
Installing Master Sensor Rule Management using PulledPork


Windows Intrusion Detection System - Companion Add-On Tutorial



Written by: Michael E. Steele



Introduction

This tutorial is a simple to understand, step-by-step tutorial for adding automated rule management using PulledPork to an existing Windows Intrusion Detection System (WinIDS).

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

Operating System and Configuration Setup

All existing Windows Intrusion Detection Systems (WinIDS) are supported.

This is how I have set up and tested PulledPork in my Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure.
  • Internet access to the outside.
  • Install into any existing Windows Intrusion Detection System (WinIDS).
  • I'm installing the PulledPork rule management solution logged on as user 'Operator' with 'Administrator' privileges.
  • I'm installing the PulledPork rule management solution into the existing 'd:\winids' folder.
The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.


Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial


Downloading and extracting the WinIDS Companion Software Development Pack

This tutorial assumes one of the Windows Intrusion Detection System (WinIDS) tutorials was used to create the Windows Intrusion Detection System (WinIDS) that this tutorial is being implemented into. The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial.
It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested, and found compatible with all the supported Windows Intrusion Detection Systems (WinIDS) tutorials.
Windows All: Download and save the 'WinIDS Companion Software Development Pack' to a temporary location.

Open File Explorer and navigate to the location of the 'winids-csdp.zip' file, right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...', in the 'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the outside quotes), left-click and uncheck the 'Show extracted files when complete' check box, left-click 'Extract', in the 'Password:' dialog box type 'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File Explorer.

It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.

It is also important when asked to 'Close a CMD window' it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

Prepping for the Pulledpork Tutorial


Backing up the current Snort Installation

Open a CMD window with Administrator privileges and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will create a backup of the original installation.

Acquiring your unique Oinkcode

In order for PulledPork to work you MUST open an account on the snort.org web-site and acquire a unique Oinkcode.

Once the account has been set up, 'Sign In', left-click your user login in the top right, and under 'Accounts' left-click 'Oinkcode'. In the center, under 'Oinkcode', your unique Oinkcode is shown in red. You will need this exact code to complete this tutorial, so record it somewhere safe (it is an account credential, not a public identifier), as it will need to be entered later on; then close the browser.

Installing PulledPork for Automatic Rule Updating


Installing PulledPork

During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network.
At the CMD prompt type 'unzip -oq d:\temp\pulledpork-0.7.4.zip -d d:\winids\pulledpork' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites

At the CMD prompt type 'cpan install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key.

It could take several minutes to install the Syslog module.

Configuring the existing Windows Intrusion Detection System (WinIDS)

Prepping the Rules
At the CMD prompt type 'del d:\winids\snort\rules\*.* /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\so_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'rd d:\winids\snort\preproc_rules /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\*_list.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\local.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'xcopy d:\winids\snort-old\rules\experimental.* d:\winids\snort\rules /Q /Y' (less the outside quotes), and tap the 'Enter' key.

Prepping the Configuration File
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Replace option in Notepad2 to Find and Replace the following sections below.
Original: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules
Change to: # var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

In Step #7 replace ALL the 'include $RULE_PATH/...' lines with the next 3 lines below.
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
include $RULE_PATH/winids.rules
Use the Find option in Notepad2 to locate and change the lines below.
Original Line(s):
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Save the file, and eXit Notepad2.

Configuring PulledPork

At the CMD prompt type 'mkdir d:\winids\pulledpork\temp' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\pulledpork\etc\pulledpork.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find option in Notepad2 to locate and change the variables below.
Original Line(s): rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
Change to: rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> with the whole '<oinkcode>' placeholder, angle brackets included, replaced by the Oinkcode recorded earlier (no spaces around the '|' separators).

The Oinkcode is a credential tied to your snort.org account, so restrict 'pulledpork.conf' to administrators and never paste the file's contents (or the Oinkcode itself) into forum posts or logs.

Original Line(s): rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
Change to: # rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Original Line(s): rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource
Change to: # rule_url=https://snort.org/downloads/community/|opensource.gz|Opensource

Original Line(s): temp_path=/tmp
Change to: temp_path=d:\winids\pulledpork\temp

Original Line(s): rule_path=/usr/local/etc/snort/rules/snort.rules
Change to: rule_path=d:\winids\snort\rules\winids.rules

Original Line(s): local_rules=/usr/local/etc/snort/rules/local.rules
Change to: local_rules=d:\winids\snort\rules\local.rules

Original Line(s): sid_msg=/usr/local/etc/snort/sid-msg.map
Change to: sid_msg=d:\winids\snort\etc\sid-msg.map

Original Line(s): sid_changelog=/var/log/sid_changes.log
Change to: sid_changelog=d:\winids\snort\log\sid_changes.log

Original Line(s): black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
Change to: # black_list=/usr/local/etc/snort/rules/iplists/default.blacklist

Original Line(s): IPRVersion=/usr/local/etc/snort/rules/iplists
Change to: # IPRVersion=/usr/local/etc/snort/rules/iplists

Original Line(s): snort_control=/usr/local/bin/snort_control
Change to: # snort_control=/usr/local/bin/snort_control

Original Line(s): # docs=/path/to/base/www
IIS install change to: docs=d:\winids\inetpub\wwwroot\base\signatures\
Apache install change to: docs=d:\winids\Apache24\htdocs\base\signatures\

Original Line(s): # snort_version=2.9.11.0
Change to: snort_version=x.x.x.x

Here 'x.x.x.x' stands for the exact version of Snort installed on the Windows Intrusion Detection System (WinIDS). PulledPork uses this value to build the name of the rule tarball it requests from snort.org (2.9.11.0 becomes 'snortrules-snapshot-29110.tar.gz'), so the Snort version and the rule set version MUST be in sync. If the Windows Intrusion Detection System is running Snort version 2.9.11.0, then the above must be 'snort_version=2.9.11.0'.
There are two 'Official Snort Rule sets' available for download:
  • Subscriber Release: There is an annual fee associated with this type of account. Paid Subscribers are privy to the very latest in new and modified rules (Zero Day).
  • Registered User Release: There is no annual fee associated with this type of account. Registered Users are always 30 days behind in modified and new rules (no Zero Day).
Updating the rules is crucial for both of the above groups. However, there is a definite plus to becoming a 'Subscriber' (paid user): a Subscriber can run the update process once every minute, while 'Registered' (non-paid) users can run it only once every 15 minutes. The access is logged as soon as the update session reaches the update server, so if, for whatever reason, the session ends before the new rule set is downloaded, 'Registered' (non-paid) users MUST wait 15 minutes before another session can be started.

Your unique Oinkcode tells the rule set repository which group you belong to, returns the correct rule set for that group, and timestamps the access.

By no means is this a lesson in rule updating. I cannot overstate how IMPORTANT it is to read the documentation for PulledPork and Snort. It is also IMPORTANT to join the Snort-users list and the PulledPork-users list. The rules are the life blood of the Windows Intrusion Detection System (WinIDS).

Original Line(s):
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
Change to:
enablesid=d:\winids\pulledpork\etc\enablesid.conf
dropsid=d:\winids\pulledpork\etc\dropsid.conf
disablesid=d:\winids\pulledpork\etc\disablesid.conf
modifysid=d:\winids\pulledpork\etc\modifysid.conf
Original Line(s): # ips_policy=security
Change to: ips_policy=security

In the above, the 'ips_policy' switch is set to 'security'. There are three pre-configured policies (connectivity, balanced, and security) that can be used; change the above to your specific needs. Each policy enables the Sourcefire-recommended rules for that policy and disables the rest, and the 'ips_policy' switch is optional: by placing a hash '#' (less the outside quotes) in front of the 'ips_policy' line, PulledPork will leave the stock rules in the enabled/disabled state they ship in.
  • Connectivity: Means "Connectivity over Security". Meaning this is a speedy policy for people that insist on blocking only the really known bad with no false positives.

  • Balanced: Means "Balanced between Connectivity and Security". Meaning that this is a good starter policy for everyone. It's quick, has a good base coverage level, and covers the latest threats of the day. The policy contains everything that is in Connectivity.

  • Security: Means "Security over Connectivity". Meaning that this is a stringent policy that everyone should strive to get to through tuning. It's quick, but has some policy-type rules in it. Rules that will alert on Flash contained within an Excel file and things like that. This policy contains everything that is in Connectivity, and Balanced.
Save the file, and eXit Notepad2.
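To make the policy mechanics above concrete, here is an added example (written for this edit; it is not PulledPork's code and is not part of the original tutorial) that re-implements, in Python, the rule-state selection that 'ips_policy', 'enablesid' and 'disablesid' perform: a rule stays enabled only if its 'metadata:' carries a 'policy <name>-ips' token for the chosen policy, every other rule is commented out, and the gid:sid override files are applied on top. The four sample rules and the SIDs 9000001-9000004 are constructed for the example, the pass order (policy, then enablesid, then disablesid) is a simplification, and the alert-to-drop conversion PulledPork can do for inline sensors is not shown.

```python
"""Rule-state selection in the style of PulledPork's ips_policy / enablesid / disablesid,
re-implemented on a constructed sample ruleset (not PulledPork's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample rules; SIDs 9000001-9000004 are in the local range, not real Snort rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE in every policy"; flow:to_server,established; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE security policy only"; flow:to_server,established; metadata:policy security-ips alert, service http; sid:9000002; rev:2;)
alert udp any any -> any 53 (msg:"SAMPLE no policy metadata"; sid:9000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE shipped disabled"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
# One 'policy <name>-ips <action>' token per policy the rule belongs to.
POLICY_RE = re.compile(r"policy\s+([a-z]+)-ips\s+(alert|drop)", re.I)


@dataclass
class Rule:
    gid: int
    sid: int
    enabled: bool                                   # True unless the line is commented out
    policies: dict = field(default_factory=dict)    # policy name -> 'alert' | 'drop'
    body: str = ""                                  # rule text without any leading '#'


def parse_rule(line):
    """Return a Rule for a rule line (enabled or '#'-disabled), None for anything else."""
    stripped = line.strip()
    enabled = not stripped.startswith("#")
    body = stripped if enabled else stripped.lstrip("#").strip()
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None                                 # blank line or a plain comment
    gid_m = GID_RE.search(body)
    policies = {}
    meta_m = META_RE.search(body)
    if meta_m:
        for name, action in POLICY_RE.findall(meta_m.group(1)):
            policies[name.lower()] = action.lower()
    return Rule(int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)), enabled, policies, body)


def select_rules(rule_text, ips_policy=None, enablesid=(), disablesid=()):
    """Apply the policy and the gid:sid overrides; return (output lines, set of enabled sids)."""
    enablesid, disablesid = set(enablesid), set(disablesid)
    out, enabled_sids = [], set()
    for line in rule_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)
            continue
        state = rule.enabled
        if ips_policy is not None:
            # Policy mode: only rules tagged for that policy stay on; every other rule is
            # commented out, regardless of the state the vendor shipped it in.
            state = ips_policy.lower() in rule.policies
        key = (rule.gid, rule.sid)
        if key in enablesid:
            state = True
        if key in disablesid:                       # an explicit disable wins (assumed order)
            state = False
        out.append(rule.body if state else "# " + rule.body)
        if state:
            enabled_sids.add(rule.sid)
    return out, enabled_sids


def parse_sid_file(text):
    """Parse enablesid/disablesid-style 'gid:sid' lists into (gid, sid) tuples; '#' starts a
    comment.  PulledPork also accepts ranges and pcre selectors, which are not handled here."""
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for item in line.split(","):
            gid, sid = item.strip().split(":")
            pairs.add((int(gid), int(sid)))
    return pairs


if __name__ == "__main__":
    for policy in ("connectivity", "balanced", "security"):
        _, sids = select_rules(SAMPLE_RULES, policy)
        print(f"{policy:13s} enables {sorted(sids)}")
    overrides = parse_sid_file("# constructed disablesid.conf\n1:9000001\n")
    _, sids = select_rules(SAMPLE_RULES, "security", disablesid=overrides)
    print(f"security minus disablesid: {sorted(sids)}")
```

Run it with 'python' to print which SIDs each of the three policies enables on the sample. On the constructed set the output also illustrates the nesting described above: everything connectivity enables is also enabled by balanced, and everything balanced enables is also enabled by security, while the rule with no policy metadata (sid 9000003) is switched off the moment any 'ips_policy' is in force.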

If the Windows Intrusion Detection System (WinIDS) was monitoring prior to starting this tutorial, it should still be monitoring while Pulledpork is updating the rules.
At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes), and tap the 'Enter' key.

The '-T' switch tells PulledPork to process text rules only and to skip the shared-object (so_rules) rules, which this WinIDS does not use (the 'so_rules' folder was removed earlier). The above procedure could take 15-45 minutes to complete depending on available resources.

The signature documentation tarball (opensource.gz) is only downloaded and extracted when its 'rule_url' line is enabled in 'pulledpork.conf' and 'docs=' points at the BASE signatures folder; it contains in excess of 24,000 files, and Perl is painfully slow to process them. To verify progress, right-click the folder named in 'docs=', select Properties, and note the file count in the row titled 'Contains:'. After a few seconds, perform the same procedure again; the file count should be climbing.

The below is displayed in the terminal window after a successful update.
Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!
Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

Testing the Snort configuration and rules

At the CMD prompt type 'd:\winids\snort\bin\snort /service /show' (less the outside quotes), and tap the 'Enter' key.

The current Snort run line will be displayed as an example below.
Snort is currently configured to run as a Windows service using the following command-line parameters:
     -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1
The above run line will need to be replaced in the procedure outlined below. Be SURE to use your own unique run line, as the above is only an example.
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' (less the outside quotes), and tap the 'Enter' key.

The above command will cause Snort to start up in self-test mode, checking all the supplied command line switches and rules that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the snort configuration file is good.
Snort successfully validated the configuration!
Snort exiting
Do not continue until 'Snort successfully validated the configuration!'
At the CMD prompt type 'net stop snort & net start snort' (less the outside quotes), and tap the 'Enter' key.

The above run line stops and starts the Snort Windows services. Restarting the Snort service will allow Snort to drop the old ruleset, and grab the new ruleset. Barnyard2 will detect the disconnect of the logfile after Snort restarts and will automatically reconnect after several minutes.

The following is a confirmation that the Snort service was successfully stopped and started.
The Snort service was stopped successfully.
The Snort service was started successfully.
Do not proceed until the Snort service has been successfully started.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

It may take several minutes for events to start showing up in the Windows Intrusion Detection Systems (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

An emergency backup was mirrored to 'd:\winids\snort-old'. If this add-on was a complete failure, all that is needed to revert back to the original Snort installation is to delete the new 'd:\winids\snort' folder, rename 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration and rules', and complete it.

If the updating process has been successful and the backup is no longer needed, the below process will scrub the backup folder.
Open a CMD window with Administrator privileges and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In conclusion

Congratulations, you have just completed setting up your Windows Intrusion Detection System(WinIDS) to automatically update the rules, and signatures. I hope this tutorial has been of great assistance.

Windows Intrusion Detection System (WinIDS) - Future Updating


Updating the rules and signatures

The rules should be updated frequently. New and modified rules are being added to the Subscriber's (paid) rule set, and rules are being moved from the Subscriber's rule set to the Registered rule set hourly or daily. It's important to keep the rule set updated to minimize exposure to inside/outside threats to your network.

During this updating procedure the Windows Intrusion Detection System (WinIDS) will continue to monitor the network using the existing set of rules, as long as the Snort service continues to run.

On the initial execution PulledPork downloads the latest rules, the latest signature documentation, and the two matching MD5 files. On future updates PulledPork first retrieves the latest MD5 file for the rules, compares that checksum with the rules tarball it already has, and only downloads and processes a new rules file if the checksums differ. The signature documentation is handled the same way. Note that this MD5 comparison only detects whether the tarball has changed; it does not authenticate the download, which rests entirely on the HTTPS connection to snort.org.

It only takes about 10-15 seconds to process the rules. If the signature documentation also needs updating, however, the update could take 15-45 minutes to complete depending on available resources. Throughout, the Windows Intrusion Detection System (WinIDS) keeps monitoring under the old rules; at the end of the update it takes about 10 seconds to recycle the Snort service so it drops the old rules and picks up the new ones.
If the Windows Intrusion Detection System (WinIDS) was monitoring prior to starting this procedure, it should still be monitoring while PulledPork is updating the rules.
Open a CMD window with Administrator privileges and type 'xcopy /E /I d:\winids\snort d:\winids\snort-old' (less the outside quotes), and tap the 'Enter' key.

The above procedure will create a backup of the original installation.
At the CMD prompt type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T' (less the outside quotes), and tap the 'Enter' key.

The above procedure takes a couple of minutes when only the rule set changed (or nothing changed), and up to 45 minutes if the signature documentation file (opensource.gz) also needs updating, depending on available resources. That tarball contains in excess of 24,000 files, and Perl is painfully slow to process them. To verify progress, right-click the folder named in 'docs=', select Properties, and note the file count in the row titled 'Contains:'. After a few seconds, perform the same procedure again; the file count should be climbing.

The below is displayed in the terminal window after a successful update.
Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!
Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

If there was no update, the CMD window can be closed and this tutorial exited; there is no need to restart Snort.
Subscribers (paid) can check for rule set updates once every minute, but Registered users are limited to once every 15 minutes. If you are a Registered user and the rule set update fails immediately, there will be a 15-minute wait before the update can be run again.
At the CMD prompt type 'net stop snort & net start snort' (less the outside quotes), and tap the 'Enter' key.

The above run line stops and starts the Snort Windows services. Restarting the Snort service will allow Snort to drop the old ruleset, and grab the new ruleset. Barnyard2 will detect the disconnect of the logfile after Snort restarts and will automatically reconnect after several minutes.

The following is a confirmation that the Snort service was successfully stopped and started.
The Snort service was stopped successfully.
The Snort service was started successfully.
Do not proceed until the Snort service has been successfully started.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

It may take several minutes for events to start showing up in the Windows Intrusion Detection System (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.
An emergency backup was mirrored to 'd:\winids\snort-old'. If this update was a complete failure, all that is needed to revert back to the previous Snort installation is to delete the new 'd:\winids\snort' folder, rename 'd:\winids\snort-old' to 'd:\winids\snort', return to the section labeled 'Testing the Snort configuration and rules', and complete it.

If the updating process has been successful and the backup is no longer needed, the below process will scrub the backup folder.
Open a CMD window with Administrator privileges and type 'rd d:\winids\snort-old /S /Q' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
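The manual cycle above (back up, run PulledPork, wait for 'Fly Piggy Fly!', validate with 'snort ... -T', then 'net stop snort & net start snort') is easy to get wrong at 3 a.m., and the step that matters most for the sensor is never restarting Snort into a configuration that fails '-T'. The following is an added example, not part of this tutorial and not a PulledPork or WinIDS script, that automates the cycle in Python with that gate built in: it restarts the service only if PulledPork finished successfully, 'winids.rules' actually changed, and Snort validated the new configuration; if validation fails it restores 'winids.rules' and 'sid-msg.map' from the backup instead of restarting. It assumes Python 3.8 or later is installed on the sensor, that it is run from a CMD window with Administrator privileges (required for 'net stop' / 'net start'), and that SNORT_RUN_ARGS has been edited to match the run line shown by 'snort /service /show'; the paths are the 'd:\winids' defaults from this tutorial.

```python
"""Gated rule-update cycle for a WinIDS sensor (added example, not a WinIDS/PulledPork script).
Back up, run PulledPork, and restart Snort only when the rules changed AND 'snort -T' passed."""
import hashlib
import shutil
import subprocess
import sys
from pathlib import Path

# Tutorial default paths; adjust if the sensor was installed elsewhere.
WINIDS = Path(r"d:\winids")
SNORT_DIR = WINIDS / "snort"
BACKUP_DIR = WINIDS / "snort-old"
RULES_FILE = SNORT_DIR / "rules" / "winids.rules"         # rule_path= in pulledpork.conf
SID_MSG_MAP = SNORT_DIR / "etc" / "sid-msg.map"            # sid_msg= in pulledpork.conf
PULLEDPORK_CMD = ["perl", str(WINIDS / "pulledpork" / "pulledpork.pl"),
                  "-c", str(WINIDS / "pulledpork" / "etc" / "pulledpork.conf"), "-T"]
# ASSUMED example run line: copy your own from 'snort /service /show'.
SNORT_RUN_ARGS = ["-c", str(SNORT_DIR / "etc" / "snort.conf"), "-l", str(SNORT_DIR / "log"), "-i1"]
SNORT_EXE = str(SNORT_DIR / "bin" / "snort.exe")


def pulledpork_succeeded(output):
    """PulledPork ends a successful run with this line; anything else means leave Snort alone."""
    return "Fly Piggy Fly!" in output


def snort_config_valid(output):
    """'snort ... -T' prints this only when the config and every rule parsed cleanly."""
    return "Snort successfully validated the configuration!" in output


def digest_bytes(data):
    return hashlib.sha256(data).hexdigest()


def file_digest(path):
    path = Path(path)
    return digest_bytes(path.read_bytes()) if path.exists() else ""


def decide(pp_output, digest_before, digest_after, snort_test_output=None):
    """Pure decision kernel: 'abort' | 'no-change' | 'rollback' | 'restart'."""
    if not pulledpork_succeeded(pp_output):
        return "abort"                 # download/processing failed: old rules stay in place
    if digest_before == digest_after:
        return "no-change"             # nothing new (e.g. registered user, same tarball)
    if snort_test_output is None or not snort_config_valid(snort_test_output):
        return "rollback"              # never restart the service into a config that fails -T
    return "restart"


def run_capture(cmd):
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def main():
    # Same backup the tutorial makes with 'xcopy /E /I', kept so a bad update can be reverted.
    shutil.copytree(SNORT_DIR, BACKUP_DIR, dirs_exist_ok=True)   # Python 3.8+
    before = file_digest(RULES_FILE)
    pp_out = run_capture(PULLEDPORK_CMD)
    after = file_digest(RULES_FILE)
    snort_out = None
    if pulledpork_succeeded(pp_out) and before != after:
        snort_out = run_capture([SNORT_EXE, *SNORT_RUN_ARGS, "-T"])
    action = decide(pp_out, before, after, snort_out)
    if action == "restart":
        subprocess.run(["net", "stop", "snort"], check=True)
        subprocess.run(["net", "start", "snort"], check=True)
    elif action == "rollback":
        # Put back the two files PulledPork rewrites; snort.conf itself is not touched by it.
        shutil.copy2(BACKUP_DIR / "rules" / "winids.rules", RULES_FILE)
        shutil.copy2(BACKUP_DIR / "etc" / "sid-msg.map", SID_MSG_MAP)
    print(f"update result: {action}")
    return 0 if action in ("restart", "no-change") else 1


if __name__ == "__main__":
    sys.exit(main())
```

The decision logic lives in 'decide()' on purpose: it can be exercised with captured PulledPork and Snort output without a live sensor, and the exit code (0 for 'restart' or 'no-change', 1 otherwise) lets a Task Scheduler job or monitoring check flag a run that aborted or rolled back.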

In conclusion

Congratulations, you have just completed updating the rule and signatures of the Windows Intrusion Detection System (WinIDS). I hope this tutorial has been of great assistance.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

General problems

For general issues that pertain to this tutorial, left-click the support button at the top of this tutorial, or manually navigate to the correct support forum.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org