Installing a Slave Sensor Logging to an existing Master MySQL Sensor

How to Install a Windows Intrusion Detection System (WinIDS)

Installing a Slave Sensor Logging to an existing Master MySQL Sensor

Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE

Last Date Revised: July 22, 2023

Written by: Michael E. Steele

Introduction

Take Note: Winsnort has phased out support for the 32bit architecture.

During my research and development for the past 20 plus years I've found a lot of tutorials, including blogs describing the installation process for the UNIX environment, but nothing specifically detailed for setting up an intrusion detection system in a Windows environment.

In order to setup distributed sensors one of the standalone, all inclusive, Windows Intrusion Detection Systems (WinIDS) listed below must be installed and converted into a MASTER sensor. There must also be an open network connection from the SLAVE sensor to the MASTER sensor.

This tutorial gives all the basic instructions on how to create a distributed Windows Intrusion Detection System (WinIDS) SLAVE sensor.

This tutorial will be converting an existing standalone, all inclusive Windows Intrusion Detection System (WinIDS) into a MASTER sensor capable of receiving events from any distributed SLAVE sensor anywhere in the world.

The goal of these tutorials was not just to create a Windows Intrusion Detection System (WinIDS) using the most advanced intrusion detection engine known as Snort, but to understand how all the parts work together and to get a deeper understanding of all the components so that troubleshooting and modifying the Windows Intrusion Detection System (WinIDS) can be completed with confidence.

If there are any doubts which tutorial should be used, there is a posted topic HERE that will provide the basics so an informed decision can be made based on which combination of software packages are best suited for the installation.

Copyright Notice

This document is Copyright © 2003-2025 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in it's original form, no money is involved and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples and/or other content of this document are entirely at your own risk.

This tutorial is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Get Support

All general support questions related to a specific tutorial MUST be directed to the specific forum for that particular tutorial. If there is any confusion just click on the 'Get Community Support' button at the top of each tutorial to get transported to the correct forum!

There is a Client Only Lounge where all advanced questions/problems should be posted not related to the general installation of any of the tutorials.

By request, there is a premium fee service available for one on one support, including remote installs.

If this tutorial has not been directly acquired from the winsnort.com website, then is most likely not the latest revision of this tutorial!

This is a basic Windows Intrusion Detection System (WinIDS) deployment for a SLAVE Sensor

Microsoft's Windows operating systems are used exclusively for these tutorials.

It is highly recommended to start with a fresh install of one of the supported Windows operating systems listed below.

If this is a commercial installation and Windows 10 or Windows 11 is a requirement, it is recommended that Windows Enterprise LTSC (Long Term Servicing Channel) version is used.

With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features that could be updated with new functionality, including Edge. Make note that all in-box Universal Windows apps are not included in the LTSC channel updates. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period.

The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support.

See LTSC: What is it and when it should be used.

Windows x64 10 Professional / LTSC
Windows x64 11 Professional / LTSC
Windows x64 Server 2016 Standard Edition
Windows x64 Server 2019 Standard Edition
Windows x64 Server 2022 Standard Edition
Windows x64 Server 2025 Standard Edition

All the operating systems listed above have been tested using this tutorial. However, any another Windows operating system listed above, under the same framework will most likely work.

Major support programs used in this install

Npcap allows 3rd party applications such as Snort to capture and transmit network packets bypassing the protocol stack.
Snort performs real-time traffic analysis and network packet logging on Internet Protocol (IP) networks data streams.
Barnyard2 is a dedicated spooler for Snort's unified2 binary output format and on-forwarding to a MASTER MySQL database.
Pulledpork automates the rule updating process.
Strawberry Perl is everything needed to run perl scripts (.pl) and applications such as PulledPork.
NSSM is the Non-Sucking Service Manager used to start Barnyard2 as a service.

How this Hardware and Software was prepped for this Windows Intrusion Detection System (WinIDS) tutorial

A fresh install of any version of Windows listed above is highly recommended.
All available Service Packs and updates MUST be applied from the Microsoft Download Center.
For this tutorial there are two disks: C:/ (Disk1 - System) with 300GB and D:/ (Disk2 - WinIDS) with 1TB.
Installed memory should be no less than 4GB (more is always better).

For this tutorial there are two disks being used.

Disk1: This is where the Windows operating system will be installed into and should not require more that 100GB of space.

