In the tutorial, it shows this:

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!

Snort exiting

database: Closing connection to database "snort"

*********************

 I ran the test.

Barnyard2 spooler: Event cache size set to [32768]

INFO database: Defaulting Reconnect/Transaction Error limit to 10

INFO database: Defaulting Reconnect sleep time to 5 second

database: compiled support for (postgresql)

database: configured to use postgresql

database: schema version = 107

database:           host = winids

database:           user = snort

database:  database name = snort

database:    sensor name = WinIDS-Home

database:      sensor id = 1

database:     sensor cid = 1

database:  data encoding = hex

database:   detail level = full

database:     ignore_bpf = no

database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-

/ ,,_  \  Version 2.1.14 (Build 337)

|o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/

+ '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>

This is what my configuration showed at the end of test.

Barnyard2 successfully loaded configuration file!

Barnyard2 exiting

database: Closing connection to database "snort"

Thanks for your help,

Bob

I had the same issue as in this thread.  I was going to comment there but the forum said to start a new thread rather than reviving that one.

The issue seems to be that when the Windows service is created the path is set as;

d:\winids\snort\bin\snort /SERVICE

But it should be;

d:\winids\snort\bin\snort.exe /SERVICE

In the registry go to HKLM\SYSTEM\CurrentControlSet\Services\SnortSvc then edit the ImagePath entry to change the path

'output database: log, postgresql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home'

The Barnyard2 configuration test fails with the following result-

ERROR: database Connection to database 'snort' failed

Fatal Error, exiting database: Closing connection to database "snort"

Any suggestions for resolving would be appreciated.

I'm going through the installation tutorial and everything has gone great until I got to the by2-test. I get the attached error and am looking for what I have done wrong.

Thanks

BY2Error.txt

(OK, this time, I'm pretty sure I have not forgotten any step)

I am on Windows 8.1.

When I type 'http://winids/temp.php' in the address bar of a web browser (IE or Firefox), I get a 502.2 error. Apparently, it's due to the REDIRECT_STATUS CGI variable not being set in php.ini. But according to the php website, this variable is not set for security reasons...

I tried to do the previous steps again to make sure I had not forgotten anything, to no avail.

If I change this variable, will it solve the problem? Is it safe to do so? Is there another way to solve this issue? Am I completely off-track?

Thank you in advance for your answer.

It's been a good 10 minutes so far.... I'll keep waiting, but I suspect that there is an issue reading the snort log file.
I did take a look at the log file, but it seems to be in binary... is this an issue?

I have followed everything in the tutorial, but have changed from d:\winids to c:\winids

Anybody have any ideas?

However when I try to verify the Barnyard2 configuration by running d:\winids\activators\by2-test , I saw the following error in postgres log file:

2016-06-24 16:21:57 EDT LOG:  statement: SELECT `ref_system_id`, ref_system_name FROM reference_system;
2016-06-24 16:21:57 EDT DEBUG:  reaping dead processes
2016-06-24 16:21:57 EDT DEBUG:  server process (PID 804) exited with exit code 0
2016-06-24 16:21:57 EDT DEBUG:  attempting to remove WAL segments older than log file 000000000000000000000000
2016-06-24 16:21:57 EDT DEBUG:  SlruScanDirectory invoking callback on pg_subtrans/0000
2016-06-24 16:21:57 EDT ERROR:  operator does not exist: ` integer at character 8
2016-06-24 16:21:57 EDT HINT:  No operator matches the given name and argument type(s). You might need to add explicit type casts.
2016-06-24 16:21:57 EDT STATEMENT:  SELECT `ref_system_id`, ref_system_name FROM reference_system;
2016-06-24 16:21:57 EDT DEBUG:  forked new backend, pid=4056 socket=1320
2016-06-24 16:21:57 EDT DEBUG:  postgres child[4056]: starting with (
2016-06-24 16:21:57 EDT DEBUG:      postgres
2016-06-24 16:21:57 EDT DEBUG:  )
2016-06-24 16:21:57 EDT DEBUG:  InitPostgres
2016-06-24 16:21:57 EDT DEBUG:  my backend ID is 3
2016-06-24 16:21:57 EDT DEBUG:  StartTransaction
2016-06-24 16:21:57 EDT DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
2016-06-24 16:21:57 EDT DEBUG:  shmem_exit(0): 1 before_shmem_exit callbacks to make

It looks like it's expecting a column called " `ref_system_id` " in the table reference_system, while the column is just "ref_system_id" based on the script in D:\winids\barnyard2\schemas\create_postgres. Can you please advise what could have gone wrong here?

