
Updating the Rules, Signatures, and sid-msg.map file


Windows Intrusion Detection System - Companion Add-On Tutorial


Updating the Windows Intrusion Detection Systems (WinIDS)

Rules, Signatures, and sid-msg.map file

Written by: Michael E. Steele



Introduction

During my research and development I found many tutorials and blogs describing the installation process for the UNIX environment, yet none of them specifically detailed setting this up in a Windows environment. I have been working on and updating these tutorials for the past twelve-plus years, and managed to get through the complete process in the Windows environment.

These tutorials give all the basic instructions on how to either update major components of, or add components to, the Windows Intrusion Detection System (WinIDS).

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic rules update to the Windows Intrusion Detection System (WinIDS)

This tutorial will cover the updating of the Windows Intrusion Detection Systems (WinIDS) rules, signatures, and the sid-msg.map file. There are two required downloads.
  • Rules, the lifeblood of the Windows Intrusion Detection System (WinIDS).
  • Signatures, the event information used to display in the Windows Intrusion Detection Systems (WinIDS) security console.


Prepping for updating the Windows Intrusion Detection System (WinIDS) Rules, Signatures, and sid-msg.map file Tutorial


Downloading The required software

For this tutorial the original files from the 'WinIDS - xxbit Core Software Support Pack' must be located in its original folder (d:\temp).
The following procedure requires the installer to have a registered snort.org account; the rule snapshot is only offered to signed-in users.
From a browser, open the snort.org web site and sign in.

If either of the next two downloads asks to overwrite an existing file, make SURE to overwrite it; a stale copy left in 'd:\temp' would be extracted in place of the new one.
At the main screen left-click the 'Downloads' button, scroll down to the 'Rules' section, and under 'Community', under 'Documentation', left-click 'opensource.tar.gz', and save it to the 'd:\temp' folder.

In the 'Rules' category under 'registered', under 'Snort vx.x' left-click the latest version of the 'snortrules-snapshot-xxx.tar.gz' file (usually at the top), and save to the 'd:\temp' folder.

At this point all the files listed below should be located in the 'd:\temp' folder.
  • snortrules-snapshot-xxx.tar.gz
  • opensource.tar.gz

Updating the Windows Intrusion Detection Systems (WinIDS) Rules, Signatures, and sid-msg.map file


During this procedure the Windows Intrusion Detection System should continue to process triggered events: Snort keeps running with the rule set it loaded at start-up, so replacing the rule files on disk has no effect on the running process until the service is restarted later in this tutorial.

Backing up the current Snort Installation

Open a CMD window and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will preserve any custom files that can be manually copied back, if needed.

Prepping and Installing the Latest Rule Set

At the CMD prompt type 'rd d:\winids\snort\etc /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-xxxx.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

In the above 'd:\temp\snortrules-snapshot-xxxx.tar.gz' the exact filename will be required for the version of snort rules that were downloaded.
At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key. The shared-object (SO) rules in the snapshot are precompiled Linux binaries that the Windows Snort build cannot load, which is also why SO_RULE_PATH is commented out in snort.conf later in this tutorial.
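The backup, delete, extract and copy-back steps above, written as one script. This is an added example and is not part of the original tutorial or of the WinIDS distribution; it assumes the tutorial's d:\winids layout and its three custom-file patterns (*_list.*, local.*, experimental.*). It adds two checks a practitioner would want that tartool does not perform: the archive is inspected for path traversal (absolute names, '..' components, links) before anything is deleted, and the custom files are only copied back after extraction succeeded. The rule set and directory layout used in the test are constructed.

```python
"""Replace the WinIDS Snort rule set from a snortrules-snapshot tarball.

Mirrors the tutorial's xcopy / rd / tartool / xcopy / rd sequence:
  1. xcopy /E /I snort snort-old           (backup)
  2. rd etc, rules, preproc_rules          (clear the replaced directories)
  3. tartool snapshot.tar.gz snort         (extract)
  4. xcopy *_list.*, local.*, experimental.* back from the backup
  5. rd so_rules                           (Linux-only shared-object rules)
"""
import fnmatch
import shutil
import tarfile
from pathlib import Path, PurePosixPath
from typing import List

# Files the installer maintains by hand; the snapshot must not clobber them.
CUSTOM_FILES = ("*_list.*", "local.*", "experimental.*")

# Directories deleted before extraction so stale rule files cannot linger.
REPLACED_DIRS = ("etc", "rules", "preproc_rules")


def unsafe_members(tar: tarfile.TarFile) -> List[str]:
    """Return archive member names that could write outside the target directory."""
    bad = []
    for m in tar.getmembers():
        p = PurePosixPath(m.name)
        drive_path = m.name[1:2] == ":"  # e.g. d:\... inside an archive
        if p.is_absolute() or drive_path or ".." in p.parts or m.issym() or m.islnk():
            bad.append(m.name)
    return bad


def install_rules_snapshot(tarball, snort_dir, backup_dir) -> List[str]:
    """Back up snort_dir, swap in the snapshot and restore the custom files.

    Returns the sorted names of the custom files that were restored.
    Raises ValueError, before anything is deleted, if the archive is unsafe.
    """
    tarball, snort_dir, backup_dir = Path(tarball), Path(snort_dir), Path(backup_dir)

    with tarfile.open(tarball, "r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError(f"refusing to extract {tarball.name}: unsafe members {bad}")

        # 1. backup (an older backup is replaced, as xcopy would overwrite it)
        if backup_dir.exists():
            shutil.rmtree(backup_dir)
        shutil.copytree(snort_dir, backup_dir)

        # 2. clear the directories the snapshot replaces
        for name in REPLACED_DIRS:
            shutil.rmtree(snort_dir / name, ignore_errors=True)

        # 3. extract; the 'data' filter (newer Pythons) re-checks paths and
        #    strips dangerous modes, older Pythons fall back to plain extractall
        try:
            tar.extractall(snort_dir, filter="data")
        except TypeError:
            tar.extractall(snort_dir)

    # 4. copy the hand-maintained rule files back from the backup
    restored = []
    old_rules = backup_dir / "rules"
    new_rules = snort_dir / "rules"
    new_rules.mkdir(exist_ok=True)
    if old_rules.is_dir():
        for f in old_rules.iterdir():
            if f.is_file() and any(fnmatch.fnmatch(f.name, pat) for pat in CUSTOM_FILES):
                shutil.copy2(f, new_rules / f.name)
                restored.append(f.name)

    # 5. drop the shared-object rules; they are Linux binaries the Windows build cannot load
    shutil.rmtree(snort_dir / "so_rules", ignore_errors=True)
    return sorted(restored)


if __name__ == "__main__":
    # usage: python update_rules.py d:\temp\snortrules-snapshot-xxxx.tar.gz
    import sys
    names = install_rules_snapshot(sys.argv[1], r"d:\winids\snort", r"d:\winids\snort-old")
    print("restored custom files:", ", ".join(names) or "none")
```

The traversal check matters because the snapshot is an archive fetched from a web site and then unpacked with full write access to the sensor's own directory; a crafted member named '..\..\winids\snort\bin\snort.exe' would otherwise land wherever it pleased.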

Installing the Latest Signatures

Apache2 Installs: At the CMD prompt type 'rd d:\winids\Apache24\htdocs\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.

Apache2 Installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\apache24\htdocs\base\signatures' (less the outside quotes), and tap the 'Enter' key.

IIS Installs: At the CMD prompt type 'rd d:\winids\inetpub\wwwroot\base\signatures /S /Q' (less the outside quotes), and tap the 'Enter' key.

IIS Installs: At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.

The above command may take a few minutes to complete, as it is extracting twenty thousand plus files.

Updating the 'sid-msg.map' file

WARNING: The following procedure MUST be performed EVERY time the rules have been changed or edited! Barnyard2 and the security console use this file to turn the numeric SID of each triggered event into its rule message, so if it is omitted the Windows Intrusion Detection Systems security console will not be accurate!
At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

The updating process replaced all the configuration files with the default configuration files. It is highly suggested that the OLD snort.conf file be merged manually into the NEW snort.conf file, as this transfers any custom settings while preserving any new additions. After merging the files the remaining part of this section can be skipped.

The ORIGINAL snort.conf file is located in the d:\winids\snort-old\etc folder of the backup, and the NEW default snort.conf file is located in the d:\winids\snort\etc folder.

By continuing this section the Windows Intrusion Detection System (WinIDS) will be configured for default settings!
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), the /24 prefix covers the 256 addresses 192.168.1.0 through 192.168.1.255, so the Windows Intrusion Detection System (WinIDS) treats every host on that segment as internal. It is important to specify the correct internal IP segment of the network that needs monitoring, and to set the correct CIDR prefix: the many rules that key on $HOME_NET will not match traffic to addresses outside it.
Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): decompress_swf { deflate lzma } \
Change to: decompress_swf { deflate } \

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
In the above list, the 'Index' number is important, and will be needed later in this tutorial. Several Network Interface Cards may be listed, and it is up to the installer to determine which one (by Index number) is the card on which the Windows Intrusion Detection System (WinIDS) will listen for traffic.

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), where 'x' (less the outside quotes) is the 'Index' number of the Network Interface Card on which the Windows Intrusion Detection System (WinIDS) will listen.
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration!
Snort exiting
Do not proceed until 'Snort successfully validated the configuration!' has been displayed; restarting the service on a configuration that failed the test leaves the Windows Intrusion Detection System (WinIDS) without a running sensor.
At the CMD prompt type 'net stop snort & net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
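The 'snort -W', 'snort -T' and 'net stop snort & net start snort' steps above, wrapped so that the restart cannot happen unless the interface index exists and the configuration test passed. This is an added example, not part of the original tutorial or of WinIDS; it assumes the tutorial's d:\winids paths and the success banner quoted above. The 'run' argument is only there so the gating logic can be exercised without Snort installed (the test feeds it constructed 'snort -W' and 'snort -T' output).

```python
r"""Validate snort.conf and restart the Snort service only if the test passes."""
import re
import subprocess
from typing import Callable, Dict

SNORT = r"d:\winids\snort\bin\snort.exe"
CONF = r"d:\winids\snort\etc\snort.conf"
LOGDIR = r"d:\winids\snort\log"
SUCCESS = "Snort successfully validated the configuration!"

# A row of the 'snort -W' table: index, MAC address, then an IP that may be empty.
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f:]{17})\s*(\S*)")


def parse_interfaces(output: str) -> Dict[int, Dict[str, str]]:
    """Turn the 'snort -W' listing into {index: {'mac': ..., 'ip': ...}}."""
    found = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            found[int(m.group(1))] = {"mac": m.group(2), "ip": m.group(3)}
    return found


def config_validated(returncode: int, output: str) -> bool:
    """True only when 'snort -T' exited 0 AND printed its success banner."""
    return returncode == 0 and SUCCESS in output


def validate_and_restart(index: int, run: Callable = subprocess.run) -> bool:
    """Run -W, -T and the service restart; return True if Snort was restarted.

    Stops before touching the service if the index is not in Snort's own
    interface table or the configuration test fails.
    """
    listing = run([SNORT, "-W"], capture_output=True, text=True)
    interfaces = parse_interfaces(listing.stdout + listing.stderr)
    if index not in interfaces:
        print(f"interface index {index} is not in the snort -W output: {sorted(interfaces)}")
        return False

    test = run([SNORT, "-c", CONF, "-l", LOGDIR, f"-i{index}", "-T"],
               capture_output=True, text=True)
    output = test.stdout + test.stderr
    if not config_validated(test.returncode, output):
        print("snort -T did not validate the configuration; service left untouched")
        print(output[-2000:])  # the tail holds the FATAL ERROR line
        return False

    # 'net stop snort & net start snort': stop may fail if the service was not
    # running, which is harmless; start must succeed.
    run(["net", "stop", "snort"], check=False)
    run(["net", "start", "snort"], check=True)
    return True


if __name__ == "__main__":
    # usage: python restart_snort.py <interface index from snort -W>
    import sys
    sys.exit(0 if validate_and_restart(int(sys.argv[1])) else 1)
```

Checking the exit code alone is not enough: the banner is what the tutorial tells you to wait for, and requiring both guards against a build that prints the banner but then fails while shutting down.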

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

After restarting Snort it could take Barnyard2 several minutes to reconnect and start populating triggered events into the Windows Intrusion Detection Systems (WinIDS) Security Console. If no triggered events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.
Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Cleaning up the rule updating process

An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename the 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration file', and complete.

If the updating process has been successful and the backup is no longer needed, the process below will scrub the backup folder.
Open a CMD window and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion

Congratulations, you have just completed updating the Windows Intrusion Detection Systems (WinIDS) Rules, Signatures, and sid-msg.map file.

It is highly encouraged to perform some post-installation tasks if still needed to get a fully production-ready Windows Intrusion Detection System (WinIDS).

This includes:
  • Tuning your rules and preprocessors.
  • Tuning Snort thresholds and limit values.
  • Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
  • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
  • Configuring a tool such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org