Disk2: This is where The Windows Intrusion detection System will be installed and will require at least 1TB of space as a starting point.

Note: For Disk2 more space is always recommended for future growth.

The default installation paths are hard coded into this tutorial and is also hard coded into some of the install scripts. If the default installation path for the Windows Intrusion Detection System is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder then the appropriate changes will need to be made to this tutorial and possibly any script that might need to be ran in order to accommodate the non-standard folder locations.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!

Prepping for the Windows Intrusion Detection System (WinIDS) SLAVE Sensor Tutorial

Downloading and extracting the core Windows Intrusion Detection System (WinIDS) Software Support Pack

It is imperative to only use the files included in the 'WinIDS - Core Software Support Pack' below. These files have been thoroughly tested and compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial.

Download and save the 'WinIDS - Core Software Support Pack'.

Open File Explore and navigate to the location of the 'winids-core.zip' file, right-click the 'winids-core.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' radio box, left-click extract, in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK' and eXit File Explorer..

Downloading additional and required support files for this tutorial

It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - Core Software Support Pack' were extracted.

npcap-1.86: Download and save the file to the d:\temp folder.

Snort 2.9.20: Download and save the file to the d:\temp folder.

There are two items that are mandatory and requires access to a registered account on the snort.org website. Without these two items the Windows Intrusion Detection System (WinIDS) will fail.

Item 1: Open a browser, navigate to the snort.org website and either create an account or Sign into an account that has already been created. Once signed in, on the left menu there is an 'Oinkcode' button and select that and a Window opens displaying the Oinkcode that is linked to the signed in account. Either write that code down exactly as displayed or copy and paste it somewhere for later retrieval. That same code will be displayed every time the account is signed into. There is a regenerate button and if selected will remove the old Oinkcode and be replaced with the new Oinkcode. If a new Oinkcode is generated then it must be changed in the Pulledpork.conf file in order to continue getting new rules.

Item 2: Sign into the snort.org website if not signed in. Minimize the Browser to the task bar but do not sign out. Continue to the next download (snortrules-snapshot-29200). Once the download is complete the browser can be closed.

Note: If the account is not signed into and active from the same place the download is initiated, the download will fail.

snortrules-snapshot-29200: Download and save the file to the d:\temp folder.

Pulledpork 8.0: Download and save the file to the d:\temp folder.

Strawberry Perl 5.42.0.1: Download and save the file to the d:\temp folder.

nssm 2.24: Download and save the file to the d:\temp folder.

Installing the Modder files

The modder file preforms several tasks:

Disables Universal Access Control (UAC)
Installs Microsoft Visual C++ x86/x64 (VS18) 2017-2026
Installs Notepad2
Installs scripts and Tools
Installs 7zip
Inserts 'winids' hostname into hosts file
Inserts 'IGMP and SCTP' into the protocol file for Snort rules
Inserts 'Nodosfilewarning' into User ENV to suppress CYGWIN warning message when starting Barnyard2
Exclude '.rules' in Defender (seen as a virus)
Sets TCP/IPv4 as the default protocal
Sets Show File Extensions
Reboots system

At the Windows Desktop press Win + R to open the Run dialog box. In the Run dialog box type 'cmd' (less the outside quotes) and then press CTRL+SHIFT+ENTER to open a command window as Administrator.

At the CMD prompt type 'd:\temp\modder.bat' (less the outside quotes) and tap the 'Enter' key.

Allow the script to automatically reboot the system! DO NOT INTERVENE!

Configuring the Windows Intrusion Detection System (WinIDS) Master MySQL Sensor

For this section of the tutorial the installer MUST be logged into the existing MASTER Windows Intrusion Detection System (WinIDS) with Administrative privileges.

Open a CMD window and type 'notepad2 d:\winids\mysql\my.ini' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s): bind-address=127.0.0.1
Change to: bind-address=0.0.0.0

Note: The above allows multiple connections from different sources to the database as long as the connection gets authenticated.

Save the file and eXit Notepad2.

At the CMD prompt type 'mysql -u root -pd1ngd0ng' (less the outside quotes) and tap the 'Enter' key to be dropped into the MySQL CMD prompt as Administrator.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort@'%' identified WITH mysql_native_password BY 'l0gg3r';' (less the outside quotes) and tap the 'Enter' key.

Note: In the above, the IP has been set to '%' in order for multiple remote locations has access the master sensor database using the same account.

