Installing an IIS Web Server logging events to a MySQL Database


How to Install a Windows Intrusion Detection System (WinIDS)

ids.gif

Running IIS, and logging events to a local MySQL Database

Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE

Written by: Michael E. Steele



Introduction

During my research, and development I've found a lot of tutorials, and blogs describing the installation process for the UNIX environment. Yet, none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment.

These tutorials gives all the basic instructions on how to create a complete, and functioning stand alone Windows Intrusion Detection System (WinIDS). This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

These tutorials are the basic of what is needed, and the starting point for installing any functioning Windows Intrusion Detection System (WinIDS). Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up.

If there are any doubts which tutorial that should be used, there is a posted topic here that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2017 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in it's original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment

  • Microsoft's Windows operating systems are used exclusively for these tutorials.
It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.
  • Windows 7 Professional
  • Windows 8.x Professional
  • Windows 10 Professional
  • Windows Server 2008 R2 Standard Edition
  • Windows Server 2012 R2 Standard Edition
  • Windows Server 2016 Standard Edition
All the operating systems listed above have been tested using both the 32bit, and 64bit architecture for this tutorial. However, any another Windows operating system listed above, under the same framework will most likely work.

Major support programs used in this install

  • WinPcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
  • Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) networks data streams.
  • Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a MySQL database.
  • Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork.
  • MySQL-driven database stores processed events from Barnyard2 for analysis.
  • Microsoft's Internet Information Services will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
  • BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.

History of Internet Information Services (IIS)

  • IIS 7.5 - included with Windows 7, and Server 2008 R2 SE
  • IIS 8.0 - included with Windows 8
  • IIS 8.5 - included with Windows 8.1, and Server 2012 R2 SE
  • IIS 10.0 - included with Windows 10, and Server 2016 SE

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

  • A fresh install of Windows 7 Professional 64bit, but any 32/64bit Version of Windows listed above in will do.
  • All available Service Packs and updates MUST be applied from the Microsoft Download Center.
  • A user account was created for 'Operator', the password was set to 'z1pp3r', and user 'Operator' was assigned Administrative privileges.
  • This complete Windows Intrusion Detection System (WinIDS) tutorial was installed logged on as user 'Operator'.
  • There was 4GB of memory installed, but 3GB should be the absolute minimum (more is always better).
  • There were two partitions created - C: (System) with 300GB, and D: (WinIDS) with 1TB.
  • This complete Windows Intrusion Detection System (WinIDS) was installed into the 'd:\winids' folder.
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!


Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial


Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Depending on the processors architecture, download the appropriate support pack below!
dload.png 32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location.

Open an Explorer window and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), and left-click 'OK'.

dload.png 64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location.

Open an Explorer window and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), and left-click 'OK'.

Downloading additional, and required support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.
dload.png WinPcap 4.1.3: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.
dload.png Snort 2_9_11: Download and save the file to the d:\temp folder.

The following two files will require the installer to be a registered user on the snort.org web site, and logged in. After logging into the snort.org web site, come back to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next two downloads.
dload.png snortrules-snapshot-29110: Download and save the file to the d:\temp folder.

dload.png Rule Documentation (opensource.gz): Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating Systems Hardware Architecture

There are several additional files listed under two groups below. Download only, and all the files listed under the appropriate processors architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.
32bit Windows All: Required additional downloads for the 32bit architecture install!

dload.png Strawberry Perl 5.26.1.1: Download and save the file to the d:\temp folder.

dload.png MySQL Database 5.7.19.0: Download and save the file to the d:\temp folder.

dload.png PHP 5.6.30 NTS (VC11): Download and save the file to the d:\temp folder.


64bit Windows All: Required additional downloads for the 64bit architecture install!

dload.png Strawberry Perl 5.26.1.1: Download and save the file to the d:\temp folder.

dload.png MySQL Database 5.7.19.0: Download and save the file to the d:\temp folder.

dload.png PHP 5.6.30 NTS (VC11): Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install may fail.

Note: The user account installing this Windows Intrusion Detection System (WinIDS) MUST be a member of the Administrators group.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Note: If the User Account Control dialog box appears left-click 'Yes' to continue.
Windows 8.x / 10 / 2012 R2 SE / 2016 SE: The original Windows install media (DVD/USB/ISO) is now required to be inserted or mounted..

