WinIDS - Windows 7 / 2008 / 2012 - IIS 7.5 / 8 - MySQL :: WINSNORT...

http://winsnort.com/index.php?module=Pages&func=display&pageid=4...

32/64bit Windows Intrusion Detection System (WinIDS) Guided Install

Written by: Michael E. Steele
IIS 7.5 / 8 Web-Server, MySQL Database Server
Last Date Revised: May 20, 2013

Introduction
When it comes to deploying an IDS (Intrusion Detection System), many network engineers automatically think of Snort. Why? First of all, it's a highly capable, full-featured Intrusion Detection System (that can even act as an Intrusion Prevention System with the appropriate tweaks). Second of all, it's completely free, both its binaries and its source code tree. Snort can also run on many platforms, including Linux, MS Windows and FreeBSD, so there are plenty of options for deploying this system. However, installing the Windows Intrusion Detection System (WinIDS) with a production-ready setup always takes a while, more so when you have to "discover" many things and solve many issues on your own in order to complete the setup. I've managed to get through that process in the Windows environment and now I'd like to share my process with you. During my research I found a lot of guides and blogs like this one describing the installation process. Yet none of them specifically detailed setting this up in a Windows environment, so I had to gather a lot of information, and I had to generate some information as well.

Copyright Notice
This document is Copyright © 2002-2013 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

1 of 21

6/26/2013 9:11 PM

Support Questions and Help
All support questions MUST be directed to the support forums [1]. This is a way to address the masses, instead of a single person. If you haven't acquired this guide directly from the Winsnort.com [2] website, then you most likely don't have the latest revision!

My setup is a classical Windows Intrusion Detection System (WinIDS) deployment:

- The Snort detection engine will be running in passive mode, logging events to a unified2 log file.
- Barnyard2 will be processing the Windows Intrusion Detection Systems (WinIDS) unified2 log files.
- A MySQL-driven database will store the processed events/logs for further analysis.
- Internet Information Services 7.5 / 8 web-server will drive the Windows Intrusion Detection Systems (WinIDS) analysis GUI console.
- BASE will serve as the web-based Windows Intrusion Detection Systems (WinIDS) events analysis GUI console.

Even though this guided install is written to integrate these tools seamlessly, I've done my best to describe the installation of each component as generally as possible. This way, you can take the important elements and develop your own setup integrating other tools. Although I created this guide using a single computer, it's very easy to extend the deployment to multiple computers (multi-tier approach), each one in charge of one task (i.e. sensors, database server, web server).

Operating System and Configuration Setup
Supported 32/64bit operating systems for this Windows Intrusion Detection System (WinIDS) guided install

It is imperative that any of the supported Microsoft operating systems listed below have all the latest service packs and security updates installed from the Microsoft Windows update site. Failure to complete this task will most likely cause the Windows Intrusion Detection Systems (WinIDS) guided install to fail.

- Windows XP Professional (SP3)
- Windows 7 Professional (SP1)
- Windows Server 2003 Standard Edition (SP2)
- Windows Server 2008 Standard Edition (SP2)
- Windows Server 2012 Standard Edition

Only the supported Microsoft operating systems listed above have been thoroughly tested in both the 32bit and 64bit environments for this particular guided install. It is highly recommended to install the Windows Intrusion Detection System (WinIDS) on a fresh, clean Windows installation, making sure all the latest service packs and security updates from the Microsoft update center have been installed. This is how I've set up and tested the Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure.

I'll be using Windows XP Pro (SP3) 32bit, but any 32/64bit version of Windows listed above will do. I've created a user named 'Operator', set the password to 'z1pp3r', and assigned user 'Operator' Administrative privileges. I'm installing the complete Windows Intrusion Detection System (WinIDS) logged on as user 'Operator'. The passwords shown in this guide ('z1pp3r' here, and the MySQL root password later on) are examples only; use your own strong, unique passwords in their place. I have 3GB of memory installed, but anything over 2GB should be fine; the absolute minimum is 2GB (more is better). I'm using two partitions - C: (System) with 300GB, and D: (WinIDS) with 1TB. I'm installing the complete Windows Intrusion Detection System (WinIDS) into the 'd:\winids' folder.


Pre-installation Tasks

Downloading and extracting the 'Windows Intrusion Detection Systems (WinIDS) Software Pack'

Only use the files in the 'WinIDS - (32/64bit) Software Pack' below! These files have been thoroughly tested in all the Windows Intrusion Detection Systems (WinIDS) guided installs. There may be more recent versions of the support packages available, but they have either not been tested, or there is a problem which could cause the guided install to fail. Using other files, not included in the appropriate Windows Intrusion Detection System (WinIDS) Software Pack, will most likely cause the Windows Intrusion Detection System (WinIDS) guided install to fail.

Depending on the processor's architecture, download the appropriate 'WinIDS - (32/64bit) Software Pack'.

32bit: Download the 'WinIDS - 32bit Software Pack' to the 'd:\' drive.

64bit: Download the 'WinIDS - 64bit Software Pack' to the 'd:\' drive.

Open a CMD window and type 'd:\winids-sp-xxx-xx.xx.xx.exe' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'winids-sp-xxx-xx.xx.xx.exe' filename with the actual filename that was downloaded to the 'd:\' drive from above. The WinIDS self-extracting archive wizard appears; in the 'Enter password' dialog box type 'w1nsn03t.c0m' (less the outside quotes), in the 'Destination folder' dialog box type 'd:\temp' (less the outside quotes), left-click 'Extract', left-click 'OK' allowing all the Windows Intrusion Detection Systems (WinIDS) files to be extracted to the 'd:\temp' folder, and the WinIDS self-extracting archive wizard automatically closes.

System configuration changes

At the CMD prompt type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. The modder.vbs file performs several tasks:

- Turns 'UAC' off for Windows 7, Server 2008, and Server 2012
- Installs 'Microsoft .NET Framework 4.0' for Windows XP, and Server 2003
- Installs 'IP Version 6' for Windows XP, and Server 2003
- Installs 'Notepad2' to Windows\System32
- Installs 'unzip' to Windows\System32
- Installs 'tartool' to Windows\System32
- Inserts the 'winids' hostname into the hosts file
- Sets 'Hidden Files' as off in the registry
- Sets 'Show File Extensions' as on in the registry
- Sets 'Visual Effects' as minimal in the registry
- Reboots the system

Do not proceed until the above script has rebooted the system; this could take several minutes. Note that turning 'UAC' off lowers the protection of the sensor host itself, so the host should be dedicated to the Windows Intrusion Detection System (WinIDS) and not used for anything else.

I strongly suggest that after the reboot the Microsoft Baseline Security Analyzer [3] (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this guided install.

Installing the Basic Windows Intrusion Detection System (WinIDS)

Installing WinPcap

Open a CMD window and type 'd:\temp\WinPcap_4_1_3.exe' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'WinPcap_4_1_3.exe' filename with the actual filename located in the 'd:\temp' folder. The WinPcap installation wizard appears; left-click 'Next', left-click 'Next', left-click the 'I Agree' button, make SURE the 'Automatically start the WinPcap driver at boot time' box is checked, left-click 'Install', and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_4_6_Installer.exe' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'Snort_2_9_4_6_Installer.exe' filename with the actual filename located in the 'd:\temp' folder. The Snort installation wizard appears; left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, and left-click 'OK'. If the 'Program Compatibility Assistant' appears, left-click 'Run the program without getting help'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  -----------------  ---------------------------------------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list, the 'Index' number is important, and will need to be remembered for later use in the guided install. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS). The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'. There should now be multiple packets passing through the CMD window, and something similar to the following output is a confirmation indicating that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If no traffic is passing through the CMD window, and there were multiple Network Interface Cards listed, try another 'Index' number. Do not proceed until network traffic is being displayed in the CMD window. After verifying active network traffic, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

Installing the Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-2941.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'snortrules-snapshot-2941.tar.gz' filename with the actual filename located in the 'd:\temp' folder.

Installing Strawberry Perl

32bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'strawberry-perl-5.14.2.1-32bit.msi' filename with the actual filename located in the 'd:\temp' folder.

64bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'strawberry-perl-5.14.2.1-64bit.msi' filename with the actual filename located in the 'd:\temp' folder.

The Strawberry Perl installation wizard appears; left-click 'Next', left-click the 'I accept the terms...' radio button, left-click 'Next', in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), left-click 'Next', left-click 'Install' (it will take several minutes to perform the install), left-click and uncheck the 'Read README file...' box, and left-click 'Finish'.

Installing Perl Pre-Requisites

Open a CMD window and type 'perl -MCPAN -e shell' (less the outside quotes), and tap the 'Enter' key. At the 'cpan' CMD prompt type 'install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key. At the 'cpan' CMD prompt type 'quit' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Windows 7

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Uninstall or Change a program' control panel opens; under 'Control Panel Home', left-click 'Turn Windows features on or off'. In the 'Turn Windows features on or off' window expand 'Internet Information Services', to the left of 'Web Management Tools' left-click the check box (it may only turn blue), to the left of 'World Wide Web Services' left-click the check box (it may only turn blue), expand 'World Wide Web Services', expand 'Application Development Features', left-click and check all features except 'Server-Side Includes', left-click 'OK' allowing Windows to make the changes, and eXit the 'Uninstall or Change a program' control panel.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Server 2008

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Programs and Features' control panel opens; under 'Control Panel Home', left-click 'Turn Windows features on or off', and the 'Server Manager' opens. In the 'Server Manager' window, scroll down to 'Roles Summary', and left-click 'Add Roles'. The 'Add Roles Wizard' starts; left-click 'Next', opening the 'Select Server Roles' page. Left-click the select box to the left of 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' window opens; left-click 'Add Features', and left-click 'Next'. At the 'Web Server (IIS)' page left-click 'Next'. At the 'Select Role Services' page scroll down and expand 'Application Development'. Left-click the select box to the left of 'Application Development', selecting all server roles. To the left of 'Server Side Includes' left-click, unselecting 'Server Side Includes', and left-click 'Next'. At the 'Confirm Installation Selections' page left-click 'Install'. Left-click 'Close', exit the 'Server Manager', and exit 'Programs and Features'. At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 8 - Server 2012

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Programs and Features' control panel opens; under 'Control Panel Home', left-click 'Turn Windows features on or off', and the 'Add Roles and Features Wizard' opens. At the 'Before you begin' selection window, left-click 'Next'. At the 'Select installation type' selection window, left-click 'Next'. At the 'Select destination server' selection window, left-click 'Next'. At the 'Select server roles' selection window, under 'Roles' scroll down and left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' window opens; left-click 'Add Features', and left-click 'Next'. At the 'Select features' selection window, left-click 'Next'. At the 'Web Server Role (IIS)' selection window, left-click 'Next'. At the 'Select role services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm installation selections' selection window, left-click 'Install' allowing IIS to complete the features installation, left-click 'Close', eXit the 'Server Manager', and eXit 'Programs and Features'. At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Installing the Windows Intrusion Detection Systems (WinIDS) Security Console

BASE is used for the Windows Intrusion Detection Systems (WinIDS) Security Console, and is a security analysis web tool. It is a tiny application whose only task is to display/report Snort events. The Windows Intrusion Detection Systems (WinIDS) Security Console uses a database backend to get the data. This database is the same database that will get directly populated by Snort's output database routine. At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'base-1.4.5.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing Barnyard2

Barnyard2 will run and reside in a terminal window located in the Windows taskbar on boot. Barnyard2 is in charge of parsing and processing Snort's unified2 log files, sending them to a specified destination (where they will be used for security analysis and monitoring) such as a database server. As Barnyard2 runs independently of Snort, it doesn't need to process the logs/alerts in real time, that is, at the same time that Snort generates them. Barnyard2 only needs to keep track of how many events it has processed at a given time. For this purpose, Barnyard2 uses a "waldo" file, where it saves the name of the log/alert file being processed, and the offset within the log/alert file.

Barnyard2 is capable of processing Snort's unified2 log files. For this guided install, Barnyard2 will be sending processed unified2 log data to a MySQL database backend server. At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-2-1.13.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'barnyard2-2-1.13.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb518a.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'adodb518a.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing the MySQL Database Server

At the CMD prompt type 'd:\temp\mysql-installer-community-5.5.30.1.msi' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'mysql-installer-community-5.5.30.1.msi' filename with the actual filename located in the 'd:\temp' folder.

The MySQL Database server installer's 'Welcome' screen appears. Left-click the 'Install MySQL Products' link to start the MySQL installation. The MySQL Database server installer's 'License Agreement' screen appears. Left-click, checking the 'I accept the license terms' box, and left-click 'Next'. The MySQL Database server installer's 'Find latest products' screen appears. If no internet connection is available, left-click, checking the 'Skip the checks for updates...' box, and left-click 'Next'. Otherwise left-click 'Execute' allowing any updates to be fetched, and left-click 'Next'. The MySQL Database server installer's 'Choosing a setup type' screen appears. Left-click, selecting the 'Server only' option. In the 'Installation Path:' dialog box type 'd:\winids\mysql\' (less the outside quotes). In the 'Data Path:' dialog box type 'd:\winids\mysql\' (less the outside quotes), and left-click 'Next'. The MySQL Database server installer's 'Check Requirements' screen appears; left-click 'Next'. The MySQL Database server installer's 'Installation Progress' screen appears. Left-click 'Execute' allowing the MySQL server to complete the install, and left-click 'Next'. The MySQL Database server installer's 'Configuration Overview' screen appears; left-click 'Next'. The MySQL Database server installer's 'MySQL Server Configuration' screen 1 of 3 appears. Under 'Server Configuration Type' left-click the 'Config Type:' drop down select box, left-clicking 'Server Machine'; the 'Config Type:' should now show 'Server Machine'. Left-click 'Next'. The MySQL Database server installer's 'MySQL Server Configuration' screen 2 of 3 appears. Under 'Root Account Password' in the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), and left-click 'Next'. The root password shown here is an example; choose your own strong password, since this account owns every event the Windows Intrusion Detection System (WinIDS) records. The MySQL Database server installer's 'MySQL Server Configuration' screen 3 of 3 appears; left-click 'Next' allowing the MySQL server to complete the configuration. The MySQL Database server installer's 'Installation Complete' screen appears; left-click 'Finish'.

At the CMD prompt type 'copy "d:\winids\mysql\mysql server 5.5\lib\libmysql.dll" c:\windows\system32' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the command prompt.

Installing PHP

At the CMD prompt type 'unzip -oqq d:\temp\php-5.4.15-nts-Win32-VC9-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'php-5.4.15-nts-Win32-VC9-x86.zip' filename with the actual filename located in the 'd:\temp' folder; it has '-nts-' in the filename.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.

Information about the sid-msg.map file: The 'sid-msg.map' file essentially maps the rule MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is in unified2 format, taking that output, and reading it with Barnyard2 for input into the database. Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid. Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

Configuring the Snort Detection Engine

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.

The home network variable below defines the network you wish to monitor, like the local LAN segment for instance. It is set by specifying one or more networks in the form of a CIDR [4]. It is important to specify the correct range of internal network addresses that the Windows Intrusion Detection System (WinIDS) will need to monitor. The IP address below is fictitious and must be changed to the correct IP address and CIDR that reflects the actual network that the Windows Intrusion Detection System (WinIDS) will be monitoring.

Original Line(s):
ipvar HOME_NET any
Change to:
ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example, the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254.

Original Line(s):
var RULE_PATH ../rules

Change to:
var RULE_PATH d:\winids\snort\rules

Original Line(s):
var SO_RULE_PATH ../so_rules
Change to:
# var SO_RULE_PATH ../so_rules

Original Line(s):
var PREPROC_RULE_PATH ../preproc_rules
Change to:
var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
var WHITE_LIST_PATH ../rules
Change to:
var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
var BLACK_LIST_PATH ../rules
Change to:
var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to:
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original Line(s):
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s):
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
output unified2: filename merged.log, limit 128

Original Line(s):
include classification.config
Change to:
include d:\winids\snort\etc\classification.config

Original Line(s):
include reference.config
Change to:
include d:\winids\snort\etc\reference.config

Original Line(s):
include threshold.conf
Change to:
include d:\winids\snort\etc\threshold.conf

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Save the file, and eXit Notepad2.
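The HOME_NET and path edits above are easy to get subtly wrong by hand, and a wrong path only surfaces later when 'snort -T' fails. The following script is an added example, not part of this guide or of the Snort distribution: it applies exactly the 'Original Line(s)' / 'Change to' substitutions listed above to a snort.conf, validates the HOME_NET value as CIDR notation, and reports any expected original line it did not find (the usual sign of a different Snort version). The base folder 'd:\winids\snort' is the guide's; the sample configuration text is constructed for the example and is only an excerpt of a stock snort.conf.

```python
"""Apply the WinIDS snort.conf edits and report originals that were not found.

Added example (not from the guide or the Snort project). The edit table below
mirrors the guide's Original/Change-to pairs; 'home_net' and 'base' are
parameters, and SAMPLE_CONF is a constructed excerpt of a stock snort.conf.
"""
import ipaddress


def check_home_net(home_net):
    """Accept one CIDR or a Snort list '[a/24,b/24]'; raise ValueError on typos.
    Negated entries ('!') are not handled here."""
    nets = [n.strip() for n in home_net.strip().strip('[]').split(',') if n.strip()]
    if not nets:
        raise ValueError('HOME_NET is empty')
    return [str(ipaddress.ip_network(n, strict=False)) for n in nets]


def edit_table(home_net, base=r'd:\winids\snort'):
    """Return [(original_line, replacement_line)] as the guide lists them."""
    rules, etc, lib = base + r'\rules', base + r'\etc', base + r'\lib'
    table = [
        ('ipvar HOME_NET any', 'ipvar HOME_NET ' + home_net),
        ('var RULE_PATH ../rules', 'var RULE_PATH ' + rules),
        ('var SO_RULE_PATH ../so_rules', '# var SO_RULE_PATH ../so_rules'),
        ('var PREPROC_RULE_PATH ../preproc_rules',
         'var PREPROC_RULE_PATH ' + base + r'\preproc_rules'),
        ('var WHITE_LIST_PATH ../rules', 'var WHITE_LIST_PATH ' + rules),
        ('var BLACK_LIST_PATH ../rules', 'var BLACK_LIST_PATH ' + rules),
        ('dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/',
         'dynamicpreprocessor directory ' + lib + r'\snort_dynamicpreprocessor'),
        ('dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so',
         'dynamicengine ' + lib + r'\snort_dynamicengine\sf_engine.dll'),
        ('dynamicdetection directory /usr/local/lib/snort_dynamicrules',
         '# dynamicdetection directory /usr/local/lib/snort_dynamicrules'),
        ('# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }',
         'preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }'),
        ('# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types',
         'output unified2: filename merged.log, limit 128'),
        ('include classification.config', 'include ' + etc + r'\classification.config'),
        ('include reference.config', 'include ' + etc + r'\reference.config'),
        ('include threshold.conf', 'include ' + etc + r'\threshold.conf'),
    ]
    # The inline normalizers are commented out: this sensor runs passively.
    for norm in ('normalize_ip4', 'normalize_tcp: ips ecn stream',
                 'normalize_icmp4', 'normalize_ip6', 'normalize_icmp6'):
        table.append(('preprocessor ' + norm, '# preprocessor ' + norm))
    # The preprocessor/decoder/sensitive-data rule includes are enabled.
    for inc in ('preprocessor.rules', 'decoder.rules', 'sensitive-data.rules'):
        table.append(('# include $PREPROC_RULE_PATH/' + inc,
                      'include $PREPROC_RULE_PATH/' + inc))
    return table


def windowsize(conf_text, home_net, base=r'd:\winids\snort'):
    """Return (new_text, missing): the edited snort.conf and every original
    line from the table that was not present in conf_text."""
    check_home_net(home_net)
    table = edit_table(home_net, base)
    lookup = dict(table)
    seen, out = set(), []
    for line in conf_text.splitlines():
        key = line.rstrip()
        if key in lookup:
            seen.add(key)
            out.append(lookup[key])
        else:
            out.append(line)
    missing = [orig for orig, _ in table if orig not in seen]
    return '\n'.join(out) + '\n', missing


# Constructed excerpt of a stock Linux snort.conf (only the lines the guide touches).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include classification.config
include reference.config
include threshold.conf
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
"""

if __name__ == '__main__':
    new_conf, not_found = windowsize(SAMPLE_CONF, '192.168.1.0/24')
    print(new_conf)
    print('missing originals:', not_found)
```

Run it against a real copy ('windowsize(open(path).read(), "10.10.0.0/16")') and only write the result back when the 'missing' list is empty; anything listed there must be located in Notepad2 and changed by hand, exactly as the guide describes.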
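The 'Updating the sid-msg.map file' section above explains why Barnyard2 needs the map but leaves the format implicit. The script below is an added example, not the create-sidmap.pl script from the WinIDS software pack: it walks a rules folder, extracts each active rule's sid, msg and reference options, and writes the 'sid || msg || reference' lines Barnyard2 reads, skipping commented-out rules so that disabled signatures do not appear in the map. The sample rules are constructed for the example.

```python
"""Build a Snort 'sid-msg.map' from *.rules files.

Added example (not the guide's create-sidmap.pl). Output format is the
'sid || msg || reference || reference' map that Barnyard2 uses to turn a
unified2 gid:sid into a readable event name. SAMPLE_RULES is constructed.
"""
import re
from pathlib import Path

# Rule option extractors: sid, the quoted msg (with \" escapes), reference entries.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^;]+?)\s*;')


def parse_rule(line):
    """Return (sid, msg, [refs]) for one rule line, or None if it is not an
    active rule. Commented-out rules ('# alert ...') are skipped because Snort
    does not load them, so they must not be mapped either."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    sid = SID_RE.search(line)
    msg = MSG_RE.search(line)
    if not (sid and msg):
        return None
    refs = [r.replace(' ', '') for r in REF_RE.findall(line)]
    return int(sid.group(1)), msg.group(1), refs


def build_sidmap(rule_texts):
    """rule_texts: iterable of rule-file contents. Returns the map lines,
    sorted by sid; a sid defined twice keeps the last definition seen."""
    entries = {}
    for text in rule_texts:
        for line in text.splitlines():
            parsed = parse_rule(line)
            if parsed:
                sid, msg, refs = parsed
                entries[sid] = (msg, refs)
    return ['%d || %s' % (sid, ' || '.join([msg] + refs))
            for sid, (msg, refs) in sorted(entries.items())]


def write_sidmap(rules_dir, out_path):
    """Read every *.rules file under rules_dir, write out_path, return the count."""
    texts = [p.read_text(errors='replace')
             for p in sorted(Path(rules_dir).glob('*.rules'))]
    lines = build_sidmap(texts)
    Path(out_path).write_text('\n'.join(lines) + '\n')
    return len(lines)


# Constructed sample rules (sids in the local 1000000+ range, not real Snort rules).
SAMPLE_RULES = r'''
# a disabled rule that must not be mapped
# alert tcp any any -> any 80 (msg:"DISABLED"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB probe"; flow:to_server; sid:1000002; rev:2; reference:cve,2008-4250; reference:url,example.test/smb;)
alert icmp any any -> $HOME_NET any (msg:"ICMP PING \"quoted\""; sid:1000003; rev:1;)
'''

if __name__ == '__main__':
    for entry in build_sidmap([SAMPLE_RULES]):
        print(entry)
```

On the sensor this would be run as 'write_sidmap(r"d:\winids\snort\rules", r"d:\winids\snort\etc\sid-msg.map")' after every rule update, for the reason the guide gives: a rules update without a matching map update leaves every new signature showing up in the database as a bare gid:sid.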

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch. This will start Snort in self-test mode for configuration and rule file testing. If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!
Snort exiting

Do not proceed until 'Snort successfully validated the configuration!' is displayed.

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt. At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):
max_execution_time = 30
Change to:
max_execution_time = 60

Original Line(s):
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to:
; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s):
; extension_dir = "ext"
Change to:
extension_dir = "d:\winids\php\ext"

Original Line(s):
;include_path = ".;c:\php\includes"
Change to:
include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s):
;cgi.force_redirect = 1
Change to:
cgi.force_redirect = 0

Original Line(s):
;extension=php_gd2.dll
Change to:
extension=php_gd2.dll

Original Line(s):
;extension=php_mysql.dll
Change to:
extension=php_mysql.dll

Original Line(s):
;date.timezone =
Change to:
date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential, otherwise event timestamps in the console will be offset. Check out the PHP website for the List of Supported Timezones [5].

Original Line(s):
;session.save_path = "/tmp"
Change to:
session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.

Configuring Internet Information Services for PHP

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key. The 'Internet Information Services (IIS) Manager' opens. If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...', left-click 'No'. In the left pane under 'Connections' expand servername, under 'Connections' expand 'Sites', left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Handler Mappings', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears, and left-click 'Yes'. In the 'Handler Mappings' under the 'Enabled' section there will be a new 'PHP' entry in the 'Name' column; highlight and right-click 'PHP', left-click 'Edit...', verify all three dialog box settings match what was entered above, left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager'. Do not proceed until the 'Handler Mappings' for PHP have been set correctly! At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing Internet Information Services, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt. Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL address box, and tap the 'Enter' key. Several sections of information concerning the status and install of PHP should be displayed. In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes). In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in the columns 'Local Value' and 'Master Value'. In the same section make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php\pear' (less the outside quotes) in the columns 'Local Value' and 'Master Value'. In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in the columns 'Local Value' and 'Master Value'. Do not proceed until all the above paths are correct! eXit the web-browser. At the CMD prompt type 'del d:\winids\inetpub\wwwroot\test.php' (less the outside quotes), and tap the 'Enter' key. Do not skip this deletion: the test page exposes the complete PHP configuration to anyone who can reach the web-server.

Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key. The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch (Snort lists the available cards and their index numbers with 'snort -W'). The following is a confirmation that the Snort service was successfully added to the Windows Services Database:

[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database. At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes; the space after 'start=' is required by sc), and tap the 'Enter' key. The following is a confirmation that the Snort auto-start service has been successfully activated:

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Configuring the MySQL Database Server

Creating the Windows Intrusion Detection System Databases

Open a CMD window and type 'mysql -u root -p' (less the outside quotes), and tap the 'Enter' key. At the password prompt type 'd1ngd0ng' (less the outside quotes), and tap the 'Enter' key. You will be dropped into the MySQL administration console CMD prompt. At the mysql CMD prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK, 1 row affected (0.0? sec)' and drop back to the mysql prompt. At the mysql CMD prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK, 1 row affected (0.0? sec)' and drop back to the mysql prompt. At the mysql CMD prompt type 'show databases;' (less the outside quotes), and tap the 'Enter' key. There should be several databases listed, including 'archive', 'information_schema', 'mysql', and 'snort'.

Creating the Windows Intrusion Detection System Database Tables

At the mysql CMD prompt type 'connect snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: snort' and drop back to the mysql prompt. At the mysql CMD prompt type 'source d:/winids/barnyard2/schemas/create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, ... (0.0? sec)' entries and drop back to the mysql prompt. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0'. At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, ... (0.0? sec)' entries and drop back to the mysql prompt. At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)'.

Repeat the same steps for the archive database. At the mysql CMD prompt type 'connect archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: archive' and drop back to the mysql prompt. Run 'source d:/winids/barnyard2/schemas/create_mysql' and then 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' exactly as above, checking for the same 'Query OK' entries and the same 'Records: 4 Duplicates: 0 Warnings: 0' line. At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should again show '22 rows in set (0.00 sec)'.

Creating the Windows Intrusion Detection System Database Access, and Authenticated Users

At the mysql CMD prompt type 'set password for root@localhost = password('d1ngd0ng');' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt. At the mysql CMD prompt type each of the following grant statements (less the outside quotes), tapping the 'Enter' key after each one. Each will display 'Query OK' and drop back to the mysql prompt:

grant INSERT,SELECT,UPDATE on snort.* to snort identified by 'l0gg3r';
grant INSERT,SELECT,UPDATE on snort.* to snort@localhost identified by 'l0gg3r';
grant INSERT,SELECT,DELETE,UPDATE,CREATE on snort.* to base identified by 'an@l1st';
grant INSERT,SELECT,DELETE,UPDATE,CREATE on snort.* to base@localhost identified by 'an@l1st';
grant INSERT,SELECT,DELETE,UPDATE,CREATE on archive.* to base identified by 'an@l1st';
grant INSERT,SELECT,DELETE,UPDATE,CREATE on archive.* to base@localhost identified by 'an@l1st';

The 'snort' account is the one Barnyard2 writes events with, so it receives only INSERT, SELECT and UPDATE. The 'base' account is the one the Security Console uses, so it additionally receives DELETE and CREATE for archiving and purging. A grant without '@localhost' creates the account as 'snort'@'%' or 'base'@'%', which MySQL will accept from any host; it is needed here because Barnyard2 and BASE connect to 'host=winids' rather than 'localhost'. If TCP port 3306 is reachable from the network, restrict those two accounts to the sensor's own address and change the passwords used in this guide (see 'Security Issues' below).

At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and tap the 'Enter' key. It will display 'Database changed' and drop back to the mysql prompt. At the mysql CMD prompt type 'select * from user;' (less the outside quotes), and tap the 'Enter' key. There should be several users listed, including 'root', 'snort', and 'base'. At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.

Confirming MySQL and Snort are operational

At the CMD prompt type 'net stop mysql55 & net start mysql55' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key. The 'Windows Task Manager' starts. Left-click the 'Processes' tab; in the 'Image Name' column there should be a 'snort.exe' and a 'mysqld.exe' listed as a process. Do not proceed until the processes above are running! eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.'. At the CMD prompt type 'tartool d:\temp\opensource.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key. The above command may take a few minutes to complete as it is moving several thousand files. At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.
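The grant statements in 'Creating the Windows Intrusion Detection System Database Access, and Authenticated Users' above give each account only what its program needs. The quickest way to confirm that this privilege split has survived later changes is to audit the rows printed by 'show grants for' each account. The following Python script is an added example and is not part of this guide or of the WinIDS distribution. It assumes a single-box install (the ALLOWED_HOSTS set is an assumption of the example), and the sample SHOW GRANTS rows are constructed for the example, not captured from a real server:

```python
import re

# Added example, not part of the WinIDS guide. Audits MySQL 'SHOW GRANTS' rows
# against the least-privilege split the guide sets up: Barnyard2 writes events
# as 'snort'; the BASE console reads, archives and purges as 'base'.
EXPECTED = {
    ("snort", "snort"):  {"INSERT", "SELECT", "UPDATE"},
    ("base", "snort"):   {"INSERT", "SELECT", "DELETE", "UPDATE", "CREATE"},
    ("base", "archive"): {"INSERT", "SELECT", "DELETE", "UPDATE", "CREATE"},
}

# Assumption: a single-box install, so the only hosts these accounts should
# ever connect from are the sensor itself ('winids' is the guide's host name).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "winids"}

# One SHOW GRANTS row: GRANT <privs> ON <db>.<table> TO 'user'@'host' ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+`?(?P<db>[\w*]+)`?\.`?[\w*]+`?\s+"
    r"TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)


def parse_grant(line):
    """Return (user, host, db, privileges) for one SHOW GRANTS row, else None."""
    m = GRANT_RE.match(line.strip())
    if m is None:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return m.group("user"), m.group("host"), m.group("db"), privs


def audit_grants(rows):
    """Return a list of (account, problem) findings, deduplicated, in row order."""
    findings = []
    for row in rows:
        parsed = parse_grant(row)
        if parsed is None:
            continue                      # not a GRANT row (prompt, header, blank)
        user, host, db, privs = parsed
        account = f"{user}@{host}"
        if host not in ALLOWED_HOSTS:
            findings.append((account, f"host '{host}' is outside {sorted(ALLOWED_HOSTS)}"))
        if privs == {"USAGE"}:
            continue                      # USAGE = no privileges; this is only the login row
        if db == "*":
            if user != "root":            # only the DBA account may hold global privileges
                findings.append((account, f"global privileges {sorted(privs)}"))
            continue
        expected = EXPECTED.get((user, db))
        if expected is None:
            findings.append((account, f"no access to database '{db}' is expected"))
        else:
            excess = privs - expected
            if excess:
                findings.append((account, f"excess privileges on '{db}': {sorted(excess)}"))
    unique = []
    for f in findings:
        if f not in unique:
            unique.append(f)
    return unique


# Constructed sample: what SHOW GRANTS prints after this guide's grants, plus
# one row widened to ALL PRIVILEGES so the audit has drift to catch.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*A1B2' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'snort'@'%' IDENTIFIED BY PASSWORD '*C3D4'",
    "GRANT INSERT, SELECT, UPDATE ON `snort`.* TO 'snort'@'%'",
    "GRANT INSERT, SELECT, UPDATE ON `snort`.* TO 'snort'@'localhost'",
    "GRANT INSERT, SELECT, DELETE, UPDATE, CREATE ON `snort`.* TO 'base'@'localhost'",
    "GRANT INSERT, SELECT, DELETE, UPDATE, CREATE ON `archive`.* TO 'base'@'localhost'",
    "GRANT ALL PRIVILEGES ON `snort`.* TO 'base'@'%'",
]

if __name__ == "__main__":
    for account, problem in audit_grants(SAMPLE_GRANTS):
        print(f"{account}: {problem}")
```

Paste the rows from 'show grants for 'snort'@'%';' and the other accounts into SAMPLE_GRANTS, or pass them to audit_grants() directly; an empty list means the accounts still match the guide. On the sample above the script reports the two '%' accounts as reachable from any host and the widened 'base'@'%' row as holding more than the console needs.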

Original Line(s): $BASE_urlpath = '';
Change to: $BASE_urlpath = 'http://winids';

Original Line(s): $DBlib_path = '';
Change to: $DBlib_path = 'd:\winids\adodb5';

Original Line(s): $DBtype = '?????';
Change to: $DBtype = 'mysql';

Original Line(s):
$alert_dbname   = 'snort_log';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname   = 'snort';
$alert_host     = 'winids';
$alert_port     = '';
$alert_user     = 'base';
$alert_password = 'an@l1st';

Original Line(s):
$archive_exists   = 0; # Set this to 1 if you have an archive DB
$archive_dbname   = 'snort_archive';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'mypassword';
Change to:
$archive_exists   = 1; # Set this to 1 if you have an archive DB
$archive_dbname   = 'archive';
$archive_host     = 'winids';
$archive_port     = '';
$archive_user     = 'base';
$archive_password = 'an@l1st';

Original Line(s): $show_rows = 48;
Change to: $show_rows = 90;

Original Line(s): $show_expanded_query = 0;
Change to: $show_expanded_query = 1;

Original Line(s): $colored_alerts = 0;
Change to: $colored_alerts = 1;

Original Line(s): $priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Note that base_conf.php now holds the 'base' database password in clear text inside the web root, so keep the Security Console local-only (see 'Security Issues' below) and do not copy this file anywhere else.

Original Line(s):
// $graph_font_name = "Verdana";
$graph_font_name = "DejaVuSans";
Change to:
$graph_font_name = "Verdana";
// $graph_font_name = "DejaVuSans";

Original Line(s): //$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to: $Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a CMD window and type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.'. At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key. At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR. At the next prompt tap the 'Enter' key. At the 'Press any key to continue . . .' prompt, press any key to exit back to the CMD prompt.

Install each of the PEAR packages below from the CMD prompt (less the outside quotes), tapping the 'Enter' key after each one. A successful install will display 'install ok: channel://pear.php.net/<package>-...' prior to dropping back to the CMD prompt:

'pear install Image_Color-alpha'
'pear install Image_Canvas-alpha'
'pear install Image_Graph-alpha'
'pear install Numbers_Roman-alpha'
'pear install Numbers_Words-alpha'
'pear install Log-alpha'
'pear install Mail-alpha'
'pear install Mail_Mime-alpha'
'pear install Math_BigInteger-alpha'

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key. Should display '2 file(s) copied.'.

Configuring IIS for the Windows Intrusion Detection Security Console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key. The 'Internet Information Services (IIS) Manager' opens. If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...', left-click 'No'. In the left pane under 'Connections' expand servername. Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', and highlight and left-click 'Advanced Settings'. In the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), and left-click 'OK'. Under servername left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Default Document', and under 'Actions' left-click 'Open Feature'. Under 'Actions' left-click 'Add...'; the 'Add Default Document' applet appears. In the 'Name:' dialog box type 'base_main.php' (less the outside quotes), and left-click 'OK'. In the 'Default Document' under the 'Name' column 'base_main.php' should be listed at the very top, and the 'Entry Type' should be 'Local'. eXit the 'Internet Information Services (IIS) Manager' applet.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
Change to:
config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): # output database: log, mysql, user=root password=test dbname=db host=localhost
Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Note that the last two lines are uncommented (the leading '#' is removed), and that the 'output database' line uses the restricted 'snort' account created earlier, not 'root'. Save the file, and eXit Notepad2.
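The three barnyard2.conf edits above (Windows paths for the map files, a larger event cache, and an uncommented 'output database' line that uses the 'snort' account) are easy to get subtly wrong, for example by leaving the leading '#' in place so that Barnyard2 silently never writes to MySQL. The following Python script is an added example, not part of this guide or of Barnyard2; it applies the same edits to a constructed excerpt of a stock barnyard2.conf and then checks the result for the mistakes that by2-test would otherwise surface later. The path 'd:\winids\snort\etc', the event cache size and the sensor name are taken from the guide; the excerpt itself is constructed for the example:

```python
import re

# Added example, not part of the WinIDS guide or of Barnyard2. Applies the
# guide's barnyard2.conf edits programmatically and checks the result.

# Constructed excerpt of a stock barnyard2.conf: the Linux-style defaults that
# the guide has you change by hand in Notepad2.
STOCK_CONF = """\
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# config event_cache_size: 4096

# output database: log, mysql, user=root password=test dbname=db host=localhost
"""

SNORT_ETC = r"d:\winids\snort\etc"          # the guide's Snort install location
MAP_FILES = {                               # config key -> file under SNORT_ETC
    "reference_file": "reference.config",
    "classification_file": "classification.config",
    "gen_file": "gen-msg.map",
    "sid_file": "sid-msg.map",
}
EVENT_CACHE_SIZE = 32768                    # value used by the guide

# A 'config key: value' line, with an optional leading '#' captured separately.
CONFIG_RE = re.compile(r"^(?P<comment>#\s*)?config\s+(?P<key>\w+):\s*(?P<value>.*?)\s*$")
# An 'output database: ...' line, again with the leading '#' captured.
OUTPUT_DB_RE = re.compile(r"^(?P<comment>#\s*)?output\s+database:\s*(?P<args>.*?)\s*$")


def localize(conf_text, db_user, db_password, db_name, db_host, sensor_name):
    """Return conf_text with the guide's path, cache-size and output edits applied."""
    out = []
    for line in conf_text.splitlines():
        m = CONFIG_RE.match(line)
        if m and m.group("key") in MAP_FILES:
            out.append(f"config {m.group('key')}: {SNORT_ETC}\\{MAP_FILES[m.group('key')]}")
        elif m and m.group("key") == "event_cache_size":
            out.append(f"config event_cache_size: {EVENT_CACHE_SIZE}")   # now uncommented
        elif OUTPUT_DB_RE.match(line):
            out.append(
                "output database: log, mysql, "
                f"user={db_user} password={db_password} dbname={db_name} "
                f"host={db_host} sensor_name={sensor_name}"
            )
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def output_database(conf_text):
    """Return the key=value fields of the active (uncommented) output line, else None."""
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)
        if m and not m.group("comment"):
            return dict(kv.split("=", 1) for kv in m.group("args").split() if "=" in kv)
    return None


def check(conf_text):
    """Return the problems a practitioner wants flagged before running by2-test."""
    problems = []
    for line in conf_text.splitlines():
        m = CONFIG_RE.match(line)
        if (m and not m.group("comment") and m.group("key") in MAP_FILES
                and m.group("value").startswith("/etc/")):
            problems.append(f"{m.group('key')} still points at a Linux path: {m.group('value')}")
    db = output_database(conf_text)
    if db is None:
        problems.append("no active 'output database:' line; events will never reach MySQL")
    else:
        if db.get("user") == "root":
            problems.append("Barnyard2 connects as root; use the restricted 'snort' account")
        if db.get("password") in (None, "", "test"):
            problems.append("output database still uses the placeholder password")
    return problems


if __name__ == "__main__":
    fixed = localize(STOCK_CONF, "snort", "l0gg3r", "snort", "winids", "WinIDS-Home")
    print("stock conf:", check(STOCK_CONF))
    print("fixed conf:", check(fixed) or "ok")
```

Run check() against the real 'd:\winids\barnyard2\etc\barnyard2.conf' (read the file and pass its text) before by2-test; an empty list means the paths, the cache size and the database account are as this guide intends. Passing 'root' as the database user is deliberately reported as a problem, since the whole point of the separate 'snort' account is that Barnyard2 never needs the DBA credentials.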

Testing the Barnyard2 configuration file

At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key. Running the above batch file will cause Barnyard2 to start up in self-test mode, checking all the supplied command line switches that are passed to it and indicating that everything is ready to proceed. If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good:

Barnyard2 successfully loaded configuration file!
Snort exiting
database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, exited, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key. The Registry Editor selection box opens and asks 'Are you sure you want to add...'; left-click 'Yes', and at the next input selection left-click 'OK'. The .reg file contains the run line for Barnyard2. Because this is a per-login Run entry rather than a Windows service, events are written to the database only while that user is logged on. At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot. When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

After the reboot open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box. Events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console. It may take a little while to start seeing events in the Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

Congratulations, you have just completed setting up your first complete Windows Intrusion Detection System (WinIDS). I encourage you to perform some post-installation tasks needed to get a fully production-ready Windows Intrusion Detection System (WinIDS). This includes:

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).

At this point you are done with this guided install, and I hope this guided install has been of great assistance.

Optional Companion Documents

Be SURE to check out the other 'Companion Documents' located in the WinIDS Guided Installs area of 'WINSNORT.com' to enhance your Windows Intrusion Detection System (WinIDS).

Manually updating the rules, signatures, and sig-msg.map file [6]
This guided install will show how to manually update the rules, signatures, and the 'sig-msg.map' file on an existing Windows Intrusion Detection System (WinIDS).

Automatically updating the rules, signatures, and sig-msg.map file using PulledPork
This guided install will show how to automatically update the rules, signatures, and the 'sig-msg.map' file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

Installing an eMail alerting client (EventWatchNT) [7]
This guided install will show how to have user defined priority events, sent to the Windows Application Log, eMailed to user defined eMail accounts.

Sending events to a remote Unix Syslog Server [8]
This guided install will show how to configure Snort to send events to a remote UNIX syslog server.

Installing MySQL Tools as an add-in to a MySQL enabled Windows Intrusion Detection System (WinIDS) [9]
This guided install will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. This will allow starting and stopping of the database. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.

Compiling Barnyard2 on Windows using Cygwin [10]
This guided install will show how to manually or automatically compile your very own copy of Barnyard2 on any modern Windows system.

Security Issues

Let's review what has happened so far: All support programs, including 'IIS 7.5/8', have been installed to a separate partition, which closed a multitude of security holes. The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Debugging Installation errors

Check the Event Viewer, as most of the support programs will throw FATAL errors into the Application log.

General problems

Please visit the support forums [11] if you have problems.

Places of interest

Websites
Snort Home Page [12]
Snort FAQ [13]
Snort Users Manual [14]
Official Snort Blog Site [15]
Snort-users list archive [16]
Snort.conf Configurations [17]
PulledPork and Flowbits [18]

Users Mailing Lists
Barnyard2-users [19]
pulledpork-users [20]
Snort-announce [21]
Snort-users [22]
Snort-sigs [23]
Snort-devel [24]

Support Programs
BASE Home Page [25]
Barnyard2 Home Page [26]
MySQL Home Page [27]
PostgreSQL Home Page [28]
PulledPork Home Page [29]
MySQL Tools [30]
PHP Home Page [31]
ADODB Home Page [32]
WinPcap Home Page [33]
Apache2 Home Page [34]

Security tools and info
XP Security Checklist [35]
NSA Securing XP [36]

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Me: michaels@winsnort.com [37]
Our Support Forums - winsnort.com [38]
Snort: Open Source Network IDS - www.snort.org [39]

Links
1. http://www.snort.org/download.cgi
2. http://www.subnet-calculator.com/cidr.php
3. http://php.net/timezones
4. http://www.microsoft.com/technet/security/tools/mbsahome.mspx
5. http://winsnort.com/index.php?module=PNphpbb2
6. http://winsnort.com/index.php?module=Pages&func=display&pageid=52
7. http://winsnort.com/index.php?module=Pages&func=display&pageid=50
8. http://winsnort.com/index.php?module=Pages&func=display&pageid=2
9. http://winsnort.com/index.php?module=Pages&func=display&pageid=21
10. http://winsnort.com/index.php?module=Pages&func=display&pageid=51
11. http://winsnort.com/index.php?module=PNphpbb2
12. http://www.snort.org/
13. http://www.snort.org/docs/faq.html
14. http://www.snort.org/docs/writing_rules/
15. http://blog.snort.org/
16. http://www.geocrawler.com/redir-sf.php3?list=snort-users
17. http://www.snort.org/vrt/snort-conf-configurations/
18. http://blog.snort.org/2012/01/importance-of-pulledpork.html
19. https://groups.google.com/forum/#!forum/barnyard2-users
20. http://groups.google.com/group/pulledpork-users
21. http://lists.sourceforge.net/mailman/listinfo/snort-announce
22. http://lists.sourceforge.net/mailman/listinfo/snort-users
23. http://lists.sourceforge.net/mailman/listinfo/snort-sigs
24. http://lists.sourceforge.net/mailman/listinfo/snort-devel
25. http://sourceforge.net/projects/secureideas/
26. https://github.com/firnsy/barnyard2
27. http://www.mysql.com/
28. http://www.postgresql.org/
29. http://code.google.com/p/pulledpork/
30. http://dev.mysql.com/downloads/administrator/1.0.html
31. http://php.net
32. http://php.weblogs.com/adodb
33. http://winpcap.polito.it/
34. http://httpd.apache.org/
35. http://www.labmice.net/articles/winxpsecuritychecklist.htm
36. http://nsa1.www.conxion.com/winxp/guides/wxp-1.pdf
37. mailto:michaels@winsnort.com?subject=General%20Support
38. http://winsnort.com/index.php?module=PNphpbb2
39. http://www.snort.org
40. http://winsnort.com/index.php?module=Pages&func=display&pageid=49&theme=Printer
