Morpheus

Administrators
  • Posts: 634
  • Days Won: 101

Everything posted by Morpheus

  1. Can you attach your snort.conf as a file? Don't post it in a reply because the editor strips things out.
  2. It appears that Sourcefire has added some items that will need additional configuring in the OS. For now edit the snort.conf to the below:

    Original Line(s):
    decompress_swf { deflate lzma } \

    Change to:
    # decompress_swf { deflate lzma } \

    The decompression fault for SWF files requires an additional library (LZMA). I have made a request to the development team to look into this problem, and they are looking into it.
  3. I have no idea where you got that snort.conf because it's not matching the one included in the current rules tarball, which is the one that must be used. You need to go back to the tutorial and start over, as there are numerous omissions in the snort.conf file.
  4. It looks like it's not reading the snort.conf file. I'm guessing you are using something like:

    d:\winids\snort\bin\snort -v -i1

    Try:

    d:\winids\snort\bin\snort -v -c d:\winids\snort\config\snort.config -i1

    The above line may need to be tailored to your specific needs. Note: Those WARNING: signs are usually only informational.
  5. Some find it easier to copy and paste the password from the tutorial, or the download page. They are identical passwords.
  6. You are typing the wrong password. Go back and look again.
  7. You need to mirror all the ports to the WinIDS, so you will need a managed switch. You could also connect a "Throwing Star LAN Tap" from greatscottgadgets.com into the connection.
  8. The problem you are having is with the OS. I'm not sure why Visual C++ is failing to install, but is a requirement of Apache. This is the first time that problem has been reported. You might try a clean install of the OS and give it another try.
  9. I completed a fresh install using Server 2008 R2 and when I perform the test for Barnyard2, I get the below:

    --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file "d:\winids\barnyard2\etc\barnyard2.conf"
    +[ Signature Suppress list ]+
    ----------------------------
    +[No entry in Signature Suppress List]+
    ----------------------------
    +[ Signature Suppress list ]+
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    WARNING: invalid Reference spec 'url,'. Ignored
    Barnyard2 spooler: Event cache size set to [32768]
    INFO database: Defaulting Reconnect/Transaction Error limit to 10
    INFO database: Defaulting Reconnect sleep time to 5 second
    ERROR database: postgresql_error: ERROR: operator does not exist: ` integer
    LINE 1: SELECT `ref_system_id`, ref_system_name FROM reference_syste...
                   ^
    HINT: No operator matches the given name and argument type(s). You might need to add explicit type casts.
    [CacheSynchronize()]:, SystemCacheSyncronize() call failed.
    ERROR: database [DatabaseInitFinalize()]: CacheSynchronize() call failed ...
    Fatal Error, Quitting..
    Barnyard2 exiting
    database: Closing connection to database "snort"

    Attached is build 336 and it works. Your existing config file will work. I have a note in the Barnyard2 users group about this problem.

    barnyard2-2.1.14-build336.zip
  10. If Snort is set up correctly, queries to the log folder default to the snort folder.
  11. It appears you have some sort of problem with the log folder (permission, etc...).
  12. Make sure there is a log folder in the snort folder. This looks odd:

    ERROR: Portscan log file 'log/\portscan.log' could not be opened: No such file or directory.

    Try this:

    preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
  13. Version 2.29

    217 downloads

    SmartSniff is a free packet sniffing tool that allows you to capture TCP/IP packets passing through your network adapter and view the captured data as a sequence of conversations between clients and servers. With the help of this network monitoring utility, you can view TCP/IP conversations in ASCII mode or as a hex dump.
  14. Version 3.6.8

    187 downloads

    Wireshark is one of the popular free packet sniffing tools for Windows. This tool can give you an ability to see what’s happening on your network at a microscopic level.
  15. Version 1.4 Build 4.0.8112.0

    161 downloads

    Microsoft Message Analyzer is a tool for capturing, displaying, and analyzing protocol messaging traffic. It is the successor to NetMon 3.x and a key component of the Protocol Engineering Framework (PEF), created by Microsoft to improve protocol design, development, documentation, testing, and support. With Message Analyzer, you can capture live data or retrieve archived message collections from saved files such as traces and logs. Message Analyzer also allows you to display data in a default tree grid view as well as selectable graphical views that employ grids, charts, and timeline visualizer components, providing high-level data summaries and other statistics. Update: Microsoft Message Analyzer (MMA) was retired as of November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development. Note: I would say it is a must-have tool for any network administrator, given how much you can accomplish with it. A dedicated TechNet blog for Microsoft Message Analyzer is available.
  16. You should have already set up the switch for the correct interface, and you shouldn't be guessing at this point in the tutorial. The correct format, which has been fixed, is: 'include $RULE_PATH/test.rules' At this point there have been so many problems that my suggestion is to wipe the drive and start over fresh and follow the tutorial verbatim.
  17. It is normal for Barnyard2 to stop at waiting for data. There need to be events triggered to move past that. To manually trigger events try this.
  18. Did you go to the section titled Testing IIS, and the PHP installation and complete? Did the test.php display the PHP summary?
  19. Go to the section titled Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console and complete. Go to the section titled Testing IIS, and the PHP installation and complete. To manually start Barnyard2: Open a CMD window with Administrator privileges and type 'd:\winids\activators\start.bat' (less the outside quotes), and tap the 'Enter' key. Closing the window will close Barnyard2. Shrink the Barnyard2 window to the task bar for normal operations.
  20. Make SURE barnyard2 is not running, but it shouldn't be. Uninstall the PostgreSQL server. You might be able to do this simply by running the PostgreSQL server install again, and choosing to uninstall. Remove everything the uninstall will allow. You can also go to the Add/Remove programs to uninstall. After uninstall go to the d:/winids folder and delete the PostgreSQL folder, and reboot. Go to the section titled Installing the PostgreSQL Database Server and complete. Go to the section titled Configuring the PostgreSQL Database Server and complete. At the CMD prompt type 'd:\winids\postgresql\bin\pg_ctl restart -w -t 10 -D d:\winids\postgresql\data\ -m f' (less the outside quotes), and tap the 'Enter' key. Go to the section titled Configuring Barnyard2 checking to make sure Barnyard2 was correctly configured, and continue to complete tutorial.