At the mysql CMD prompt type 'quit;' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'net stop mysql & net start mysql' (less the outside quotes) and tap the 'Enter' key.

Do not proceed until the MySQL Database has successfully restarted!

At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

Verifying there is an open MySQL port between the SLAVE and MASTER sensor

For the remaining tutorial the installer MUST be logged back into the SLAVE sensor with Administrative privileges.

There MUST be an open MySQL database listening port on the MASTER Sensor and the SLAVE Sensor MUST be able to connect.

Open a CMD window and type 'portqry.exe -n x.x.x.x -e pppp' (less the outside quotes) and tap the 'Enter' key.

x.x.x.x is the MASTER MySQL Database Servers IP address.
pppp is the MASTER MySQL Database Servers listening port (default = 3306).

The following is a confirmation that the port is listening.

TCP port 3306 (unknown service): LISTENING

Do not proceed until the port status shows LISTENING

Installing the Windows Intrusion Detection System (WinIDS) SLAVE Sensor

Installing Npcap

Open a CMD window and type 'd:\temp\npcap-1.86.exe' (less the outside quotes) and tap the 'Enter' key.

The 'License Agreement' window opens and left-click 'I Agree'.

The 'Installation Options' window opens, make sure the only checked select box is 'Install Npcap in WinPcap API-compatible Mode' and left-click 'Install'.

The 'Installation Complete' window opens and left-click 'Next'.

The 'Finished' window opens and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_20_Installer.x64.exe' (less the outside quotes) and tap the 'Enter' key.

The 'License Agreement' window opens and left-click 'I Agree'.

The 'Choose Components' window opens and left-click 'Next'.

The 'Choose Install Location' window opens, in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next'.

The install completes with 'Completed' and left-click 'Close'.

The install finishes with 'Snort has been successfully installed.' and left-click 'OK'.

Installing Strawberry Perl

At the CMD prompt type 'd:\temp\strawberry-perl-5.42.0.1-64bit.msi' (less the outside quotes) and tap the 'Enter' key.

The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens and left-click 'Next'.

The 'End-User License Agreement' window opens, left-click checking the 'I accept the terms...' check box and left-click 'Next'.

The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes) and left-click 'Next'.

The 'Ready to install Strawberry Perl..' window opens, left-click 'Install'.

The 'Install Strawberry Perl..' window opens, allow the install to complete and left-click 'Next'.

The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read README file.' check box and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

Open a CMD window and type 'cpan install Sys::Syslog' (less the outside quotes) and tap the 'Enter' key.

Installing Pulledpork

At the CMD prompt type '7z x d:\temp\pulledpork-master.zip -od:\winids\' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'ren d:\winids\pulledpork-master pulledpork' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes) and tap the 'Enter' key.

Installing Barnyard2

At the CMD prompt type '7z x d:\temp\barnyard2-2.1.14-b337.zip -od:\winids\barnyard2' (less the outside quotes) and tap the 'Enter' key.

Prepping for configuring Snort, the Heart of the Windows Intrusion Detection System (WinIDS)

At the CMD prompt type '7z x d:\temp\snortrules-snapshot-29200.tar.gz -od:\temp' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type '7z e d:\temp\snortrules-snapshot-29200.tar -aoa -od:\winids\snort\etc etc\*.*' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'del d:\temp\snortrules-snapshot-29200.tar /Q' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH/# include \$RULE\_PATH/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\winids.rules' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'copy d:\winids\scripts\local.rules d:\winids\snort\rules\local.rules' (less the outside quotes) and tap the 'Enter' key.

Verifying Snort is detecting Network traffic

Snort monitors traffic on a specific NIC and Npcap assigns Index numbers to every NIC. This procedure will determine which Index number Snort is attached too, so write it down as it will be needed several times for testing and final configuration!

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index   Physical Address        IP Address                              Device Name                                             Description
-----   ----------------        ----------                              -----------                                             -----------
    1   20:41:53:59:4E:FF       disabled                                \Device\NPF_{78032B7E-4968-42D3-9F37-287EA86C0AAA}      RAS Async Adapter
    2   00:0C:29:27:2C:1F       0000:0000:fe80:0000:0000:0000:e0ef:e77d \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}      Intel(R) PRO/1000 MT Network Connection
    3   00:00:00:00:00:00       disabled                                \Device\NPF_Loopback                                    Adapter for loopback traffic capture

Note: There may be several Network Interface Cards listed. Snort needs to know which Index number is attached to the NIC that is monitoring the network traffic.

