
Converting Barnyard2 to run as a Windows Service


Windows Intrusion Detection System - Companion Add-On Tutorial


Configuring Barnyard2 to run as a Windows service

Written by: Michael E. Steele



Introduction

This tutorial is a simple-to-understand, step-by-step guide to upgrading an existing Master Windows Intrusion Detection System (WinIDS) so that Barnyard2 runs as a Windows service.

By default, the Master Windows Intrusion Detection System requires someone to be logged into the WinIDS host before Barnyard2 will shuttle events to the database, because Barnyard2 is started from a per-logon Run entry in the registry rather than as a service.

When Barnyard2 runs as a Windows service, events are shuttled to the database immediately, whether anyone is logged in or not.

Copyright Notice

This document is Copyright © 2002-2017 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, a premium, fee-based service is available for one-on-one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

Installing the core support files, and making basic configuration changes, if needed

This tutorial assumes there is an existing Master Windows Intrusion Detection System (WinIDS) installed, and that the files from the original Windows Intrusion Detection System (WinIDS) tutorial have been downloaded and are located in the d:\temp folder.

It is imperative to use only the files included in the 'WinIDS - (32/64bit) Software Support Pack'. Those files have been thoroughly tested and are compatible with this particular tutorial.

When asked to 'Open a CMD window with Administrator privileges', it is important that this is actually done, or the install will fail.

Likewise, when asked to 'Close a CMD window', it is important that this is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER. This opens the command prompt elevated (a User Account Control prompt may appear; left-click 'Yes').

Converting Barnyard2 to run as a Windows Service Tutorial


Adding Barnyard2 to the Windows Services Database

Open a CMD window with Administrator privileges and type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the enter key.

At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the enter key.

Note: instsrv registers a new Windows service whose executable is srvany.exe. srvany is a generic service wrapper: when the service starts, srvany launches the ordinary program named in the service's registry parameters and keeps it running, which is what allows a program that was never written as a service (such as barnyard2.exe) to be run as one.

The following confirms that 'srvany' was successfully added to the Windows Services Database:
The service was successfully added!
Do not proceed until the srvany service has been successfully added!
At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the enter key.

The following confirms that Barnyard2 was successfully added to the Windows Services Database:
The service was successfully added!
Do not proceed until the Barnyard2 service has been successfully added!
At the CMD prompt type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The Registry Editor dialog box opens and asks 'Are you sure you want to continue?'; left-click 'Yes', and at the next dialog left-click 'OK'. This imports the registry values under the Barnyard2 service's Parameters key that tell srvany which program to launch and how; without them the service would start but have nothing to run.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key.

The following confirms that the Barnyard2 service has been set to start automatically (delayed start, so it comes up after the core services):
[SC] ChangeServiceConfig SUCCESS
Do not proceed until the Barnyard2 auto-start service has been successfully activated.
At the CMD prompt type 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Barnyard2 /f' (less the outside single quotes), and tap the 'Enter' key.

The above command removes the existing registry value that invokes Barnyard2 whenever someone logs in. Leaving it in place would start a second copy of Barnyard2 alongside the service at the next logon.

The following confirms that the registry value was removed successfully:
The operation completed successfully.
Do not proceed until 'The operation completed successfully.' has been displayed.
At the CMD prompt type 'taskkill /F /IM barnyard2.exe' (less the outside quotes), and tap the 'Enter' key.

The above command terminates the Barnyard2 process that was started from the user logon.

The following confirms that the Barnyard2 process has been successfully terminated (the PID will differ):
SUCCESS: The process "barnyard2.exe" with PID 2340 has been terminated.
Do not proceed until the Barnyard2 process has been terminated.
At the CMD prompt type 'net start barnyard2' (less the outside quotes), and tap the 'Enter' key.

The above command starts the new Barnyard2 Windows service.

The following confirms that the Barnyard2 Windows service was successfully started:
The Barnyard2 service is starting.
The Barnyard2 service was started successfully.
Do not proceed until the Barnyard2 service has been started successfully.
Note: It may take several minutes before events start arriving in the Windows Intrusion Detection Systems security console.
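The steps above, as an added example that is not part of this tutorial or of the Barnyard2 project: the same conversion run from an elevated PowerShell prompt, with a check after each step in place of the tutorial's "do not proceed until" rule. It assumes the tutorial's paths (d:\temp\service_files.zip and d:\temp\auto-remote-barnyard2.reg) and that the zip file places instsrv.exe and srvany.exe in the Windows folder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the WinIDS tutorial or the Barnyard2 project): the same
# conversion, run from an elevated PowerShell prompt, with a verification after each step.
# Assumed: the tutorial's paths (d:\temp\service_files.zip, d:\temp\auto-remote-barnyard2.reg)
# and that the zip places instsrv.exe and srvany.exe in the Windows folder.

$ErrorActionPreference = 'Stop'
$svc     = 'Barnyard2'
$winDir  = $env:windir
$zipFile = 'd:\temp\service_files.zip'           # assumed path, as in the tutorial
$regFile = 'd:\temp\auto-remote-barnyard2.reg'   # assumed path, as in the tutorial
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Assert-Step([bool]$Ok, [string]$Message) {
    # Stop at the first failed check, mirroring the tutorial's "do not proceed until ..." rule.
    if (-not $Ok) { throw "Step failed: $Message" }
}

try {
    # 1. Extract instsrv.exe / srvany.exe (the tutorial's 'unzip -oqq ... -d c:\windows').
    Expand-Archive -Path $zipFile -DestinationPath $winDir -Force
    Assert-Step (Test-Path "$winDir\srvany.exe") 'srvany.exe missing after extraction'

    # 2. Register srvany itself, then a second service named Barnyard2 whose binary is also srvany.exe.
    #    srvany is a generic wrapper: at start it launches the program named in the service's
    #    Parameters\Application registry value, which is how a non-service program becomes a service.
    & "$winDir\instsrv.exe" srvany "$winDir\srvany.exe" | Out-Null
    & "$winDir\instsrv.exe" $svc   "$winDir\srvany.exe" | Out-Null
    Assert-Step ($null -ne (Get-Service -Name $svc -ErrorAction SilentlyContinue)) "$svc service not created"

    # 3. Import the srvany parameters silently (same effect as running the .reg file and clicking Yes/OK).
    & reg.exe import $regFile | Out-Null
    $params = Get-ItemProperty -Path "$svcKey\Parameters"
    Assert-Step (-not [string]::IsNullOrWhiteSpace($params.Application)) 'Parameters\Application not set; srvany would have nothing to launch'

    # 4. Delayed automatic start ('sc config Barnyard2 start= delayed-auto' sets DelayedAutostart=1).
    & sc.exe config $svc start= delayed-auto | Out-Null
    Assert-Step ((Get-ItemProperty -Path $svcKey).DelayedAutostart -eq 1) 'DelayedAutostart flag not set'

    # 5. Drop the per-logon Run entry so the service is the only thing that starts Barnyard2.
    Remove-ItemProperty -Path $runKey -Name $svc -ErrorAction SilentlyContinue
    Assert-Step ($null -eq (Get-ItemProperty -Path $runKey -Name $svc -ErrorAction SilentlyContinue)) 'Run entry still present'

    # 6. Kill the logon-started copy, start the service, and confirm the running copy belongs to the service.
    Get-Process -Name barnyard2 -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Service -Name $svc
    (Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $proc = Get-Process -Name barnyard2 -ErrorAction SilentlyContinue | Select-Object -First 1
    Assert-Step ($null -ne $proc) 'service reports Running but no barnyard2.exe process exists'
    # Services run in session 0; a copy started from a user logon would be in session 1 or higher.
    Assert-Step ($proc.SessionId -eq 0) "barnyard2.exe (PID $($proc.Id)) is in session $($proc.SessionId), not the service"

    $account = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'").StartName
    Write-Host "$svc is running as a service (PID $($proc.Id)) under account '$account'"
}
catch {
    # Debugging aid: surface recent Critical/Error events from the Application log, where the
    # support programs report their failures (see 'Debugging Installation errors' below).
    Write-Warning $_.Exception.Message
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2; StartTime = (Get-Date).AddMinutes(-15) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message | Format-Table -AutoSize -Wrap
    exit 1
}
```

The session-0 check is the one that proves the conversion actually took: a barnyard2.exe in any other session is still the logon-started copy. The final line also prints the account the service runs under; a service created with instsrv runs as LocalSystem unless it is reconfigured, so anything srvany launches (barnyard2.exe, and therefore its database credentials and output files) runs with that account's privileges, which is worth knowing when hardening the sensor.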

In conclusion

Congratulations, you have just converted the default Barnyard2 to run as a Windows service. I hope this tutorial has been of great assistance.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
  • How to install MySQL Tools into a MySQL enabled Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer, as most of the support programs write FATAL errors to the Application log.

General problems

For general help, left-click the support button at the top of this tutorial, or manually navigate to the correct forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org