
Scheduling and Updating the Windows Intrusion Detection Systems Rules


Windows Intrusion Detection System - Companion Add-On Tutorial


Updating the Windows Intrusion Detection Systems (WinIDS)

Scheduling and Updating the Rules with optional settings

Written by: Michael E. Steele



Introduction

During my research and development for the past 20 plus years I've found a lot of tutorials, including blogs describing the installation process for the UNIX environment, but nothing specifically detailed for setting up an intrusion detection system in a Windows environment.

These tutorials give all the basic instructions on how to either update major components of, or add on components to, the Windows Intrusion Detection System (WinIDS).

Copyright Notice

This document is Copyright © 2003-2025 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Get Support

All general support questions related to a specific tutorial MUST be directed to the specific forum for that particular tutorial. If there is any confusion just click on the 'Get Community Support' button at the top of each tutorial to get transported to the correct forum!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

Scheduling a Rules update and the optional features for an existing Windows Intrusion Detection System (WinIDS)

Pulledpork is a powerful rule management tool used to manage the Windows Intrusion Detection System rules. Any change to the rules requires the rules to be processed before the change takes effect.

During the initial setup of the Windows Intrusion Detection System the first set of rules was installed and manually processed using Pulledpork. The Rules Updater is a hook into Pulledpork with a couple of extra options added. I won't get into all the ins and outs of Pulledpork as it is extensive.

The desktop shortcut for the Rules Updater will process the rules locally by default and the progress will output to the open console window.

Remote and Master sensors should be scheduled with the directions below; otherwise rules updates will have to be started manually with the desktop shortcut. If scheduling is activated, the sendmail feature should also be activated if a valid SMTP server is available, because email is the only way to be notified of the status (completed successfully, not needed, or failed) of a scheduled run. The emails include, in the subject line, the name of the sensor on which the rules update ran.

Scheduling a Rules update for the Windows Intrusion Detection System (WinIDS)

The Rules Updater usually takes less than a minute to run if no updates are available and up to several minutes if an update is available. The Rules Updater handles both success and failure: if an update is applied but fails the validation process, the Rules Updater restores the backup. The failure is displayed on the console and, if sendmail is active, reported by email.

After a successful rules update the Snort process is cycled, which means Snort will not log alerts for approximately 15 seconds while it restarts (reloads the configuration and rereads all the rules).

There are several optional settings available in the Rules Updater:
  • The Rules updater can be scheduled
  • The Rules Updater can run silently
  • The Rules Updater can Email results to a valid SMTP server and will include the sensor name in the email subject
Note: If the Rules Updater is only going to be run manually from the desktop then there is no reason for any configuration change.
Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\activators\winruleup.ps1' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below and follow the comments in the script.
Configurations
    $sendmail = 0   # Turn off (0) sending email or turn on (1) sending email
    $silent = 0     # Turn off (0) or turn on (1) silent mode - turn it on when scheduling

SMTP Email Configurations
    $smtpServer = ""    # Insert a valid SMTP Server address between the quotes
    $smtpPort = 587     # Insert a valid SMTP Port: 25 (plain, optionally STARTTLS), 587 (submission, STARTTLS), 465 (implicit TLS)
    $smtpUser = ""      # Insert a valid SMTP Username between the quotes - Use caution in keeping it secure!
    $smtpPassword = ""  # Insert a valid SMTP Password between the quotes - Use caution in keeping it secure! 
    $from = ""          # Insert with valid From email address between the quotes    
    $to = ""            # Insert with valid To email address between the quotes
Save the file and exit Notepad2. Note: the SMTP password is now stored in clear text in winruleup.ps1, so restrict the file's NTFS permissions to Administrators and SYSTEM.
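The following is an added example, not part of the WinIDS tutorial or winsnort.com's own scripts. Once $smtpPassword is filled in, winruleup.ps1 holds a clear-text credential and is later run with highest privileges, so only Administrators and SYSTEM should be able to read or modify it. It assumes the script path used in this tutorial and an elevated PowerShell prompt; the two principal names are the standard built-in accounts.

```powershell
# Added example (not from the WinIDS tutorial): lock winruleup.ps1 down to
# Administrators and SYSTEM and verify that nobody else keeps access.
# Assumes the path from the tutorial and an elevated prompt.

$scriptPath = 'D:\winids\activators\winruleup.ps1'
$allowed    = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

$acl = Get-Acl -Path $scriptPath

# Stop inheriting the directory's ACL; the second argument (false) discards the
# inherited entries instead of copying them onto the file.
$acl.SetAccessRuleProtection($true, $false)

# Drop any entries that were set explicitly on the file itself.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Grant full control only to the two principals that actually need the file.
foreach ($id in $allowed) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'Allow')))
}
Set-Acl -Path $scriptPath -AclObject $acl

# Verify by re-reading the ACL from disk: any other identity with access is a finding.
$extra = (Get-Acl -Path $scriptPath).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Unexpected access on ${scriptPath}:"
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    "OK: $scriptPath is accessible only by $($allowed -join ' and ')"
}
```

The verification step matters more than the grant: a member of the Users group who can still read the file can read the SMTP password, and anyone who can write the file can run code under the scheduled task's account. The file's owner keeps the right to change the ACL regardless of the entries above, so the owner should be the Administrators group, not an individual day-to-day account.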

Scheduling Rules Updates

At the CMD prompt type 'taskschd.msc' (less the outside quotes), tap the 'Enter' key and Task Scheduler opens.

In the right-hand pane under Actions, left-click "Create Task..." and the "Create Task" window opens.

To the right of the "Name:" dialog box type "Update WinIDS Rules" (the remaining settings on this "General" tab follow).

To the left of "Run with highest privileges" left-click placing a check mark.

To the left of "Hidden" left-click placing a check mark.

To the right of "Configure for:" use the drop down and select "Windows 10" (for all installs) and left-click "OK".

A popup notification may appear stating " You must enter..." just left-click "OK"

Left-click the "Action" tab and left-click the "New..." button.

To the right of "Actions" left-click the drop down and select "Start a program".

In the field under "Program/script" type "powershell.exe" (less the outside quotes).

In the "Add arguments (optional)" field type "-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File D:\winids\activators\winruleup.ps1" (less the outside quotes) and left-click "OK". Note: "-ExecutionPolicy Bypass" runs the script without any signature check, and the task runs it with highest privileges, so anyone who can modify winruleup.ps1 or the folder it lives in can run code at that privilege level. Keep write access to "D:\winids\activators" limited to Administrators.

Left-click the "Triggers" tab and left click the "New..." button.

To the right of "Begin the task:" use the dropdown and select "At startup".

To the left of "Repeat task every:" left-click placing a check mark.

To the right of "Repeat task every:" use the dropdown and select "1 hour".

To the right of "for a duration:" use the dropdown, select "indefinitely".

Note: "Repeat task every:" and "for a duration:" are optional and can be adjusted as needed. The above settings check for a new rules update every hour for an indefinite period of time, sending an email after each run.
To the left of "Enabled" make sure it is checked and left-click "OK" to complete adding the task.

Note: To test the script, under "Name" there should be an "Update WinIDS Rules" task listed; left-click to highlight the "Update WinIDS Rules" task and on the right under "Selected Item" left-click "Run".

It usually takes about a minute to receive the email result if no rules update happened and several minutes if one did. If no email is received then there is an issue with the SMTP configuration or the interface setting in the script.

To test email when a new rules update has happened, delete all the files in the "D:\winids\script\temp" folder and run the task again. An email should be received within 5 minutes with the results.
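The same task can be created from PowerShell instead of clicking through Task Scheduler, which is useful when several Remote sensors need the identical schedule. The block below is an added example, not part of the WinIDS tutorial or winsnort.com's scripts: it builds the "Update WinIDS Rules" task from the steps above with the ScheduledTasks cmdlets and then performs the same "Run" test. It assumes the script path from this tutorial, an elevated PowerShell 5.1 prompt, and (my choice, not something the GUI steps above specify) that the task runs as SYSTEM so an "At startup" trigger fires even when nobody is logged on.

```powershell
# Added example (not from the WinIDS tutorial): registers the "Update WinIDS Rules"
# task described above with the ScheduledTasks cmdlets, then fires it once and reads
# back the result. Assumes D:\winids\activators\winruleup.ps1 and an elevated prompt.

$taskName   = 'Update WinIDS Rules'
$scriptPath = 'D:\winids\activators\winruleup.ps1'

# "Start a program": same program and arguments as the GUI Action step.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File `"$scriptPath`""

# "At startup", repeated every hour indefinitely. -AtStartup has no -RepetitionInterval
# parameter, so the repetition pattern is copied from a throwaway -Once trigger.
# (On older Windows builds add -RepetitionDuration ([TimeSpan]::MaxValue) to that -Once trigger.)
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Repetition = (New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1)).Repetition

# "Run with highest privileges", here as SYSTEM (assumption: the GUI steps leave the
# account at the current user, which would not run at boot without a logon).
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# "Hidden" and "Configure for" (Win8 is the newest level the cmdlet exposes), plus two
# settings the GUI steps leave at their defaults: never start a second copy while a
# rules update is still running, and kill a hung run after 30 minutes.
$settings = New-ScheduledTaskSettingsSet -Hidden -Compatibility Win8 `
    -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Same check as the manual "Run" test: start the task, wait, then read its exit status.
# LastTaskResult 0 = success, 0x41301 = still running, 0x41303 = has never run.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 90
$info = Get-ScheduledTaskInfo -TaskName $taskName
'Last run {0}, result 0x{1:X}' -f $info.LastRunTime, $info.LastTaskResult
```

A non-zero result other than 0x41301 (still running) means the task itself failed to launch or the script exited with an error; in that case check the Windows Application log, as the "Debugging Installation errors" section below describes, before suspecting the SMTP settings.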

In Conclusion

Congratulations. Rules can now be updated automatically by the scheduled task, with email as its only reporting method, or on demand by running the script from the desktop icon, which outputs to an open console.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org