The correct source drive letter where the Windows install media is located must be inserted into the 'x' position below.
Windows 8.x / 10 / 2012 R2 SE / 2016 SE: Open a CMD window with Administrator privileges and type 'dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:x:\sources\sxs' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the '.NET Framework 3.5 Features' were installed successfully.
Deployment Image Servicing and Management tool
Version: (redacted)
Image Version: (redacted)
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
Do not proceed until 'The operation completed successfully.', and the original Windows install media has been removed, or unmounted.
Windows All: Open a CMD window with Administrator privileges if one is not opened and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key.

Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.
The modder.vbs file preforms several tasks:
  • Turns User Account Control (UAC) off
  • Installs Microsoft Visual C++ 2012/2013/2015
  • Installs 'Notepad2' to Windows\System32
  • Installs 'unzip' to Windows\System32
  • Installs 'tartool' to Windows\System32
  • Inserts 'winids' hostname to hosts file
  • Sets 'Hidden Files' as off in registry
  • Sets 'Show File Extensions' as on in registry
  • Sets 'Visual Effects' as minimal in registry
  • Reboots system
After the reboot it is strongly advise that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security miss configurations. Each issue should be resolved prior to starting this tutorial.


Installing the Windows Intrusion Detection System (WinIDS)


Installing WinPcap

Open a CMD window and type 'd:\temp\WinPcap_4_1_3.exe' (less the outside quotes), and tap the 'Enter' key.

If the 'Program Compatibility Assistant' appears, left-click 'Run the program without getting help'.
The WinPcap installation wizard appears, left-click 'Next', left-click 'Next', left-click the 'I Agree' button, make SURE the 'Automatically start the WinPcap driver at boot time' is checked, left-click install, and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_11_Installer.exe' (less the outside quotes), and tap the 'Enter' key.

The Snort installation wizard appears, left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following may be only a partial example of what might be listed as valid Network Interface Card or cards. There may be several Network Interface Cards listed with their corresponding 'Index' number. It will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
In the above list, the correct 'Index' number is important, and will need to be remembered for later use in this tutorial.
At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.
Open any web-browser and generate some traffic.

There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Note: If no traffic is passing through the CMD window, try another 'Index' number.
After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29110.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processors architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.26.1.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.26.1.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The Strawberry Perl installation wizard appears, left-click 'Next', left-click the 'I accept the terms...' radio button, left-click 'Next', in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), left-click 'Next', left-click 'Install', left-click and uncheck the 'Read README file.' radio box, and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Windows 7, 8.x, or 10

Open a CMD window and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. In the 'Turn Windows features on or off' expand 'Internet Information Services'. To the left of 'Web Management tools' left-click the radio box (it may only turn blue or black). To the left of the 'World Wide Web Services left-click check the radio box (it may only turn blue or black). Expand 'World Wide Web Services', and expand 'Application Development Features'. Under 'Application Development Features' scroll down and left-click the select box titled 'CGI', and left-click 'OK' allowing windows to make changes to features, and eXit the 'Programs and Features' control panel.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Server 2008 R2 SE

Open a CMD window and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. The 'Server Manager' control panel opens. Under 'Server Manager (Computer Name)' scroll down to the section labeled 'Roles Summary', and left-click 'Add Roles'. The 'Add Roles Wizard' control panel opens. At the 'Before you begin' selection window, Left-click 'Next'. At the 'Select Server Roles' selection window under 'Roles:' scroll down and left-click checking the select box to the left of 'Web Server (IIS)', and left-click 'Next'. At the 'Web Server (IIS)' selection window, left-click 'Next'. At the 'Select Roles Services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm Installation Selections' selection window, left-click 'Install' allowing IIS to complete the roles, role services, or features installation, left-click 'Close', eXit 'Programs and Features', and eXit the 'Server Manager'.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing Internet Information Services into Server 2012 R2 SE, or 2016 SE

