Installing a Windows Intrusion Detection System (WinIDS)
Installing an Apache2 Web Server logging events to a MySQL Database
By Morpheus
Introduction
Take Note: Winsnort has phased out support for the 32-bit architecture,
and all references to it have been removed from all the tutorials.
During my research and development I found a lot of tutorials and blogs
describing the installation process for the UNIX environment, yet none of
them specifically detailed setting this up in a Windows environment. I've
been working on and updating these tutorials for the past 12-plus years,
and have managed to get through the complete process in the Windows
environment.
These tutorials give all the basic instructions on how to create a complete,
all-inclusive standalone Windows Intrusion Detection System (WinIDS).
This is all made possible by simply wrapping Snort, a very powerful
intrusion detection engine, in a multitude of free open source programs.
Best of all, other than the cost of the Windows operating system, it's
completely free.
If there are any doubts about which tutorial should be used, there is a posted
topic HERE that provides the basics so an informed decision can be made
on which combination of software packages is best suited for the
installation.
Copyright Notice
Use the information in this document at your own risk. Michael Steele
disavows any potential liability for this document. Use of the concepts,
examples, and/or other content of this document is entirely at your own
risk.
This tutorial is written in the hope that it will be useful, but without any
warranty; without even the implied warranty of merchantability or fitness for
a particular purpose.
otherwise. Third party trademarks or brand names are the property of their
owners. Use of a term in this document should not be regarded as affecting
the validity of any trademark or service mark. Naming of particular products
or brands should not be seen as endorsements.
By request, there is a premium fee service available for one on one support.
If you have not acquired this tutorial directly from the winsnort.com
website, then you most likely do not have the latest revision of this
tutorial!
With the LTSC servicing model, customers can delay receiving feature
updates and instead only receive monthly quality updates on devices.
Features from Windows 10 that could be updated with new functionality,
including Cortana, Edge, and all in-box Universal Windows apps, are also
not included. Feature updates are offered in new LTSC releases every 2 to
3 years instead of every 6 months, and organizations can choose to
install them as in-place upgrades or even skip releases over a 10-year life
cycle. Microsoft is committed to providing bug fixes and security patches
for each LTSC release during this 10-year period.
The Long Term Servicing Channel is not intended for deployment on most
www.winsnort.com/tutorials/article/4-installing-an-apache2-web-server-logging-events-to-a-mysql-database/ 3/33
24/7/2020 Installing an Apache2 Web Server logging events to a MySQL Database - Installing a Windows Intrusion Detection System (WinIDS)…
All the operating systems listed above have been tested using this
tutorial. However, any other Windows operating system built on the same
framework will most likely work.
All available Service Packs and updates MUST be applied from the
Microsoft Download Center.
For these tutorials there are two partitions: C: (System) with 300GB,
and D: (WinIDS) with 1TB.
Installed memory should be no less than 4GB (more is always better).
The default installation path noted above is hard-coded into this tutorial,
and is also hard-coded into some of the install scripts. Installers will need
to make the appropriate changes in both places if the default installation
path is anything other than 'd:\winids', or if the support files are located
anywhere other than the 'd:\temp' folder.
Open File Explorer and navigate to the location of the 'winids-core.zip' file,
right-click the 'winids-core.zip' file, highlight and left-click 'Extract all...', in the
'Files will be extracted to this folder:' dialog box type 'd:\temp' (less the
outside quotes), left-click and uncheck the 'Show extracted files when
complete' check box, left-click 'Extract', in the 'Password:' dialog box type
'w1nsn03t.c0m' (less the outside quotes), left-click 'OK', and eXit File
Explorer.
It is imperative to only use the files downloaded from the URL links below.
All the files have been verified as compatible with this particular Windows
Intrusion Detection Systems (WinIDS) tutorial. All the files below will need
to be downloaded into the folder (d:\temp) that was created when the files
from the above 'WinIDS - Core Software Support Pack' were extracted.
Snort 2_9_16: Download and save the file to the d:\temp folder.
Note: If the installer is not logged into the snort.org website prior to
initiating the next download, the installer will be re-directed to the
snort.org website. At that point either create a new account or login. While
still being logged into the snort.org website return to the Windows
Intrusion Detection Systems (WinIDS) tutorial, and initiate the next
download.
Strawberry Perl 5.30.2.1: Download and save the file to the d:\temp
folder.
Apache2 2.4.43 (VS16): Download and save the file to the d:\temp
folder.
Apache2 FastCGI module 2.3.10 (VS16): Download and save the file
to the d:\temp folder.
PHP 5.6.40 TS (VC11): Download and save the file to the d:\temp
folder.
Note: If the User Account Control dialog box appears at ANY time during
this install ALWAYS left-click 'Yes' to continue, or the install will fail.
The correct source drive letter where the Windows install media is located
must be inserted into the 'x' position above.
After the reboot it is strongly advised that the Microsoft Baseline Security
Analyzer (MBSA) be used to identify and correct common security
misconfigurations. Each issue should be resolved prior to starting this tutorial.
Installing Npcap
The 'Snort has been successfully installed' window opens, left-click 'OK'.
The switch for the Network Interface Card will always be '-ix' (less the
outside quotes), where 'x' (less the outside quotes) represents the 'Index'
number of the Network Interface Card that the Windows Intrusion Detection
System (WinIDS) will be monitoring.
The above run line requires the 'Index' number of the monitoring
Network Interface Card in place of the 'x' position above. This
starts Snort in verbose mode, verifying that there is network traffic on
interface 'x'.
There should now be multiple packets passing through the CMD window,
and something similar to the following output is a confirmation indicating
that everything is ready to proceed.
Note: If no traffic is passing through the CMD window, try another 'Index'
number.
After verifying active network traffic, eXit the web-browser, activate the CMD
window, and press the 'CTRL/C' keys to stop the Snort process.
The 'Welcome to the Setup Wizard for Strawberry Perl...' window opens,
left-click 'Next'.
The 'End-User License Agreement' window opens, left-click checking the 'I
accept the terms...' radio button, and left-click 'Next'.
The 'Destination Folder' window opens, in the 'Install Strawberry Perl to:'
dialog box type 'd:\winids\strawberry\' (less the outside quotes), and left-click
'Next'.
The 'Install Strawberry Perl..' window opens, allow the install to complete,
and left-click 'Next'.
The 'Completed the Strawberry Perl...' window opens, uncheck the 'Read
README file.' radio box, and left-click 'Finish'.
At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter'
key.
Open a CMD window with Administrator privileges and type 'unzip -oqq
d:\temp\httpd-2.4.43-win64-VS16.zip -d d:\winids' (less the outside quotes),
and tap the 'Enter' key.
Installing Barnyard2
The MySQL installer 'Select Products and Features' window opens. Under
'Available Products:' left-click expanding 'MySQL Servers', left-click
expanding 'MySQL Server', left-click expanding 'MySQL Servers 8.0', left-
click highlighting 'MySQL Server 8.0.xx - X64', left-click the green arrow
pointing to the right moving the 'MySQL Server 8.0.xx - X64' to the
The MySQL installer 'High Availability' window opens. Verify the radio button
to the left of 'Standalone MySQL Server / Classic MySQL Replication' is
selected, and left-click 'Next'.
The MySQL installer 'Type and Networking' window opens. Under 'Server
Configuration Type' left-click 'Config Type:', left-click selecting 'Server
Computer', and left-click 'Next'.
The MySQL installer 'Accounts and Roles' window opens. In the 'MySQL
Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the
'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes),
and left-click 'Next'.
Should display '1 file(s) copied.', and return to the command prompt.
Installing ADODB
Installing PHP
The 'sid-msg.map' file maps the alert message (the rule's 'msg' string) to
the SID number assigned to each rule.
This really comes into play when the output method from Snort is the
unified2 format and Barnyard2 reads that output for input into the
database.
Since the rule msg is not stored in the unified2 file format, Barnyard2 must
read the sid-msg.map file to look up, by SID, the correct name for each
event when it inserts the alert into the database.
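The lookup described above, as an added example that is not code from this tutorial or from the Snort and Barnyard2 projects: a parser for both layouts of the sid-msg.map file and a routine that attaches the rule msg to unified2-style records, which carry only the generator id, SID and revision. The map contents, the rule messages (local SIDs in the 1000001+ range) and the event records are all constructed for the example, and the generic label used for an unmapped SID is our own wording, not Barnyard2's.

```python
"""Parse a Snort sid-msg.map file and use it to label unified2-style events.

Added example for the WinIDS tutorial; it is not code from the tutorial or
from the Snort/Barnyard2 projects. Two layouts of the file are handled:
  version 1:  sid || msg || ref || ref ...
  version 2:  first line '#v2', then
              gid || sid || rev || classification || priority || msg || ref ...
The map contents and the event records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEP = "||"


@dataclass(frozen=True)
class RuleInfo:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str = ""
    priority: Optional[int] = None
    refs: Tuple[str, ...] = ()


def parse_sid_msg_map(text: str) -> Dict[Tuple[int, int], RuleInfo]:
    """Return a {(gid, sid): RuleInfo} table from sid-msg.map text."""
    lines = text.splitlines()
    is_v2 = bool(lines) and lines[0].strip() == "#v2"
    table: Dict[Tuple[int, int], RuleInfo] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(SEP)]
        if is_v2:
            if len(fields) < 6:
                raise ValueError(f"malformed v2 line: {raw!r}")
            info = RuleInfo(
                gid=int(fields[0]), sid=int(fields[1]), rev=int(fields[2]),
                classification=fields[3],
                priority=int(fields[4]) if fields[4] else None,
                msg=fields[5],
                refs=tuple(r for r in fields[6:] if r),
            )
        else:
            if len(fields) < 2:
                raise ValueError(f"malformed v1 line: {raw!r}")
            # Version 1 has no gid column; plain text rules are generator 1.
            info = RuleInfo(gid=1, sid=int(fields[0]), rev=0, msg=fields[1],
                            refs=tuple(r for r in fields[2:] if r))
        table[(info.gid, info.sid)] = info
    return table


def label_event(table: Dict[Tuple[int, int], RuleInfo],
                gid: int, sid: int, rev: int = 0) -> str:
    """Name an event: the rule msg if the sid is mapped, otherwise a generic
    label built from the ids unified2 does carry (our own fallback wording)."""
    info = table.get((gid, sid))
    return info.msg if info else f"Snort Alert [{gid}:{sid}:{rev}]"


def enrich_events(table: Dict[Tuple[int, int], RuleInfo],
                  events: List[dict]) -> List[dict]:
    """Attach a 'msg' field to unified2-style records that only carry gid/sid/rev."""
    return [dict(ev, msg=label_event(table, ev["gid"], ev["sid"], ev.get("rev", 0)))
            for ev in events]


# Constructed sample map in the v2 layout, using local-rule SIDs.
SAMPLE_V2_MAP = """\
#v2
# gid || sid || rev || classification || priority || msg || ref
1 || 1000001 || 1 || attempted-recon || 2 || LOCAL ICMP echo request from outside || url,example.invalid/rules/icmp
1 || 1000002 || 2 || misc-activity || 3 || LOCAL SMB null session attempt ||
"""

# Constructed sample map in the v1 layout for the same two rules.
SAMPLE_V1_MAP = """\
1000001 || LOCAL ICMP echo request from outside || url,example.invalid/rules/icmp
1000002 || LOCAL SMB null session attempt
"""

# Constructed unified2-style records: note that there is no msg field.
SAMPLE_EVENTS = [
    {"gid": 1, "sid": 1000001, "rev": 1, "src": "198.51.100.7", "dst": "192.0.2.10"},
    {"gid": 1, "sid": 4242424, "rev": 0, "src": "192.0.2.5", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    table = parse_sid_msg_map(SAMPLE_V2_MAP)
    for ev in enrich_events(table, SAMPLE_EVENTS):
        print(f"[{ev['gid']}:{ev['sid']}:{ev['rev']}] {ev['src']} -> {ev['dst']}  {ev['msg']}")
```

The second constructed event uses a SID that is not in the map, which is what an analyst sees in the console when a rule set is updated but the sid-msg.map is not regenerated: the event arrives, but only with its numeric ids.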
Use the Find option in Notepad2 to locate and change the variables
below.
Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
The switch for the Network Interface Card will always be '-ix' (less the
outside quotes), where 'x' (less the outside quotes) represents the 'Index'
number of the Network Interface Card that the Windows Intrusion Detection
System (WinIDS) will be monitoring.
The above run line requires the 'Index' number of the monitoring
Network Interface Card in place of the 'x' above.
This starts Snort in self-test mode for configuration and rule file testing;
depending on the resources used and/or available, the self-test could take
several minutes to run.
If all the tests pass, the following output confirms that the Snort
configuration file and rules have tested successfully.
Configuring PHP
Should display '1 file(s) copied.', and return to the CMD prompt.
Use the Find option in Notepad2 to locate and change the variables
below.
Use the Find option in Notepad2 to locate and change the variables
below.
Original Line(s): DirectoryIndex index.html
Scroll all the way to the bottom of the file and insert the next 26 lines of
code:
<IfModule fcgid_module>
FcgidInitialEnv PHPRC "d:\winids\php"
FcgidInitialEnv PATH "d:\winids\php;c:\Windows\system3
FcgidInitialEnv SystemRoot "c:\Windows"
FcgidInitialEnv SystemDrive "c:"
FcgidInitialEnv TEMP "c:\Windows\Temp"
FcgidInitialEnv TMP "c:\Windows\Temp"
FcgidInitialEnv windir "c:\Windows"
FcgidIOTimeout 40
FcgidConnectTimeout 10
FcgidMaxProcesses 8
FcgidOutputBufferSize 64
ProcessLifeTime 0
FcgidMaxRequestsPerProcess 0
FcgidMinProcessesPerClass 0
FcgidMaxProcesses 50
FcgidFixPathinfo 0
FcgidZombieScanInterval 20
FcgidMaxRequestLen 536870912
FcgidIOTimeout 120
<Files ~ "\.php$">
Options Indexes FollowSymLinks ExecCGI
AddHandler fcgid-script .php
FcgidWrapper "d:/winids/php/php-cgi.exe" .php
</Files>
</IfModule>
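The block above sets FcgidIOTimeout (40, then 120) and FcgidMaxProcesses (8, then 50) twice inside the same container. Apache reads a configuration top to bottom, and for a single-valued directive the last occurrence in a scope is the one that takes effect, so the earlier lines are dead configuration that can mislead anyone reviewing the server's request-size, timeout and process limits. The following is an added example, not code from this tutorial or from the Apache project: a small scope-aware lint that reports such repeats and tells you which value is actually in force. The fragment it checks is a constructed, shortened copy of the block above, and the list of directives that are allowed to repeat is our own assumption.

```python
"""Find Apache directives that are set more than once in the same container.

Added example for the WinIDS tutorial; not code from the tutorial or from the
Apache project. For single-valued directives the last occurrence in a scope
wins, so repeated FcgidIOTimeout / FcgidMaxProcesses lines leave only their
final value in effect. The fragment below is a constructed, shortened copy of
the tutorial's mod_fcgid block.
"""
import re
from typing import Dict, List, Optional, Tuple

# Directives that are meant to repeat (each occurrence adds an entry rather
# than replacing the previous one). Assumed list for this example.
MULTI_VALUED = {"FcgidInitialEnv", "AddHandler", "LoadModule", "Include",
                "IncludeOptional", "Alias"}

OPEN_RE = re.compile(r"^<(\w+)\b[^>]*>$")     # <IfModule ...>, <Files ~ "...">
CLOSE_RE = re.compile(r"^</(\w+)>$")          # </Files>, </IfModule>

Occurrences = Dict[Tuple[str, str], List[str]]


def directive_occurrences(conf: str) -> Occurrences:
    """Map (scope path, directive name) -> values in the order they appear."""
    seen: Occurrences = {}
    scope: List[str] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_RE.match(line)
        if m:
            if not scope or scope[-1] != m.group(1):
                raise ValueError(f"line {lineno}: unexpected {line}")
            scope.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            scope.append(m.group(1))
            continue
        name, _, value = line.partition(" ")
        key = ("/".join(scope) or "<root>", name)
        seen.setdefault(key, []).append(value.strip())
    if scope:
        raise ValueError(f"unclosed container(s): {scope}")
    return seen


def duplicate_directives(conf: str) -> Occurrences:
    """Single-valued directives that appear more than once in one scope."""
    return {key: values for key, values in directive_occurrences(conf).items()
            if len(values) > 1 and key[1] not in MULTI_VALUED}


def effective_value(conf: str, directive: str, scope: str = "IfModule") -> Optional[str]:
    """The value Apache ends up using: the last one set in that scope."""
    values = directive_occurrences(conf).get((scope, directive))
    return values[-1] if values else None


# Constructed, shortened copy of the tutorial's block (raw string keeps the
# Windows backslashes as written in httpd.conf).
SAMPLE_FRAGMENT = r"""
<IfModule fcgid_module>
FcgidInitialEnv PHPRC "d:\winids\php"
FcgidInitialEnv TEMP "c:\Windows\Temp"
FcgidIOTimeout 40
FcgidConnectTimeout 10
FcgidMaxProcesses 8
FcgidMaxRequestLen 536870912
FcgidIOTimeout 120
FcgidMaxProcesses 50
<Files ~ "\.php$">
Options Indexes FollowSymLinks ExecCGI
AddHandler fcgid-script .php
FcgidWrapper "d:/winids/php/php-cgi.exe" .php
</Files>
</IfModule>
"""

if __name__ == "__main__":
    for (scope, name), values in duplicate_directives(SAMPLE_FRAGMENT).items():
        print(f"{scope}: {name} set {len(values)} times {values}; "
              f"in effect: {values[-1]}")
```

Run it against the real httpd.conf by reading the file into a string instead of SAMPLE_FRAGMENT; the two FcgidInitialEnv lines are not reported because that directive is legitimately repeated once per environment variable.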
The 'User Alert Security' dialog box may appear requesting permission to
allow the 'Apache HTTP Server' to communicate with the private internal
network; if it does, left-click 'Allow access'.
You should see the following as a confirmation that the Apache service
has been successfully installed, and the Apache configuration file has
been tested.
At the CMD prompt type 'net start apache2.4' (less the outside quotes), and
tap the 'Enter' key.
Should display '1 file(s) copied.', and return to the CMD prompt.
In the first section of information make SURE that the item labeled
'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the
outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes)
make SURE that the item labeled 'extension_dir' is pointing to
'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less
the outside quotes), and 'Master Values' (less the outside quotes).
In the section labeled 'Configuration - PHP Core' (less the outside quotes)
make SURE that the item labeled 'include_path' is pointing to
'd:\winids\php;d:\winids\php\pear' (less the outside quotes) in columns
'Local Values' (less the outside quotes), and 'Master Values' (less the
outside quotes).
In the section labeled 'session' (less the outside quotes) make SURE that
At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes),
and tap the 'Enter' key.
The switch for the Network Interface Card will always be '-ix' (less the
outside quotes), where 'x' (less the outside quotes) represents the 'Index'
number of the Network Interface Card that the Windows Intrusion Detection
System (WinIDS) will be monitoring.
The above run line requires the 'Index' number of the monitoring
Network Interface Card in place of the 'x' above.
Do not proceed until the Snort service has been successfully added
to the Windows Services Database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside
quotes), and tap the 'Enter' key.
The following is a confirmation that the Snort auto-start service has been
successfully activated.
Use the Find option to locate the line '[mysqld]' (less the outside quotes),
and add the next two lines just below it.
character-set-server=utf8
bind-address=127.0.0.1
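The 'bind-address=127.0.0.1' line is the security-relevant one: it keeps MySQL listening on the loopback interface only, which is all that Barnyard2, Apache and BASE on the same host need, so the event database is never reachable from the network. As an added example (not code from this tutorial or from MySQL), the following reads a my.ini and reports when the [mysqld] section is missing, binds to a non-loopback address, or lacks the character set the tutorial sets. Both my.ini texts are constructed; the real file's path and the other options in it differ.

```python
"""Check the [mysqld] section of a MySQL my.ini for the two lines the WinIDS
tutorial adds. Added example; not code from the tutorial or from MySQL.
Both sample my.ini texts below are constructed.
"""
import configparser
import ipaddress
from typing import List


def parse_my_ini(text: str) -> configparser.ConfigParser:
    # my.ini is INI-style but has value-less options (e.g. skip-name-resolve)
    # and can repeat keys, so parse leniently and keep option names as written.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_loopback_binding(value: str) -> bool:
    """True only for bindings that cannot be reached from another host."""
    v = value.strip()
    if v.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(v).is_loopback   # 127.0.0.1, ::1
    except ValueError:
        return False   # '*' style wildcards or a hostname: treat as exposed


def check_mysqld_settings(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is as expected."""
    cp = parse_my_ini(text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section: the tutorial's two lines were not added"]
    sect = cp["mysqld"]
    problems: List[str] = []
    bind = sect.get("bind-address")
    if bind is None:
        problems.append("bind-address not set: MySQL falls back to its default, "
                        "which listens on every interface")
    elif not is_loopback_binding(bind):
        problems.append(f"bind-address={bind} accepts connections from the network; "
                        "expected 127.0.0.1")
    charset = sect.get("character-set-server")
    if charset != "utf8":
        problems.append(f"character-set-server={charset!r}; the tutorial sets utf8")
    return problems


# Constructed my.ini as it should look after the tutorial's edit.
SAMPLE_OK = """\
# constructed sample
[mysqld]
port=3306
character-set-server=utf8
bind-address=127.0.0.1
datadir=D:/winids/mysql/data
skip-name-resolve
"""

# Constructed my.ini that listens on every interface and skipped the charset.
SAMPLE_EXPOSED = """\
[mysqld]
port=3306
bind-address=0.0.0.0
"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(label, check_mysqld_settings(text) or "no problems")
```

To check the installed file, pass the contents of the real my.ini to check_mysqld_settings instead of the constructed sample; an empty list is the expected result after the two lines have been added and the service restarted.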
You will be dropped into the MySQL administration console CMD prompt.
At the mysql CMD prompt type 'create database snort;' (less the outside
quotes), and tap the 'Enter' key.
It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'create database archive;' (less the outside
quotes), and tap the 'Enter' key.
It will display 'Query OK...' and drop back to the mysql prompt.
At the mysql CMD prompt type 'show databases;' (less the outside quotes),
and tap the 'Enter' key.
It will display 'Current database: snort' and drop back to the mysql prompt.
It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and
drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes), and
tap the 'Enter' key.
The last entry to the screen should show '22 rows in set (0.00 sec)' (less
the outside quotes), and drop back to the mysql prompt.
At the mysql CMD prompt type 'connect archive;' (less the outside quotes),
and tap the 'Enter' key.
It will display 'Current database: archive' and drop back to the mysql
prompt.
It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and
drop back to the mysql prompt.
At the mysql CMD prompt type 'show tables;' (less the outside quotes), and
tap the 'Enter' key.
The last entry to the screen should show '22 rows in set (0.00 sec)' (less
the outside quotes), and drop back to the mysql prompt.
It will display 'Query OK' and drop back to the mysql prompt.
It will display 'Query OK' and drop back to the mysql prompt.
It will display 'Query OK' and drop back to the mysql prompt.
It will display 'Query OK' and drop back to the mysql prompt.
It will display 'Query OK' and drop back to the mysql prompt.
At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and
tap the 'Enter' key.
At the mysql CMD prompt type 'select user from user;' (less the outside
quotes), and tap the 'Enter' key.
At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the
'Enter' key.
At the CMD prompt type 'net stop mysql & net start mysql' (less the outside
quotes), and tap the 'Enter' key.
At the CMD prompt type 'net start snort' (less the outside quotes), and tap
the 'Enter' key.
At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the
'Enter' key.
The 'Windows Task Manager' starts. In the bottom left, left-click and check 'Show
processes from all users', left-click the 'Processes' tab, and under the 'Image name'
column 'snort.exe' and 'mysqld.exe' should both be listed as running processes.
Should display '1 file(s) copied.', and return to the CMD prompt.
The above command may take a few minutes to complete, as it is moving
twenty thousand plus files.
Use the Find option in Notepad2 to locate and change the variables
below.
Original Line(s):
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';
Change to:
$alert_dbname = 'snort';
$alert_host = 'winids';
$alert_port = '';
$alert_user = 'base';
$alert_password = 'an@l1st';
Original Line(s):
$archive_user = 'snort';
$archive_password = 'mypassword';
Change to:
Should display '1 file(s) copied.', and return to the CMD prompt.
At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and
tap the 'Enter' key.
At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and
tap the 'Enter' key.
At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.
At the 'Press any key to continue . . .', press any key to exit back to the CMD
prompt.
At the CMD prompt type 'pear list -a' (less the outside quotes), and tap the
'Enter' key.
The above command line lists all the installed PEAR packages that are
required for the graphing capabilities of BASE, the Windows Intrusion
Detection Systems (WinIDS) web-based GUI security console.
Do not proceed until all the highlighted PEAR packages above have
been successfully installed.
Should display '2 file(s) copied.', and return to the CMD prompt.
Configuring Barnyard2
Use the Find option in Notepad2 to locate and change the variables
below.
Original Line(s):
Change to:
This will start Barnyard2 in self-test mode for configuration testing, and
depending on the resources used and/or available it could take up to 30
minutes to run the self-test mode.
If all the tests are passed, the following is a confirmation that the
Barnyard2 configuration file is good.
The Registry Editor selection box opens and asks; 'Are you sure you want to
add...', left-click 'Yes', and at the next input selection left-click 'OK'.
At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and
tap the 'Enter' key to reboot.
Open a web-browser and type 'http://winids' (less the outside quotes) into
the URL Address box, and tap the 'Enter' key.
After the reboot it could take several minutes for events to start populating
the Windows Intrusion Detection Systems (WinIDS) Security
Console. Refreshing the browser will show new events as they are added. If no
events start to show up in a reasonable length of time, visit the
forums for help on manually generating events.
In Conclusion
I hope this tutorial has been helpful to you. Please feel free to provide
feedback, both issues you experienced and recommendations that you
might have. The goal of this tutorial was not just for you to create a
Windows Intrusion Detection System (WinIDS) using the most advanced
intrusion detection engine known as Snort, but to understand how all the
parts work together, and get a deeper understanding of all the components,
so that you can troubleshoot and modify your Windows Intrusion Detection
System (WinIDS) with confidence.
At this point you are done with this tutorial, events should be arriving into the
database, and you should be seeing events in the local Windows Intrusion
Detection Systems (WinIDS) Security Console. I encourage you to perform
some post-installation tasks needed to get a fully production-ready
'Windows Intrusion Detection System (WinIDS)'.
This includes:
Security Issues
Check the Event Viewer as most of the support programs will throw FATAL
errors into the Windows Application log.
For general problem issues that pertain to this specific tutorial, left-click the
get community support button at the top of this tutorial, or manually navigate
to the correct community support forum pertaining to this specific tutorial.
Feedback
I would love to get feedback from you about this tutorial. Any
recommendations, or ideas, please leave feedback HERE.