Windows Intrusion Detection System - Companion Add-On Tutorial
Installing Event Email Alerting into an existing WinIDS
Written by: Michael E. Steele
Introduction
This tutorial is a simple to understand, step-by-step tutorial for adding priority e-mail event alerting to all existing Windows Intrusion Detection Systems (WinIDS).
Copyright Notice
This document is Copyright © 2002-2024 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.
Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.
This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.
All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.
Support Questions and Help
By request, there is a premium fee service available for one on one support.
If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
How to use this guide
The default installation path ('d:\winids') is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.
It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.
It is also important when asked to 'Close a CMD window' it is done, or the install will fail.
Note: The user installing this tutorial MUST be a member of the Administrators group.
Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.
Instructions on starting a command prompt as an Administrator
In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
Mandatory prerequisites
- Access to a VALID outgoing SMTP server from the Windows Intrusion Detection System (WinIDS).
- A Master or Slave Windows Intrusion Detection System (WinIDS) has been installed.
- The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial.
Installation will use the default path or paths as directed in the guide. Your paths may be different so be sure to replace the paths we used for the paths you used.
Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial
Downloading and extracting the WinIDS Companion Software Development Pack
It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Open File Explorer and navigate to the location of the 'winids-csdp.zip' file, right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' check box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.
How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
Installing and Configuring EventWatchNT
In File Explorer, navigate to the 'd:\temp' folder, right-click the 'eventwatchnt_v233.exe' file and left-click 'Run as administrator'. The 'WinZip Self-Extractor' starts. In the 'Unzip to folder:' dialog box type 'd:\winids\eventwatchnt', and left-click 'Unzip', a confirmation window opens stating 'x file(s) unzipped successfully', left-click 'OK', and left-click 'Close' to eXit the 'WinZip Self-Extractor'.
In File Explorer, navigate to the 'd:\winids\eventwatchnt' folder, right-click the 'eventwatchnt.exe' file and left-click 'Run as administrator'.
If this is the first run left-click 'I Agree' at the 'License Agreement for EventwatchNT' screen.
The EventwatchNT Configuration wizard starts with some dialog boxes filled in. In the 'Sender Name:' dialog box type the name of the WinIDS.
In the next configuration you will enter the actual domainname.com of this sensor. When you receive an Email Alert this will be the originating address of the event.
In the 'Sender Email Address:' dialog box type 'eventwatch@yourdomain.com' (less the outside quotes).
In the 'Recipients:' dialog box type the email address where the events will be sent.
In the 'SMTP Server:' dialog box type the name or IP of the VALID outgoing SMTP server.
Logged events have a priority range of 1 to 3, with 1 being the highest priority and 3 the lowest. This section of the documentation will walk you through setting up the IDS for sending events based on the highest priority event.
In the 'Email Subject:' type 'WinIDS Priority 1 Alert!' (less the outside quotes).
In the 'Filter(s):' dialog box type (including the [ ] and must be typed exact) '[Priority: 1]' (less the outside quotes).
In the 'Type:' select box choose 'Include'.
At this point you should be able to click the 'Test' button and send a test message to the 'Senders Email Address' that was selected above.
In the 'Event logs to monitor' select box, only 'Application' needs to be ticked.
In the 'Events to report' select box, only 'WARNING' needs to be ticked.
In the 'Options' select box, only 'HTML Email' needs to be ticked.
In the 'Installation' select box, left-click the 'Install' button.
In the 'Service Control' Select box, left-click on the 'Start' button.
Click the 'OK' button at the top right to eXit the EventwatchNT application.
Exit File Explorer.
Open a CMD window with Administrator privileges and type 'eventvwr' (less the outside quotes), and tap the 'Enter' key.
Expand 'Windows Logs', right-click 'Application', select 'Properties', and tick 'Overwrite events as needed', left-click the 'Apply' button, left-click 'OK', and eXit the Event Viewer.
Configuring the Snort Detection Engine for Application logging
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.
Use the Find in Notepad2 to locate and change the variables below.
Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT
Change to: output alert_syslog: LOG_AUTH LOG_INFO
Save the file and eXit Notepad2.
Testing the Snort configuration file
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.
The following is a partial example of what might be listed as valid Network Interface Cards.
Index Physical Address IP Address
----- ---------------- ----------
1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf
In the above list, the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).
The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.
The above run line will require the 'Index' number of the monitoring Network Interface Card in place of the 'x' above.
This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode.
If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration! Snort exiting
Do not proceed until 'Snort successfully validated the configuration!'
At the CMD prompt type 'shutdown -r -t 01' (less the outside quotes), and tap the 'Enter' key to reboot.
After the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. It could take several minutes for Barnyard2 to initialize and start shuttling triggered events to the database. If everything is working correctly all events with a '[Priority: 1]' (less the outside quotes) should be emailed to the specified account.
In Conclusion
Congratulations, you have just completed setting up the Windows Intrusion Detection System (WinIDS) to send out e-Mails based on Priority-1 events.
At this point you are done with this tutorial, all events should be arriving into the Windows Application log in event viewer, and you should be receiving e-Mail alerts based on Priority-1 events. If no emails are being received, check the Application Log in the Event Viewer to verify the existence of any Priority-1 events.
An example of what the events should look like in the email:
________________________________________
EVENT # : 2310
EVENTLOG : Application
EVENT TYPE: WARNING (2)
SOURCE : snort
EVENT ID : 1
TIME : 3/4/2019 11:26:59 PM
MESSAGE : [1:16282:4] PUA-P2P Bittorrent uTP peer request [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 220.86.45.46:7388 -> 192.168.1.3:18318
________________________________________
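To carry out the check above without clicking through Event Viewer, the following added example (not part of the original tutorial or of EventWatchNT) queries the Application log for Snort Warning events and parses each message into the fields shown in the sample email. It assumes Snort writes to the Application log under the event source 'snort', as configured above; the sample message is constructed from the example event.

```powershell
# Added example: inspect the Application log for the Snort events that
# EventWatchNT is filtering on, and parse their message layout into fields.
# Assumption: Snort logs with event source 'snort' as Warning events.

function ConvertFrom-SnortMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Layout: [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst
    $pattern = '^\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<msg>.+?)\s+' +
               '(?:\[Classification:\s+(?<class>[^\]]+)\]\s+)?' +
               '\[Priority:\s+(?<prio>\d+)\]\s+\{(?<proto>\w+)\}\s+' +
               '(?<src>\S+)\s+->\s+(?<dst>\S+)$'
    if (-not ($Message -match $pattern)) { return $null }
    [pscustomobject]@{
        Gid = [int]$Matches.gid; Sid = [int]$Matches.sid; Rev = [int]$Matches.rev
        Msg = $Matches.msg; Classification = $Matches.class
        Priority = [int]$Matches.prio; Proto = $Matches.proto
        Src = $Matches.src; Dst = $Matches.dst
    }
}

function Get-SnortPriorityEvents {
    param([int]$Priority = 1, [int]$MaxEvents = 50)
    # Level 3 = Warning, the only event type ticked in EventWatchNT above.
    $filter = @{ LogName = 'Application'; ProviderName = 'snort'; Level = 3 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-SnortMessage -Message $_.Message
            if ($parsed -and $parsed.Priority -eq $Priority) {
                $parsed | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
            }
        }
}

# Constructed sample message, same layout as the sample email above.
$sample = '[1:16282:4] PUA-P2P Bittorrent uTP peer request [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 220.86.45.46:7388 -> 192.168.1.3:18318'
ConvertFrom-SnortMessage -Message $sample | Format-List

# Live check: no results means Snort is not writing Priority-1 events to the
# Application log, so EventWatchNT has nothing to email.
$hits = @(Get-SnortPriorityEvents -Priority 1)
"Priority-1 Snort events found in Application log: $($hits.Count)"
$hits | Select-Object Time, Sid, Msg, Src, Dst | Format-Table -AutoSize
```

To exercise the mail path before real traffic arrives, Windows PowerShell's `Write-EventLog -LogName Application -Source snort -EntryType Warning -EventId 1 -Message $sample` writes a matching test event, provided the 'snort' source has already been registered by a previous Snort run.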
Optional Companion Documents
Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
- How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).
- How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
- How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).
- How to configure Barnyard2 to run as a service
This tutorial is a simple to understand process on how to configure Barnyard2 to run as a service.
- How to compile Barnyard2 on Windows using Cygwin
This tutorial is a simple to understand, step-by-step guide for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator).
- How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.
Updating the Windows Intrusion Detection Systems (WinIDS) Major components
- How to update the Snort Intrusion Detection Engine
This tutorial will show How to update the Snort Intrusion Detection Engine.
- How to update the Windows Intrusion Detection Systems rules
This tutorial will show how to update the Windows Intrusion Detection Systems rules.
Debugging Installation errors
Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.
General tutorial issues
For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.
Feedback
I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.
Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org