Thanks,

Sally

ERROR database:postgresql_error: ERROR: relations "schema" does not exist

LINE 1: SELECT vseq FROM schema

ERROR database: executing Select() with Query [SELECT vseq FROM schema]

ERROR: database problems with schema version, bailing...

Fatal Error,Quitting

barnyard2 exiting

ERROR database: database: postgresql_error: ERROR:   relations "sensor" does not exist

LINE 1: UPDATE sensor SET last_cid = 4294967295 WHERE sid = 0;

database: closing connection to database "snort"

I just installed snort_2.9.8.0 on my 64bit windows 2008 r2 server.Before that I already installed .Net framework3.5 and  WinPcap_4_1_3 on the same server.

However,when I start the snort programme using " d:\winids\snort\bin\snort –W ",the system reflect with an error as the information below:

C:\Users\Operator>d:\winids\snort\bin\snort –W
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: –W
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{F2C3B9BA-92A1-44DC-B5A1-3F12E26623F
E}".
ERROR: Can't set DAQ BPF filter to '–W' (@P)!
Fatal Error, Quitting..

anyone can help me solve this problem?

thank you very much

CPU is at 100% split between Barnyard and DB. I am guessing that it is running or configuring and I do not want to kill.

Recommendations appreciated.

Never mind it finally finished. I guess the answer is a while. Thanks

When I run the php test I get : http error 500.19 0x80070021

module: iis web core

notification beginrequest

config error: This configuration section cannot b e used at this path. this happens when the section is locked at a parent level. locking is either by default  (overrideModeDefault=Deny"), or set explicitly by a location tag with overridemode="deny" or the legacy allowOverride="false"

config file: \\?d:\winids\inetpub\wwwroot.base\web.config

config source

8: </defaultDocument>

9: <handlers>

10:         <remove name="PHP" />

"Windows could not start the Snort service on Local Computer"

"Path to executable:"

"d:\winids\Snort\bin\snort /SERVICE"

There can be a couple of reasons why this Error: 403 Forbidden is being displayed.

1. The section titled Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console was not correctly configured.
2. The section titled Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console was correctly configured, but the PHP Handler Mappings did not propagate to the IIS Default Web Site.

It is recommended to go back to the section labeled Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console, recheck all the settings to make sure they are correct, and then retest the section labeled Testing IIS, and the PHP installation. If the 'PHP' test is successful then continue on with the tutorial. If not come back and complete the below.

It's assumed that the Web Browser is still open, along with the terminal window. Close the Web Browser, and leave the terminal window open.

In the open terminal type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), tap the  'Enter' key, and the Internet Information Services (IIS) Manager opens.

Note: The Internet Information Services (IIS) Manager may opens and ask 'Do you want to get started with...' left-click 'No'.

On the left under 'Connections' the very top entry expand '<server name>', under <server name> expand 'Sites', left-click 'Default Web Site', in the center window titled 'Default Web Site Name' in the section labeled 'IIS', left-click highlighting 'Handler Mappings', on the right under 'Actions' and left-click 'Open Feature'.

In the center window titled 'Handler Mappings' there may be or may not be a 'PHP' entry listed under the 'Name' column. Scroll down the window and if there is a 'PHP' entry under the 'Name' column then left-click highlighting the 'PHP' entry, on the right under 'Actions' left-click 'X Remove', a 'Confirm Remove' message appears, and left-click 'Yes'.

On the right under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, left-click 'Yes', and exit the Internet Information Services (IIS) Manager.

 At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

 Go back to the section labeled Testing IIS, and the PHP installation and continue.

or try to run any of the other \i commands under the install tutorial heading of "Creating the Windows Intrusion Detection System Database Tables "

the result is always "d:: Permission denied"

I've tried many things to try and get around this blockage but I've not been successful.  Any suggestions would be appreciated.

First let me thank you for the awesome resources that you have provided, your tutorials are really good.

I have just configured my winids to receive it rule updates using pulled pork as described in your tutorial. I followed all the steps and passed all the tests, however when I restarted the computer the barnyard window is stuck waiting for new data, when I run snort itself I get the following messages

WARNING: No preprocessors configured for policy 0.
05/06-13:17:32.947576 10.58.3.86:56494 -> x.x.x.x:x
TCP TTL:128 TOS:0x0 ID:17032 IpLen:20 DgmLen:76 DF
***A**** Seq: 0xF428D7BA  Ack: 0x85718FD9  Win: 0x347  TcpLen: 56
TCP Options (3) => NOP NOP Sack: 34161@58605
 

any help would be greatly appreciated.

I have troubles extracting winids-cssp-x32.zip file, password w1nsn03t.c0m is not accepted, and my WinRar refuses to extract files :/

Please Help!