File Explorer and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

Downloading additional, and required support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.
npcap-0.996: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.
Snort 2_9_14_1: Download and save the file to the d:\temp folder.

The next download requires the installer to be a registered user on the snort.org website, and logged in.

Navigate to the snort.org website and either log in or create a new account. While still logged into the snort.org website, return to the Windows Intrusion Detection Systems (WinIDS) tutorial and initiate the next download.

Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or log in. While still logged into the snort.org website, return to the Windows Intrusion Detection Systems (WinIDS) tutorial and initiate the next download.
snortrules-snapshot-29141: Download and save the file to the d:\temp folder.

Rule Documentation (opensource.gz): Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating Systems Hardware Architecture

There are several additional files listed under two groups below. Download only, and all of, the files listed under the processor architecture group matching the machine the Windows Intrusion Detection System (WinIDS) will be installed on.
32bit Windows All: Required additional downloads for the 32bit architecture install!

Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

PostgreSQL Database 10.10-1: Download and save the file to the d:\temp folder.

PHP 5.6.40 NTS (VC11): Download and save the file to the d:\temp folder.


64bit Windows All: Required additional downloads for the 64bit architecture install!

Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

PostgreSQL Database 10.10-1: Download and save the file to the d:\temp folder.

PHP 5.6.40 NTS (VC11): Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important that when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.

It is also important that when asked to 'Close a CMD window' it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
Windows 8.x / 10 / 2012 R2 SE / 2016 SE / 2019 SE: The original Windows install media (DVD/USB/ISO) is now required to be inserted or mounted.

Windows 8.x / 10 / 2012 R2 SE / 2016 SE / 2019 SE: Open a CMD window with Administrator privileges and type 'dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs' (less the outside quotes), and tap the 'Enter' key.

The correct source drive letter where the Windows install media is located must be inserted into the 'x' position above.

The following is a confirmation that the '.NET Framework 3.5 Features' were installed successfully.
Deployment Image Servicing and Management tool
Version: (redacted)
Image Version: (redacted)
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
Do not proceed until 'The operation completed successfully.', and the original Windows install media has been removed, or unmounted.
Windows All: Open a CMD window with Administrator privileges if one is not opened and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key.

Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.
The modder.vbs file performs several tasks:
  • Installs Microsoft Visual C++ 2012/2013/2017
  • Installs 'Notepad2' to Windows\System32
  • Installs 'unzip' to Windows\System32
  • Installs 'tartool' to Windows\System32
  • Installs the DejaVuSans font for BASE graphing
  • Inserts 'winids' hostname into hosts file
  • Inserts 'IGMP and SCTP' into the protocol file for Snort rules
  • Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
  • Sets 'Show File Extensions' as on in registry
  • Reboots system
After the reboot it is strongly advised that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this tutorial.


Installing the Windows Intrusion Detection System (WinIDS)


Installing Npcap

At the CMD prompt type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key.

The 'License Agreement' window opens, left-click 'I Agree'.

The 'Installation Options' window opens, uncheck everything, and then check 'Install Npcap in WinPcap API-compatible Mode', left-click 'Install'.

The 'Installing' window opens, allow the install to complete.

The 'Installation Complete' window opens, left-click 'Next'.

The 'Finished' window opens, left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_14_1_Installer.exe' (less the outside quotes), and tap the 'Enter' key.

The 'License Agreement' window opens, left-click 'I Agree'.

The 'Choose Components' window opens, left-click 'Next'.

The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing the install to complete.

The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.
Open any web-browser and generate some traffic.

There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Note: If no traffic is passing through the CMD window, try another 'Index' number.
After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29141.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'.

The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'.

The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'.

The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.

The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'.

The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Windows 7, 8.x, or 10

Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'.

In the 'Turn Windows features on or off' expand 'Internet Information Services'.

To the left of 'Web Management tools' left-click checking the radio box (it may turn blue or black).

To the left of 'World Wide Web Services' left-click checking the radio box (it may turn blue or black).

Expand 'World Wide Web Services', and expand 'Application Development Features'.

Under 'Application Development Features' scroll down and left-click checking the radio box titled 'CGI', and left-click 'OK' allowing Windows to make changes to 'Windows Features', left-click 'Close', and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Server 2008 R2 SE

Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'.

The 'Server Manager' opens. Under 'Server Manager (Computer Name)' left-click 'Roles'.

Under 'Roles Summary' left-click 'Add Roles'.

The 'Add Roles Wizard' control panel opens. At the 'Before you begin' selection window left-click 'Next'.

At the 'Select Server Roles' selection window under 'Roles:' scroll down and left-click checking the select box to the left of 'Web Server (IIS)', and left-click 'Next'.

At the 'Web Server (IIS)' selection window left-click 'Next'.

At the 'Select Roles Services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'.

At the 'Confirm Installation Selections' selection window left-click 'Install' allowing IIS to complete the roles, role services, or features installation, left-click 'Close', eXit the 'Server Manager', and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Server 2012 R2 SE, 2016 SE, or 2019 SE

Open a CMD window with Administrator privileges and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'.

The 'Server Manager' window opens, and the 'Add Roles and Features Wizard' auto starts.

At the 'Before you begin' left-click 'Next'.

At the 'Select installation type' left-click 'Next'.

At the 'Select Destination server' left-click 'Next'.

At the 'Select server roles' under 'Roles' scroll down left-click 'Web Server (IIS)'.

The 'Add features that are required for Web Server (IIS)?' opens, left-click 'Add Features', and left-click 'Next'.

At the 'Select features' left-click 'Next'.

At the 'Web Server Role (IIS)' left-click 'Next'.

At the 'Select roles services' scroll down and expand 'Application Development'.

Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'.

At the 'Confirm installation selections' left-click 'Install' allowing IIS to complete the 'Feature installation', left-click 'Close', eXit 'Server Manager', and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Installing the PostgreSQL Database Server

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'd:\temp\postgresql-10.10-1-windows.exe' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\postgresql-10.10-1-windows-x64.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Setup PostgreSQL' window opens, left-click 'Next'.

The 'Installation Directory' window opens. In the dialog box type 'd:\winids\postgresql' (less the outside quotes), and left-click 'Next'.

The 'Select Components' window opens. In the list of selected Components uncheck 'Stack Builder', and left-click 'Next'.

The 'Data Directory' window opens. The dialog box should already be populated with 'd:\winids\postgresql\data' (less the outside quotes), and left-click 'Next'.

The 'Password' window opens. In the 'Password' dialog box type 'd1ngd0ng' (less the outside quotes), in the 'Retype password' dialog box type 'd1ngd0ng' (less the outside quotes), left-click 'Next'.

The 'port' window opens. The listening port dialog box should already be populated with '5432', left-click 'Next'.

The 'Advanced Options' window opens. The 'Locale' pull-down select box should already be populated with '[Default locale]', left-click 'Next'.

The 'Pre Installation Summary' window opens. Verify all the preselected settings below are correct, and left-click 'Next'.

Installation Directory: D:\winids\PostgreSQL
Server Installation Directory: D:\winids\PostgreSQL
Data Directory: D:\winids\PostgreSQL\data
Database Port: 5432
Database Superuser: postgres
Operating System Account: NT AUTHORITY\NetworkService
Database Service: postgresql-x64-xx
Command Line Tools Installation Directory: D:\winids\PostgreSQL
pgAdmin4 Installation Directory: D:\winids\PostgreSQL\pgAdmin 4
The 'Ready to Install' window opens, left-click 'Next' allowing the installation to complete.

The 'Completing the PostgreSQL Setup Wizard' window opens, left-click 'Finish'.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb-5.20.14.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing PHP

Depending on the processor's architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-nts-Win32-VC11-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.40-nts-Win32-VC11-x64.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the Rule MSG alert name to the sid number assigned to the rule.

This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database.

Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid.

Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Likewise, updating the rules without regenerating the 'sid-msg.map' will show events from all new rules as gid:sid only (1:2133 for example).
At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
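The mapping described above, written out as an added Python example (this is not the tutorial's create-sidmap.pl, and is not part of the tutorial): it pulls the sid, msg and reference options out of every active rule and emits the 'sid || msg || ref' layout that the v1 sid-msg.map uses, so the file Barnyard2 reads can be inspected or rebuilt without Perl. The sample rules are constructed; the output format and the rules directory path are assumptions taken from the text above.

```python
"""Build a v1 'sid-msg.map' from Snort rule files.

Added example, not the tutorial's own script. Assumes the v1 layout
'sid || msg || ref || ref' (one line per sid); rules with a gid other
than 1 would need the v2 layout, which this example does not produce.
"""
import re
from pathlib import Path

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')


def join_continuations(text):
    """Snort rules may span lines with a trailing backslash; fold them."""
    return text.replace("\\\n", " ")


def parse_rules(text):
    """Yield (sid, msg, [refs]) for every active rule in a rules file.

    Commented-out (disabled) rules are skipped, since Barnyard2 will never
    see alerts from them; rules without a sid or msg are ignored.
    """
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        if not sid or not msg:
            continue
        refs = [r.strip() for r in REF_RE.findall(line)]
        yield int(sid.group(1)), msg.group(1), refs


def build_sidmap(rule_texts):
    """Return the sid-msg.map body for a list of rule-file contents.

    Entries are sorted by sid; a sid defined in more than one file keeps
    its first definition, so the map stays one line per sid.
    """
    entries = {}
    for text in rule_texts:
        for sid, msg, refs in parse_rules(text):
            entries.setdefault(sid, (msg, refs))
    lines = []
    for sid in sorted(entries):
        msg, refs = entries[sid]
        lines.append(" || ".join([str(sid), msg] + refs))
    return "\n".join(lines) + "\n"


def build_sidmap_from_dir(rules_dir):
    """Read every *.rules file under rules_dir (e.g. d:\\winids\\snort\\rules)."""
    paths = sorted(Path(rules_dir).glob("*.rules"))
    return build_sidmap([p.read_text(encoding="utf-8", errors="replace") for p in paths])


# Constructed sample rules (not from the Snort rule set).
SAMPLE_RULES = r'''
# disabled rule: must not appear in the map
# alert tcp any any -> any 80 (msg:"SAMPLE disabled"; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force"; \
    flow:to_server; reference:cve,2000-0000; reference:url,example.invalid; \
    classtype:attempted-admin; sid:900002; rev:3;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE ICMP \"ping\" sweep"; sid:900003; rev:1;)
'''

if __name__ == "__main__":
    # Point build_sidmap_from_dir at the rules folder to regenerate the real map.
    print(build_sidmap([SAMPLE_RULES]), end="")
```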

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): decompress_swf { deflate lzma } \
Change to: decompress_swf { deflate } \

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.
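A quick check of the edits above before running the slow self-test, as an added Python example that is not part of the tutorial: it reads a snort.conf and reports any of the listed changes that are still missing (HOME_NET left as 'any', POSIX paths still in place, lzma still in decompress_swf, SO_RULE_PATH still active, no active unified2 output), and shows the host range a HOME_NET CIDR covers. The two config fragments are constructed from the 'Original Line(s)' and 'Change to' lines; the install root is the tutorial's 'd:\winids\snort'.

```python
"""Lint a snort.conf for the Windows-specific edits the tutorial calls for.

Added example, not part of the tutorial. Expected values come from the
'Change to:' lines; the BEFORE/AFTER fragments below are constructed.
"""
import ipaddress

INSTALL_ROOT = r"d:\winids\snort"   # the tutorial's hard-coded install path


def _directives(text):
    """Yield (keyword, rest) for every active (uncommented) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        yield key, rest.strip()


def home_net_networks(value):
    """Parse a HOME_NET value ('192.168.1.0/24' or '[10.0.0.0/8,192.168.1.0/24]')
    into ip_network objects; 'any' or a malformed entry yields an empty list."""
    nets = []
    for item in value.strip().strip("[]").split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError:
            return []
    return nets


def host_range(net):
    """First and last usable host of a network (the .1 - .254 of the /24 example)."""
    if net.num_addresses > 2:
        return str(net[1]), str(net[-2])
    return str(net[0]), str(net[-1])


def lint_snort_conf(text):
    """Return a list of findings; an empty list means every listed edit is present."""
    findings = []
    variables = {}
    outputs = []
    for key, rest in _directives(text):
        full = f"{key} {rest}"
        if key in ("ipvar", "var"):
            name, _, value = rest.partition(" ")
            variables[name] = value.strip()
        elif key == "output":
            outputs.append(rest)
        if "/usr/local/" in full:
            findings.append(f"POSIX path left in place: {full}")
        if "decompress_swf" in full and "lzma" in full:
            findings.append("decompress_swf still lists lzma (tutorial keeps deflate only)")
    home = variables.get("HOME_NET", "")
    if not home_net_networks(home):
        findings.append(f"HOME_NET must be the monitored CIDR segment, got {home!r}")
    for name in ("RULE_PATH", "PREPROC_RULE_PATH", "WHITE_LIST_PATH", "BLACK_LIST_PATH"):
        if not variables.get(name, "").lower().startswith(INSTALL_ROOT):
            findings.append(f"{name} should point under {INSTALL_ROOT}, got {variables.get(name)!r}")
    if "SO_RULE_PATH" in variables:
        findings.append("SO_RULE_PATH is still active; the tutorial comments it out")
    if not any(o.startswith("unified2:") for o in outputs):
        findings.append("no active 'output unified2' line; Barnyard2 will have nothing to read")
    return findings


# Constructed fragments: the stock lines, and the same lines after the edits.
BEFORE = r"""
ipvar HOME_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor http_inspect_server: server default \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate }
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
"""

AFTER = r"""
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH d:\winids\snort\rules
# var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
var WHITE_LIST_PATH d:\winids\snort\rules
var BLACK_LIST_PATH d:\winids\snort\rules
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll
preprocessor http_inspect_server: server default \
    decompress_swf { deflate } \
    decompress_pdf { deflate }
output unified2: filename merged.log, limit 128
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(lint_snort_conf(conf))} finding(s)")
        for f in lint_snort_conf(conf):
            print("  -", f)
    print("HOME_NET hosts:", host_range(home_net_networks("192.168.1.0/24")[0]))
```

To check the real file, read d:\winids\snort\etc\snort.conf into a string and pass it to lint_snort_conf.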

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration!
Snort exiting
Do not proceed until 'Snort successfully validated the configuration!'

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

This should display '1 file(s) copied.' and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): max_execution_time = 30
Change to: max_execution_time = 60

Original Line(s): error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to: ; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s): ;include_path = ".;c:\php\includes"
Change to: include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s): ; extension_dir = "ext"
Change to: extension_dir = "d:\winids\php\ext"

Original Line(s): ;cgi.force_redirect = 1
Change to: cgi.force_redirect = 0

Original Line(s): ;extension=php_gd2.dll
Change to: extension=php_gd2.dll

Original Line(s): ;extension=php_pgsql.dll
Change to: extension=php_pgsql.dll

Original Line(s): ;date.timezone =
Change to: date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.
Original Line(s): ;session.save_path = "/tmp"
Change to: session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), tap the 'Enter' key, and the 'Internet Information Services (IIS) Manager' opens.

If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...' left-click 'No'.
On the left under 'Connections' left-click highlighting '<server name>' at the very top of the column, in the center window titled '<server name> Home' go down to the section labeled 'IIS', right-click 'Handler Mappings', left-click 'Open Feature', on the right under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, and left-click 'Yes'.

In center window titled 'Handler Mappings' under the 'Name' column make sure 'PHP' (less the outside quotes) is listed at the very bottom.
On the left under 'Connections' expand 'Sites', left-click 'Default Web Site', under the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document', left-click 'Open Feature', on the right under 'Actions' left-click 'Add...', the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), and left-click 'OK'.

In the 'Default Document' under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.
Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.

At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing IIS, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Note: There is a possibility Edge may require additional privileges to open, and Internet Explorer should be used if this happens.

Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
Do not proceed until all the above paths are correct!
eXit the web-browser.

At the CMD prompt type 'del d:\winids\inetpub\wwwroot\base\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will install Snort into the Windows Services Database.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.
 [SNORT_SERVICE] Attempting to install the Snort service.
 [SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
 [SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
 [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.
Do not proceed until the Snort service has been successfully added to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Snort auto-start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring the PostgreSQL Database Server

At the CMD prompt type 'd:\winids\postgresql\bin\psql -U postgres' (less the outside quotes), and tap the 'Enter' key.

At the 'Password for user postgres:' prompt type 'd1ngd0ng' (less the outside quotes), and tap the 'Enter' key.

Key presses will not echo the characters!
Creating the Windows Intrusion Detection System Databases
At the 'postgres=#' prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key.

At the 'postgres=#' prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Authenticated Users
At the 'postgres=#' prompt type 'create user snort with password 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.

At the 'postgres=#' prompt type 'create user base with password 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

Creating the Windows Intrusion Detection System Database Tables
At the 'postgres=#' prompt type '\connect archive;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.

At the 'archive=#' prompt type '\connect snort;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type '\i d:/winids/barnyard2/schemas/create_postgresql;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql.sql;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type '\i d:/winids/inetpub/wwwroot/base/sql/create_base_tbls_pgsql_extra.sql;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO base;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type 'GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN SCHEMA public TO snort;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO snort;' (less the outside quotes), and tap the 'Enter' key.

At the 'snort=#' prompt type '\q' (less the outside quotes), and tap the 'Enter' key.

Confirming PostgreSQL and Snort are operational

At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes), and tap the 'Enter' key.

A 'Windows Security Alert' warning dialog box may appear stating 'Windows firewall may have blocked some features of this program', left-click 'Cancel'.
At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts; in the bottom left-click and check 'Show processes from all users', left-click the 'Processes' tab, and under the 'Image name' column 'snort.exe' and several instances of 'postgres.exe' should be listed as running processes.

Do not proceed until the processes above are running!
eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'rename d:\temp\opensource.gz opensource.tar.gz' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.

The above command may take a few minutes to complete as it is moving twenty thousand plus files.
At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): $BASE_urlpath = '';
Change to: $BASE_urlpath = 'http://winids';

Original Line(s): $DBlib_path = '';
Change to: $DBlib_path = 'd:\winids\adodb5';

Original Line(s): $DBtype = '?????';
Change to: $DBtype = 'postgres';

Original Line(s):
$alert_dbname   = 'snort_log';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname   = 'snort';
$alert_host     = 'winids';
$alert_port     = '';
$alert_user     = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists   = 0; # Set this to 1 if you have an archive DB
$archive_dbname   = 'snort_archive';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists   = 1; # Set this to 1 if you have an archive DB
$archive_dbname   = 'archive';
$archive_host     = 'winids';
$archive_port     = '';
$archive_user     = 'base';
$archive_password = 'an@l1st';

Original Line(s): $use_referential_integrity = 0;
Change to: $use_referential_integrity = 1;

Original Line(s): $show_rows = 48;
Change to: $show_rows = 90;

Original Line(s): $show_expanded_query = 0;
Change to: $show_expanded_query = 1;

Original Line(s): $portscan_file = '';
Change to: $portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s): $colored_alerts = 0;
Change to: $colored_alerts = 1;

Original Line(s): $priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s): //$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to: $Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Installing The PHP Extension and Application Repository (PEAR)

At the CMD prompt type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.

At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.

At the next prompt tap the 'Enter' key.

At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\graphing.zip -d d:\winids\php\tmp' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'pear install -O d:\winids\php\tmp\Auth_SASL-1.1.0.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Auth_SASL-1.1.0', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Math_BigInteger-1.0.3.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Math_BigInteger-1.0.3', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_Socket-1.2.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Net_Socket-1.2.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Net_SMTP-1.8.1.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Net_SMTP-1.8.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail-1.4.1.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Mail-1.4.1', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Mail_Mime-1.10.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Mail_Mime-1.10.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Words-0.18.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Numbers_Words-0.18.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Numbers_Roman-1.0.2.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Numbers_Roman-1.0.2', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Color-1.0.4.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Image_Color-1.0.4', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Canvas-0.3.5.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Image_Canvas-0.3.5', and return to the CMD prompt.
At the CMD prompt type 'pear install -O d:\winids\php\tmp\Image_Graph-0.8.0.tgz' (less the outside quotes), and tap the 'Enter' key.
Should display 'install ok: channel://pear.php.net/Image_Graph-0.8.0', and return to the CMD prompt.
At the CMD prompt type 'pear list -a' (less the outside quotes), and tap the 'Enter' key.

The above command line will list all the installed pear packages that are required for the graphing capabilities of BASE, the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE          VERSION STATE
Archive_Tar      1.4.3   stable
Auth_SASL        1.1.0   stable
Console_Getopt   1.4.1   stable
Image_Canvas     0.3.5   alpha
Image_Color      1.0.4   stable
Image_Graph      0.8.0   alpha
Mail             1.4.1   stable
Mail_Mime        1.10.2  stable
Math_BigInteger  1.0.3   stable
Net_SMTP         1.8.1   stable
Net_Socket       1.2.2   stable
Numbers_Roman    1.0.2   stable
Numbers_Words    0.18.2  beta
PEAR             1.10.5  stable
Structures_Graph 1.1.1   stable
XML_Util         1.4.2   stable
Do not proceed until all the highlighted PEAR packages above have been successfully installed.
At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key.

Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
Change to:
config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): #output database: alert, postgresql, user=snort dbname=snort
Change to: output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.
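Barnyard2 writes events as the 'snort' role into the database named on the 'output database:' line above, and BASE reads them using the settings entered in base_conf.php earlier; when the two disagree on the database name or host, Barnyard2 starts cleanly but the console never shows an event. As an added example that is not part of the original tutorial, this Python script cross-checks the two files (the embedded samples are constructed from the tutorial's values; on the WinIDS host, pass the real barnyard2.conf and base_conf.php) and also flags any role that still uses a password printed in this tutorial.

```python
"""Cross-check the Barnyard2 'output database:' line against base_conf.php.
Added example, not part of the original tutorial. Barnyard2 writes into the
database named on its output line; BASE reads the one in $alert_dbname. If
they disagree, Barnyard2 starts cleanly but the console never shows events.
The two samples are constructed from the values the tutorial uses."""
import re

SAMPLE_BARNYARD2_CONF = """\
# config event_cache_size: 4096
config event_cache_size: 32768
#output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home
"""
SAMPLE_BASE_CONF = """\
$DBtype = 'postgres';
$alert_dbname   = 'snort';
$alert_host     = 'winids';
$alert_port     = '';
$alert_user     = 'base';
$alert_password = 'an@l1st';
$archive_exists   = 1; # Set this to 1 if you have an archive DB
$archive_dbname   = 'archive';
"""
TUTORIAL_DEFAULT_PASSWORDS = {"l0gg3r", "an@l1st"}  # as printed in the tutorial

_OUTPUT_DB = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")
_PHP_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*'([^']*)'\s*;")

def parse_barnyard2_output(text):
    """Return the active 'output database' line as a dict (a '#' line is ignored)."""
    for line in text.splitlines():
        m = _OUTPUT_DB.match(line)
        if m:
            opts = {"mode": m.group(1), "driver": m.group(2)}
            for item in m.group(3).split():  # key=value pairs after the driver
                key, _, value = item.partition("=")
                opts[key] = value
            return opts
    return {}

def parse_base_conf(text):
    """Return the single-quoted $variable = '...'; assignments from base_conf.php."""
    return {m.group(1): m.group(2)
            for m in filter(None, map(_PHP_ASSIGN.match, text.splitlines()))}

def cross_check(by2_text, base_text):
    """Return a list of mismatches between the writer (Barnyard2) and reader (BASE)."""
    by2, base = parse_barnyard2_output(by2_text), parse_base_conf(base_text)
    if not by2:
        return ["barnyard2.conf has no active 'output database:' line"]
    problems = []
    if by2["mode"] != "log":
        problems.append(f"output mode is {by2['mode']!r}; the tutorial uses 'log'")
    if (by2["driver"], base.get("DBtype")) != ("postgresql", "postgres"):
        problems.append(f"driver {by2['driver']!r} vs BASE $DBtype {base.get('DBtype')!r}")
    for by2_key, base_key in (("dbname", "alert_dbname"), ("host", "alert_host")):
        if by2.get(by2_key) != base.get(base_key):
            problems.append(f"{by2_key}={by2.get(by2_key)!r} but ${base_key} = {base.get(base_key)!r}")
    if by2.get("user") == base.get("alert_user"):
        problems.append("sensor and console share one database role; the tutorial gives each its own")
    for who, pw in (("barnyard2 user", by2.get("password")), ("BASE $alert_password", base.get("alert_password"))):
        if pw in TUTORIAL_DEFAULT_PASSWORDS:
            problems.append(f"{who} still uses a password printed in the tutorial")
    return problems
```

Run against the tutorial's own values the only findings are the two default-password notes, which is the cue for the post-installation step of changing the default database user access.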

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.
Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"
Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The 'auto-local-barnyard2.reg' file contains the run line for Barnyard2.
The Registry Editor selection box opens and asks; 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

After the reboot it could take several minutes for events to start populating into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have. The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.

At this point you are done with this tutorial, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'.

This includes:
  • Tuning your rules and preprocessors.
  • Tuning Snort thresholds and limit values.
  • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
  • Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
  • Configure a system, such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Security Issues

Let's review what has happened so far:
  • All support programs, including IIS have been installed to a separate partition, which closed a multitude of security holes.
  • The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
