
WinIDS - Windows 7 / 2008 / 2012 - IIS 7.5 / 8 - MySQL :: WINSNORT...

http://winsnort.com/index.php?module=Pages&func=display&pageid=4...

32/64bit Windows Intrusion Detection System (WinIDS) Guided Install

Written by: Michael E. Steele


IIS 7.5 / 8 Web Server, MySQL Database Server
Last Date Revised: May 20, 2013

Introduction
When it comes to deploying an IDS (Intrusion Detection System), many network engineers automatically think of Snort. Why? First, it is a highly capable, full-featured Intrusion Detection System (one that can even act as an Intrusion Prevention System with the appropriate tweaks). Second, it is completely free, both the binaries and the source code tree. Snort also runs on many platforms, including Linux, MS Windows and FreeBSD, so there are plenty of options for deploying it. However, installing the Windows Intrusion Detection System (WinIDS) with a production-ready setup always takes a while, all the more so when you have to "discover" many things and solve many issues on your own in order to complete the setup. I've managed to get through that process in the Windows environment and now I'd like to share my process with you. During my research I found a lot of guides and blogs like this one describing the installation process. Yet none of them specifically detailed setting this up in a Windows environment, so I had to gather a lot of information and generate some of it myself.

Copyright Notice
This document is Copyright 2002-2013 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered. Use the information in this document at your own risk. Michael Steele disavows any potential liability for this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk. This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

1 of 21

6/26/2013 9:11 PM

Support Questions and Help


All support questions MUST be directed to the support forums [1]. This is a way to address the masses, instead of a single person. If you haven't acquired this guide directly from the Winsnort.com [2] website, then you most likely don't have the latest revision!

My setup is a classical Windows Intrusion Detection System (WinIDS) deployment:


- The Snort detection engine will be running in passive mode, logging events to a unified2 log file.
- Barnyard2 will be processing the Windows Intrusion Detection System (WinIDS) unified2 log files.
- A MySQL-driven database will store the processed events/logs for further analysis.
- The Internet Information Services 7.5 / 8 web server will drive the Windows Intrusion Detection System (WinIDS) analysis GUI console.
- BASE will serve as the web-based Windows Intrusion Detection System (WinIDS) events analysis GUI console.

I have to say that even though this guided install is written to seamlessly integrate these tools, I've done my best to describe the installation process of each component as generally as possible. This way, you can take the important elements and develop your own setup integrating other tools. Although I created this guide using a single computer, it's very easy to extend the deployment to multiple computers (a multi-tier approach), each one in charge of one task (i.e. sensors, database server, web server).

Operating System and Configuration Setup


Supported 32/64bit operating systems for this Windows Intrusion Detection System (WinIDS) guided install

It is imperative that any of the supported Microsoft operating systems listed below have all the latest service packs and security updates installed from the Microsoft Windows update site. Failure to complete this task will most likely cause the Windows Intrusion Detection System (WinIDS) guided install to fail.

- Windows XP Professional (SP3)
- Windows 7 Professional (SP1)
- Windows Server 2003 Standard Edition (SP2)
- Windows Server 2008 Standard Edition (SP2)
- Windows Server 2012 Standard Edition

Only the supported Microsoft operating systems listed above have been thoroughly tested in both the 32bit and 64bit environments for this particular guided install. It is highly recommended to install the Windows Intrusion Detection System (WinIDS) on a fresh, clean Windows installation, making sure all the latest service packs and security updates from the Microsoft update center have been installed. This is how I've set up and tested the Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure. I'll be using Windows XP Pro (SP3) 32bit, but any 32/64bit version of Windows listed above will do. I've created a user named 'Operator', set the password to 'z1pp3r', and assigned user 'Operator' Administrative privileges. I'm installing the complete Windows Intrusion Detection System (WinIDS) logged on as user 'Operator'. I have 3GB of memory installed; anything over 2GB should be fine, but the absolute minimum is 2GB (more is better). I'm using two partitions - C: (System) with 300GB, and D: (WinIDS) with 1TB. I'm installing the complete Windows Intrusion Detection System (WinIDS) into the 'd:\winids' folder.


Pre-installation Tasks

Downloading and extracting the 'Windows Intrusion Detection Systems (WinIDS) Software Pack'
Only use the files in the 'WinIDS - (32/64bit) Software Pack'. These files have been thoroughly tested in all the Windows Intrusion Detection System (WinIDS) guided installs. Using other files not included in the appropriate Windows Intrusion Detection System (WinIDS) Software Pack will most likely cause the Windows Intrusion Detection System (WinIDS) guided install to fail. There may be more recent versions of the supporting packages available, but they have either not been tested, or there is a problem that could cause the guided install to fail.

Depending on the processor's architecture, download the appropriate 'WinIDS - (32/64bit) Software Pack' below!

32bit: Download the 'WinIDS - 32bit Software Pack' to the 'd:\' drive.
64bit: Download the 'WinIDS - 64bit Software Pack' to the 'd:\' drive.

Open a CMD window and type 'd:\winids-sp-xxx-xx.xx.xx.exe' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'winids-sp-xxx-xx.xx.xx.exe' filename with the actual filename that was downloaded to the 'd:\' drive above. The WinIDS self-extracting archive wizard appears; in the 'Destination folder' dialog box type 'd:\temp' (less the outside quotes), left-click 'Extract', in the 'Enter password' dialog box type 'w1nsn03t.c0m' (less the outside quotes), and left-click 'OK', allowing all the Windows Intrusion Detection System (WinIDS) files to be extracted to the 'd:\temp' folder; the WinIDS self-extracting archive wizard then closes automatically.

System configuration changes


At the CMD prompt type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key. Do not proceed until the above script has rebooted the system, and this could take several minutes. The modder.vbs file performs several tasks:

- Turns 'UAC' off for Windows 7, Server 2008, and Server 2012
- Installs 'Microsoft .NET Framework 4.0' for Windows XP, and Server 2003
- Installs 'IP Version 6' for Windows XP, and Server 2003
- Installs 'Notepad2' to Windows\System32
- Installs 'unzip' to Windows\System32
- Installs 'tartool' to Windows\System32
- Inserts the 'winids' hostname into the hosts file
- Sets 'Hidden Files' to off in the registry
- Sets 'Show File Extensions' to on in the registry
- Sets 'Visual Effects' to minimal in the registry
- Reboots the system

I strongly suggest that after the reboot, the Microsoft Baseline Security Analyzer [3] (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this guided install.

Installing the Basic Windows Intrusion Detection System (WinIDS)


Installing WinPcap
Open a CMD window and type 'd:\temp\WinPcap_4_1_3.exe' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'WinPcap_4_1_3.exe' filename with the actual filename located in the 'd:\temp' folder.

If the 'Program Compatibility Assistant' appears, left-click 'Run the program without getting help'. The WinPcap installation wizard appears, left-click 'Next', left-click 'Next', left-click the 'I Agree' button, make SURE 'Automatically start the WinPcap driver at boot time' is checked, left-click 'Install', and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine


At the CMD prompt type 'd:\temp\Snort_2_9_4_6_Installer.exe' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'Snort_2_9_4_6_Installer.exe' filename with the actual filename located in the 'd:\temp' folder. The Snort installation wizard appears, left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box, type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic
At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key. The following is a partial example of what might be listed as valid Network Interface Cards.

    Index  Physical Address   IP Address
    -----  ----------------   ----------
    1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list, the 'Index' number is important, and will need to be remembered for later use in the guided install. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that the Windows Intrusion Detection System (WinIDS) will monitor. The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that the Windows Intrusion Detection System (WinIDS) will monitor. At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x' in the '-ix' switch. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'. There should now be multiple packets passing through the CMD window, and output similar to the following confirms that everything is ready to proceed.

    10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
    TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


After verifying active network traffic, eXit the web browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process. If no traffic is passing through the CMD window, and there were multiple Network Interface Cards listed, try another 'Index' number.

Do not proceed until network traffic is being displayed in the CMD window.

Installing Latest Rule Set


At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-2941.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key. In the above replace the 'snortrules-snapshot-2941.tar.gz' filename with the actual filename located in the 'd:\temp' folder.

Installing Strawberry Perl


32bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'strawberry-perl-5.14.2.1-32bit.msi' filename with the actual filename located in the 'd:\temp' folder.

64bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'strawberry-perl-5.14.2.1-64bit.msi' filename with the actual filename located in the 'd:\temp' folder. The Strawberry Perl installation wizard appears, left-click 'Next', left-click the 'I accept the terms...' radio button, left-click 'Next', in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), left-click 'Next', left-click 'Install', left-click and uncheck the 'Read README file.' radio box, and left-click 'Finish'. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites


Open a CMD window and type 'perl -MCPAN -e shell' (less the outside quotes), and tap the 'Enter' key. At the 'cpan' CMD prompt type 'install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key. The above command will take several minutes to perform the install. At the 'cpan' CMD prompt type 'quit' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Windows 7


At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Uninstall or Change a program' control panel opens; under 'Control Panel Home', left-click 'Turn Windows features on or off'. In 'Turn Windows features on or off' expand 'Internet Information Services', to the left of 'Web Management Tools' left-click the radio box (it may only turn blue), to the left of 'World Wide Web Services' left-click and check the radio box (it may only turn blue), expand 'World Wide Web Services', expand 'Application Development Features', left-click and check all features except 'Server-Side Includes', left-click 'OK' allowing Windows to make the changes, and eXit the 'Uninstall or Change a program' control panel. At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Server 2008


At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Uninstall or Change a program' control panel opens; under 'Control Panel Home', left-click 'Turn Windows features on or off', and the 'Server Manager' opens. In the 'Server Manager' window, scroll down to 'Roles Summary', and left-click 'Add Roles'. The 'Add Roles Wizard' starts; left-click 'Next' opening the 'Select Server Roles' page. Left-click the select box to the left of 'Web Server (IIS)', and left-click 'Next'. At the 'Web Server (IIS)' page left-click 'Next'. At the 'Select Role Services' page scroll down and expand 'Application Development'. Left-click the select box to the left of 'Application Development' selecting all server roles. To the left of 'Server Side Includes' left-click, unselecting 'Server Side Includes', and left-click 'Next'. At the 'Confirm Installation Selections' page left-click 'Install', left-click 'Close', exit the 'Server Manager', and exit 'Programs and Features'. At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 8 - Server 2012


At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key. The 'Programs and Features' control panel opens; left-click 'Turn Windows features on or off'. The 'Server Manager' opens, and the 'Add Roles and Features Wizard' opens. At the 'Before you begin' selection window, left-click 'Next'. At the 'Select installation type' selection window, left-click 'Next'. At the 'Select destination server' selection window, left-click 'Next'. At the 'Select server roles' selection window, under 'Roles' scroll down and left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' window opens; left-click 'Add Features', and left-click 'Next'. At the 'Select features' selection window, left-click 'Next'. At the 'Web Server Role (IIS)' selection window, left-click 'Next'. At the 'Select role services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm installation selections' selection window, left-click 'Install' allowing IIS to complete the features installation, left-click 'Close', eXit 'Programs and Features', and eXit the 'Server Manager'. At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Installing the Windows Intrusion Detection Systems (WinIDS) Security Console


BASE is used for the Windows Intrusion Detection System (WinIDS) Security Console, and is a web-based security analysis tool. It is a tiny application whose only task is to display and report Snort events. The Windows Intrusion Detection System (WinIDS) Security Console uses a database backend to get its data. This database is the same database that will be populated directly by Snort's output database routine. At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'base-1.4.5.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing Barnyard2
Barnyard2 will run and reside in a terminal window located in the Windows taskbar on boot. Barnyard2 is in charge of parsing and processing Snort's unified2 log files and sending them to a specified destination (where they will be used for security analysis and monitoring), such as a database server. As Barnyard2 runs independently of Snort, it doesn't need to process the logs/alerts in real time, that is, at the same time that Snort generates them. Barnyard2 only needs to keep track of how many events it has processed at a given time. For this purpose, Barnyard2 uses a "waldo" file, where it saves the name of the log/alert file being processed, and the offset within that file.


Barnyard2 is capable of processing Snort's unified2 log files. For this guided install, Barnyard2 will be sending the processed unified2 log data to a MySQL database backend server. At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-2-1.13.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'barnyard2-2-1.13.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing the MySQL Database Server


At the CMD prompt type 'd:\temp\mysql-installer-community-5.5.30.1.msi' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'mysql-installer-community-5.5.30.1.msi' filename with the actual filename located in the 'd:\temp' folder.

The MySQL Database server installer's 'Welcome' screen appears. Left-click the 'Install MySQL Products' link to start the MySQL installation.
The MySQL Database server installer's 'License Agreement' screen appears. Left-click checking the 'I accept the license terms' radio box, and left-click 'Next'.
The MySQL Database server installer's 'Find latest products' screen appears. If no internet connection is available, left-click checking the 'Skip the checks for updates...' radio box, and left-click 'Next'. Otherwise left-click 'Execute' allowing any updates to be fetched, and left-click 'Next'.
The MySQL Database server installer's 'Choosing a setup type' screen appears. Left-click selecting the 'Server only' option. In the 'Installation Path:' dialog box type 'd:\winids\mysql\' (less the outside quotes). In the 'Data Path:' dialog box type 'd:\winids\mysql\' (less the outside quotes), and left-click 'Next'.
The MySQL Database server installer's 'Check Requirements' screen appears; left-click 'Next'.
The MySQL Database server installer's 'Installation Progress' screen appears. Left-click 'Execute' allowing the MySQL server to complete the install, and left-click 'Next'.
The MySQL Database server installer's 'Configuration Overview' screen appears; left-click 'Next'.
The MySQL Database server installer's 'MySQL Server Configuration' screen 1 of 3 appears. Under 'Server Configuration Type' left-click the 'Config Type:' drop-down select box and left-click 'Server Machine'; the 'Config Type:' should now show 'Server Machine'. Left-click 'Next'.
The MySQL Database server installer's 'MySQL Server Configuration' screen 2 of 3 appears. Under 'Root Account Password' in the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), and left-click 'Next'.
The MySQL Database server installer's 'MySQL Server Configuration' screen 3 of 3 appears; left-click 'Next' allowing the MySQL server to complete the configuration, and left-click 'Next'.
The MySQL Database server installer's 'Installation Complete' screen appears; left-click 'Finish'.

At the CMD prompt type 'copy "d:\winids\mysql\mysql server 5.5\lib\libmysql.dll" c:\windows\system32' (less the outside quotes), and tap the 'Enter' key. This should display '1 file(s) copied.', and return to the command prompt.

Installing ADODB
At the CMD prompt type 'unzip -oqq d:\temp\adodb518a.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'adodb518a.zip' filename with the actual filename located in the 'd:\temp' folder.


Installing PHP
At the CMD prompt type 'unzip -oqq d:\temp\php-5.4.15-nts-Win32-VC9-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key. In the above, replace the 'php-5.4.15-nts-Win32-VC9-x86.zip' filename with the actual filename located in the 'd:\temp' folder; make sure it has '-nts-' in the filename.

Updating the 'sid-msg.map' file


At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

Information about the sid-msg.map file: the 'sid-msg.map' file essentially maps the rule MSG alert name to the sid number assigned to the rule. This really comes into play when the output method from Snort is the unified2 format, taking that output and reading it with Barnyard2 for input into the database. Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly insert the names of the events into the database when an alert is associated with a sid. Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Likewise, updating the rules without updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
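The naming step described above (and the unified2 processing in the Barnyard2 section), as an added example that is not part of this guide, of Barnyard2, or of create-sidmap.pl: it builds sid-msg.map entries from rule text, parses constructed unified2 IDS event records, and names each event by its msg when the sid is mapped or as gid:sid when it is not. All rules, sids, addresses and events are constructed sample data; the record layout used is the legacy type-7 IPv4 event, and a Python interpreter is assumed (the software pack does not provide one).

```python
"""Name unified2 events through a sid-msg.map, as Barnyard2 does before the MySQL insert.

Added example for this guide; not WinSNORT, Barnyard2 or create-sidmap.pl code.
Every rule, sid, address and event below is constructed sample data.
"""
import re
import struct

UNIFIED2_IDS_EVENT = 7      # legacy IPv4 event record type
IDS_EVENT_FMT = "!11I2H4B"  # network byte order: 11 u32, 2 u16, 4 u8 = 52 bytes
EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)

# Constructed rules; sid 2133 only echoes the guide's "1:2133" illustration.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED FTP example"; flow:to_server,established; reference:url,example.invalid/constructed; classtype:attempted-admin; sid:2133; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONSTRUCTED local rule"; sid:1000001; rev:1;)
# alert icmp any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:1000002; rev:1;)
'''

def build_sid_msg_map(rules_text):
    """Return {sid: (msg, [references])} from rule text.  Commented-out rules are
    skipped, so a rule enabled later without regenerating the map stays unnamed,
    which is the gid:sid symptom the guide describes."""
    sidmap = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        msg = re.search(r'\bmsg\s*:\s*"([^"]*)"\s*;', line)
        if sid and msg:
            refs = [r.strip() for r in re.findall(r"\breference\s*:\s*([^;]+);", line)]
            sidmap[int(sid.group(1))] = (msg.group(1), refs)
    return sidmap

def render_sid_msg_map(sidmap):
    """Serialise in the 'sid || msg || ref || ref' layout that create-sidmap.pl writes."""
    return "".join(" || ".join([str(sid), sidmap[sid][0]] + sidmap[sid][1]) + "\n"
                   for sid in sorted(sidmap))

def ip2int(dotted):
    return struct.unpack("!I", bytes(int(o) for o in dotted.split(".")))[0]

def make_event(gid, sid, src, dst, sport, dport):
    """Build one type-7 record (8-byte header + 52-byte body) as Snort would log it."""
    body = struct.pack(IDS_EVENT_FMT, 1, 42, 1369065600, 0, sid, gid, 1, 1, 2,
                       ip2int(src), ip2int(dst), sport, dport, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def parse_unified2(blob):
    """Yield (record_type, body) per record; IDS events are decoded to dicts.
    A truncated final record is left for the next pass: the file name and offset
    Barnyard2 keeps in its waldo file let it resume exactly there."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from("!II", blob, off)
        body = blob[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break
        if rtype == UNIFIED2_IDS_EVENT and rlen == struct.calcsize(IDS_EVENT_FMT):
            body = dict(zip(EVENT_FIELDS, struct.unpack(IDS_EVENT_FMT, body)))
        yield rtype, body
        off += 8 + rlen

def event_name(event, sidmap):
    """The name BASE will show: the rule msg when mapped, otherwise bare gid:sid."""
    gid, sid = event["generator_id"], event["signature_id"]
    if gid == 1 and sid in sidmap:
        return sidmap[sid][0]
    return "%d:%d" % (gid, sid)

def resolve_events(blob, sidmap):
    return [event_name(body, sidmap)
            for _, body in parse_unified2(blob) if isinstance(body, dict)]

if __name__ == "__main__":
    sidmap = build_sid_msg_map(SAMPLE_RULES)
    print(render_sid_msg_map(sidmap), end="")
    log = (make_event(1, 2133, "10.0.0.29", "10.0.0.5", 1068, 21)
           + make_event(1, 1000002, "10.0.0.29", "10.0.0.5", 1069, 80))
    print(resolve_events(log, sidmap))  # ['CONSTRUCTED FTP example', '1:1000002']
```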

Configuring the Snort Detection Engine


At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key. Use Find in Notepad2 to locate and change the variables below.

The home network variable below defines the network you wish to monitor, such as the local LAN segment. It is set by specifying one or more networks in CIDR [4] form. The IP address below is fictitious and must be changed to the correct IP address and CIDR that reflects the actual network that the Windows Intrusion Detection System (WinIDS) will be monitoring.

Original Line(s):
    ipvar HOME_NET any
Change to:
    ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example, the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct range of internal network addresses that the Windows Intrusion Detection System (WinIDS) will need to monitor.

Original Line(s):
    var RULE_PATH ../rules
Change to:
    var RULE_PATH d:\winids\snort\rules

Original Line(s):
    var SO_RULE_PATH ../so_rules
Change to:
    # var SO_RULE_PATH ../so_rules

Original Line(s):
    var PREPROC_RULE_PATH ../preproc_rules
Change to:
    var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s):
    var WHITE_LIST_PATH ../rules
Change to:
    var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s):
    var BLACK_LIST_PATH ../rules
Change to:
    var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s):
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to:
    dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s):
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to:
    dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s):
    dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to:
    # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
    preprocessor normalize_ip4
    preprocessor normalize_tcp: ips ecn stream
    preprocessor normalize_icmp4
    preprocessor normalize_ip6
    preprocessor normalize_icmp6
Change to:
    # preprocessor normalize_ip4
    # preprocessor normalize_tcp: ips ecn stream
    # preprocessor normalize_icmp4
    # preprocessor normalize_ip6
    # preprocessor normalize_icmp6

Original Line(s):
    # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to:
    preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s):
    # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to:
    output unified2: filename merged.log, limit 128

Original Line(s):
    include classification.config
Change to:
    include d:\winids\snort\etc\classification.config

Original Line(s):
    include reference.config
Change to:
    include d:\winids\snort\etc\reference.config

Original Line(s):
    # include $PREPROC_RULE_PATH/preprocessor.rules
    # include $PREPROC_RULE_PATH/decoder.rules
    # include $PREPROC_RULE_PATH/sensitive-data.rules
Change to:
    include $PREPROC_RULE_PATH/preprocessor.rules
    include $PREPROC_RULE_PATH/decoder.rules
    include $PREPROC_RULE_PATH/sensitive-data.rules

Original Line(s):
    include threshold.conf
Change to:
    include d:\winids\snort\etc\threshold.conf

Save the file, and eXit Notepad2.
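A repeatable way to make the snort.conf edits above and to catch any that did not match, as an added example that is not part of this guide or its software pack (the guide's own method is Find-and-replace in Notepad2): the original/replacement pairs are the guide's, while the script, its function names and the assumption that a Python interpreter is present are mine.

```python
"""Apply this guide's snort.conf edits and report any original line that was not found.

Added example, not part of the WinSNORT guide or software pack; the guide's own
method is Find-and-replace in Notepad2.  Assumes a Python interpreter is present.
"""
import re

# (original line, replacement) pairs as listed in the guide.  A replacement of
# None means "comment the line out", which is how the guide disables it.
SNORT_CONF_EDITS = [
    ("ipvar HOME_NET any", "ipvar HOME_NET 192.168.1.0/24"),  # fictitious; set yours
    ("var RULE_PATH ../rules", r"var RULE_PATH d:\winids\snort\rules"),
    ("var SO_RULE_PATH ../so_rules", None),
    ("var PREPROC_RULE_PATH ../preproc_rules",
     r"var PREPROC_RULE_PATH d:\winids\snort\preproc_rules"),
    ("var WHITE_LIST_PATH ../rules", r"var WHITE_LIST_PATH d:\winids\snort\rules"),
    ("var BLACK_LIST_PATH ../rules", r"var BLACK_LIST_PATH d:\winids\snort\rules"),
    ("dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/",
     r"dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor"),
    ("dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so",
     r"dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll"),
    ("dynamicdetection directory /usr/local/lib/snort_dynamicrules", None),
    ("preprocessor normalize_ip4", None),
    ("preprocessor normalize_tcp: ips ecn stream", None),
    ("preprocessor normalize_icmp4", None),
    ("preprocessor normalize_ip6", None),
    ("preprocessor normalize_icmp6", None),
    ("# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }",
     "preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }"),
    ("# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types",
     "output unified2: filename merged.log, limit 128"),
    ("include classification.config", r"include d:\winids\snort\etc\classification.config"),
    ("include reference.config", r"include d:\winids\snort\etc\reference.config"),
    ("# include $PREPROC_RULE_PATH/preprocessor.rules", "include $PREPROC_RULE_PATH/preprocessor.rules"),
    ("# include $PREPROC_RULE_PATH/decoder.rules", "include $PREPROC_RULE_PATH/decoder.rules"),
    ("# include $PREPROC_RULE_PATH/sensitive-data.rules", "include $PREPROC_RULE_PATH/sensitive-data.rules"),
    ("include threshold.conf", r"include d:\winids\snort\etc\threshold.conf"),
]

def apply_edits(conf_text, edits=SNORT_CONF_EDITS):
    """Return (new_text, missing).  Only whole-line matches (ignoring surrounding
    whitespace) are changed, so running twice never mangles an edited line, and
    every original that does not occur is reported instead of silently skipped."""
    lines = conf_text.splitlines()
    missing = []
    for original, replacement in edits:
        new_line = replacement if replacement is not None else "# " + original
        hits = [i for i, line in enumerate(lines) if line.strip() == original]
        if not hits:
            missing.append(original)
        for i in hits:
            lines[i] = new_line
    return "\n".join(lines) + "\n", missing

def home_net_is_placeholder(conf_text):
    """True while HOME_NET is still 'any' or the guide's fictitious 192.168.1.0/24,
    the one value the guide says must be replaced with the real monitored network."""
    m = re.search(r"^\s*ipvar\s+HOME_NET\s+(\S+)", conf_text, re.M)
    return m is None or m.group(1) in ("any", "192.168.1.0/24")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else r"d:\winids\snort\etc\snort.conf"
    with open(path) as fh:
        new_text, missing = apply_edits(fh.read())
    with open(path, "w") as fh:   # edit in place, as the guide does in Notepad2
        fh.write(new_text)
    for original in missing:
        print("not found:", original)
    if home_net_is_placeholder(new_text):
        print("HOME_NET is still a placeholder; set it to the monitored network")
```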


Testing the Snort configuration file


At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x' in the '-ix' switch. This will start Snort in self-test mode for configuration and rule file testing. If all the tests pass, the following output confirms that the Snort configuration file and rules have tested good.

    Snort successfully validated the configuration!
    Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Configuring PHP
At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. This should display '1 file(s) copied.', and return to the CMD prompt. At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key. Use Find in Notepad2 to locate and change the variables below.

Original Line(s):
    max_execution_time = 30
Change to:
    max_execution_time = 60

Original Line(s):
    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
Change to:
    ; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s):
    ;include_path = ".;c:\php\includes"
Change to:
    include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s):
    ; extension_dir = "ext"
Change to:
    extension_dir = "d:\winids\php\ext"

Original Line(s):
    ; cgi.force_redirect = 1
Change to:
    cgi.force_redirect = 0

Original Line(s):
    ; extension=php_gd2.dll
Change to:
    extension=php_gd2.dll

Original Line(s):
    ; extension=php_mysql.dll
Change to:
    extension=php_mysql.dll

Original Line(s):
    ;date.timezone =
Change to:
    date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct timezone setting for where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones [5].

Original Line(s):
    ;session.save_path = "/tmp"
Change to:
    session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.


Configuring Internet Information Services for PHP


At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key. The 'Internet Information Services (IIS) Manager' opens; in the left pane under 'Connections' expand the server name. If the 'Internet Information Services (IIS) Manager' asks 'Do you want to get started with...', left-click 'No'. Under 'Connections' expand 'Sites', left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Handler Mappings', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', and when the 'Add Script Map' notification message appears left-click 'Yes'. In the 'Handler Mappings' under the 'Enabled' section there will be a new 'PHP' entry in the 'Name' column; highlight and right-click 'PHP', left-click 'Edit...', verify that all three dialog box settings match what was entered above, left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager'. Do not proceed until the 'Handler Mappings' for PHP have been set correctly! At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing Internet Information Services, and the PHP installation


Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt. Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key. Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

Do not proceed until all the above paths are correct! eXit the web-browser. At the CMD prompt type 'del d:\winids\inetpub\wwwroot\test.php' (less the outside quotes), and tap the 'Enter' key.


Adding Snort to the Windows Services Database


At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key. At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key. The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x' in the '-ix' switch. The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

    [SNORT_SERVICE] Attempting to install the Snort service.
    [SNORT_SERVICE] The full path to the Snort binary appears to be:
        D:\winids\snort\bin\snort /SERVICE
    [SNORT_SERVICE] Successfully added registry keys to:
        \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
    [SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database. At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key. The following is a confirmation that the Snort auto-start service has been successfully activated.

    [SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated. At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Configuring the MySQL Database Server


Creating the Windows Intrusion Detection System Databases

Open a CMD window and type 'mysql -u root -p' (less the outside quotes) and tap the 'Enter' key. At the password prompt type 'd1ngd0ng' (less the outside quotes) and tap the 'Enter' key. You will be dropped into the MySQL administration console CMD prompt. At the mysql CMD prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt. At the mysql CMD prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK...' and drop back to the mysql prompt. At the mysql CMD prompt type 'show databases;' (less the outside quotes), and tap the 'Enter' key.


There should be several databases listed, 'information_schema', 'archive', 'mysql', and 'snort'.

Creating the Windows Intrusion Detection System Database Tables

At the mysql CMD prompt type 'connect snort;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: snort' and drop back to the mysql prompt. At the mysql CMD prompt type 'source d:/winids/barnyard2/schemas/create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt. At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt. At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'connect archive;' (less the outside quotes), and tap the 'Enter' key. It will display 'Current database: archive' and drop back to the mysql prompt. At the mysql CMD prompt type 'source d:/winids/barnyard2/schemas/create_mysql' (less the outside quotes), and tap the 'Enter' key. It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt. At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt. At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key. The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

Creating the Windows Intrusion Detection System Database Access, and Authenticated Users

At the mysql CMD prompt type 'set password for root@localhost = password('d1ngd0ng');' (less the outside quotes), and tap the 'Enter' key. At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort identified by 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt. At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort@localhost identified by 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt. At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base@localhost identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt. At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt. At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base@localhost identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key. It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and tap the 'Enter' key. At the mysql CMD prompt type 'select * from user;' (less the outside quotes), and tap the 'Enter' key. There should be several users listed, 'root', 'snort', 'snort', 'base', and 'base'. At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.
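The grants above create two accounts per name: 'snort@localhost' and, because 'to snort' names no host, 'snort@%', which MySQL will accept from any address the firewall lets through (the same holds for 'base'). That is why two 'snort' and two 'base' rows appear in the user table, and it is the access the 'Securing your host' step in the conclusion refers to. The script below is an added example, not part of this guide or of MySQL. It parses GRANT statements as typed above, or as 'SHOW GRANTS' prints them, and reports wildcard hosts and privileges beyond what each account's role in this setup needs. The role table is taken from the guide's own grants; the two OVERREACH statements are constructed for the demonstration.

```python
"""Least-privilege audit of the MySQL GRANT statements this guide issues.

Added example, not part of the original guide or of MySQL. It reads GRANT
statements either as typed at the mysql prompt or as 'SHOW GRANTS' prints them,
and reports two things a reviewer looks for: an account whose host part is the
wildcard '%' (MySQL's default when no @host is given, so the account may connect
from any address the firewall lets through), and an account holding privileges
beyond what its role in this setup needs. The role table below is taken from the
guide's own grants; the OVERREACH lines are constructed for the demonstration.
"""
import re

# Privileges each account needs here: 'snort' is only written to by Barnyard2,
# 'base' is what the BASE console logs in as.
ROLE_PRIVILEGES = {
    "snort": {"INSERT", "SELECT", "UPDATE"},
    "base": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE"},
}

_GRANT = re.compile(
    r"^\s*grant\s+(?P<privs>.+?)\s+on\s+(?P<obj>\S+)\s+to\s+"
    r"'?(?P<user>[^'@\s]+)'?(?:@'?(?P<host>[^'\s;]+)'?)?",
    re.IGNORECASE,
)


def parse_grant(statement):
    """Return (user, host, object, privileges) or None if the line is not a GRANT."""
    m = _GRANT.match(statement)
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    host = m.group("host") or "%"          # no @host means '%' in MySQL
    obj = m.group("obj").replace("`", "")  # SHOW GRANTS quotes the database name
    return m.group("user"), host, obj, privs


def audit_grants(statements):
    """Return a list of findings, one per problem, in statement order."""
    findings = []
    for stmt in statements:
        parsed = parse_grant(stmt)
        if parsed is None:
            continue
        user, host, obj, privs = parsed
        account = f"{user}@{host}"
        if host == "%":
            findings.append(f"{account}: wildcard host, connections accepted from any address")
        if privs & {"ALL", "ALL PRIVILEGES"}:
            findings.append(f"{account} on {obj}: ALL PRIVILEGES granted")
            continue
        allowed = ROLE_PRIVILEGES.get(user)
        if allowed is not None:
            extra = privs - allowed - {"USAGE"}
            if extra:
                findings.append(f"{account} on {obj}: beyond role: {', '.join(sorted(extra))}")
    return findings


# The six grants exactly as the guide types them.
GUIDE_GRANTS = [
    "grant INSERT,SELECT,UPDATE on snort.* to snort identified by 'l0gg3r';",
    "grant INSERT,SELECT,UPDATE on snort.* to snort@localhost identified by 'l0gg3r';",
    "grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base identified by 'an@l1st';",
    "grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base@localhost identified by 'an@l1st';",
    "grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base identified by 'an@l1st';",
    "grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base@localhost identified by 'an@l1st';",
]

# Constructed statements that a review should reject.
OVERREACH = [
    "grant INSERT,SELECT,UPDATE,DELETE,DROP on snort.* to snort@localhost identified by 'l0gg3r';",
    "GRANT ALL PRIVILEGES ON *.* TO 'base'@'localhost'",
]

if __name__ == "__main__":
    for finding in audit_grants(GUIDE_GRANTS + OVERREACH):
        print(finding)
```

Run against the guide's six statements it reports exactly three findings, all for the '%' accounts; everything Barnyard2 and BASE do in this setup goes through 'localhost' (the 'winids' host name in base_conf.php and barnyard2.conf resolves to the same machine), so the wildcard accounts are the ones to drop or restrict once the console is working.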

Confirming MySQL and Snort are operational


At the CMD prompt type 'net stop mysql55 & net start mysql55' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key. The 'Windows Task Manager' starts, left-click the 'Processes' tab, in the 'Image name' column there should be a 'snort.exe' and a 'mysqld.exe' listed as running processes. Do not proceed until the processes above are running! eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console


At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt. At the CMD prompt type 'tartool d:\temp\opensource.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.


The above command may take a few minutes to complete as it is moving several thousand files. At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.

Original Line(s): $BASE_urlpath = '';
Change to: $BASE_urlpath = 'http://winids';

Original Line(s): $DBlib_path = '';
Change to: $DBlib_path = 'd:\winids\adodb5';

Original Line(s): $DBtype = '?????';
Change to: $DBtype = 'mysql';

Original Line(s):
    $alert_dbname   = 'snort_log';
    $alert_host     = 'localhost';
    $alert_port     = '';
    $alert_user     = 'snort';
    $alert_password = 'mypassword';
Change to:
    $alert_dbname   = 'snort';
    $alert_host     = 'winids';
    $alert_port     = '';
    $alert_user     = 'base';
    $alert_password = 'an@l1st';

Original Line(s):
    $archive_exists   = 0; # Set this to 1 if you have an archive DB
    $archive_dbname   = 'snort_archive';
    $archive_host     = 'localhost';
    $archive_port     = '';
    $archive_user     = 'snort';
    $archive_password = 'mypassword';
Change to:
    $archive_exists   = 1; # Set this to 1 if you have an archive DB
    $archive_dbname   = 'archive';
    $archive_host     = 'winids';
    $archive_port     = '';
    $archive_user     = 'base';
    $archive_password = 'an@l1st';

Original Line(s): $show_rows = 48;
Change to: $show_rows = 90;

Original Line(s): $show_expanded_query = 0;
Change to: $show_expanded_query = 1;

Original Line(s): $colored_alerts = 0;
Change to: $colored_alerts = 1;

Original Line(s): $priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');
Change to: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');


Original Line(s): // $graph_font_name = "Verdana";
Change to: $graph_font_name = "Verdana";

Original Line(s): $graph_font_name = "DejaVuSans";
Change to: // $graph_font_name = "DejaVuSans";

Original Line(s): //$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";
Change to: $Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console
Open a CMD window and type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key. Should display '1 file(s) copied.', and return to the CMD prompt. At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key. At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key. At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR. At the next prompt tap the 'Enter' key. At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

Now install the PEAR packages below, one at a time. For each one, at the CMD prompt type the command shown (less the outside quotes), and tap the 'Enter' key. A successful install will display the 'install ok:' line shown prior to dropping back to the CMD prompt.

'pear install Image_Color-alpha'     install ok: channel://pear.php.net/Image_Color-...
'pear install Image_Canvas-alpha'    install ok: channel://pear.php.net/Image_Canvas-...
'pear install Image_Graph-alpha'     install ok: channel://pear.php.net/Image_Graph-...
'pear install Log-alpha'             install ok: channel://pear.php.net/Log-...
'pear install Math_BigInteger-alpha' install ok: channel://pear.php.net/Math...
'pear install Numbers_Roman-alpha'   install ok: channel://pear.php.net/Numbers_Roman-...
'pear install Numbers_Words-alpha'   install ok: channel://pear.php.net/Numbers_Words-...
'pear install Mail-alpha'            install ok: channel://pear.php.net/Mail-...
'pear install Mail_Mime-alpha'       install ok: channel://pear.php.net/Mail_Mime-...


At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key. Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring IIS for the Windows Intrusion Detection Security Console


At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key. The 'Internet Information Services (IIS) Manager' opens; in the left pane under 'Connections' expand servername. If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...' left-click 'No'.

Under servername left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Default Document', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add...', the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), and left-click 'OK'. In the 'Default Document' under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.

Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.

Configuring Barnyard2
At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key. Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):
    config reference_file:      /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file:            /etc/snort/gen-msg.map
    config sid_file:            /etc/snort/sid-msg.map
Change to:
    config reference_file:      d:\winids\snort\etc\reference.config
    config classification_file: d:\winids\snort\etc\classification.config
    config gen_file:            d:\winids\snort\etc\gen-msg.map
    config sid_file:            d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096
Change to: config event_cache_size: 32768

Original Line(s): # output database: log, mysql, user=root password=test dbname=db host=localhost
Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.
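The sample barnyard2.conf ships with Linux paths and a commented-out 'user=root password=test' output line, so a half-finished edit only shows up when Barnyard2 is started, and an edit that merely removes the '#' would log to the database as root with the sample password. The script below is an added example, not part of this guide or of the Barnyard2 project. It parses the active 'config key: value' directives and the 'output database:' line offline and reports anything left at the sample values, a root login, or a missing sensor_name. Both configuration texts in it are constructed from the lines quoted above: one as shipped, one after the guide's edits.

```python
"""Sanity check of a barnyard2.conf against the values this guide sets.

Added example, not part of the original guide or of the Barnyard2 project. It
parses the active 'config key: value' directives and the 'output database:'
line, then reports anything still at the Linux sample values the file ships
with, and an output line that would log as root or with the sample password.
Both sample configurations below are constructed from the lines the guide quotes.
"""
import re

_CONFIG = re.compile(r"^\s*config\s+([A-Za-z_]+):\s*(.+?)\s*$")
_OUTPUT_DB = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")

# The map and config files Barnyard2 needs to turn generator/sid numbers into messages.
MAP_FILES = ("reference_file", "classification_file", "gen_file", "sid_file")


def parse_barnyard2_conf(text):
    """Return (config, outputs): active config directives and parsed output database lines.

    Lines beginning with '#' are comments, so a directive left behind a '#' is
    simply absent from the result.
    """
    config, outputs = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _CONFIG.match(line)
        if m:
            config[m.group(1)] = m.group(2)
            continue
        m = _OUTPUT_DB.match(line)
        if m:
            # "user=snort password=... dbname=snort host=winids sensor_name=..." -> dict
            params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            params["log_type"], params["db_type"] = m.group(1), m.group(2)
            outputs.append(params)
    return config, outputs


def audit_barnyard2_conf(text):
    """Return a list of findings; empty means the file is configured as the guide describes."""
    config, outputs = parse_barnyard2_conf(text)
    findings = []
    for key in MAP_FILES:
        value = config.get(key)
        if value is None:
            findings.append(f"config {key}: missing")
        elif value.startswith("/etc/snort/"):
            findings.append(f"config {key}: still the Linux sample path {value}")
    if not outputs:
        findings.append("output database: no active line, events will never reach MySQL")
    for out in outputs:
        if out.get("user") == "root":
            findings.append("output database: logs in as root; use the restricted logging account")
        if out.get("password") in (None, "test"):
            findings.append("output database: password missing or still the sample value")
        if "sensor_name" not in out:
            findings.append("output database: sensor_name not set")
    return findings


# Constructed: the file as shipped, before any of the guide's edits.
SAMPLE_DEFAULT = r"""
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
# config event_cache_size: 4096
# output database: log, mysql, user=root password=test dbname=db host=localhost
"""

# Constructed: the same file after the edits the guide describes.
SAMPLE_CONFIGURED = r"""
config reference_file:      d:\winids\snort\etc\reference.config
config classification_file: d:\winids\snort\etc\classification.config
config gen_file:            d:\winids\snort\etc\gen-msg.map
config sid_file:            d:\winids\snort\etc\sid-msg.map
config event_cache_size: 32768
output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home
"""

if __name__ == "__main__":
    for name, text in (("shipped", SAMPLE_DEFAULT), ("configured", SAMPLE_CONFIGURED)):
        print(name, audit_barnyard2_conf(text) or ["ok"])
```

Point it at the real file with `audit_barnyard2_conf(open(r"d:\winids\barnyard2\etc\barnyard2.conf").read())` before running the by2-test batch file; the by2-test run still matters, because this check only reads the text and cannot tell whether the paths exist or the database accepts the credentials.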

Testing the Barnyard2 configuration file


At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key. Running the above batch file will cause Barnyard2 to start up in self-test mode, checking all the supplied command line switches that are passed to it and indicating that everything is ready to proceed. If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

    Barnyard2 successfully loaded configuration file!
    Snort exiting
    database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login


At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key. The 'auto-barnyard.reg' file contains the run line for Barnyard2. The Registry Editor selection box opens and asks 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'. At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot. When the system has rebooted, Barnyard2 will be running in a minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console


After the reboot open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key. It may take a little while to start seeing events in the Windows Intrusion Detection Systems (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion
Congratulations, you have just completed setting up your first complete Windows Intrusion Detection System (WinIDS), and I hope this guided install has been of great assistance. At this point you are done with this guided install, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'. This includes:

Tuning your rules and preprocessors.
Tuning Snort thresholds and limit values.
Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.
Securing your host (maybe changing the default database user access, disabling unneeded services, etc.).
Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.


Security Issues
Let's review what has happened so far:

All support programs, including 'IIS 7.5/8', have been installed to a separate partition, which closed a multitude of security holes.
The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents


Be SURE to check out the other 'Companion Documents' located in the WinIDS Guided Installs area of 'WINSNORT.com' to enhance your Windows Intrusion Detection System (WinIDS).

Manually updating the rules, signatures, and sig-msg.map file [6]
This guided install will show how to manually update the rules, signatures, and the 'sig-msg.map' file on an existing Windows Intrusion Detection System (WinIDS).

Automatically updating the rules, signatures, and sig-msg.map file using PulledPork
This guided install will show how to automatically update the rules, signatures, and the 'sig-msg.map' file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

Installing an eMail alerting client (EventWatchNT) [7]
This guided install will show how to have user defined priority events, written to the Windows Application Log, eMailed to user defined eMail accounts on an existing Windows Intrusion Detection System (WinIDS).

Sending events to a remote Unix Syslog Server [8]
This guided install will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).

Installing MySQL Tools as an add-in to a MySQL enabled Windows Intrusion Detection System (WinIDS) [9]
This guided install will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution when using these tools.

Compiling Barnyard2 on Windows using Cygwin [10]
This guided install will show how to manually or automatically compile your very own copy of Barnyard2 on any modern Windows system.

Debugging Installation errors


Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

General problems
Please visit the support forums [11] if you have problems.

Places of interest

Websites
Snort Home Page [12]
Snort FAQ [13]
Snort Users Manual [14]
Official Snort Blog Site [15]
Snort-users list archive [16]
Snort.conf Configurations [17]
PulledPork and Flowbits [18]

Users Mailing Lists
Barnyard2-users [19]
pulledpork-users [20]
Snort-announce [21]
Snort-users [22]
Snort-sigs [23]
Snort-devel [24]

Support Programs
BASE Home Page [25]
Barnyard2 Home Page [26]
MySQL Home Page [27]
PostgreSQL Home Page [28]
PulledPork Home Page [29]
MySQL Tools [30]
PHP Home Page [31]
ADODB Home Page [32]
WinPcap Home Page [33]
Apache2 Home Page [34]

Security tools and info
XP Security Checklist [35]
NSA Securing XP [36]

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Me: michaels@winsnort.com [37]
Our Support Forums - www.winsnort.com [38]
Snort: Open Source Network IDS - www.snort.org [39]

Links

1. http://winsnort.com/index.php?module=PNphpbb2
2. http://www.winsnort.com/
3. http://www.microsoft.com/technet/security/tools/mbsahome.mspx
4. http://www.subnet-calculator.com/cidr.php
5. http://php.net/timezones
6. http://winsnort.com/index.php?module=Pages&func=display&pageid=51
7. http://winsnort.com/index.php?module=Pages&func=display&pageid=52
8. http://winsnort.com/index.php?module=Pages&func=display&pageid=21
9. http://winsnort.com/index.php?module=Pages&func=display&pageid=2
10. http://winsnort.com/index.php?module=Pages&func=display&pageid=50
11. http://winsnort.com/index.php?module=PNphpbb2
12. http://www.snort.org/
13. http://www.snort.org/docs/faq.html
14. http://www.snort.org/docs/writing_rules/
15. http://blog.snort.org/
16. http://www.geocrawler.com/redir-sf.php3?list=snort-users
17. http://winsnort.com/https://www.snort.org/vrt/snort-conf-configurations/
18. http://blog.snort.org/2012/01/importance-of-pulledpork.html
19. http://winsnort.com/https://groups.google.com/forum/#!forum/barnyard2-users
20. http://groups.google.com/group/pulledpork-users
21. http://lists.sourceforge.net/mailman/listinfo/snort-announce
22. http://lists.sourceforge.net/mailman/listinfo/snort-users
23. http://lists.sourceforge.net/mailman/listinfo/snort-sigs
24. http://lists.sourceforge.net/mailman/listinfo/snort-devel
25. http://sourceforge.net/projects/secureideas/
26. http://winsnort.com/https://github.com/firnsy/barnyard2
27. http://www.mysql.com/
28. http://www.postgresql.org/
29. http://code.google.com/p/pulledpork/
30. http://dev.mysql.com/downloads/administrator/1.0.html
31. http://www.php.net
32. http://php.weblogs.com/adodb
33. http://winpcap.polito.it/
34. http://httpd.apache.org/download.cgi
35. http://www.labmice.net/articles/winxpsecuritychecklist.htm
36. http://nsa1.www.conxion.com/winxp/guides/wxp-1.pdf
37. http://winsnort.com/mailto:michaels@winsnort.com?subject=General%20Support
38. http://winsnort.com/index.php?module=PNphpbb2
39. http://www.snort.org
40. http://winsnort.com/index.php?module=Pages&func=display&pageid=49&theme=Printer