Open a CMD window and type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Program and Features' control panel opens. Under 'Control Panel Home' left-click 'Turn Windows features on or off'. The 'Server Manager' opens, and the 'Add Roles and Features Wizard' opens. At the 'Before you begin' selection window, Left-click 'Next'. At the 'Select installation type' selection window, left-click 'Next'. At the 'Select destination server' selection window, left-click 'Next'. At the 'Select server roles' selection window under 'Roles' scroll down left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' windows opens, left-click 'Add Features', and left-click 'Next'. At the 'Select features' selection window, left-click 'Next'. At the 'Web Server Role (IIS)' selection window, left-click 'Next'. At the 'Select roles services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm installation selections' selection window, left-click 'Install' allowing IIS to complete the 'Feature installation', left-click 'Close', eXit 'Programs and Features', and eXit the 'Server Manager'.

At the CMD prompt type 'd:\temp\moveiis.bat' (less the outside quotes), and tap the 'Enter' key.

Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2

At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Installing the MySQL Database Server

At the CMD prompt type 'd:\temp\mysql-installer-community-5.7.19.0.msi' (less the outside quotes), and tap the 'Enter' key.

The MySQL Database server installers 'License Agreement' screen appears. Left-click checking the 'I accept the license terms' radio box, and left-click 'Next'.

The MySQL Database server installers 'Choosing a Setup Type' screen appears. Left-click selecting the 'Custom' radio button, and left-click 'Next'.

The MySQL Database server installers 'Select Products and Features' screen appears. Under 'Available Products:' left-click expanding 'MySQL Servers', left-click expanding 'MySQL Server', and left-click expanding 'MySQL Servers 5.7'.

Depending on the processors architecture, make the appropriate selection below!
32bit Windows All: Left-click highlighting 'MySQL Server 5.7.xx - X86'.

64bit Windows All: Left-click highlighting 'MySQL Server 5.7.xx - X64'.

Left click the arrow pointing to the right moving the 'MySql Server 5.7.xx - Xxx' to the 'Products/Features To Be Installed:' section. Under 'Products/Features To Be Installed:' left-click highlighting 'MySql Server 5.7.xx - Xxx'. Just above the 'Cancel' button left-click 'Advanced Options', and the 'Advanced Options for MySQL Server 5.7.xx' opens. In the 'Install Directory:' dialog box type 'd:\winids\mysql' (less the outside quotes). In the 'Data Directory:' dialog box type 'd:\winids\mysql' (less the outside quotes), left-click 'OK', and left-click 'Next'.

The MySQL Database server installers 'Installation' screen appears. Left-click 'Execute' allowing the MySQL server to 'Complete' the install, and left-click 'Next'.

The MySQL Database server installers 'Product Configuration' screen appears, and left-click 'Next'.

The MySQL Database server installers 'Type and Networking' screen appears. Verify the radio button to the left of 'Standalone MySQL Server / Classic MySQL Replication' is selected (it should be blue), left-click 'Next'.

The MySQL Database server installers 'Type and Networking' screen appears. Under 'Server Configuration Type' left-click the 'Config Type:", left-click selecting 'Server Machine', and left-click 'Next'.

The MySQL Database server installers 'Accounts and Roles' screen appears. In the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), and left-click 'Next'.

The MySQL Database server installers 'Windows Service' screen appears. In the 'Windows Service Name:' dialog box type 'MySQL' (less the outside quotes), and left-click 'Next'.

The MySQL Database server installers 'Plugins and Extensions' screen appears, and left-click 'Next'.

The MySQL Database server installers 'Apply Configuration' screen appears. Left-click 'Execute' allowing the configuration for MySQL Server to succeed, and left-click 'Finish'.

The MySQL Database server installers 'Product Configuration' screen appears. Left-click 'Next'.

The MySQL Database server installers 'Installation Complete' screen appears. Left-click 'Finish' to complete the MySQL Database installation.

At the CMD prompt type 'copy d:\winids\mysql\lib\libmysql.dll c:\windows\system32' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the command prompt.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb-5.20.9.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

Installing PHP

Depending on the processors architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.30-nts-Win32-VC11-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\php-5.6.30-nts-Win32-VC11-x64.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the Rule MSG alert name to the sid number assigned to the rule.

This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database.

Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid.

