8 - Mysql __ Winsnort


Transcript of 8 - Mysql __ Winsnort

Page 1: 8 - Mysql __ Winsnort

32/64bit Windows Intrusion Detection System (WinIDS) Guided Install

Written by: Michael E. Steele

IIS 7.5 / 8 Web-Server

MySQL Database Server

Last Date Revised: May 20, 2013

Introduction

When it comes to deploying an IDS (Intrusion Detection System), many network engineers automatically think of Snort. Why? First of all, it's a highly capable, full-featured Intrusion Detection System (that can even act as an Intrusion Prevention System with the appropriate tweaks). Second of all, it's completely free, both its binary and its source code tree. Snort can also run on many platforms, including Linux, MS Windows and FreeBSD, so there are plenty of options for deploying this system.

However, installing the Windows Intrusion Detection System (WinIDS) with a production-ready setup always takes a while, especially when you have to "discover" many things and solve many issues on your own in order to complete the setup. I've managed to get through that process in the Windows environment and now I'd like to share my process with you. During my research I found a lot of guides and blogs like this describing the installation process. Yet none of them specifically detailed setting this up in a Windows environment, so I had to gather a lot of information and I had to generate some information as well.

Copyright Notice

This document is Copyright © 2002-2013 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted provided that distribution is electronic, in its original form, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability for this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

WinIDS - Windows 7 / 2008 / 2012 - IIS 7.5 / 8 - MySQL :: WINSNORT... http://winsnort.com/index.php?module=Pages&func=display&pageid=4...

1 trong 21 6/26/2013 9:11 PM

Support Questions and Help

All support questions MUST be directed to the support forums [1]. This is a way to address the masses, instead of a single person.

If you haven't acquired this guide directly from the Winsnort.com [2] website, then you most likely don't have the latest revision!

My setup is a classical Windows Intrusion Detection System (WinIDS) deployment:

The Snort detection engine will be running in passive mode, logging events to a unified2 log file.
Barnyard2 will be processing the Windows Intrusion Detection Systems (WinIDS) unified2 log files.
A MySQL-driven database will store processed events/logs for further analysis.
Internet Information Services 7.5 / 8 web-server will drive the Windows Intrusion Detection Systems (WinIDS) analysis GUI console.
BASE will serve as the web-based Windows Intrusion Detection Systems (WinIDS) events analysis GUI console.

I have to say that even though this guided install is written to seamlessly integrate these tools, I've done my best to describe the installation process of each component as generally as possible. This way, you can take important elements to develop your own setup integrating other tools.

Although I created this guide using a single computer, it's very easy to extend the deployment to multiple computers (multi-tier approach), each one in charge of one task (i.e. sensors, database server, web server).

Operating System and Configuration Setup

Supported 32/64bit operating systems for this Windows Intrusion Detection System (WinIDS) guided install

It is imperative that any of the supported Microsoft operating systems listed below have all the latest service packs and security updates installed from the Microsoft Windows update site. Failure to complete this task will most likely cause the Windows Intrusion Detection Systems (WinIDS) guided install to fail.

Windows XP Professional (SP3)
Windows 7 Professional (SP1)
Windows Server 2003 Standard Edition (SP2)
Windows Server 2008 Standard Edition (SP2)
Windows Server 2012 Standard Edition

Only the supported Microsoft operating systems listed above have been thoroughly tested in both the 32bit and 64bit environments for this particular guided install. It is highly recommended to install the Windows Intrusion Detection System (WinIDS) on a fresh, clean Windows installation, making sure all the latest service packs and security updates from the Microsoft update center have been installed.

This is how I've set up and tested the Windows Intrusion Detection System (WinIDS). Make sure that all the necessary changes are made if your configuration is different. Failure to make the appropriate changes will most likely cause a failure.

I'll be using Windows XP Pro (SP3) 32bit, but any 32/64bit version of Windows listed above will do.

