Windows Intrusion Detection System - Companion Add-On Tutorial
Logging Events to a Local Syslog Server
Written by: Michael E. Steele
Introduction
This tutorial is a simple to understand, step-by-step tutorial for logging Snort events to a local Syslog Server running on the Windows Intrusion Detection System (WinIDS).
Copyright Notice
This document is Copyright © 2002-2024 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.
Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.
This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.
All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.
Support Questions and Help
By request, there is a premium fee service available for one on one support.
If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
How to use this guide
This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation.
The default installation path, 'd:\winids', is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or if the support files are located anywhere other than the 'd:\temp' folder.
This tutorial requires:
- An existing Windows Intrusion Detection System (WinIDS) built using one of the WinIDS tutorials, either a stand alone Windows Intrusion Detection System (WinIDS) or a remote Windows Intrusion Detection System (WinIDS).
It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.
It is also important when asked to 'Close a CMD window' it is done, or the install will fail.
Note: The user installing this tutorial MUST be a member of the Administrators group.
Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.
Instructions on starting a command prompt as an Administrator
In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial
Downloading the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)
It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the 'WinIDS - Software Support Pack' were extracted.
Installing the VisualSyslog Server software on the local Windows Intrusion Detection System (WinIDS)
Open a CMD window with Administrator privileges and type 'd:\temp\visualsyslog_setup.exe' (less the outside quotes), and tap the 'Enter' key.
The 'Welcome to the Visual Syslog Server Setup Wizard' screen starts, left-click 'Next'.
The 'Select Destination Location' screen opens. In the destination location dialog box type 'd:\winids\visualsyslog' (less the outside quotes), and left-click 'Next'.
The 'Select Start Menu Folder' screen appears, left-click 'Next'.
The 'Select Additional Tasks' screen appears; leave the option to add a Windows Firewall exception for port 514 selected, and left-click 'Next'.
The 'Ready to install' screen appears, left-click 'Install' allowing the install to complete.
The 'Completing the Visual Syslog Server Setup Wizard' screen appears, left-click 'Finish' to complete the install.
Configuring the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)
The Visual Syslog Server application should have automatically started.
In the upper left side left-click the 'Setup' icon and the 'Setup' window appears.
Left-click the 'Main' tab.
In the 'UDP Syslog server' section, in the 'UDP listener interface port' left-click the pull-down and select the IP address of the local Syslog Server; the port should already be populated with the default of 514.
In the 'TCP Syslog server' section, in the 'TCP listener interface port' left-click the pull-down and select the IP address of the local Syslog Server; the port should already be populated with the default of 514.
Left-click 'OK' to close the setup configuration window, and eXit the Visual Syslog Server application.
The Visual Syslog Server will continue to run from the system tray (notification area) as a Windows service.
Testing for an open listening port on the local Syslog Server
From the Windows Intrusion Detection System (WinIDS) go to the 'You Get Signal' website. The IP address of the WinIDS should already be populated in the 'Remote Address' dialog box. In the 'Port Number' dialog box type 514, and left-click 'Check'.
Note: 'You Get Signal' probes from the Internet, so the address it pre-fills is the public address the WinIDS reaches the site through, and an OPEN result means port 514 is reachable from the Internet, not only from the local WinIDS. For a Syslog Server that only receives events from the local WinIDS, a check that port 514 is listening on the WinIDS itself is sufficient, and port 514 should not be left reachable from the Internet once testing is finished.
*** If the above response is CLOSED then do not proceed until the status is OPEN. ***
Configuring the Windows Intrusion Detection System (WinIDS) for Local Syslog logging
Configuring Snort to include Syslog logging
At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap 'Enter' key.
Use the Find in Notepad2 to locate and change the variables below.
Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT
Change to: output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT
Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP Address of the local Syslog server, and the PORT above reflects the listening port of the local Syslog Server.
Now save the file and eXit Notepad2.
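The following PowerShell script is an added example; it is not part of the WinIDS tutorial, Visual Syslog Server or Snort. It serves the 'Testing for an open listening port' step and the 'alert_syslog' change above: it checks locally that something is bound to port 514 (a substitute for the external port check that does not require exposing the port), builds a syslog datagram with the same facility and severity that 'LOG_AUTH LOG_ALERT' selects, sends it to the local server over UDP, and decodes the PRI value so the 'auth.alert' entry expected in the Visual Syslog Server window can be tied back to the configured numbers. The server address 127.0.0.1, port 514, the 'snort' tag and the alert text are assumptions; change the address and port to match the Setup dialog.

```powershell
# Added example (not from the WinIDS tutorial): send one RFC 3164 syslog
# datagram shaped like a Snort 'alert_syslog' event to the local Visual Syslog
# Server and decode its PRI field.
# Assumptions: the server listens on 127.0.0.1:514 (UDP); the alert text below
# is constructed and is not a real Snort alert.

$Server = '127.0.0.1'
$Port   = 514

# Syslog facility and severity numbers from RFC 3164 section 4.1.1
$LOG_AUTH  = 4
$LOG_ALERT = 1

function New-SyslogLine {
    param(
        [int]$Facility,
        [int]$Severity,
        [string]$SenderHost,
        [string]$Tag,
        [string]$Message
    )
    # PRI = facility * 8 + severity; LOG_AUTH and LOG_ALERT give <33>
    $pri = ($Facility * 8) + $Severity
    $now = Get-Date
    $inv = [Globalization.CultureInfo]::InvariantCulture
    # RFC 3164 TIMESTAMP is 'Mmm dd hh:mm:ss' with a space-padded day
    $stamp = '{0} {1,2} {2}' -f $now.ToString('MMM', $inv), $now.Day, $now.ToString('HH:mm:ss', $inv)
    return "<$pri>$stamp $SenderHost ${Tag}: $Message"
}

function Read-SyslogPri {
    param([string]$Line)
    # Split the leading <PRI> back into facility and severity
    if ($Line -notmatch '^<(\d{1,3})>') { throw "No PRI field in: $Line" }
    $pri = [int]$Matches[1]
    return [pscustomobject]@{
        Pri      = $pri
        Facility = $pri -shr 3     # 4 = auth
        Severity = $pri -band 7    # 1 = alert
    }
}

function Send-SyslogUdp {
    param([string]$Line, [string]$Server, [int]$Port)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $bytes = [Text.Encoding]::ASCII.GetBytes($Line)
        [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
    } finally {
        $udp.Close()
    }
}

# Local listener check: the equivalent of the external port check, but it
# does not require port 514 to be reachable from the Internet.
$udpListener = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
$tcpListener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $udpListener -and -not $tcpListener) {
    Write-Warning "Nothing is listening on port $Port; check the Visual Syslog Server Setup."
}

# Constructed test message in the shape of a Snort alert line
$line = New-SyslogLine -Facility $LOG_AUTH -Severity $LOG_ALERT `
    -SenderHost $env:COMPUTERNAME -Tag 'snort' `
    -Message '[1:1000001:1] WinIDS syslog test [Priority: 1] {ICMP} 192.0.2.10 -> 192.0.2.20'

Send-SyslogUdp -Line $line -Server $Server -Port $Port
$decoded = Read-SyslogPri -Line $line
Write-Host "Sent: $line"
Write-Host ("PRI {0} = facility {1} (auth), severity {2} (alert)" -f $decoded.Pri, $decoded.Facility, $decoded.Severity)
```

After running it, the message should appear in the Visual Syslog Server window with facility 'auth' and severity 'alert'; if it appears here but Snort's own events never do, the problem is on the Snort side (the 'host=' address and port in snort.conf, or the run line switch), not the server. The script only exercises the UDP listener; the TCP listener configured in Setup is not used by Snort's alert_syslog output.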
Testing the Snort configuration file
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.
The following is a partial example of what might be listed as valid Network Interface Cards.
Index Physical Address IP Address
----- ---------------- ----------
1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf
In the above list, the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).
The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.
The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x' above.
This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode.
If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration! Snort exiting
Do not proceed until 'Snort successfully validated the configuration!' is displayed.
Configuring the Snort service run line for the Syslog Server logging
At the CMD prompt type 'net stop snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'snort /SERVICE /SHOW' (less the outside quotes), and tap the 'Enter' key.
The output display will be the full run line that Snort uses in the startup, and might look like the below:
Snort is currently configured to run as a Windows service using the following command-line parameters:
-c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1
Make a note of this run line, as it is needed again when the service is reinstalled below. The '-i1' shown here is the 'Index' number found earlier; the installer's own run line may show a different Index number.
At the CMD prompt type 'snort /SERVICE /UNINSTALL' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort service was successfully removed from the services database.
[SNORT_SERVICE] Attempting to uninstall the Snort service.
[SNORT_SERVICE] Successfully removed registry keys from:
\HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully removed the Snort service from the Services database.
A new Snort auto start configuration line now needs to be added that contains the switch to turn on the option to log all events to the Syslog Server.
The Snort run line entered below should be exactly what was displayed when the 'snort /SERVICE /SHOW' command was run previously, with ' -s' (less the outside quotes) added to the end.
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort service was successfully added to the services database.
[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
\HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Services database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort auto start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.
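The following PowerShell script is an added example; it is not part of the WinIDS tutorial or the Snort project. It performs the service reinstall above as one script and, afterwards, verifies that the stored run line actually contains '-s' and that the service came back up, rather than trusting the install banner. It assumes the tutorial's paths and the 'snortsvc' service name, that the run line contains no spaces inside paths, and that 'snort /SERVICE /SHOW' prints the parameters on the last output line beginning with '-' as in the sample output above. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the WinIDS tutorial): reinstall the Snort service with
# '-s' (log alerts to syslog) appended to the run line it already uses, then
# verify the switch took.
# Assumptions: Snort lives in d:\winids\snort\bin, the service is registered as
# 'snortsvc' (display name 'Snort'), paths in the run line contain no spaces,
# and 'snort /SERVICE /SHOW' prints the parameters on the last line that starts
# with '-', as in the tutorial's sample output.

$SnortBin = 'd:\winids\snort\bin'
$Service  = 'snortsvc'
Set-Location $SnortBin

function Get-SnortRunLine {
    # Pull the parameter line out of 'snort /SERVICE /SHOW'
    $out  = & .\snort.exe /SERVICE /SHOW 2>&1 | ForEach-Object { $_.ToString().Trim() }
    $line = $out | Where-Object { $_ -match '^-' } | Select-Object -Last 1
    if (-not $line) { throw "Could not read the Snort run line:`n$($out -join "`n")" }
    return $line
}

function Test-HasSyslogSwitch {
    param([string]$RunLine)
    # Match '-s' as a whole token, not the '-s' inside e.g. '-snaplen'
    return [bool]($RunLine -match '(^|\s)-s(\s|$)')
}

Stop-Service -Name $Service -ErrorAction SilentlyContinue

$current = Get-SnortRunLine
Write-Host "Current run line: $current"

# Idempotent: only append -s when it is not already present
if (Test-HasSyslogSwitch $current) { $new = $current } else { $new = "$current -s" }

& .\snort.exe /SERVICE /UNINSTALL
if ($LASTEXITCODE -ne 0) { throw "snort /SERVICE /UNINSTALL failed (exit code $LASTEXITCODE)" }

# Pass the parameters as separate tokens so PowerShell does not hand Snort one quoted string
$params = $new -split '\s+'
& .\snort.exe /SERVICE /INSTALL @params
if ($LASTEXITCODE -ne 0) { throw "snort /SERVICE /INSTALL failed (exit code $LASTEXITCODE)" }

sc.exe config $Service start= auto | Out-Null
Start-Service -Name $Service

# Verify: the service is running and the stored run line now carries -s
$status = (Get-Service -Name $Service).Status
$stored = Get-SnortRunLine
Write-Host "Service status:  $status"
Write-Host "Stored run line: $stored"
if ($status -ne 'Running' -or -not (Test-HasSyslogSwitch $stored)) {
    throw 'Snort service did not come back with the -s switch; check the Windows Application event log.'
}
```

The whole-token match in Test-HasSyslogSwitch matters because a run line can legitimately contain other switches beginning with '-s'; a plain substring check would report success on a run line that never had the syslog switch added.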
In Conclusion
At this point, it could take several minutes before seeing events arriving in the local Syslog Server.
Optional Companion Documents
Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.
- How to add Event Logging to a local Syslog Server.
This tutorial will show how to configure Snort to send events to a local Syslog Server, on an existing Windows Intrusion Detection System (WinIDS).
- How to add Event Logging to a remote Syslog Server.
This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS).
- How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
This tutorial will show how to email user defined priority events on an existing Windows Intrusion Detection System (WinIDS).
- How to configure Barnyard2 to run as a service
This tutorial is a simple to understand process on how to configure Barnyard2 to run as a service.
- How to compile Barnyard2 on Windows using Cygwin
This tutorial is a simple to understand, step-by-step guide for Compiling Barnyard2 on Windows using Cygwin (UNIX emulator).
- How to build and deploy a passive Ethernet tap
This tutorial will show how to build and deploy a passive Ethernet tap.
Updating the Windows Intrusion Detection Systems (WinIDS) Major components
- How to update the Snort Intrusion Detection Engine
This tutorial will show How to update the Snort Intrusion Detection Engine.
- How to update the Windows Intrusion Detection Systems rules
This tutorial will show how to update the Windows Intrusion Detection Systems rules.
Debugging Installation errors
Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.
General tutorial issues
For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.
Feedback
I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.
Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org