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

There should now be multiple packets passing through he CMD window (example packet below). If there is no traffic passing through, then open a web browser and generate some web traffic. If there is still no traffic passing through, then activate the CMD window, press the CRTL/C to stop the Snort process and try another Index number.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E Ack: 0x1850214F Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If all Index numbers have been exhausted then there could be a couple of issues:

No Internet connection
NIC not compatible
NIC drivers need updating
Configuring wrong (snort -v -ix)

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

After verifying the Index number, eXit the web-browser, activate the CMD window and press the CTRL/C keys to stop the Snort process exiting back to the CMD prompt.

Do not proceed until network traffic is being displayed in the CMD window.

Processing task dependencies pre Snort configuration

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example (192.168.1.0/24), using a CIDR of 24 the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254.

It is important to specify the correct internal IP segment or segments of the Windows Intrusion Detection System (WinIDS) network that needs monitoring and to set the correct CIDR/S.

Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: # var PREPROC_RULE_PATH ../preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): decompress_swf { deflate lzma } \
Change to: decompress_swf { deflate } \

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s): # include $RULE_PATH/local.rules
Change to: include $RULE_PATH/local.rules

Just below the line 'include $RULE_PATH/local.rules', add the next three line.

include $RULE_PATH/winids.rules
include $RULE_PATH/white_list.rules
include $RULE_PATH/black_list.rules

Save the file and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

This will test the Snort configuration and depending on the resources used and/or available, it could take several minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Now to test a rule. Scrolling up through the output from the Snort configuration test in the CMD window should show 1 Snort rules read as shown in the example below.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

At the CMD prompt type 'd:\winids\snort\bin\snort -A console -q -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

Once Snort has started with the above command, go to another computer or open another CMD window and ping the IP of the interface that Snort is listening on.

Output similar to the below should appear in the CMD window if the ping was successful.

02/02-14:25:23.413383  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:28.037797  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:33.038644  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
02/02-14:25:38.041163  [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.3 -> 192.168.1.26
*** Caught Int-Signal

Note: If the ping is not successful, check the HOME_NET setting in the snort.conf file to make sure it has been configured correctly.

Do not proceed until the ping has been detected!'

Activate the CMD window and press CTRL/C to exit back to the CMD prompt.

Note: After the above ping test was successful the rule that generated the events must be disabled. If the rule is not disabled the database will fill up with millions of useless events.

At the CMD prompt type 'perl -pi -e "s/include \$RULE\_PATH\/local.rules/# include \$RULE\_PATH\/local.rules/" d:\winids\snort\etc\snort.conf' (less the outside quotes) and tap the 'Enter' key.

Configuring Pulledpork

At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s): rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to: rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|x

Note: Insert your unique Oinkcode into the x position above.

Original Line(s): rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to: # rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Original Line(s): temp_path=/tmp
Change to: temp_path=d:/winids/pulledpork/temp

Original Line(s): rule_path=/usr/local/etc/snort/rules/snort.rules
Change to: rule_path=d:\winids\snort\rules\winids.rules

Original Line(s): local_rules=/usr/local/etc/snort/rules/local.rules
Change to: local_rules=d:\winids\snort\rules\local.rules

Original Line(s): sid_msg=/usr/local/etc/snort/sid-msg.map
Change to: sid_msg=d:\winids\snort\etc\sid-msg.map

Original Line(s): sid_changelog=/var/log/sid_changes.log
Change to: sid_changelog=d:\winids\snort\log\sid_changes.log

Original Line(s): block_list=/usr/local/etc/snort/rules/iplists/default.blocklist
Change to: # block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

Original Line(s): IPRVersion=/usr/local/etc/snort/rules/iplists
Change to: # IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s): snort_control=/usr/local/bin/snort_control
Change to: # snort_control=/usr/local/bin/snort_control

Original Line(s): # snort_version=2.9.0.0
Change to: snort_version=2.9.20.0

Original Line(s):

# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

Change to:

enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf

Original Line(s): # ips_policy=security
Change to: ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced and security) that can be used. Change the above to your specific needs. Each policy has the Sourcefire recommended rules applied and the 'ips_policy' switch is only an option. By placing a hash '#' (less the outside quotes) mark in front of the 'ips_policy' switch Pulledpork will process the stock rules as they are.

