Sign in to follow this  
Followers 0

Installing a Slave Sensor Logging to an existing Master MySQL Sensor


How to Install a Windows Intrusion Detection System (WinIDS)

ids.gif

Installing a Slave Sensor Logging to an existing Master MySQL Sensor

Windows 7 / 8.x / 10 / 2008 R2 SE / 2012 R2 SE / 2016 SE / 2019 SE

Written by: Michael E. Steele



Introduction

During my research, and development I've found a lot of tutorials, and blogs describing the installation process for the UNIX environment. Yet, none of them specifically detailed setting this up in a Windows environment. I've been working on, and updating these tutorials for the past 12 plus years, and managed to get through the complete process in the Windows environment.

For this tutorial one of the two stand alone Windows Intrusion Detection Systems (WinIDS) listed below MUST already be installed. This tutorial gives all the basic instructions on how to create a functioning Windows Intrusion Detection System (WinIDS) SLAVE Sensor. It will also be converting an existing stand alone Windows Intrusion Detection System (WinIDS) into a MASTER Windows Intrusion Detection System (WinIDS).

Advanced problems not related to the basic install should not be posted to the forum where the tutorial resides, and where general help is available for problems during the initial tutorial set-up.

If there are any doubts which tutorial that should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in it's original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment for a SLAVE Sensor

  • Microsoft's Windows operating systems are used exclusively for these tutorials.
It is highly recommended to start with a fresh install of one of the supported 32bit or 64bit Windows operating systems listed below.
  • Windows 7 Professional
  • Windows 8.x Professional
  • Windows 10 Professional
  • Windows Server 2008 R2 Standard Edition
  • Windows Server 2012 R2 Standard Edition
  • Windows Server 2016 Standard Edition
  • Windows Server 2019 Standard Edition
All the operating systems listed above have been tested using both the 32bit, and 64bit architecture for this tutorial. However, any another Windows operating system listed above, under the same framework will most likely work.

Major support programs used in this install

  • Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
  • Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) networks data streams.
  • Barnyard2 is a dedicated spooler for Snort's unified2 binary output format, and on-forwarding to a MASTER MySQL database.
  • Strawberry Perl is everything needed to run perl scripts (.pl), and applications such as PulledPork.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

  • A fresh install of any 32/64bit Version of Windows listed above in will do.
  • All available Service Packs and updates MUST be applied from the Microsoft Download Center.
  • For these tutorials there are two partitions: C: (System) with 300GB, and D: (WinIDS) with 1TB.
  • Installed memory should be no less than 4GB (more is always better).
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!


Prepping for the Windows Intrusion Detection System (WinIDS) SLAVE Sensor Tutorial


Downloading and extracting the core 'Windows Intrusion Detection Systems (WinIDS)' Software Support Pack

It is imperative to only use the files included in the 'WinIDS - (32/64bit) Software Support Packs' below. These files have been thoroughly tested and compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial.
Depending on the processors architecture, download the appropriate support file below!
dload.png 32bit Windows All: Download and save the 'WinIDS - 32bit Core Software Support Pack' to a temporary location.

Open File Explore and navigate to the location of the 'winids-cssp-x32.zip' file, right-click the 'winids-cssp-x32.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer..

dload.png 64bit Windows All: Download and save the 'WinIDS - 64bit Core Software Support Pack' to a temporary location.

Open File Explore and navigate to the location of the 'winids-cssp-x64.zip' file, right-click the 'winids-cssp-x64.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer..

Downloading additional, and required support files for all supported Windows operating systems

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection Systems (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - (32/64bit) Software Support Pack' were extracted.
dload.png npcap-0.996: Download and save the file to the d:\temp folder.

In some instances after downloading the Snort executable below, the '.exe' extension might be missing. After downloading, navigate to the location of the Snort executable, and if the '.exe' extension is missing, add '.exe' (less the outside quotes) to the end of the filename.
dload.png Snort 2_9_13: Download and save the file to the d:\temp folder.

The next download requires the installer to be a registered user on the snort.org website, and logged in.

Navigate to the snort.org website and either login or create a new account. While still being logged into the snort.org web site return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.

Note: If the installer is not logged into the snort.org website prior to initiating the next download, the installer will be re-directed to the snort.org website. At that point either create a new account or login. While still being logged into the snort.org website return to the Windows Intrusion Detection Systems (WinIDS) tutorial, and initiate the next download.
dload.png snortrules-snapshot-29130: Download and save the file to the d:\temp folder.

