
Converting Barnyard2 to run as a Windows Service


Windows Intrusion Detection System - Companion Add-On Tutorial


Configuring Barnyard2 to run as a Windows service

Written by: Michael E. Steele



Introduction

This is a simple, step-by-step tutorial that upgrades an existing Master Windows Intrusion Detection System so that Barnyard2 runs as a Windows service instead of as a program started at logon.

Running Barnyard2 as a Windows service has a few major advantages over the default install:
  • Barnyard2 will run without anyone having to log in allowing events to be automatically spooled to the database in real time, all the time.
  • The Master Windows Intrusion Detection Systems security console will start with all the new events already spooled with no waiting.
Note: Barnyard2 will no longer start in a terminal window, and events can only be viewed in the Master Windows Intrusion Detection Systems security console.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disclaims any liability arising from this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (Winds) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

Installing the core support files, and making basic configuration changes, if needed

This tutorial assumes there is an existing Master Windows Intrusion Detection Systems (Winds) installed, and the files from the original Windows Intrusion Detection System (Winds) tutorial have been downloaded, and are located in the d:\temp folder.

It is imperative to only use the files included in the 'Winds - (32/64bit) Software Support Pack'. Those files have been thoroughly tested and are known to be compatible with this particular tutorial.

It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.

It is also important when asked to 'Close a CMD window' it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Converting Barnyard2 to run as a Windows Service Tutorial


Adding Barnyard2 to the Windows Services Database

Open a CMD window with Administrator privileges and type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that 'srvany' was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the srvany service has been successfully added!

At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that Barnyard2 was successfully added to the Windows Services Database.

The service was successfully added!

Do not proceed until the Barnyard2 service has been successfully added!

At the CMD prompt type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The Registry Editor selection box opens and asks; 'Are you sure you want to continue?', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Barnyard2 service has been successfully set to start automatically (delayed start).

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Barnyard2 auto-start setting has been successfully applied.

At the CMD prompt type 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Barnyard2 /f' (less the outside single quotes), and tap the 'Enter' key.

The above command removes the existing Run value that started Barnyard2 each time someone logged in. Without this step two copies of Barnyard2 (the service and the logon copy) would compete for the same spool files.

The following is a confirmation that the registry value was removed successfully.

The operation completed successfully.

Do not proceed until 'The operation completed successfully.' is displayed.

At the CMD prompt type 'taskkill /F /IM barnyard2.exe' (less the outside quotes), and tap the 'Enter' key.

The above command terminates the existing Barnyard2 process that was started at logon.

The following is a confirmation that the Barnyard2 process has been successfully terminated (the PID will differ on your system).

SUCCESS: The process "barnyard2.exe" with PID 2340 has been terminated.

Do not proceed until the Barnyard2 process has been terminated.

At the CMD prompt type 'net start barnyard2' (less the outside quotes), and tap the 'Enter' key.

The above command starts the new Barnyard2 Windows service.

The following is a confirmation that the Barnyard2 Windows service was successfully started.

The Barnyard2 service is starting.
The Barnyard2 service was started successfully.

Do not proceed until the Barnyard2 service has been started successfully.

After starting Barnyard2 it could take several minutes to reconnect and start populating triggered events into the Windows Intrusion Detection Systems (WinIDS) Security Console. If no triggered events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.
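The whole procedure above, as an added PowerShell example that is not part of this tutorial or of the WinIDS support pack. It does with sc.exe what instsrv does, writes the srvany Parameters subkey directly instead of importing auto-remote-barnyard2.reg, and ends with a verification step the tutorial leaves to the security console. The Barnyard2 install folder and command-line arguments are assumptions (the tutorial does not show them; the .reg file carries them), so edit those variables before running it.

```powershell
# Added example (not from the winsnort.com tutorial). Requires an elevated prompt.
# Assumptions not stated on the page: srvany.exe is already in C:\Windows, Barnyard2
# lives in C:\WinIDS\Barnyard2 and is normally launched with $appParameters.
#Requires -RunAsAdministrator

$serviceName   = 'Barnyard2'
$srvany        = 'C:\Windows\srvany.exe'
$appDirectory  = 'C:\WinIDS\Barnyard2'                                            # assumption
$application   = Join-Path $appDirectory 'barnyard2.exe'                           # assumption
$appParameters = '-c barnyard2.conf -d ..\snort\log -f snort.log -w bylog.waldo'  # assumption
$runKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$svcKey        = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

function Install-Barnyard2Service {
    # Same result as 'instsrv Barnyard2 c:\windows\srvany.exe' followed by
    # 'sc config Barnyard2 start= delayed-auto'. sc.exe needs the space after '='.
    if (-not (Get-Service -Name $serviceName -ErrorAction SilentlyContinue)) {
        & sc.exe create $serviceName binPath= $srvany start= delayed-auto | Out-Null
    }
    # srvany launches whatever the Parameters subkey names (Microsoft KB137890).
    # This is what the tutorial's auto-remote-barnyard2.reg import sets up.
    $params = Join-Path $svcKey 'Parameters'
    New-Item -Path $params -Force | Out-Null
    Set-ItemProperty -Path $params -Name 'Application'   -Value $application
    Set-ItemProperty -Path $params -Name 'AppParameters' -Value $appParameters
    Set-ItemProperty -Path $params -Name 'AppDirectory'  -Value $appDirectory
}

function Remove-Barnyard2RunValue {
    # Same as 'reg delete ...\Run /v Barnyard2 /f': stop the per-logon copy from starting.
    Remove-ItemProperty -Path $runKey -Name $serviceName -ErrorAction SilentlyContinue
}

function Restart-Barnyard2AsService {
    # Same as 'taskkill /F /IM barnyard2.exe' then 'net start barnyard2'. The logon
    # copy must be gone first so it does not compete with the service for the waldo file.
    Get-Process -Name 'barnyard2' -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Service -Name $serviceName
}

function Test-Barnyard2Service {
    # srvany reports 'Running' as long as srvany.exe itself is alive; it does not notice
    # when the child barnyard2.exe exits. Check the child process, not just the service.
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
    $proc = Get-Process -Name 'barnyard2' -ErrorAction SilentlyContinue
    $recent = Get-WinEvent -FilterHashtable @{
                  LogName = 'Application'; Level = 1, 2
                  StartTime = (Get-Date).AddMinutes(-10)
              } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'barnyard' } |
              Select-Object -ExpandProperty Message
    [pscustomobject]@{
        ServiceState = $svc.State
        StartMode    = $svc.StartMode                                            # expect 'Auto'
        DelayedStart = [bool](Get-ItemProperty -Path $svcKey).DelayedAutostart   # expect True
        RunsAs       = $svc.StartName        # 'LocalSystem' unless changed with sc config obj=
        ChildAlive   = [bool]$proc           # False here means srvany is up but Barnyard2 died
        RecentErrors = @($recent)
    }
}

Install-Barnyard2Service
Remove-Barnyard2RunValue
Restart-Barnyard2AsService
Test-Barnyard2Service | Format-List
```

Two points the tutorial does not mention. First, instsrv (and sc create) register the service under LocalSystem, so Barnyard2, and with it the database credentials in its configuration, now run as SYSTEM; if that is more privilege than a log spooler needs, create a dedicated account, grant it read access to the Snort log folder and write access to the waldo file, and point the service at it with 'sc config Barnyard2 obj= .\accountname password= ...' before starting it. Second, srvany only launches barnyard2.exe and never watches it, so the service can sit at Running long after the child has exited; that is why Test-Barnyard2Service reports ChildAlive separately and pulls the last ten minutes of Application-log errors, which is where the support programs write their FATAL messages.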

In conclusion

Congratulations, you have just converted the default Barnyard2 to run as a Windows service. I hope this tutorial has been of great assistance.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer, as most of the support programs write FATAL errors to the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org