Connectivity: Means "Connectivity over Security". Meaning this is a speedy policy for people that insist on blocking only the really known bad with no false positives.

Balanced: Means "Balanced between Connectivity and Security". Meaning that this is a good starter policy for everyone. It's quick, has a good base coverage level and covers the latest threats of the day. The policy contains everything that is in Connectivity.

Security: Means "Security over Connectivity". Meaning that this is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it. Rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity and Balanced.

Save the file and eXit Notepad2.

Rule activation and testing with Pulledpork

At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes) and tap the 'Enter' key.

This will not only test the Pulledpork configuration file, but will install the latest ruleset. Depending on the resources used and/or available, it could take several minutes to process.

If the test passed, the following is a confirmation that the Pulledpork configuration file passed and the rules were successfully installed.

Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Do not proceed until 'Fly Piggy Fly!' has appeared

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

Pulledpork modified/added new rules and Snort will need to test the new rules to verify there are no errors.

The following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes) and tap the 'Enter' key.

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

This will install Snort into the Windows Services Database and the below is a confirmation that the Snort service was successfully added to the Windows Services Database.

 [SNORT_SERVICE] Attempting to install the Snort service.
 [SNORT_SERVICE] The full path to the Snort binary appears to be:
    D:\winids\snort\bin\snort /SERVICE
 [SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
 [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes) and tap the 'Enter' key.

The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes) and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.

Original Line(s):

config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

Change to:

config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): #output database: log, mysql, user=root password=test dbname=db host=localhost
Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=x.x.x.x port=yyyy sensor_name=Rome

'user=snort' snort is the user name that will be used to access the MASTER MySQL database.
The 'password=l0gg3r' l0gg3r is the password associated with the 'user=snort' that is accessing the MASTER Windows Intrusion Detection System (WinIDS) MySQL database.
The 'dbname=snort' snort will be the name of the MASTER MySQL database where all the events will be shuttled to.
The 'host=x.x.x.x' x.x.x.x will be the IP Address of the MASTER Windows Intrusion Detection System sensor.
The 'port=yyyy' yyyy will be the listening port of the MASTER MySQL database server.
The 'sensor_name=Rome' Rome will be displayed in the Windows Intrusion Detection Security Console along with the event generated from that particular SLAVE Sensor.

Rome is only an example. The SLAVE sensor could be anywhere in the world, so make the appropriate change as needed. This is important because if there are several SLAVE sensors reporting to the same database, this is the only way to tell where the event was generated from.

Save the file and eXit Notepad2.

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\scripts\by2-test.bat' (less the outside quotes) and tap the 'Enter' key.

This will start Barnyard2 in self-test mode for configuration testing and depending on the resources used and/or available it could take from 10 minutes to 1 hour to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!
Barnyard2 exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Barnyard2 and closed the connection to the Snort database!

Installing the Non-Sucking Service Manager (nssm)

At the CMD prompt type '7z e d:\temp\nssm-2.24.zip nssm-2.24\win64\nssm.exe -od:\winids\tools' (less the outside quotes) and tap the 'Enter' key.

Adding Barnyard2 to the Windows Services Database using nssm

At the CMD prompt type 'd:\winids\scripts\by2-service.bat' (less the outside quotes) and tap the 'Enter' key.

The following is a confirmation that the Barnyard2 auto-start service has been successfully activated.

Service "Barnyard2" installed successfully!
Set parameter "Start" for service "Barnyard2".
Barnyard2 service installed and started with auto-start.

Do not proceed until the 'Barnyard2 service installed and started with auto-start' is displayed.

At the CMD prompt type 'sc config Barnyard2 start= delayed-auto' (less the outside quotes) and tap the 'Enter' key.

The following is a confirmation that the Barnyard2 delayed auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Barnyard2 auto-start service has been successfully activated.

Adding the Rules Updater to the Desktop

At the CMD prompt type 'd:\winids\scripts\sc-create.bat' (less the outside quotes) and tap the 'Enter' key.

Note: A "Rules Update" shortcut has been added to the desktop for manually initiating a Rules update. For a simple rule update just right-click the desktop icon and select 'Run as Administrator'.

The Rules updater can be scheduled
The Rules Updater can run silent
The Rules Updater can Email results to a valid SMTP server

Note: There is a tutorial located HERE to detail the above options.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes) and tap the 'Enter' key to reboot.

