Reputation Activity
-
Morpheus got a reaction from dhernandez000 in ERROR: Portscan log file 'log/\portscan.log' could not be opened: No such file or directory
If Snort is set up correctly, queries to the log folder are defaulted to the snort folder.
-
Morpheus got a reaction from FDids in Barnyard2 test doesn't show snort exiting
No, you don't need to do anything. What you are seeing is correct. I made an error in the tutorial and have since corrected it. Check out the tutorial, and it should match your install.
-
Morpheus got a reaction from fahmiff in Error Alert could not be found in acid_event.
What is the process you used and I'll check it on another build.
Did you just add the below to your local.rules file?
alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
Did you use something to generate the alert?
-
Morpheus got a reaction from fahmiff in winids's server IP address can not be found when starting security console
Looks like there was a problem with the modder file adding winids to the hosts file.
add to hosts file: 127.0.0.1 winids
-
Morpheus got a reaction from fahmiff in Cannot Configuring Graphing for WinIDS security console
There was an issue with the repository being hacked, and it was taken down. The tutorials were changed in order to internally control that process.
-
Morpheus got a reaction from fahmiff in 500 Internal Server Error when trying to open ''test.php''
The user has apparently fixed the issue without posting the root cause of the issue.
-
Morpheus got a reaction from fahmiff in What is switch x for Adding Snort to Windows Service Database
Go back to the section titled below to get the solution:
Testing the Windows Intrusion Detection System (WinIDS) for network traffic
-
Morpheus got a reaction from fahmiff in 500 Internal Server Error when trying to open ''test.php''
Make sure you have run the modder.vbs file as Administrator and allowed it to reboot on its own.
Make sure the test.php file has been copied to the d:\winids\apache24\htdocs\base folder.
Make sure you can ping winids:
Make sure all the required Microsoft Visual C++ packages have been installed:
If all the above is correct then please attach the php.ini file and the httpd.conf file.
-
Morpheus got a reaction from examiner2 in How to pick the correct tutorial...
To access our step-by-step installation guides, simply click the Tutorials link in the main menu bar.
Supported Operating Systems
WinIDS is officially supported only on 64-bit (x64) architectures for the following operating systems:
Desktop: Windows 10 and 11 Professional
Server: Windows Server 2016SE, 2019SE, 2022SE and 2025SE
Choosing Your Tutorial
Winsnort.com offers six distinct tutorials based on your deployment goals. For the best experience, always start with a fresh operating system installation.
Option A: Master (Stand-Alone) System
We offer four full tutorials for a complete, standalone WinIDS installation. To choose the right one, you only need to make two decisions:
Web Server: Microsoft Internet Information Services (IIS) OR Apache2
Database Server: MySQL OR PostgreSQL
Option B: Slave Sensors
We offer two tutorials for deploying remote slave sensors. To choose the right one, you only need to make one decision:
Remote Database Target: Will the sensor send events to a MySQL OR PostgreSQL database?
(Note: Regardless of your choices, a multitude of necessary supporting programs will be automatically installed throughout the process.)
Getting Support
Each tutorial is paired with its own dedicated support forum.
During Installation: Click the "Get Support" button at the top of your chosen tutorial to open the correct forum. Please keep all installation-related questions in that specific thread until your system is fully functional and events are successfully reaching the WinIDS security console.
Post-Installation: Once your WinIDS deployment is verified and running, please post any general operations or troubleshooting questions in the Client Forum.
Need Help Now?
If you have questions before diving in, simply reply to this topic. This thread is actively monitored by our administrators and moderators. While we usually respond much faster, please allow up to 24 hours for a reply. Don't be surprised if our fantastic community members jump in to help you sooner!
Good luck, and happy WinSnorting!
-
Morpheus got a reaction from kit in How to run the Windows Intrusion Detection System
The above looks normal. If you open the command window in the task bar it should say waiting for data. If you see packets being displayed in the command window then there is a problem. Those packets should be registering in the security console.
If you are not seeing any packets in the command window then there is nothing triggering events. There could be several reasons why: not on the same subnet, plugged into a switch and switches must have port mirroring set to the security console's IP.
-
Morpheus got a reaction from kit in Error:cannot read configuration file
Looks like you ran into a problem installing and moving the IIS server. I'm not sure how this can be fixed as I've never seen the error. You might try reinstalling from scratch and make SURE the command window is in Admin mode before running the move script.
-
Morpheus got a reaction from thang_dl in Failed to install completely Winsnort and Base
I found a few quirks but nothing major. Swap the files in the attached .zip with your existing files.
winIDS.zip
-
Morpheus got a reaction from dominic.fernandes@gmail.co in MSVCR110.dll missing during apache2 config
Not sure, but it's not getting the MSV C++ installed correctly.
Did you run the modder.vbs file?
Is this a fresh install of the operating system?
Have you tried installing the MS Visual C ++ redistributable as 'Run as Administrator'?
-
Morpheus got a reaction from dominic.fernandes@gmail.co in DAQ ERROR on win7 32 bit ent
I just noticed:
Change this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log –i1 -T
To this: d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T
-
Morpheus got a reaction from dominic.fernandes@gmail.co in notepad2 and opensource.gz
1) Wonder what else didn't happen when the modder.vbs file ran?
2) Sourcefire has updated their snort.org site in the past few days and there have been issues with the rules, and opensource files?
3) I'm not sure as that has never happened here. This is most likely an issue related to item 1.
I'll look into item 2 and adjust to the new name.
Update: Several of the file names were changed on the snort.org site, and all the tutorials now reflect those changes.