Downloading additional support files based on a specific Operating Systems Hardware Architecture

There are several additional files listed under two groups below. Download only, and all the files listed under the appropriate processors architecture group that the Windows Intrusion Detection System (WinIDS) will be installed on.
32bit Windows All: Required additional downloads for the 32bit architecture install!

dload.png Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.


64bit Windows All: Required additional downloads for the 64bit architecture install!

dload.png Strawberry Perl 5.30.0.1: Download and save the file to the d:\temp folder.

Installing the core support files, and making basic configuration changes

It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.

It is also important when asked to 'Close a CMD window' it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
Open a CMD window with Administrator privileges and type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key.

Allow the script to automatically reboot the system! DO NOT INTERVENE! This background process could take several minutes to complete.
The modder.vbs file preforms several tasks:
  • Installs Microsoft Visual C++ 2012/2013/2017
  • Installs 'Notepad2' to Windows\System32
  • Installs 'unzip' to Windows\System32
  • Installs 'tartool' to Windows\System32
  • Installs the DejaVuSans font for BASE graphing
  • Inserts 'winids' hostname into hosts file
  • Inserts 'IGMP and SCTP' into the protocol file for Snort rules
  • Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
  • Sets 'Show File Extensions' as on in registry
  • Reboots system
After the reboot it is strongly advise that the Microsoft Baseline Security Analyzer (MBSA) be used to identify and correct common security miss configurations. Each issue should be resolved prior to starting this tutorial.

Configuring remote access to the MASTER MySQL Database server

For this section of the tutorial the installer MUST be logged into the existing MASTER Windows Intrusion Detection Server (WinIDS) sensor with Administrative privileges.
Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes), and tap the 'Enter' key.

Use the find and locate the line '[mysqld]' (less the outside quotes), and just below remove the next line.
bind-address=127.0.0.1
Save the file, and eXit Notepad2.

At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes), and tap the 'Enter' key.

You will be dropped into the MySQL administration console CMD prompt.
At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort@x.x.x.x identified by "l0gg3r";' (less the outside quotes), and tap the 'Enter' key.

Make SURE the x.x.x.x reflects the IP address of the SLAVE sensor.
At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

Do not proceed until the Windows Intrusion Detection System (WinIDS) has completely restarted.

Verifying there is an open MySQL port between the SLAVE and MASTER sensor

For the remaining tutorial the installer MUST be logged back into the SLAVE sensor with Administrative privileges.

There MUST be an open MySQL database listening port on the MASTER Sensor, and the SLAVE Sensor MUST be able to connect.
Open a CMD window with Administrator privileges and type 'd:\temp\portqry.exe -n x.x.x.x -e pppp' (less the outside quotes), and tap the 'Enter' key.

x.x.x.x is the MASTER MySQL Database Servers IP address.
pppp is the MASTER MySQL Database Servers listening port (default = 3306).

The following is a confirmation that the port is listening.
TCP port (redacted) (unknown service): LISTENING
Do not proceed until the port status shows LISTENING

Installing the Windows Intrusion Detection System (WinIDS) SLAVE Sensor


Installing Npcap

At the CMD prompt type 'd:\temp\npcap-0.996.exe' (less the outside quotes), and tap the 'Enter' key.

The 'License Agreement' window opens, left-click 'I Agree'.

The 'Installation Options' window opens, uncheck everything except 'Automatically start the Npcap driver at boot time' and 'Install Npcap in WinPcap API-compatible Mode' (bypass any ghosted selections), left-click 'Install'.

The 'Installing' window opens allowing the install to complete.

The 'Installation Complete' window opens, left-click 'Next'.

The 'Finished' window opens, left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_13_Installer.exe' (less the outside quotes), and tap the 'Enter' key.

The 'License Agreement' window opens, left-click 'I Agree'.

The 'Choose Components' window opens, left-click 'Next'.

The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing the install to complete.

The 'Snort has been successfully installed' window opens, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card inserted in the place of the 'x' position above. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.
Open any web-browser and generate some traffic.

There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Note: If no traffic is passing through the CMD window, try another 'Index' number.
After verifying active network traffic, eXit the web-browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

Do not proceed until network traffic is being displayed in the CMD window.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-29130.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

Installing Strawberry Perl

Depending on the processors architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'd:\temp\strawberry-perl-5.30.0.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens, left-click 'Next'.

The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' radio button, and left-click 'Next'.

The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click 'Next'.

The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.

The 'Install Strawberry Perl..' window opens, allow the install to complete, and left-click 'Next'.