Verifying Barnyard2 and Snort is running as a process

After rebooting it could take several minutes for the Barnyard2 process to start as it is on a delayed start.

After the reboot Open a CMD window and type 'taskmgr.exe' (less the outside quotes) and tap the 'Enter' key to start the Windows Task Manager.

Left-click the 'Processes' tab.

At the bottom, left-click 'Show processes from all users' or 'More Details' to view all running processes.

In the 'Name' or 'Image Name' column 'snort.exe' and 'Barnyard2.exe' should be listed.

Do not proceed until both processes shows to be running!

eXit the 'Task Manager'.

At the CMD prompt type 'exit' (less the outside quotes) and tap the 'Enter' key.

Verifying events are being added from the remote Windows Intrusion Detection Sensor (WinIDS)

Note: It is not necessary to reboot or restart any of the services on the master sensor. The master sensor database will automatically accept the connection from the slave sensor as long as the slave sensor is configured correctly.

On the master sensor open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, tap the 'Enter' key and the master Windows Intrusion Detection System (WinIDS) security console opens.

Depending on the available resources and the active ruleset on the slave sensor it could take from 10-60 minutes for the database connect and the first event to arrive.

The number of sensors connected to the master sensor is displayed to the right of 'Sensors/Total:'. If the 'Sensors/Total:' is showing '1 / 1' then it is only seeing the master sensor. Keep refreshing the screen (F5) and the 'Sensors/Total:' should increase by 1 as the slave sensor/s are being detected. However that number will only increase with the first event being logged from the remote sensor/s.

If no events have been logged after a reasonable length of time then there is a topic here with detailed instruction on how to activate all the rules for testing purposes ONLY. The testing will need to be completed on the slave sensor in question. Failure to follow the instructions completely to the end after events have been successfully logged will result in millions of useless events being added to the database.

Once the slave sensor has been detected and added to the 'Sensor Total:' count, under 'Traffic Profile by Protocol' left-click one of the protocols to display the events related to that protocol. The 'ID' column contains the line number, the sensor number and the position in the MySQL event table.

Note: As an example the 'ID' might be '#4-(2-6)'. The #4 is line number as shown on the screen, the '2' is the actual sensor number where the event originated, and the '6' is the actual position where it was inserted into the database event table.

In order to find out which # is assigned to which slave sensor left-click the 'Search' option on the top left and the search window opens. Under 'Meta Criteria' and to the right of 'Sensor:' use the drop down box to see which # is assigned to which sensor_name.

Sensor #1 will always the master sensor. If the remote sensor_name is not listed then no events have yet been logged from that remote sensor.

To view the events for a particular sensor by most recent. Select the sensor #, go to the bottom of the screen, left-click timestamp (descend) and left-click 'Query DB'.

The Windows Intrusion Detection system (WinIDS) security console is pretty powerful in what it can do. The above was just a short tutorial in showing how to verify the connection from a remote Windows Intrusion Detection Sensor (WinIDS) to a master Windows Intrusion Detection System (WinIDS) and viewing the most recent events from a specific sensor.

In Conclusion

At this point the tutorial has been successfully completed, events should be arriving into the MASTER Windows Intrusion Detection Systems MySQL Database server and the Windows Intrusion Detection Systems Security Console should be showing events as they arrive. Each listed event will reflect the unique sensor # and opening the event will show the unique sensor_name from where the event originated.

I encourage some tweaks listed below to the post-installation to get a somewhat production-ready 'Windows Intrusion Detection System (WinIDS)'.

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection System (WinIDS) Security Console.
Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).
Become a subscriber (fee based) on snort.org to get access to zero day rules.
Scheduling a rules update (with the included Rules Updater).

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).

How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).

How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).

How to schedule automatic rules updating
This tutorial is a simple to understand process on how to schedule automatic rules updating.

How to compile Barnyard2 on Windows using Cygwin
This tutorial is a simple to understand, step-by-step guide for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator).

How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.

Updating the Windows Intrusion Detection System (WinIDS) Major components

How to update the Snort Intrusion Detection Engine
This tutorial will show How to update the Snort Intrusion Detection Engine.

How to update the Windows Intrusion Detection Systems rules
This tutorial will show how to update the Windows Intrusion Detection Systems rules.

Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log or check the actual log file for the specific application.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback on any recommendations, experiences or ideas for this tutorial. Please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org