#1: Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

This is not actually a change, since the two lines are identical. Presumably it's supposed to be 'd:\winids\Snort\so_rules'. Is that right?

#2: Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules

This is not actually a change, since the two lines are identical. And when I run the Snort test, I get this fatal error: 'ERROR: f:\winids\snort\etc\snort.conf(258) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.'

I was going to change the path to 'f:\winids\snort\lib\snort_dynamicrules', bu that directory doesn't exist. Any ideas?
 

At this point there are two commands, the point of which seems to be to clear the blacklist and whitelist files that are included with Snort. Here's the first one:

'type NUL > d:\winids\snort\rules\black_list.rules'

This actually creates a *new* file called 'black_list.rules', with no content (size zero).

I think perhaps the intention was to clear the contents of the existing file, which is actually named 'blacklist.rules'.

I don't see 'white_list.rules' or 'whitelist.rules', so the other command just creates an empty 'white_list.rules'.

Hello WinIDS community - again,

Went through the  Installing a slave client logging events to a remote MySQL Database tutorial. My remote WinIDS is running on server 2008 R2 and I have verified connectivity to Ubuntu server MySQL running 5.7.16 listening on port 3306. My hope is to use Snorby frontend running on the ubuntu 16.04 to read the mysql after Barnyard2 dumps the pcaps from snort into the DB.

This is a change from the previous issues I was having to get the WINIDS / snort install working - As a general FYI I have validated that the referenced tutorial has been completed with the necessary modifications to my environment - i.e. Linux database / snorby  instead of Windows MySQL / Base. the Snort and Barnyard2 applications are configured to run as services from startup per instructions and Barnyard2 is able to communicate with the MySQL database Snorby on the Ubuntu server. The snorby front end is also functional from the perspective that one can login to the website and browse the settings and menu options.

Issue: I'm running this configuration in a set of Amazon AWS EC2 instances. AWS does not allow networks connecting EC2 instances to run packet sniffing functions - i.e. promiscuous mode NIDS type of functions - to this end I'm ok if I can just capture traffic going to/from the box where snort is installed and pass that data via barnyard to the mysql db. 

** First configuration - Snort cmd - this was before running with -p to disable promiscuous mode

c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\Snort\log -i1

result - snort was listening but nothing was being dumped to the log files - merged,log-[timestamp] = 0 kb

Barnyard2 is not reading or getting any of this data and is not sending the data to mysql db

Went through the  Installing a slave client logging events to a remote MySQL Database tutorial. My remote WinIDS is running on server 2008 R2 and I have verified connectivity to Ubuntu server MySQL running 5.7.16 listening on port 3306. My hope is to use Snorby frontend running on the ubuntu 16.04 to read the mysql after Barnyard2 dumps the pcaps from snort into the DB.

I run the snort validation cmd: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\snort\log -i1 -T

Output says it can't find the whitelist / blacklist entries Reputation Preprocessor disabled.

312 out of 1024 flowbits in use. 

Snort successfully validated the configuration!

Snort Exiting.

Snort is running as a service (delayed auto-start)

Next applied the Reg file "auto-remote-barnyard2.reg" no files have been installed to the c:\IDS\Snort\log directory

Run as administrator - "c:\IDS\activators\by2-test.bat"

Warning invalid reference spec 'url,'. Ignored x9

INFO database: Defaulting Reconnect sleep time to 5 second..... (3 mins later)

Unable to open waldo file C:\IDS\Snort\log\barnyard.waldo (no such file or directory)

Waiting for new spool file.......(& waiting & waiting....)

Process terminated by user because he screwed up somewhere.

I'm assuming I have been careful about keeping the path reference changes adjusted for the modder.vbs and the Reg file 

my SQL DB has a slightly different config: grant all on snorby.* to 'snorby'@'10.0.0.44'IDENTIFIED BY '**************';

MySQL config has bind-address set to Master IDS server IP. Both master and slave have 1 NIC each.

Based on a configuration I saw from a linux tutorial for running Snort I disabled the TCP Large Receive Offload on the Remote NIC.

I really hope this doesn't matter, but they are EC2 instances on Amazon AWS.

Not sure what to try next except throw away the VMs and start again.

Any thoughts to help get me in the right direction would be awesome. Thanks & take care.

snort.conf

barnyard2.conf

database mysql_error: Can't connect to MySQL server on '10.250.254.253' (111)
Barnyard2 exiting
database: Closing connection to database "snort"

My barnyard.conf file looks like this:

output database: log, mysql, user=snort password=l0gg3r dbname=snort host=10.250.254.253 port=3306 sensor_name=WinIDS-Madrid

My remote sensor ip address is 10.250.253.253

I have read where remote access to MYSQL is off by default,  could this be the reason for the error and if so,  how might I enable remote access??