Without the 'sid-msg.map' being read by barnyard2, the events in the database will show up only as gid:sid. (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will also show events from all new rules as gid:sid. (1:2133 for example).
At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original Line(s): decompress_swf { deflate lzma } \
Change to: decompress_swf { deflate } \

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { \portscan.log }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s): include classification.config
Change to: include d:\winids\snort\etc\classification.config

Original Line(s): include reference.config
Change to: include d:\winids\snort\etc\reference.config

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Original Line(s): include threshold.conf
Change to: include d:\winids\snort\etc\threshold.conf

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration!
Snort exiting
Do not proceed until 'Snort successfully validated the configuration!'

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): max_execution_time = 30
Change to: max_execution_time = 60

Original Line(s): error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to: ; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s): ;include_path = ".;c:\php\includes"
Change to: include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s): ; extension_dir = "ext"
Change to: extension_dir = "d:\winids\php\ext"

Original Line(s): ; cgi.force_redirect = 1
Change to: cgi.force_redirect = 0

Original Line(s): ; extension=php_gd2.dll
Change to: extension=php_gd2.dll

Original Line(s): ; extension=php_mysql.dll
Change to: extension=php_mysql.dll

Original Line(s): ;date.timezone =
Change to: date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones.
Original Line(s): ;session.save_path = "/tmp"
Change to: session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), tap the 'Enter' key, and the 'Internet Information Services (IIS) Manager' opens.

If the 'Internet Information Services (IIS) Manager' opens and asks 'Do you want to get started with...' left-click 'No'.
On the left under 'Connections' left-click highlighting '<server name>' at the very top of the column, in the center window titled '<server name> Home' go down to the section labeled 'IIS', right-click 'Handler Mappings', left-click 'Open Feature', on the right under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, and left-click 'Yes'.

In center window titled 'Handler Mappings' under the 'Name' column make sure 'PHP' (less the outside quotes) is listed at the very bottom.
On the left under 'Connections' expand 'Sites', left-click 'Default Web Site', under the center window titled 'Default Web Site Home' go down to the section labeled 'IIS', right-click 'Default Document', left-click 'Open Feature', on the right under 'Actions' left-click 'Add...', the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), and left-click 'OK'.

In the 'Default Document' under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.
Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.

At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing IIS, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

There is a possibility Edge may require additional privileges to open, and Internet Explore should be used if this happens.
If this test fails, go back to the section labeled 'Configuring IIS for PHP, and the Windows Intrusion Detections Security Console' and configure again.
Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).

In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes), and 'Master Values' (less the outside quotes).
Do not proceed until all the above paths are correct!
eXit the web-browser.

At the CMD prompt type 'del d:\winids\inetpub\wwwroot\base\test.php' (less the outside quotes), and tap the 'Enter' key.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' position above.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.
 [SNORT_SERVICE] Attempting to install the Snort service.
 [SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
 [SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
 [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.
Do not proceed until the Snort service has been successfully added to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following as a confirmation that the Snort auto-start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
Do not proceed until the Snort auto-start service has been SUCCESSfully activated.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Configuring the MySQL Database Server

Open a CMD window and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes), and tap the 'Enter' key.

Use the find and locate the line '[mysqld]' (less the outside quotes), and just below add the next line.
bind-address=127.0.0.1
Save the file, and eXit Notepad2.

Creating the Windows Intrusion Detection System Databases
At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes), and tap the 'Enter' key.

You will be dropped into the MySQL administration console CMD prompt.
At the mysql CMD prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'show databases;' (less the outside quotes), and tap the 'Enter' key.

There should be several databases listed, 'information_schema', 'archive', 'mysql', and 'snort'.

Creating the Windows Intrusion Detection System Database Tables
At the mysql CMD prompt type 'connect snort;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Current database: snort' and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key.

It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'connect archive;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Current database: archive' and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key.

It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

Creating the Windows Intrusion Detection System Database Access, and Authenticated Users
At the mysql CMD prompt type 'set password for root@localhost = password('d1ngd0ng');' (less the outside quotes), and tap the 'Enter' key.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort identified by 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort@localhost identified by 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base@localhost identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base@localhost identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and tap the 'Enter' key.

At the mysql CMD prompt type 'select * from user;' (less the outside quotes), and tap the 'Enter' key.

