
Installing an Apache2 Web Server logging events to a MySQL Database


How to Install a Windows Intrusion Detection System (WinIDS)

Running Apache2 and logging events to a local MySQL Database

Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE

Last Date Revised: July 22, 2023

Written by: Michael E. Steele



Introduction

Take Note: Winsnort has phased out support for the 32-bit architecture.

During my research and development for the past 20 plus years I've found a lot of tutorials, including blogs describing the installation process for the UNIX environment, but nothing specifically detailed for setting up an intrusion detection system in a Windows environment.

These tutorials give all the basic instructions on how to create a complete and all-inclusive standalone Windows Intrusion Detection System (WinIDS), including remote sensors. This is all made possible by simply wrapping Snort, a very powerful Intrusion Detection Engine, into a multitude of free open source programs. Best of all, other than the cost of the Windows operating system, it's completely free.

The goal of these tutorials was not just to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together and to get a deeper understanding of all the components so that troubleshooting and modifying the Windows Intrusion Detection System (WinIDS) can be completed with confidence.

If there are any doubts which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation.

Copyright Notice

This document is Copyright © 2003-2025 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Get Support

All general support questions related to a specific tutorial MUST be directed to the specific forum for that particular tutorial. If there is any confusion just click on the 'Get Community Support' button at the top of each tutorial to get transported to the correct forum!

There is a Client Only Lounge where all advanced questions/problems not related to the general installation of any of the tutorials should be posted.

By request, there is a premium fee service available for one on one support, including remote installs.

If this tutorial has not been directly acquired from the winsnort.com website, then it is most likely not the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment

  • Microsoft's Windows operating systems are used exclusively for these tutorials.
  • It is highly recommended to start with a fresh install of one of the supported Windows operating systems listed below.
  • If this is a commercial installation and Windows 10 or Windows 11 is a requirement, it is recommended that the Windows Enterprise LTSC (Long Term Servicing Channel) version be used.

With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. This includes features that would otherwise be updated with new functionality, such as Edge. Make note that all in-box Universal Windows apps are not included in the LTSC channel updates. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10-year period.

The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support.

See LTSC: What is it and when it should be used.
  • Windows x64 10 Professional / LTSC
  • Windows x64 11 Professional / LTSC
  • Windows x64 Server 2016 Standard Edition
  • Windows x64 Server 2019 Standard Edition
  • Windows x64 Server 2022 Standard Edition
  • Windows x64 Server 2025 Standard Edition
All the operating systems listed above have been tested using this tutorial. However, any other Windows operating system built on the same framework will most likely work.

Major support programs used in this install

  • Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
  • Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) networks data streams.
  • Barnyard2 is a dedicated spooler for Snort's unified2 binary output format and on-forwarding to a MySQL database.
  • Pulledpork automates the rule updating process.
  • Strawberry Perl is everything needed to run perl scripts (.pl) and applications such as PulledPork.
  • ADOdb allows the same code to be used when accessing a wide range of databases.
  • MySQL-driven database stores processed events from Barnyard2 for analysis.
  • Apache2 will drive the web based Windows Intrusion Detection Systems (WinIDS) GUI security console.
  • BASE serves as the Windows Intrusion Detection Systems (WinIDS) web based GUI security console.
  • NSSM is the Non-Sucking Service Manager used to start Barnyard2 as a service.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

  • A fresh install of any version of Windows listed above is highly recommended.
  • All available Service Packs and updates MUST be applied from the Microsoft Download Center.
  • For this tutorial there are two disks: C:/ (Disk1 - System) with 300GB and D:/ (Disk2 - WinIDS) with 1TB.
  • Installed memory should be no less than 4GB (more is always better).
For this tutorial there are two disks being used.

  • Disk1: This is where the Windows operating system will be installed and should not require more than 100GB of space.
  • Disk2: This is where the Windows Intrusion Detection System will be installed and will require at least 1TB of space as a starting point.

  • Note: For Disk2 more space is always recommended for future growth.

    The default installation paths are hard coded into this tutorial and are also hard coded into some of the install scripts. If the default installation path for the Windows Intrusion Detection System is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder, then the appropriate changes will need to be made to this tutorial and possibly to any script that might need to be run in order to accommodate the non-standard folder locations.

    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!


    Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial


    Downloading and extracting the core Windows Intrusion Detection Systems (WinIDS) Software Support Pack

    It is imperative to only use the files included in the 'WinIDS - Core Software Support Pack' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
    Download the 'WinIDS - Core Software Support Pack'.

    Open File Explorer and navigate to the location of the 'winids-core.zip' file, right-click the 'winids-core.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' check box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK' and eXit File Explorer.

    Downloading additional and required support files for this tutorial

    It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - Core Software Support Pack' were extracted.
    npcap-1.86: Download and save the file to the d:\temp folder.

    Snort 2.9.20: Download and save the file to the d:\temp folder.

    There are two items that are mandatory and require access to a registered account on the snort.org website. Without these two items the Windows Intrusion Detection System (WinIDS) will fail.

    Item 1: Open a browser, navigate to the snort.org website and either create an account or sign into an account that has already been created. Once signed in, left-click the 'Oinkcode' button on the left menu and a window opens displaying the Oinkcode that is linked to the signed-in account. Either write that code down exactly as displayed or copy and paste it somewhere for later retrieval. That same code will be displayed every time the account is signed into. There is a regenerate button that, if selected, will remove the old Oinkcode and replace it with a new Oinkcode. If a new Oinkcode is generated then it must be changed in the pulledpork.conf file in order to continue getting new rules.

    Item 2: Sign into the snort.org website if not signed in. Minimize the Browser to the task bar but do not sign out. Continue to the next download (snortrules-snapshot-29200). Once the download is complete the browser can be closed.

    Note: If the account is not signed into and active from the same place the download is initiated, the download will fail.
    snortrules-snapshot-29200: Download and save the file to the d:\temp folder.

    Pulledpork 8.0: Download and save the file to the d:\temp folder.

    Strawberry Perl 5.42.0.1: Download and save the file to the d:\temp folder.

    Apache2 2.4.66 (VS18): Download and save the file to the d:\temp folder.

    Apache2 FastCGI module 2.3.10 (VS18): Download and save the file to the d:\temp folder.

    MySQL Database 8.0.44.0: Download and save the file to the d:\temp folder.

    PHP 8.5.1 TS (VS17): Download and save the file to the d:\temp folder.

    ADOdb 5.22.11: Download and save the file to the d:\temp folder.

    nssm 2.24: Download and save the file to the d:\temp folder.

    Installing the Modder files

    The modder file performs several tasks:
    • Disables User Account Control (UAC)
    • Installs Microsoft Visual C++ x86/x64 (VS18) 2017-2026
    • Installs Notepad2
    • Installs scripts and tools
    • Installs 7zip
    • Inserts the 'winids' hostname into the hosts file
    • Inserts 'IGMP and SCTP' into the protocol file for Snort rules
    • Inserts 'Nodosfilewarning' into the user ENV to suppress the CYGWIN warning message when starting Barnyard2
    • Excludes '.rules' in Defender (seen as a virus)
    • Sets TCP/IPv4 as the default protocol
    • Sets Show File Extensions
    • Reboots the system
    At the Windows Desktop press Win + R to open the Run dialog box. In the Run dialog box type 'cmd' (less the outside quotes) and then press CTRL+SHIFT+ENTER to open a command window as Administrator.

    At the CMD prompt type 'd:\temp\modder.bat' (less the outside quotes) and tap the 'Enter' key.

    Allow the script to automatically reboot the system! DO NOT INTERVENE!

    Installing the Windows Intrusion Detection System (WinIDS)


    Installing Npcap

    Open a CMD window and type 'd:\temp\npcap-1.86.exe' (less the outside quotes) and tap the 'Enter' key.

    The 'License Agreement' window opens and left-click 'I Agree'.

    The 'Installation Options' window opens, make sure the only checked box is 'Install Npcap in WinPcap API-compatible Mode' and left-click 'Install'.

    The 'Installation Complete' window opens and left-click 'Next'.

    The 'Finished' window opens and left-click 'Finish'.

    Installing Snort, the Traffic Detection and Inspection Engine

    At the CMD prompt type 'd:\temp\Snort_2_9_20_Installer.x64.exe' (less the outside quotes) and tap the 'Enter' key.

    The 'License Agreement' window opens and left-click 'I Agree'.

    The 'Choose Components' window opens and left-click 'Next'.

    The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next'.

    The install completes with 'Completed' and left-click 'Close'.

    The install finishes with 'Snort has been successfully installed.' and left-click 'OK'.

    Installing Strawberry Perl

    At the CMD prompt type 'd:\temp\strawberry-perl-5.42.0.1-64bit.msi' (less the outside quotes) and tap the 'Enter' key.

    The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens and left-click 'Next'.

    The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' check box and left-click 'Next'.

    The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes) and left-click 'Next'.

    The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.

    The 'Install Strawberry Perl..' window opens, allow the install to complete and left-click 'Next'.

    The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' check box and left-click 'Finish'.

    At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

    Open a CMD window and type 'cpan install Sys::Syslog' (less the outside quotes) and tap the 'Enter' key.

    Installing Pulledpork

    At the CMD prompt type '7z x d:\temp\pulledpork-master.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'ren d:\winids\pulledpork-master pulledpork' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes) and tap the 'Enter' key.

    Installing PHP

    At the CMD prompt type '7z x d:\temp\php-8.5.1-Win32-vs17-x64.zip -od:\winids\php' (less the outside quotes) and tap the 'Enter' key.

    Installing the Apache2 Web-Server

    At the CMD prompt type '7z x d:\temp\httpd-2.4.66-260131-Win64-VS18.zip -od:\winids' (less the outside quotes) and tap the 'Enter' key.

    Installing the FastCGI ASF support module and configuration file for Apache2

    At the CMD prompt type '7z e d:\temp\mod_fcgid-2.3.10-win64-VS18.zip -od:\winids\Apache24\modules *.so' (less the outside quotes) and tap the 'Enter' key.

    Installing BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

    At the CMD prompt type '7z x d:\temp\base.zip -od:\winids\apache24\htdocs\base' (less the outside quotes) and tap the 'Enter' key.

    Installing Barnyard2

    At the CMD prompt type '7z x d:\temp\barnyard2-2.1.14-b337.zip -od:\winids\barnyard2' (less the outside quotes) and tap the 'Enter' key.

    Installing the MySQL Database Server

    At the CMD prompt type 'd:\temp\mysql-installer-community-8.0.44.0.msi' (less the outside quotes) and tap the 'Enter' key.

    The MySQL installer 'Choosing a Setup Type' window opens. Left-click selecting the 'Custom' radio button and left-click 'Next'.

    The MySQL installer 'Select Products' window opens.

    Under 'Available Products:' left-click expanding 'MySQL Servers', left-click expanding 'MySQL Server', left-click expanding 'MySQL Servers 8.0', left-click highlighting 'MySQL Server 8.0.44 - X64' and left-click the green arrow pointing to the right, moving the 'MySql Server 8.0.44 - X64' to the 'Products To Be Installed:' section.

    Under 'Products To Be Installed:' left-click highlighting 'MySql Server 8.0.44 - X64'.

    Just above the 'Cancel' button left-click 'Advanced Options' and the 'Advanced Options for MySQL Server 8.0.44' opens.

    In the 'Install Directory:' dialog box type 'D:\winids\mysql' (less the outside quotes).

    In the 'Data Directory:' dialog box type 'D:\winids\mysql' (less the outside quotes), left-click 'OK' and left-click 'Next'.

    The MySQL installer 'Installation' window opens. Left-click 'Execute' allowing the MySQL to 'Complete' the install and left-click 'Next'.

    The MySQL installer 'Product Configuration' window opens and left-click 'Next'.

    The MySQL installer 'Type and Networking' window opens. Under 'Server Configuration Type' left-click the 'Config Type:', left-click selecting 'Server Computer' and left-click 'Next'.

    The MySQL installer 'Authentication Method' window opens. To the left of 'Use Legacy Authentication Method...' left-click selecting the radio button and left-click 'Next'.

    The MySQL installer 'Accounts and Roles' window opens. In the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes) and tap the 'Tab' key.

    In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), tap the 'Tab' key and left-click 'Next'.

    The MySQL installer 'Windows Service' window opens. In the 'Windows Service Name:' dialog box type 'MySQL' (less the outside quotes) and left-click 'Next'.

    The MySQL installer 'Server File Permissions' window opens and left-click 'Next'.

    The MySQL installer 'Apply Configuration' window opens. Left-click 'Execute' allowing the configuration for MySQL Server to succeed and left-click 'Finish'.

    The MySQL installer 'Product Configuration' window opens and left-click 'Next'.

    The MySQL installer 'Installation Complete' window opens. Left-click 'Finish' to complete the MySQL Database installation.

    At the CMD prompt type 'copy d:\winids\mysql\lib\libmysql.dll c:\windows\system32' (less the outside quotes) and tap the 'Enter' key.

    This should display '1 file(s) copied.' and return to the command prompt.

    Installing ADODB

    At the CMD prompt type '7z x d:\temp\adodb-5.22.11.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'ren d:\winids\adodb-5.22.11 adobd5' (less the outside quotes) and tap the 'Enter' key.

    Verifying Snort is detecting Network traffic

    Snort monitors traffic on a specific NIC and Npcap assigns Index numbers to every NIC. This procedure will determine which Index number Snort is attached to, so write it down as it will be needed several times for testing and final configuration!
    At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.

    The following is a partial example of what might be listed as valid Network Interface Cards.
    Index   Physical Address        IP Address                              Device Name                                             Description
    -----   ----------------        ----------                              -----------                                             -----------
        1   20:41:53:59:4E:FF       disabled                                \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}      RAS Async Adapter
        2   00:0C:29:27:2C:1F       0000:0000:fe80:0000:0000:0000:e0ef:e77d \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}      Intel(R) PRO/1000 MT Network Connection
        3   00:00:00:00:00:00       disabled                                \Device\NPF_Loopback                                    Adapter for loopback traffic capture
    
    Note: There may be several Network Interface Cards listed. Snort needs to know which Index number is attached to the NIC that is monitoring the network traffic.
    At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes) and tap the 'Enter' key.

    Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

    There should now be multiple packets passing through the CMD window (example packet below). If there is no traffic passing through, then open a web browser and generate some web traffic. If there is still no traffic passing through, then activate the CMD window, press CTRL/C to stop the Snort process and try another Index number.
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
    TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    If all Index numbers have been exhausted then there could be a couple of issues:
    • No Internet connection
    • NIC not compatible
    • NIC drivers need updating
    • Wrong configuration of the interface switch (snort -v -ix)
    Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.
    After verifying the Index number, eXit the web-browser, activate the CMD window and press the CTRL/C keys to stop the Snort process exiting back to the CMD prompt.

    Do not proceed until network traffic is being displayed in the CMD window.

    Processing task dependencies pre Snort configuration

    At the CMD prompt type '7z x d:\temp\snortrules-snapshot-29200.tar.gz -od:\temp' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type '7z e d:\temp\snortrules-snapshot-29200.tar -aoa -od:\winids\snort\etc etc\*.*' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'del d:\temp\snortrules-snapshot-29200.tar /Q' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH/# include \$RULE\_PATH/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'type NUL > d:\winids\snort\rules\winids.rules' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'copy d:\winids\scripts\local.rules d:\winids\snort\rules\local.rules' (less the outside quotes) and tap the 'Enter' key.

    Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

    At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate and change the variables below.
    Original Line(s): ipvar HOME_NET any
    Change to: ipvar HOME_NET 192.168.1.0/24

    In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254.

    It is important to specify the correct internal IP segment or segments of the Windows Intrusion Detection System (WinIDS) network that need monitoring and to set the correct CIDR(s).
    Original Line(s): var RULE_PATH ../rules
    Change to: var RULE_PATH d:\winids\snort\rules

    Original Line(s): var SO_RULE_PATH ../so_rules
    Change to: # var SO_RULE_PATH ../so_rules

    Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
    Change to: # var PREPROC_RULE_PATH ../preproc_rules

    Original Line(s): var WHITE_LIST_PATH ../rules
    Change to: var WHITE_LIST_PATH d:\winids\snort\rules

    Original Line(s): var BLACK_LIST_PATH ../rules
    Change to: var BLACK_LIST_PATH d:\winids\snort\rules

    Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

    Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

    Original Line(s): decompress_swf { deflate lzma } \
    Change to: decompress_swf { deflate } \

    Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
    Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

    Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
    Change to: output unified2: filename merged.log, limit 128

    Original Line(s): # include $RULE_PATH/local.rules
    Change to: include $RULE_PATH/local.rules

    Just below the line 'include $RULE_PATH/local.rules', add the next three lines.
    include $RULE_PATH/winids.rules
    include $RULE_PATH/white_list.rules
    include $RULE_PATH/black_list.rules

    Save the file and eXit Notepad2.

    Testing the Snort configuration file

    At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.

    Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

    This will test the Snort configuration and depending on the resources used and/or available, it could take several minutes to run the self-test mode.

    If all the tests pass, the following output confirms that the Snort configuration file and rules have tested good.
    Snort successfully validated the configuration!
    Snort exiting
    
    Do not proceed until 'Snort successfully validated the configuration!'
    Now to test a rule. Scrolling up through the output from the Snort configuration test in the CMD window should show '1 Snort rules read' as shown in the example below.
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    1 Snort rules read
        1 detection rules
        0 decoder rules
        0 preprocessor rules
    1 Option Chains linked into 1 Chain Headers
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    
    At the CMD prompt type 'd:\winids\snort\bin\snort -A console -q -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

    Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

    Once Snort has started with the above command, go to another computer or open another CMD window and ping the IP of the interface that Snort is listening on.

    Output similar to the below should appear in the CMD window if the ping was successful.
    02/02-14:25:23.413383  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
    02/02-14:25:28.037797  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
    02/02-14:25:33.038644  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
    02/02-14:25:38.041163  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
    *** Caught Int-Signal
    
    Note: If the ping is not successful, check the HOME_NET setting in the snort.conf file to make sure it has been configured correctly.
    Do not proceed until the ping has been detected!
    Activate the CMD window and press CTRL/C to exit back to the CMD prompt.
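    The console alert lines above, parsed and counted per rule, as an added Python example that is not part of this tutorial or of Snort. It confirms that the ICMP test rule (sid 10000001) is the one firing and flags any rule noisy enough to flood the database once Barnyard2 starts spooling; the sample output is constructed to match the format shown, and sid 10000002 is an invented second rule.

```python
"""Parse 'snort -A console' alert lines and count events per rule.

Added example, not from the winsnort.com tutorial or the Snort project.
The format assumed is the console (fast) alert line exactly as shown above.
"""
import re
from collections import Counter

# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"  # absent for rules without a classtype
    r"\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed console output: the tutorial's ICMP test rule (sid 10000001),
# an invented TCP rule (sid 10000002) and the line Snort prints on CTRL/C.
SAMPLE_CONSOLE = """\
02/02-14:25:23.413383  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:28.037797  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:30.101010  [**] [1:10000002:1] WinIDS constructed TCP test [**] [Priority: 2] {TCP} 10.0.0.29:1068 -> 192.168.1.26:80
02/02-14:25:33.038644  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:38.041163  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
*** Caught Int-Signal
"""


def parse_alert(line):
    """One console line -> dict of fields, or None for non-alert output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        ev[key] = int(ev[key])
    return ev


def summarize(output):
    """Return (events per (gid, sid), last msg per (gid, sid), skipped lines)."""
    counts, messages, skipped = Counter(), {}, 0
    for line in output.splitlines():
        if not line.strip():
            continue
        ev = parse_alert(line)
        if ev is None:
            skipped += 1
            continue
        key = (ev["gid"], ev["sid"])
        counts[key] += 1
        messages[key] = ev["msg"]
    return counts, messages, skipped


def noisy_rules(counts, threshold):
    """(gid, sid) pairs firing at least `threshold` times in this output:
    the rules to disable before Barnyard2 spools every event into MySQL."""
    return sorted(key for key, n in counts.items() if n >= threshold)
```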

    Note: After the above ping test has succeeded, the rule that generated the events must be disabled. If the rule is not disabled, the database will fill up with millions of useless events.
    At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH\/local.rules/# include \$RULE\_PATH\/local.rules/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.
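    The snort.conf changes from the 'Configuring Snort' section, the earlier perl step that comments out every 'include $RULE_PATH' line, and the step just run that comments local.rules back out, written as an added Python example that is not part of this tutorial or of Snort. It applies the tutorial's 'Original Line(s)'/'Change to' pairs to a constructed excerpt of a stock snort.conf and reports any original line it could not find, which is the check to run before trusting an automated rewrite; the excerpt and the HOME_NET default are assumptions.

```python
"""Apply this tutorial's snort.conf edits to a snort.conf text.
Added example, not from the winsnort.com tutorial or the Snort project.
Assumption: each 'Original Line(s)' text is present verbatim (indentation
aside), as it is in a stock Snort 2.9 snort.conf."""
import re

# 'Original Line(s)' -> 'Change to' pairs exactly as the tutorial lists them.
WINIDS_EDITS = [
    ("ipvar HOME_NET any", "ipvar HOME_NET 192.168.1.0/24"),
    ("var RULE_PATH ../rules", r"var RULE_PATH d:\winids\snort\rules"),
    ("var SO_RULE_PATH ../so_rules", "# var SO_RULE_PATH ../so_rules"),
    ("var PREPROC_RULE_PATH ../preproc_rules",
     "# var PREPROC_RULE_PATH ../preproc_rules"),
    ("var WHITE_LIST_PATH ../rules", r"var WHITE_LIST_PATH d:\winids\snort\rules"),
    ("var BLACK_LIST_PATH ../rules", r"var BLACK_LIST_PATH d:\winids\snort\rules"),
    ("dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/",
     r"dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor"),
    ("dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so",
     r"dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll"),
    ("decompress_swf { deflate lzma } \\", "decompress_swf { deflate } \\"),
    ("# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }",
     "preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }"
     " logfile { portscan.log }"),
    ("# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types,"
     " vlan_event_types",
     "output unified2: filename merged.log, limit 128"),
]

# local.rules uncommented, then the three WinIDS rule files directly below it.
INCLUDE_LINES = [
    "include $RULE_PATH/local.rules",
    "include $RULE_PATH/winids.rules",
    "include $RULE_PATH/white_list.rules",
    "include $RULE_PATH/black_list.rules",
]

# Constructed excerpt of a stock snort.conf, not the whole file.
SAMPLE_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor http_inspect_server: server default \\
    decompress_swf { deflate lzma } \\
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/app-detect.rules
include $RULE_PATH/local.rules
"""


def comment_out_rule_includes(text):
    """The perl -pi -e step: every 'include $RULE_PATH/...' line becomes a
    comment, so only the rule files the tutorial re-enables get loaded."""
    return re.sub(r"^include \$RULE_PATH", "# include $RULE_PATH", text, flags=re.M)


def apply_winids_edits(text):
    """Apply WINIDS_EDITS, keeping each line's indentation. Returns
    (new_text, unmatched); an unmatched original means the file is not the
    stock one and the rewrite must be checked by hand."""
    lines, seen = text.splitlines(), set()
    for i, line in enumerate(lines):
        for old, new in WINIDS_EDITS:
            if line.strip() == old:
                lines[i] = line[: len(line) - len(line.lstrip())] + new
                seen.add(old)
                break
    return "\n".join(lines) + "\n", [o for o, _ in WINIDS_EDITS if o not in seen]


def enable_winids_includes(text):
    """Swap the commented local.rules include for the four active includes."""
    out = []
    for line in text.splitlines():
        out.extend(INCLUDE_LINES if line.strip() == "# include $RULE_PATH/local.rules" else [line])
    return "\n".join(out) + "\n"


def set_local_rules(text, enabled):
    """Toggle only local.rules; enabled=False is the post-ping-test step that
    stops the ICMP test rule from flooding the database."""
    on, off = "include $RULE_PATH/local.rules", "# include $RULE_PATH/local.rules"
    want = on if enabled else off
    return "\n".join(want if l.strip() in (on, off) else l for l in text.splitlines()) + "\n"


def rule_includes(text):
    """Rule files Snort will actually load: the active include lines."""
    return [l.rsplit("/", 1)[-1] for l in text.splitlines() if l.startswith("include $RULE_PATH/")]


def build_winids_conf(text, home_net="192.168.1.0/24"):
    """The tutorial's sequence: comment all includes, apply the edits, enable the
    WinIDS includes, then set HOME_NET to the segment actually being monitored."""
    text = comment_out_rule_includes(text)
    text, unmatched = apply_winids_edits(text)
    if unmatched:
        raise ValueError("not found in snort.conf: " + "; ".join(unmatched))
    text = enable_winids_includes(text)
    return text.replace("ipvar HOME_NET 192.168.1.0/24", "ipvar HOME_NET " + home_net)
```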

    Configuring Pulledpork

    At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate and change the variables below.
    Original Line(s): rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
    Change to: rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|x

    Note: Insert your unique Oinkcode into the x position above.
    Original Line(s): rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
    Change to: # rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

    Original Line(s): temp_path=/tmp
    Change to: temp_path=d:/winids/pulledpork/temp

    Original Line(s): rule_path=/usr/local/etc/snort/rules/snort.rules
    Change to: rule_path=d:/winids/snort/rules/winids.rules

    Original Line(s): local_rules=/usr/local/etc/snort/rules/local.rules
    Change to: local_rules=d:/winids/snort/rules/local.rules

    Original Line(s): sid_msg=/usr/local/etc/snort/sid-msg.map
    Change to: sid_msg=d:/winids/snort/etc/sid-msg.map

    Original Line(s): sid_changelog=/var/log/sid_changes.log
    Change to: sid_changelog=d:/winids/snort/log/sid_changes.log

    Original Line(s): block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
    Change to: # block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

    Original Line(s): IPRVersion=/usr/local/etc/snort/rules/iplists
    Change to: # IPRVersion=/usr/local/etc/snort/rules/iplists

    Original Line(s): snort_control=/usr/local/bin/snort_control
    Change to: # snort_control=/usr/local/bin/snort_control

    Original Line(s): # snort_version=2.9.0.0
    Change to: snort_version=2.9.20.0

    Original Line(s):
    # enablesid=/usr/local/etc/snort/enablesid.conf
    # dropsid=/usr/local/etc/snort/dropsid.conf
    # disablesid=/usr/local/etc/snort/disablesid.conf
    # modifysid=/usr/local/etc/snort/modifysid.conf
    
    Change to:
    enablesid=d:/winids/pulledpork/etc/enablesid.conf
    dropsid=d:/winids/pulledpork/etc/dropsid.conf
    disablesid=d:/winids/pulledpork/etc/disablesid.conf
    modifysid=d:/winids/pulledpork/etc/modifysid.conf
    
    Original Line(s): # ips_policy=security
    Change to: ips_policy=security

    In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced and security) that can be used. Change the above to your specific needs. Each policy has the Sourcefire recommended rules applied and the 'ips_policy' switch is only an option. By placing a hash '#' (less the outside quotes) mark in front of the 'ips_policy' switch, Pulledpork will process the stock rules as they are.
    • Connectivity: Means "Connectivity over Security". Meaning this is a speedy policy for people that insist on blocking only the really known bad with no false positives.

    • Balanced: Means "Balanced between Connectivity and Security". Meaning that this is a good starter policy for everyone. It's quick, has a good base coverage level and covers the latest threats of the day. The policy contains everything that is in Connectivity.

    • Security: Means "Security over Connectivity". Meaning that this is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it. Rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity and Balanced.
    Save the file and eXit Notepad2.

    Rule activation and testing with Pulledpork

    At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes) and tap the 'Enter' key.

    This will not only test the Pulledpork configuration file, but will install the latest ruleset. Depending on the resources used and/or available, it could take several minutes to process.

    If the test passed, the following is a confirmation that the Pulledpork configuration file passed and the rules were successfully installed.
    Please review d:\winids\snort\log\sid_changes.log for additional details
    Fly Piggy Fly!
    
    Do not proceed until 'Fly Piggy Fly!' has appeared

    Testing the Snort configuration file

    At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.

    Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

    Pulledpork modified/added new rules and Snort will need to test the new rules to verify there are no errors.

    The following is a confirmation that the Snort configuration file and rules have tested good.
    Snort successfully validated the configuration!
    Snort exiting
    
    Do not proceed until 'Snort successfully validated the configuration!' has appeared.

    Configuring PHP

    At the CMD prompt type 'mkdir d:\winids\php\logs' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key.

    Should display '1 file(s) copied.' and return to the CMD prompt.
    At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate and change the variables below.
    Original Line(s): max_execution_time = 30
    Change to: max_execution_time = 60

    Original Line(s): ;error_log = php_errors.log
    Change to: error_log = d:\winids\php\logs\php_errors.log

    Original Line(s): ;include_path = ".;c:\php\includes"
    Change to: include_path = "d:\winids\php"

    Original Line(s): ;extension_dir = "ext"
    Change to: extension_dir = "d:\winids\php\ext"

    Original Line(s): ;extension=gd
    Change to: extension=gd

    Original Line(s): ;extension=gmp
    Change to: extension=gmp

    Original Line(s): ;extension=mysqli
    Change to: extension=mysqli

    Original Line(s): ;date.timezone =
    Change to: date.timezone = America/New_York

    In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting where the Windows Intrusion Detection System (WinIDS) will be located is essential.

    Check out the PHP website for the List of Supported Timezones.
    Original Line(s): ;session.save_path = "/tmp"
    Change to: session.save_path = "c:\windows\temp"

    Save the file and eXit Notepad2.

    Configuring the Apache2 Web-Server

    At the CMD prompt type 'notepad2 d:\winids\apache24\conf\httpd.conf' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate and change the variables below.
    Original Line(s): ServerRoot "C:/Apache24-64"
    Change to: ServerRoot "d:/winids/Apache24"

    Original Line(s): Listen 80
    Change to: Listen winids:80

    Original Line(s): #ServerName www.example.com:80
    Change to: ServerName winids:80

    Original Line(s): DocumentRoot "C:/Apache24-64/htdocs"
    Change to: DocumentRoot "d:/winids/Apache24/htdocs/base"

    Original Line(s): <Directory "C:/Apache24-64/htdocs">
    Change to: <Directory "d:/winids/Apache24/htdocs/base">

    Original Line(s): Options Indexes FollowSymLinks
    Change to: Options -Indexes

    Original Line(s): DirectoryIndex index.html
    Change to: DirectoryIndex index.php

    Original Line(s): #ErrorDocument 500 "The server made a boo boo."
    Change to: ErrorDocument 500 /base_error.php

    Scroll all the way to the bottom of the file and insert the next 11 lines of code:
    LoadModule fcgid_module modules/mod_fcgid.so
    <IfModule fcgid_module>
        FcgidInitialEnv PHPRC "d:/winids/php"
        FcgidInitialEnv PATH "d:/winids/php;c:/Windows/system32;c:/Windows;c:/Windows/System32/Wbem;"
        FcgidIOTimeout 120
        <Files ~ "\.php$">
            Options +ExecCGI
            AddHandler fcgid-script .php
            FcgidWrapper "d:/winids/php/php-cgi.exe" .php
        </Files>
    </IfModule>
    
    Save the file and eXit Notepad2.

    Testing the Apache2 configuration file

    At the CMD prompt type 'd:\winids\Apache24\bin\httpd.exe -t' (less the outside quotes) and tap the 'Enter' key.

    This will test the Apache2 configuration file in self test mode.

    If the Apache2 configuration file passed, the following will be a confirmation that the httpd.conf file has tested as good.
    Syntax OK
    
    Do not proceed until the Apache2.4 configuration file has been successfully tested as Syntax OK and all errors reported above have been corrected.

    Adding Apache2 to the Windows Services Database

    At the CMD prompt type 'd:\winids\apache24\bin\httpd.exe -k install' (less the outside quotes) and tap the 'Enter' key.

    The 'User Alert Security' dialog box may appear requesting permission to allow the 'Apache HTTP Server' to communicate with the private internal network; if it does, left-click 'Allow access'.

    The below is the confirmation that the Apache service has been successfully installed and the Apache configuration file has been tested.
    Installing the Apache2.4 service
    The Apache2.4 service is successfully installed.
    Testing httpd.conf....
    Errors reported here must be corrected before the service can be started.
    
    Do not proceed until the Apache2.4 service has been successfully installed and all errors reported above have been corrected.
    At the CMD prompt type 'net start apache2.4' (less the outside quotes) and tap the 'Enter' key.

    Testing Apache2 and the PHP installation

    At the CMD prompt type 'copy d:\winids\scripts\test_php.php d:\winids\apache24\htdocs\base' (less the outside quotes) and tap the 'Enter' key.

    Should display '1 file(s) copied.' and return to the CMD prompt.
    Open a web-browser and type 'http://winids/test_php.php' (less the outside quotes) into the URL Address box and tap the 'Enter' key.

    Several sections of information concerning the status and install of PHP should be displayed.

    In the first section of information make SURE that the item labeled 'Server API' is pointing to 'CGI/FastCGI'.

    In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini'.

    In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' in columns 'Local Values' and 'Master Values'.

    In the section labeled 'Configuration - PHP Core' make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php' in columns 'Local Values' and 'Master Values'.

    In the section labeled 'session' make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' in columns 'Local Values' and 'Master Values'.
    Do not proceed until all the above paths are correct!
    eXit the web-browser.

    At the CMD prompt type 'del d:\winids\apache24\htdocs\base\test_php.php' (less the outside quotes) and tap the 'Enter' key.

    Adding Snort to the Windows Services Database

    At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.

    At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

    Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

    This will install Snort into the Windows Services Database and the below is a confirmation that the Snort service was successfully added to the Windows Services Database.
     [SNORT_SERVICE] Attempting to install the Snort service.
     [SNORT_SERVICE] The full path to the Snort binary appears to be:
        D:\winids\snort\bin\snort /SERVICE
     [SNORT_SERVICE] Successfully added registry keys to:
        \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
     [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.
    
    Do not proceed until the Snort service has been successfully added to the Windows Services Database.
    At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes) and tap the 'Enter' key.

    The following is a confirmation that the Snort auto-start service has been successfully activated.
    [SC] ChangeServiceConfig SUCCESS
    
    Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

    Configuring the MySQL Database Server

    Open a CMD window and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate the line '[mysqld]' (less the outside quotes) and add the next two lines just below it.
    character-set-server=utf8
    bind-address=127.0.0.1
    
    Save the file and eXit Notepad2.

    Creating the Windows Intrusion Detection System Databases
    At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes) and tap the 'Enter' key to be dropped into the MySQL CMD prompt as Administrator.

    At the mysql CMD prompt type 'create database snort;' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK...' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'create database archive;' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK...' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'show databases;' (less the outside quotes) and tap the 'Enter' key.

    There should be several databases listed, 'information_schema', 'archive', 'mysql' and 'snort'.

    Creating the Windows Intrusion Detection System Database Tables
    At the mysql CMD prompt type 'connect snort;' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Current database: snort' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key.

    It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
    At the mysql CMD prompt type 'source d:\winids\apache24\htdocs\base\sql\create_base_tbls_mysql.sql' (less the outside quotes) and tap the 'Enter' key.

    The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes) and drop back to the mysql prompt.
    At the mysql CMD prompt type 'show tables;' (less the outside quotes) and tap the 'Enter' key.

    The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes) and drop back to the mysql prompt.
    At the mysql CMD prompt type 'connect archive;' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Current database: archive' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'source d:\winids\barnyard2\schemas\create_mysql' (less the outside quotes), and tap the 'Enter' key.

    It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.
    At the mysql CMD prompt type 'source d:\winids\apache24\htdocs\base\sql\create_base_tbls_mysql.sql' (less the outside quotes) and tap the 'Enter' key.

    The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes) and drop back to the mysql prompt.
    At the mysql CMD prompt type 'show tables;' (less the outside quotes) and tap the 'Enter' key.

    The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes) and drop back to the mysql prompt.

    Creating the Windows Intrusion Detection System Database Access and Authenticated Users
    At the mysql CMD prompt type 'CREATE USER 'snort' IDENTIFIED WITH mysql_native_password BY 'l0gg3r';' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'GRANT INSERT,SELECT,UPDATE ON snort.* TO 'snort';' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'CREATE USER 'base' IDENTIFIED WITH mysql_native_password BY 'an@l1st';' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'GRANT ALTER,CREATE,DELETE,INSERT,SELECT,UPDATE ON snort.* TO 'base';' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'GRANT ALTER,CREATE,DELETE,INSERT,SELECT,UPDATE ON archive.* TO 'base';' (less the outside quotes) and tap the 'Enter' key.

    It will display 'Query OK' and drop back to the mysql prompt.
    At the mysql CMD prompt type 'use mysql;' (less the outside quotes) and tap the 'Enter' key.

    At the mysql CMD prompt type 'select user from user;' (less the outside quotes) and tap the 'Enter' key.

    There should be several users listed, including 'base' and 'snort'.
    At the mysql CMD prompt type 'quit;' (less the outside quotes) and tap the 'Enter' key.

    Confirming MySQL and Snort are operational

    At the CMD prompt type 'net stop mysql & net start mysql & net start snort' (less the outside quotes) and tap the 'Enter' key.

    Do not proceed until the MySQL Database has successfully restarted and Snort has successfully started!
    At the CMD prompt type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager.

    Left-click the 'Processes' tab.

    At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes.

    In the 'Name' or 'Image Name' column 'snort.exe' and 'mysql.exe' should be listed.

    Do not proceed until the processes above are running!
    eXit the 'Task Manager'.

    Configuring BASE, the Windows Intrusion Detection Systems (WinIDS) Security Console

    At the CMD prompt type 'copy d:\winids\apache24\htdocs\base\base_conf.php.dist d:\winids\apache24\htdocs\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key.

    Should display '1 file(s) copied.' and return to the CMD prompt.
    At the CMD prompt type 'notepad2 d:\winids\apache24\htdocs\base\base_conf.php' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate and change the variables below.
    Original Line(s): $DBlib_path = '';
    Change to: $DBlib_path = 'd:\winids\adodb5';

    Original Line(s): $DBtype = '?????';
    Change to: $DBtype = 'mysql';

    Original Line(s):
    $alert_dbname   = 'snort_log';
    $alert_host     = 'localhost';
    $alert_port     = '';
    $alert_user     = 'snort';
    $alert_password = 'mypassword';
    
    Change to:
    $alert_dbname   = 'snort';
    $alert_host     = 'winids';
    $alert_port     = '';
    $alert_user     = 'base';
    $alert_password = 'an@l1st';
    

    Original Line(s):
    $archive_exists   = 0; # Set this to 1 if you have an archive DB
    $archive_dbname   = 'snort_archive';
    $archive_host     = 'localhost';
    $archive_port     = '';
    $archive_user     = 'snort';
    $archive_password = 'mypassword';
    
    Change to:
    $archive_exists   = 1; # Set this to 1 if you have an archive DB
    $archive_dbname   = 'archive';
    $archive_host     = 'winids';
    $archive_port     = '';
    $archive_user     = 'base';
    $archive_password = 'an@l1st';
    

    Original Line(s): $resolve_IP = 0;
    Change to: $resolve_IP = 1;

    Original Line(s): $show_expanded_query = 0;
    Change to: $show_expanded_query = 1;

    Original Line(s): $portscan_file = '';
    Change to: $portscan_file = 'd:\winids\snort\log\portscan.log';

    Original Line(s): $colored_alerts = 0;
    Change to: $colored_alerts = 1;

    Save the file and eXit Notepad2.

    Configuring Barnyard2

    At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes) and tap the 'Enter' key.

    Use the Find option in Notepad2 to locate and change the variables below.
    Original Line(s):
    config reference_file:      /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file:            /etc/snort/gen-msg.map
    config sid_file:            /etc/snort/sid-msg.map
    
    Change to:
    config reference_file:      d:\winids\snort\etc\reference.config
    config classification_file: d:\winids\snort\etc\classification.config
    config gen_file:            d:\winids\snort\etc\gen-msg.map
    config sid_file:            d:\winids\snort\etc\sid-msg.map
    

    Original Line(s): # config event_cache_size: 4096
    Change to: config event_cache_size: 32768

    Original Line(s): #output database: log, mysql, user=root password=test dbname=db host=localhost
    Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS_Master

    Save the file and eXit Notepad2.

    Testing the Barnyard2 configuration file

    At the CMD prompt type 'd:\winids\scripts\by2-test.bat' (less the outside quotes) and tap the 'Enter' key.

    This will start Barnyard2 in self-test mode for configuration testing and depending on the resources used and/or available it could take from 10 minutes to 1 hour to run the self-test mode.

    If all the tests pass, the following is a confirmation that the Barnyard2 configuration file is good.
    Barnyard2 successfully loaded configuration file!
    Barnyard2 exiting
    database: Closing connection to database "snort"
    
    Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Barnyard2 and closed the connection to the Snort database!

    Installing the Non-Sucking Service Manager (nssm)

    At the CMD prompt type '7z e d:\temp\nssm-2.24.zip nssm-2.24\win64\nssm.exe -od:\winids\tools' (less the outside quotes) and tap the 'Enter' key.

    Adding Barnyard2 to the Windows Services Database using nssm

    At the CMD prompt type 'd:\winids\scripts\by2-service.bat' (less the outside quotes) and tap the 'Enter' key.

    The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.
    Service "Barnyard2" installed successfully!
    Set parameter "Start" for service "Barnyard2".
    Barnyard2 service installed and started with auto-start.
    
    Do not proceed until the 'Barnyard2 service installed and started with auto-start' is displayed.
    At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes) and tap the 'Enter' key.

    The following is a confirmation that the Barnyard2 delayed auto-start service has been successfully activated.
    [SC] ChangeServiceConfig SUCCESS
    
    Do not proceed until the Barnyard2 auto-start service has been successfully activated.

    Adding the Rules Updater to the Desktop

    At the CMD prompt type 'd:\winids\scripts\sc-create.bat' (less the outside quotes) and tap the 'Enter' key.

    Note: A "Rules Update" shortcut has been added to the desktop for manually initiating a Rules update. For a simple rule update just right-click the desktop icon and select 'Run as Administrator'.
    • The Rules updater can be scheduled
    • The Rules Updater can run silent
    • The Rules Updater can Email results to a valid SMTP server
    Note: There is a tutorial located HERE to detail the above options.
    At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes) and tap the 'Enter' key to reboot.

    Verifying Barnyard2 and Snort are running as processes after rebooting

    It could take several minutes for the Barnyard2 process to appear after rebooting, as it is on a delayed start.
    After the reboot, open a CMD window and type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager.

    Left-click the 'Processes' tab.

    At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes.

    In the 'Name' or 'Image Name' column 'snort.exe' and 'Barnyard2.exe' should both be listed.

    Do not proceed until both processes show as running!
    eXit the 'Task Manager'.
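    As an added verification step (not part of this tutorial or the WinIDS scripts), the following PowerShell script automates the Task Manager walk-through above and also checks the service start modes set with 'sc config' and the addresses the web and database servers are listening on. It assumes Windows PowerShell 5.1 or later, the service names Apache2.4, MySQL, SnortSvc and Barnyard2 as used earlier, and the process names snort, Barnyard2 and httpd; run it from an elevated PowerShell prompt after the reboot.

```powershell
# Added verification script; not part of the WinIDS tutorial or its scripts.
# Assumptions: service names Apache2.4, MySQL, SnortSvc and Barnyard2 (as used
# with net start / sc config above) and process names snort, Barnyard2 and httpd.
# Run from an elevated PowerShell prompt after the reboot.

$failed = $false

# Service name -> start mode expected from the 'sc config' steps above
$expectedServices = [ordered]@{
    'Apache2.4' = 'Auto'
    'MySQL'     = 'Auto'
    'SnortSvc'  = 'Auto'
    'Barnyard2' = 'DelayedAuto'
}

foreach ($name in $expectedServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "[FAIL] service '$name' is not installed"
        $failed = $true
        continue
    }
    # 'sc config ... start= delayed-auto' sets DelayedAutostart=1 under the service key
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $delayed = (Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart -eq 1
    if ($svc.StartType -like 'Automatic*') {
        $mode = if ($delayed) { 'DelayedAuto' } else { 'Auto' }
    } else {
        $mode = [string]$svc.StartType
    }
    $want = $expectedServices[$name]
    if ($svc.Status -ne 'Running' -or $mode -ne $want) {
        Write-Host "[FAIL] service '$name': $($svc.Status), $mode (expected Running, $want)"
        $failed = $true
    } else {
        Write-Host "[ OK ] service '$name': Running, $mode"
    }
}

# Same check as the Task Manager walk-through: the daemons must exist as processes
foreach ($proc in 'snort', 'Barnyard2', 'httpd') {
    if (Get-Process -Name $proc -ErrorAction SilentlyContinue) {
        Write-Host "[ OK ] process $proc.exe is running"
    } else {
        Write-Host "[FAIL] process $proc.exe is not running"
        $failed = $true
    }
}

# httpd.conf was set to 'Listen winids:80' and my.ini to 'bind-address=127.0.0.1',
# so neither port may be bound to the wildcard address
foreach ($port in 80, 3306) {
    $listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        Write-Host "[FAIL] nothing is listening on TCP port $port"
        $failed = $true
        continue
    }
    foreach ($l in $listeners) {
        if ($l.LocalAddress -in @('0.0.0.0', '::')) {
            Write-Host "[FAIL] TCP port $port is bound to all interfaces ($($l.LocalAddress))"
            $failed = $true
        } else {
            Write-Host "[ OK ] TCP port $port bound to $($l.LocalAddress)"
        }
    }
}

if ($failed) { Write-Host 'Do not proceed until the failures above are corrected.'; exit 1 }
Write-Host 'All WinIDS services, processes and listeners verified.'
```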

    At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

    Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

    Open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box and tap the 'Enter' key.

    Note: The Windows Intrusion Detection Systems (WinIDS) Security Console is configured to auto refresh every three minutes. Manually refreshing the browser (F5) will show new events and restart the auto refresh counter. Depending on the available resources and the active ruleset, it could take from 10-60 minutes to see events being added to the Windows Intrusion Detection System (WinIDS) console.

    If no events have been logged after a reasonable length of time then there is a topic here with detailed instruction on how to activate all the rules for testing purposes ONLY. Failure to follow the instructions completely to the end after events have been successfully logged will result in millions of useless events being added to the database.

    In Conclusion

    At this point the tutorial has been successfully completed. Events should be arriving into the Database and those events should be seen in the local Windows Intrusion Detection Systems (WinIDS) Security Console.

    I encourage the post-installation tweaks listed below to get a somewhat production-ready 'Windows Intrusion Detection System (WinIDS)'.
    • Tuning your rules and preprocessors.
    • Tuning Snort thresholds and limit values.
    • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
    • Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
    • Become a subscriber (fee based) on snort.org to get access to zero day rules.
    • Scheduling a rules update (with the included Rules Updater).

    Security Issues

    Let's review what has happened so far:
    • All support programs, including 'Apache2' have been installed to a separate partition, which closed a multitude of security holes.
    • The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.
    • A desktop icon was installed to manually initiate a rules update using Pulledpork (rules updates can only be initiated every 15 minutes).

    Optional Companion Documents

    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

    Updating the Windows Intrusion Detection Systems (WinIDS) Major components


    Debugging Installation errors

    Check the Event Viewer, as most of the support programs write FATAL errors to the Windows Application log, or check the log file for the specific application.

    General tutorial issues

    For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Feedback

    I would love to get feedback on any recommendations, experiences or ideas for this tutorial. Please leave feedback HERE.

    Michael E. Steele | Microsoft Certified System Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org