Everything posted by Morpheus
-
Go into the folder /base, right-click the folder signatures, and left-click 'Properties'. There is an entry 'Contains:' that holds the number of files. Get that number, and then in a short while do it again and see if that number is growing. It usually takes a very long time because it is using Perl to copy thousands of files. It's a Perl problem, and the developer knows about it. Good thing that open-source file doesn't get updated often...
-
It appears when the PHP Handler Mappings is added to the IIS Webserver there may be times it fails to propagate those settings to the IIS Default Web Site. This causes an Error 403 Forbidden to appear in the browser window when the section titled 'Testing IIS, and the PHP installation' is executed.

There can be a couple of reasons why this Error: 403 Forbidden is being displayed. The section titled 'Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console' was not correctly configured. The section titled 'Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console' was correctly configured, but the PHP Handler Mappings did not propagate to the IIS Default Web Site.

It is recommended to go back to the section labeled 'Configuring IIS for PHP, and the Windows Intrusion Detection Systems security console', recheck all the settings to make sure they are correct, and then retest the section labeled 'Testing IIS, and the PHP installation'. If the 'PHP' test is successful then continue on with the tutorial. If not, come back and complete the below.

It's assumed that the Web Browser is still open, along with the terminal window. Close the Web Browser, and leave the terminal window open.

In the open terminal type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), tap the 'Enter' key, and the Internet Information Services (IIS) Manager opens.

Note: The Internet Information Services (IIS) Manager may open and ask 'Do you want to get started with...' left-click 'No'.

On the left under 'Connections' the very top entry expand '<server name>', under <server name> expand 'Sites', left-click 'Default Web Site', in the center window titled 'Default Web Site Name' in the section labeled 'IIS', left-click highlighting 'Handler Mappings', and on the right under 'Actions' left-click 'Open Feature'.

In the center window titled 'Handler Mappings' there may be or may not be a 'PHP' entry listed under the 'Name' column. Scroll down the window and if there is a 'PHP' entry under the 'Name' column then left-click highlighting the 'PHP' entry, on the right under 'Actions' left-click 'X Remove', a 'Confirm Remove' message appears, and left-click 'Yes'.

On the right under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, left-click 'Yes', and exit the Internet Information Services (IIS) Manager.

At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Go back to the section labeled 'Testing IIS, and the PHP installation' and continue.
-
Waiting for New Data after configuring PulledPork
Morpheus replied to IT Team's topic in Rule Management - Pulledpork
Go into the Windows Intrusion Detection Systems security console and there is an option at the bottom that will allow you to delete as 1- All of the selected events.
-
Waiting for New Data after configuring PulledPork
Morpheus replied to IT Team's topic in Rule Management - Pulledpork
Running the test rules only tells you that it's capturing packets from that machine. If there is no mirroring in place then you're not going to be seeing any events being logged.
-
Waiting for New Data after configuring PulledPork
Morpheus replied to IT Team's topic in Rule Management - Pulledpork
Stop Snort, and Barnyard2. Delete everything in the log folder. The Windows Intrusion Detection System needs to be plugged into a HUB or a switch that can mirror all the ports to the port the Windows Intrusion Detection System is plugged into. Make SURE the HOME_NET is set correctly, and using any could be a workaround until you are sure it's logging events. Restart the Windows Intrusion Detection System when the above is true. My guess is that it is working but for some reason it's not seeing traffic. The next thing to do if the above is true and the Windows Intrusion Detection System is still not logging, is to turn on all the rules.
-
Waiting for New Data after configuring PulledPork
Morpheus replied to IT Team's topic in Rule Management - Pulledpork
Ok, is it only collecting events using the test rules, or is it actually collecting events based on the active rules?
-
Waiting for New Data after configuring PulledPork
Morpheus replied to IT Team's topic in Rule Management - Pulledpork
Have you tried manually triggering events? Link
-
Waiting for New Data after configuring PulledPork
Morpheus replied to IT Team's topic in Rule Management - Pulledpork
I'm asking this in the snort-users list. I'm also seeing this when I run snort -v -i1 and I don't remember ever seeing this. Warning: are usually only informational. That warning is completely useless because it's wanting to load the preprocessors, and that requires using the -c switch which has never been required when using the -v switch for viewing packets. Let's see what they come back with... This most likely has nothing to do with no events being captured.
-
I'm not sure, but it's a warning and can be ignored.
-
Try reversing the slashes: Change from: \i d:\winids\barnyard2\schemas\create_postgresql; Change to: \i d:/winids/barnyard2/schemas/create_postgresql; Let me know if that works... Can you also try removing the ; at the end to see if it works?
-
You need to configure line number: 190 snort_version=x.x.x.x
-
Attach your pulledpork.conf file.
-
You need to post a screenshot of the complete error. Did you run the modder.vbs file? Did you install the version of Strawberry Perl per the tutorial? Did you install to the d:\ drive?
-
It's not an error, it's a warning because it's not supported in Windows. Too bad because it would make updating the rules so much easier. There may be a way to do this with a Windows equivalent, or possibly Cygwin, but I've not looked directly into that. There will be a bunch of warnings showing up, they are purely informational, and never a show stopper.
-
It appears all that is needed is to add each of the rules files into the enablesid.conf file? If I remember right there is a global way to do this without having to add a list of rules? Thanks...