There should be several users listed, 'root', 'snort', 'snort', 'base', and 'base'.
At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key

Confirming MySQL and Snort are operational

At the CMD prompt type 'net stop mysql & net start mysql' (less the outside quotes), and tap the 'Enter'.

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts, in the bottom left-click and check 'Show processes from all users', left-click the 'Processes' tab, in the 'Image name' category 'snort.exe', and 'mysqld.exe' should be listed as a process.

Do not proceed until the processes above are running!
eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'rename d:\temp\opensource.gz opensource.tar.gz' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'tartool d:\temp\opensource.tar.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.

The above command may take a few minutes to complete as its moving twenty thousand plus files.
At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): $BASE_urlpath = '';
Change to: $BASE_urlpath = 'http://winids';

Original Line(s): $DBlib_path = '';
Change to: $DBlib_path = 'd:\winids\adodb5';

Original Line(s): $DBtype = '?????';
Change to: $DBtype = 'mysql';

Original Line(s):
$alert_dbname   = 'snort_log';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname   = 'snort';
$alert_host     = 'winids';
$alert_port     = '';
$alert_user     = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists   = 0; # Set this to 1 if you have an archive DB
$archive_dbname   = 'snort_archive';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists   = 1; # Set this to 1 if you have an archive DB
$archive_dbname   = 'archive';
$archive_host     = 'winids';
$archive_port     = '';
$archive_user     = 'base';
$archive_password = 'an@l1st';

Original Line(s): $show_rows = 48;
Change to: $show_rows = 90;

Original Line(s): $show_expanded_query = 0;
Change to: $show_expanded_query = 1;

Original Line(s): $portscan_file = '';
Change to: $portscan_file = 'd:\winids\snort\log\portscan.log';

Original Line(s): $colored_alerts = 0;
Change to: $colored_alerts = 1;

Original Line(s): $priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Original Line(s): $graph_font_name = "DejaVuSans";
Change to: // $graph_font_name = "DejaVuSans";

Original Line(s):// $graph_font_name = "";
Change to: $graph_font_name = "";

Original Line(s): //$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to: $Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.

At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.

At the next prompt tap the 'Enter' key.

At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

At the CMD prompt type 'pear install -f --alldeps image_graph mail mail_mime' (less the outside quotes), and tap the 'Enter' key.

The above command line will install several required PEAR packages for the graphing capabilities of BASE, the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
install ok: channel://pear.php.net/Mail-1.4.1
install ok: channel://pear.php.net/Mail_Mime-1.10.1
install ok: channel://pear.php.net/Numbers_Roman-1.0.2
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Math_BigInteger-1.0.3
install ok: channel://pear.php.net/Net_Socket-1.2.2
install ok: channel://pear.php.net/Auth_SASL-1.1.0
install ok: channel://pear.php.net/Image_Canvas-0.3.5
install ok: channel://pear.php.net/Numbers_Words-0.18.1
install ok: channel://pear.php.net/Net_SMTP-1.8.0
install ok: channel://pear.php.net/Image_Graph-0.8.0
Do not proceed until all the required PEAR packages has been successfully installed.
At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key.

Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
Change to:
config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): #output database: log, mysql, user=root password=test dbname=db host=localhost
Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.
Barnyard2 successfully loaded configuration file!
Snort exiting
database: Closing connection to database "snort"
Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The 'auto-barnyard.reg' file contains the run line for Barnyard2.
The Registry Editor selection box opens and asks; 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

After the reboot it could take several minutes for events to start populating into the Windows Intrusion Detection Systems (WinIDS) Security Console. Refreshing the browser will show new events when added. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have. The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.

At this point you are done with this tutorial, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'.

This includes:
  • Tuning your rules and preprocessors.
  • Tuning Snort thresholds and limit values.
  • Enabling User Access Control (UAC).
  • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
  • Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
  • Configure a system, such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Security Issues

Lets review what has happens so far:
  • All support programs, including IIS have been installed to a separate partition, which closed a multitude of security holes.
  • The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
  • How to install MySQL Tools into a MySQL enabled Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general issues pertaing to this tutorial, left-click the support button at the top of this tutorial, or manually navigate to the correct support forum.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback here.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org