The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' radio box, and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Barnyard2

Depending on the processors architecture, install the appropriate support file below!
32bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x86-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

64bit Windows All: At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-x64-2.1.14-build337.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

The 'sid-msg.map' file essentially maps the Rule MSG alert name to the sid number assigned to the rule.

This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database.

Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid.

Without the 'sid-msg.map' being read by barnyard2, the events in the database will show up only as gid:sid. (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will also show events from all new rules as gid:sid. (1:2133 for example).
At the CMD prompt type 'perl d:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct internal IP segment of the Windows Intrusion Detection System (WinIDS) network that needs monitoring, and to set the correct CIDR.
Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): decompress_swf { deflate lzma } \
Change to: decompress_swf { deflate } \

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration!
Snort exiting
Do not proceed until 'Snort successfully validated the configuration!'

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will install Snort into the Windows Services Database.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.
 [SNORT_SERVICE] Attempting to install the Snort service.
 [SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
 [SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
 [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.
Do not proceed until the Snort service has been successfully added to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Snort auto-start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s):
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
Change to:
config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): #output database: log, mysql, user=root password=test dbname=db host=localhost
Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=x.x.x.x port=yyyy sensor_name=WinIDS-Madrid
  • 'user=snort' snort is the user name that will be used to access the MASTER MySQL database.
  • The 'password=l0gg3r' l0gg3r is the password associated with the 'user=snort' that is accessing the MASTER Windows Intrusion Detection Systems (WinIDS) MySQL database.
  • The 'dbname=snort' snort will be the name of the MASTER MySQL database where all the events will be shuttled to.
  • The 'host=x.x.x.x' x.x.x.x will be the IP Address of the MASTER Windows Intrusion Detection System sensor.
  • The 'port=yyyy' yyyy will be the listening port of the MASTER MySQL database server.
  • The 'sensor_name=WinIDS-Madrid' WinIDS-Madrid will be displayed in the Windows Intrusion Detection Security Console along with the alert generated from that particular SLAVE Sensor.
WinIDS-Madrid is only an example. The SLAVE sensor could be anywhere in the world, so make the appropriate change as needed. This is important because if there are several SLAVE sensors reporting to the same database, this is the only way to tell where the alert was generated from.
Save the file, and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing, and depending on the resources used and/or available it could take up to 30 minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.
Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"
Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to database!

Adding Barnyard2 to the Windows Services Database

At the CMD prompt type 'unzip -oqq d:\temp\service_files.zip -d c:\windows' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'cd /d c:\windows' (less the outside quotes), and tap the enter key.

At the CMD prompt type 'instsrv srvany c:\windows\srvany.exe' (less the outside quotes), and tap the enter key.

The following is a confirmation that 'srvany' was successfully added to the Windows Services Database.
The service was successfully added!
Do not proceed until the srvany service has been successfully added!
At the CMD prompt type 'instsrv Barnyard2 c:\windows\srvany.exe' (less the outside quotes), and tap the enter key.

The following is a confirmation that Barnyard2 was successfully added to the Windows Services Database.
The service was successfully added!
Do not proceed until the Barnyard2 service has been successfully added!
At the CMD window type 'd:\temp\auto-remote-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The Registry Editor selection box opens and asks; 'Are you sure you want to continue?', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
Do not proceed until the Barnyard2 auto-start service has been successfully activated.
At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

Verifying Barnyard2, and Snort is running as a process after rebooting

It could take several minutes for the Barnyard2 process to display after rebooting as it is on a delayed start.
After the reboot open a CMD window and type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts, in the bottom left-click and check 'Show processes from all users' or left click 'More Details', left-click the 'Details' tab, in the 'Status' column 'Barnyard2.exe', and 'Snort.exe' should be listed as running.

Do not proceed until both processes shows to be running!
eXit the 'Task Manager'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion

I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have. The goal of this tutorial was not just for you to create a Windows Intrusion Detection System (WinIDS) SLAVE sensor using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Windows Intrusion Detection System (WinIDS) with confidence.

At this point you are done with this tutorial. Events should be arriving into the MASTER Windows Intrusion Detection Systems MySQL Database server, and the Windows Intrusion Detection Systems Security Console should be showing events as they arrive. Each event will reflect the unique sensor name from where the event originated.

I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'.

This includes:
  • Tuning your rules and preprocessors.
  • Tuning Snort thresholds and limit values.
  • Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
  • Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
  • Configure a system, such as PulledPork to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org