Posts posted by Morpheus
This is the execution log output for the Automated Installation Framework of a WinSnort Windows Intrusion Detection System (WinIDS) configured as a remote node sensor. The deployment process is virtually identical for Windows Workstation or Windows Server environments.
-
Opening the Master sensor will display the total number of connected nodes. If a node is missing, it simply means it hasn’t connected yet—this process can take a few minutes.
(Note: MySQL handles this initial connection noticeably faster than PostgreSQL.)
-
This is the execution log output for the Automated Installation Framework of a WinSnort Windows Intrusion Detection System (WinIDS) configured as a Master/Standalone sensor. The deployment process is virtually identical for Windows Workstation or Windows Server environments, with the exception that Server architecture requires a distinct Internet Information Services (IIS) feature provisioning step.
-
WinSnort.com is a premier resource dedicated to the advancement of network security through the WinIDS (Windows Intrusion Detection System) stack. Our mission is to provide the security community with the tools, documentation, and automation necessary to deploy professional-grade intrusion detection and prevention systems on Windows platforms.
At the core of our platform is the WinIDS Automated Deployment Framework, a comprehensive suite designed to streamline the installation and configuration of industry-standard security tools. We focus on the seamless integration of:
- Snort: The world's most widely deployed IDS/IPS engine.
- Barnyard2: For efficient spooling and processing of security event data.
- Database Integration: Optimized configurations for MySQL and PostgreSQL backends.
- PulledPork: Automated rule management and synchronization.
- Web Consoles: Professional deployment of Apache2 and IIS environments for real-time monitoring.
Our Mission
We believe in empowering security administrators and researchers with automated, reliable, and high-performance security solutions. By moving away from complex manual setups, WinSnort allows users to focus on what matters most: identifying threats and securing their network infrastructure.
The WinIDS Framework
Our latest project, WinIDS v4.1, represents a ground-up rewrite of our deployment scripts, utilizing PowerShell and advanced automation to ensure a "plug-and-play" experience for complex security environments. From local sensor management to remote node initialization, we provide the technical blueprints for a robust defense-in-depth strategy.
Community & Innovation
Beyond software, WinSnort.com serves as a hub for tutorials, technical documentation, and community support. Whether you are a seasoned systems administrator or a security enthusiast, our resources are crafted to help you master the intricacies of the Snort ecosystem.
-
-
We are pleased to provide updated guidance on utilizing the PulledPork rule updater for your Windows Intrusion Detection systems. Whether you are managing a standalone sensor or a fleet of remote nodes, following these best practices will help ensure your detection rules remain current and reliable.
Deployment Scenarios
Standalone Sensors
For standalone installations, the updater can be executed directly from the desktop shortcut.
-
Note: While the script may function without elevated permissions, we recommend selecting Run as Administrator to ensure the utility has the necessary access to update system files successfully.
Remotely Managed Nodes
While the updater is fully compatible with standalone sensors, it is optimized for remotely managed environments. For these deployments, we recommend enabling all three configuration options (Silent Mode, Email Notifications, and Task Scheduling) to ensure seamless, automated maintenance.
Recommended Configurations
You can optimize the script by adjusting the following variables within the configuration file:
- Silent Mode ($silent): Set to 1 to mute console output. This reduces overhead and is recommended for remote, automated nodes.
- Email Notifications ($sendmail): Set to 1 to receive status alerts; requires the SMTP settings to be added.
- Failsafe Mechanism: If an update fails, the script will automatically roll back to the previous stable ruleset and send a notification detailing the cause of the failure.
- Scheduling: For instructions on automating your update cycles, please refer to our dedicated tutorial: Scheduling and Updating Windows IDS Rules.
Feedback & Continuous Improvement
Several fail-safes have been built in; the process is constantly being refined to improve stability and performance.
We welcome your input! If you have any recommendations or encounter issues, please submit your feedback.
-
-
The WinIDS installation includes a Rules Updater utility (located in the WinSnort group in the Start Menu). By default, this utility performs a standard rule sync with Sourcefire and applies updates automatically.
For administrators who require remote monitoring, the utility includes an optional Email Utility. When activated, it sends a status report to a designated email address, confirming whether rules were updated, already current, or if a validation error occurred.
Configuration Procedure
To activate and configure the email notification system, follow these steps:
1. Open the Script for Editing
Navigate to your WinIDS installation directory and locate the PowerShell script:
- Path: \scripts\rules-update.ps1
- Action: Right-click the file and select Edit (or open it with Notepad/VS Code).
2. Enable the Mail Utility
Locate the User Configuration section at the top of the script. Change the $sendmail value from 0 to 1:
$sendmail = 1 # Activates the email reporting feature
3. Configure SMTP Settings
Input your mail server details between the quotes in the configuration block:
- $smtpServer: Your mail server address (e.g., smtp.gmail.com or internal relay IP).
- $smtpPort: Use 587 for SSL/TLS or 25 for standard internal relays.
- $smtpUser / $smtpPassword: Enter valid credentials if your server requires authentication.
- $from / $to: Enter the sender and recipient email addresses.
4. Save and Test
- Save the file.
- Open the Start Menu and navigate to the WinSnort group.
- Click the Rules Updater link to execute the script.
- Observe the console output. If successful, you will see:
An Email report of the Rules update has been sent...
Troubleshooting & Support
- Execution Policy: Ensure the script is run with Administrative privileges.
- Port Blocking: If using Port 25, ensure your antivirus or firewall is not blocking outbound SMTP traffic from PowerShell.
- Logs: Check the \pulledpork\log\ folder for detailed execution logs if an update fails.
Technical Support:
For issues during setup, please visit the WinSnort.com Forums under the Auto-Installer section for community-led support and troubleshooting tips.
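The rule-updater guidance above and this configuration walkthrough describe the same $silent and $sendmail switches, the same SMTP variables, and a failsafe rollback when an update fails. The script below is an added illustration of how those pieces fit together; it is not the WinSnort project's rules-update.ps1. The install root, the file paths, the perl pulledpork.pl invocation, and the SMTP values are all assumptions, and the ruleset is validated with Snort's -T test mode before it is accepted.

```powershell
# Added illustration, not the WinSnort project's own rules-update.ps1.
# Paths, the PulledPork invocation and the SMTP values are assumptions.

# --- User Configuration (same variable names as the tutorial describes) ---
$silent       = 0                          # 1 = mute console output
$sendmail     = 1                          # 1 = send the status report by email
$smtpServer   = "smtp.example.internal"    # assumed mail relay
$smtpPort     = 587                        # 587 = STARTTLS; 25 = plain internal relay
$smtpUser     = "winids-reports"           # empty string if the relay needs no auth
$smtpPassword = "CHANGE-ME"                # placeholder; restrict the file ACL if kept here
$from         = "winids@example.internal"
$to           = "soc@example.internal"

$winidsRoot = "D:\winids"                  # assumed install root
$pulledpork = Join-Path $winidsRoot "pulledpork\pulledpork.pl"
$ppConf     = Join-Path $winidsRoot "pulledpork\etc\pulledpork.conf"
$rulesFile  = Join-Path $winidsRoot "snort\rules\snort.rules"
$backupFile = "$rulesFile.bak"
$snortExe   = Join-Path $winidsRoot "snort\bin\snort.exe"
$snortConf  = Join-Path $winidsRoot "snort\etc\snort.conf"

function Write-Status([string]$Message) {
    if ($silent -ne 1) { Write-Host $Message }
}

function Invoke-RuleUpdate {
    # Returns an object with Status ("updated", "current" or "error") and Detail.
    # The live ruleset is backed up first; a failed download, or a ruleset that
    # Snort refuses to load in test mode (-T), is rolled back so the sensor
    # never runs on a broken rule file.
    Copy-Item $rulesFile $backupFile -Force
    $before = (Get-FileHash $rulesFile -Algorithm SHA256).Hash
    try {
        & perl $pulledpork -c $ppConf | ForEach-Object { Write-Status $_ }
        if ($LASTEXITCODE -ne 0) { throw "pulledpork exited with code $LASTEXITCODE" }
        $after = (Get-FileHash $rulesFile -Algorithm SHA256).Hash
        if ($before -eq $after) {
            return [pscustomobject]@{ Status = "current"; Detail = "Rules were already up to date." }
        }
        & $snortExe -c $snortConf -T 2>&1 | ForEach-Object { Write-Status $_ }
        if ($LASTEXITCODE -ne 0) { throw "snort -T rejected the new ruleset" }
        return [pscustomobject]@{ Status = "updated"; Detail = "New rules applied; Snort -T validation passed." }
    } catch {
        Write-Status "Update failed: $($_.Exception.Message)"
        Copy-Item $backupFile $rulesFile -Force      # failsafe: restore the last good ruleset
        return [pscustomobject]@{
            Status = "error"
            Detail = "$($_.Exception.Message). Previous ruleset restored from $backupFile."
        }
    }
}

function Send-Report([string]$Status, [string]$Detail) {
    if ($sendmail -ne 1) { return }
    $mail = @{
        SmtpServer = $smtpServer
        Port       = $smtpPort
        From       = $from
        To         = $to
        Subject    = "WinIDS rules update on $env:COMPUTERNAME: $Status"
        Body       = "$(Get-Date -Format s)`nStatus: $Status`n$Detail"
    }
    if ($smtpPort -eq 587) { $mail.UseSsl = $true }   # do not send credentials in the clear
    if ($smtpUser) {
        $secret = ConvertTo-SecureString $smtpPassword -AsPlainText -Force
        $mail.Credential = New-Object System.Management.Automation.PSCredential($smtpUser, $secret)
    }
    Send-MailMessage @mail
    Write-Status "An Email report of the Rules update has been sent..."
}

$result = Invoke-RuleUpdate
Send-Report $result.Status $result.Detail
Write-Status "Rules update finished: $($result.Status)"
```

The hash comparison is what distinguishes "updated" from "already current", and the Snort -T run is what makes the rollback meaningful: a ruleset that downloads cleanly but fails to parse would otherwise leave the sensor blind until the next restart. Run the script from an elevated PowerShell session, as the tutorial advises, since it writes into the Snort rules directory.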
-
If the High-Volume Logging/Testing option was enabled during the initial Auto-Installer setup, the system likely generated a significant number of events.
While this setting is an excellent diagnostic tool to verify that the Windows Intrusion Detection System (WinIDS) is actively receiving data—especially in environments where default traffic might take hours to trigger an alert—it is recommended to revert to the default policy once connectivity is confirmed.
Procedure to Restore Default Rule Policy
Follow these steps to deactivate the testing rules and return to the standard configuration:
1. Modify Configuration:
- Navigate to the Pulledpork\etc folder via File Explorer.
- Right-click enablesid.conf and open it with Notepad.
- Locate the line beginning with pcre:.
- Comment out the line by adding a # at the start (e.g., # pcre:.)
- Save and exit.
2. Clear Temporary Files:
- Navigate to the Pulledpork\temp folder.
- Delete the two files located in this directory.
- Close File Explorer.
3. Update Rule Set:
- Open the Start Menu and locate and open the WinSnort folder.
- Run the Rules Updater.
This process will fetch the latest rule definitions and reconfigure Snort to the default policy setting, ensuring optimal performance and manageable log volumes.
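The three manual steps above (comment out the pcre: line, clear the temp folder, rerun the updater) can be scripted so that a node is returned to the default policy the same way every time. The following is an added example, not part of the WinSnort tutorial; the PulledPork install location and the path of the Rules Updater script are assumptions, while the enablesid.conf and temp folder layout match what the steps name.

```powershell
# Added example, not part of the WinSnort tutorial.
# $pulledporkRoot and $updater are assumed locations.
$pulledporkRoot = "D:\winids\pulledpork"
$enableSid      = Join-Path $pulledporkRoot "etc\enablesid.conf"
$tempDir        = Join-Path $pulledporkRoot "temp"
$updater        = "D:\winids\scripts\rules-update.ps1"   # assumed path of the Rules Updater

function Disable-TestingRules {
    # Comments out every active 'pcre:' line in enablesid.conf. Idempotent:
    # lines that already start with '#' are left alone, so a second run is a no-op.
    # Returns the number of lines that were commented out.
    $changed = 0
    $out = foreach ($line in Get-Content $enableSid) {
        if ($line -match '^\s*pcre:') { $changed++; "# $line" } else { $line }
    }
    if ($changed -gt 0) {
        Copy-Item $enableSid "$enableSid.bak" -Force   # keep a copy of the testing config
        Set-Content -Path $enableSid -Value $out
    }
    return $changed
}

function Clear-PulledPorkTemp {
    # Removes the cached downloads so the next run fetches a fresh ruleset.
    # Returns the number of files removed.
    $files = @(Get-ChildItem -Path $tempDir -File -ErrorAction SilentlyContinue)
    $files | Remove-Item -Force
    return $files.Count
}

$n = Disable-TestingRules
Write-Host "Commented out $n pcre: line(s) in $enableSid"
Write-Host "Removed $(Clear-PulledPorkTemp) cached file(s) from $tempDir"

# Run the Rules Updater elevated, as the tutorial recommends, and wait for it.
Start-Process powershell.exe -Verb RunAs -ArgumentList "-File `"$updater`"" -Wait
```

Checking the return value of Disable-TestingRules before clearing the temp folder is a useful sanity check: a result of 0 on a node that is still flooding the database means the high-volume rules are being enabled somewhere other than the pcre: line, and the updater run alone will not quiet it.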
-
-
You will need to bridge the two NICs, and in Windows 10 do it as below:
Bridging Your Internet Connections on Windows 10
Step 1: Go to your Control Panel from the Start menu.
Step 2: Navigate to Network Connections.
Step 3: Click on the first NIC that you want to bridge.
Step 4: Hold down the CTRL key while clicking on the second NIC that you want to bridge.
Step 5: Right-click on one of the selected NICs and click "Bridge Connections."
I have not tested the above on anything other than Windows 10.
-
To test the MySQL database server and authentications open a CMD window with Administrator access and type d:\activators\db_tools\test_mysql-php7.php
-
The problem is that it is not finding the base.php file, or possibly the base_conf.php file? It has to find the file first before trying to execute it.
Not sure if it could be the problem but make sure the config file is correctly named: base_conf.php
Maybe some sort of a permission problem with the files in the base folder?
Not sure how a permission problem could be the problem when the test.php file is working.
You are going to have issues with WinPcap and Npcap both installed. Use either one but not both.
Note: Uninstall both and then install the one you are going to use. Make sure Snort is not running when you uninstall.
-
Does this work: http://winids/base.php
-
I'm not sure, but there appears to be a formatting error with the Apache config. Try the attached one.
Also try moving the test.php file to the base folder and then try http://winids/test.php
-
-
The only thing I can tell is that it's not allowing you to access the test.php because you don't have sufficient permissions?
What happens if you remove the test.php file and try accessing it when it is missing? You should get the same error.
Do you have a space in the word base?
Look at your Physical Path - It appears you have a space in base -> ba se
-
All the files look good. Attached is my config for IIS, try it. You will need to stop IIS, replace the file, and then restart IIS.
-
Go back in and verify the PHP setting in IIS. For some reason the setting sometimes does not save and the settings need to be re-applied. No need to reinstall because the same problem could come back.
I checked your setting and the php.ini file is good but the IIS files are for version 10 and I don't have that set of configs to match yours with. I would need to install IIS 10 to get it. What OS version are you running?
-
Go back to the section below and do over.
Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console
If that fails, then zip up all the files in the Windows\System32\inetsrv\config folder and attach them. Also attach the php.ini file.
-
No, you are supposed to enable the lines by removing the # (hash tags).
-
3 hours ago, FDids said:
Hi,
Thanks for replying that everything is fixed but:
I apologize for being dense, but I am not sure what to do next to fix my barnyard2 installation so that snort does show exiting. I downloaded the latest Winids Barnyard2 Software Development Pack, winids-b2sdp.zip. Do I unzip it and use the barnyard2.master.zip in place of the other builds? Do I need to start over and redo my installation? Is there another file I should download?
Thanks for all your help!
Bob
No you don't need to do anything. What you are seeing is correct. I made an error in the tutorial and have since corrected it. Check out the tutorial, and it should match your install.
-
-
What is the process you used and I'll check it on another build.
Did you just add the below to your local.rules file?
alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
Did you use something to generate the alert?

DB-Maintenance Utility Enhancement
in Technical Advisories - Auto-Installers
Posted
Following requests for enhanced event management, the DB-Maintenance Utility has been updated to include a time-based purge feature. Administrators can now automatically clear database events older than (X) days.
Happy WinSnorting...