Morpheus

I'm not real sure, but you could try opening a CMD window and typing cmd.exe /c chcp 1252 Let us know if this works...

The above is normal. If you are getting a connection error than it's most likely related to user authentication, or possibly the database is not running?

Never seen that screen before. Did you follow the tutorial and ONLY install what the tutorial instructed? Did you install Winpcap ? There are ONLY two thing that need to be installed to use the -W switch Snort Winpcap Must be a problem with one of those, but best guess would to remove Winpcap and install. There is a possibility Winpcap is not seeing any lagitamate Network Interface Cards, or there are no Network Interface Cards installed?

Go into the add and remove programs and make sure Microsoft Visual C++ 2012 is installed. Go back to the tutorial and complete the section labeled: Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console

Winsnort.com only supports specific versions of Windows which are posted in each tutorial. If a non-supported version are used then there may be quirks. There is no way for Winsnort.com to verify this, but this error 500 could be related to other issues. DISM is available in Windows 10, as it is with Server 2016. Once the install is completed it is recommended to close any holes and setup whatever it takes to secure the Windows Intrusion Detection System (WinIDS). If you want to write up short tip in securing the Apache Webserver, and Barnyard2 I think it could be of use to some users. If you do and it's something a novice could do during the install. I could add it to the tutorials. I'm really trying to stay away from some of this advanced stuff because it does cause additional work, and problems.

You may want to activate all the rules just to make sure everything is working correctly after installing Pulledpork. The policy switch in Pulledpork tells Snort which rules to activate, but in general you may not be seeing any events for some time. This procedure will activate ALL the rules. Make SURE at the end of the test that you revert back to original policy setting or you may end up with millions of events that could bog down the Windows Intrusion Detection System (WinIDS). To activate all the rules bypassing the original policy setting Open a CMD window and type notepad2 d:\winids\script\etc\enablesid.conf and tap the Enter key. Scroll down find and change the line below: Original Line: # pcre:. Change to: pcre:. Save the file and exit. At the CMD prompt type perl d:\winids\script\pulledpork.pl -c d:\winids\script\etc\pulledpork.conf -nPT and tap the Enter key. Note: The added switches (nP) instructs Pulledpork to process the local rules bypassing the ips_policy switch setting, and this process should take about two minutes. The below is displayed in the terminal window after a successful update. Rule Stats... New:-------0 Deleted:---0 Enabled Rules:----27325 Dropped Rules:----0 Disabled Rules:---0 Total Rules:------27325 No IP Blacklist Changes Done Please review d:\winids\snort\log\sid_changes.log for additional details Fly Piggy Fly! Note: The verbose output above will display the Rule Stats, showing both enabled rule count, and disabled rule count should be 0. Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window. At the CMD prompt type net stop snort & net start snort and tap the Enter key. Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort. At the CMD prompt type exit and tap the Enter key. Note: Once the test is complete it is imperative to return and complete this tutorial or the end database fill up with millions of useless events. To revert back to the original policy setting Open a CMD window and type notepad2 d:\winids\script\etc\enablesid.conf and tap the Enter key. Scroll down find and change the line below: Original Line: pcre:. Change to: # pcre:. Save the file and exit. At the CMD prompt type perl d:\winids\script\pulledpork.pl -c d:\winids\script\etc\pulledpork.conf -nPT and tap the Enter key. Note: The added switches (nP) instructs Pulledpork to process the local rules using the ips_policy switch setting, and this process should take about two minutes. The below is displayed in the terminal window after a successful update. Rule Stats... New:-------0 Deleted:---0 Enabled Rules:----9853 Dropped Rules:----0 Disabled Rules:---17472 Total Rules:------27325 No IP Blacklist Changes Done Please review d:\winids\snort\log\sid_changes.log for additional details Fly Piggy Fly! Note: The verbose output above will display the Rule Stats, showing both enabled rule count, and disabled rule count. Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window. At the CMD prompt type net stop snort & net start snort and tap the Enter key. Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort. At the CMD prompt type exit and tap the Enter key.

The ips_policy switch has three settings: balanced connectivity security The default ips_policy switch is set to security. If at any time you want to change the ips_policy switch in the pulledpork.conf it will require an additional two switches added to the end of the Pulledpork run line to process the new ips_policy. Open a CMD prompt type as Administrator and type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' (less the outside quotes) and tap the Enter key. The above run line will only process the local rules for the new policy change on the fly! This run line will not update the rules from the rules repository. It will only update the policy selection from the existing set of rules! The rules should be checked for errors after the update for validation, and Snort must be cycled! Open a CMD prompt type as Administratort 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key. Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good. Snort successfully validated the configuration! Snort exiting

Yes, it does take some time on systems that have limited memory

1) I was waiting for Sourcefire to update the rule package to 2980 before releasing the updated tutorials. Not sure what is going on but there seems to be some disagreements between the two divisions that is causing a delay. However the updated tutorials are now online to fix this. I'm not sure why they pulled 2.9.7.6 from the repository. 2) I just checked on a new install a few days ago and the paths for Perl were added. 3) You might want to place an exclusion into McAfee for the signatures folder. That's a strange one...

Yea, that happens sometimes. Cutting and pasting works really well, but being very careful is a must...

Look at line 45 in the snort.conf file. Match line with the tutorial and that should get you to the fix. If problems still exist attach the snort.conf file.

The winids.rules file is associated with Pulledpork.

You need to create the files in the folder. The tutorial had you create them on the initial install. If you deleted the rules folder than you removed the files.

It appears you may only be seeing events from the preprocessors and not the rules. Make SURE you tested the rules after updating making SURE they were all read in. The number of rules will be in the output from the test.

Not too much data, corrupted data would be the most likely cause.

Did you clear the browser cache ? Did you try in a different browser ? Did you try cycling compatibility view in IE ?

The version of BASE you are using is not supported using any of the Windows Intrusion Detection Systems tutorials.

The location has a 404 error. Ask in the snort users group with a copy of the error. In the interim just hash out the line and it will be bypassed.

Is the file 888.85498046875-black_list.rules in the d:\winids\pulledpork\temp folder ? It appears the download location may not be available. You might leave a note in the snort-users group with the error message you are receiving.

Check out this topic

Stop snort, stop Barnyard2, delete all the files in the log folder, from the attached .zip replace the configuration files, and reboot. I'm not sure beyond this. My suggestion if this doesn't work to start over fresh on everything and follow the tutorial. Good luck... files.zip

Everything in the above terminal window is normal for Barnyard2 starting up. The more Barnyard2 is ran the fewer 'Warnings' get displayed, which is normal. It is waiting for events to be logged by Snort. Any events will be displayed in the above window. Is there any files of size in the snort/log folder? Attach your snort.conf and your barnyard2.conf.

It appears there is a networking issue somewhere. I unsure what the problem could be. If you have setup the test rules and are still not seeing events in the Windows Intrusion Detection Systems (WinIDS) security console then there is a blockage somewhere? You have a custom install which makes it difficult to trouble shoot. Scripts need converted and a LOT of paths needs to be changed. It appears the tutorial is working but there its not detecting network traffic. The test rules will detect all network traffic. If you open the browser and it things are happening that traffic will be logged as an event and sent through to the console.

There could be several reasons why there are no events being displayed. The WinIDS is plugged into a switch and cannot see all the traffic. The HOME_NET is not set correctly There are actually NO events being triggered If you believe the above are not causing problems. Manually add rules to detect on specific packets and log.

I'm out of suggestions? Might try looking for the error through Google and see if something there helps.