I've created a user named 'Operator', set the password to 'z1pp3r', and assigned user 'Operator' Administrative privileges.

I'm installing the complete Windows Intrusion Detection System (WinIDS) logged on as user 'Operator'.

I have 3GB of memory installed, but anything over 2GB should be fine; the absolute minimum is 2GB (more is better).

I'm using two partitions - C: (System) with 300GB, and D: (WinIDS) with 1TB.

I'm installing the complete Windows Intrusion Detection System (WinIDS) into the 'd:\winids' folder.


Pre-installation Tasks

Downloading and extracting the 'Windows Intrusion Detection Systems (WinIDS) Software Pack'

Only use the files in the 'WinIDS - (32/64bit) Software Pack'. These files have been thoroughly tested in all the Windows Intrusion Detection Systems (WinIDS) guided installs. Using other files, not included in the appropriate Windows Intrusion Detection System (WinIDS) Software Pack, will most likely cause the Windows Intrusion Detection System (WinIDS) guided install to fail. There may be more recent versions of the support packages available, but they have either not been tested, or there is a problem which could cause the guided install to fail.

Depending on the processor's architecture, download the appropriate 'WinIDS - (32/64bit) Software Pack' below!

32bit: Download the 'WinIDS - 32bit Software Pack' to the 'd:\' drive.

64bit: Download the 'WinIDS - 64bit Software Pack' to the 'd:\' drive.

Open a CMD window and type 'd:\winids-sp-xxx-xx.xx.xx.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'winids-sp-xxx-xx.xx.xx.exe' filename with the actual filename that was downloaded to the 'd:\' drive from above.

The WinIDS self-extracting archive wizard appears. In the 'Destination folder' dialog box type 'd:\temp' (less the outside quotes), left-click 'Extract', in the 'Enter password' dialog box type 'w1nsn03t.c0m' (less the outside quotes), and left-click 'OK', allowing all the Windows Intrusion Detection Systems (WinIDS) files to be extracted to the 'd:\temp' folder. The WinIDS self-extracting archive wizard automatically closes.

System configuration changes

At the CMD prompt type 'd:\temp\modder.vbs' (less the outside quotes), and tap the 'Enter' key.

Do not proceed until the above script has rebooted the system; this could take several minutes.

The modder.vbs file performs several tasks:

Turns 'UAC' off for Windows 7, Server 2008, and Server 2012
Installs 'Microsoft .NET Framework 4.0' for Windows XP, and Server 2003
Installs 'IP Version 6' for Windows XP, and Server 2003
Installs 'Notepad2' to Windows\System32
Installs 'unzip' to Windows\System32
Installs 'tartool' to Windows\System32
Inserts the 'winids' hostname into the hosts file
Sets 'Hidden Files' to off in the registry
Sets 'Show File Extensions' to on in the registry
Sets 'Visual Effects' to minimal in the registry
Reboots the system

I strongly suggest that after the reboot, the Microsoft Baseline Security Analyzer [3] (MBSA) be used to identify and correct common security misconfigurations. Each issue should be resolved prior to starting this guided install.

Installing the Basic Windows Intrusion Detection System (WinIDS)


Installing WinPcap

Open a CMD window and type 'd:\temp\WinPcap_4_1_3.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'WinPcap_4_1_3.exe' filename with the actual filename located in the 'd:\temp' folder.

If the 'Program Compatibility Assistant' appears, left-click 'Run the program without getting help'.

The WinPcap installation wizard appears: left-click 'Next', left-click 'Next', left-click the 'I Agree' button, make SURE 'Automatically start the WinPcap driver at boot time' is checked, left-click 'Install', and left-click 'Finish'.

Installing Snort, the Traffic Detection and Inspection Engine

At the CMD prompt type 'd:\temp\Snort_2_9_4_6_Installer.exe' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'Snort_2_9_4_6_Installer.exe' filename with the actual filename located in the 'd:\temp' folder.

The Snort installation wizard appears: left-click the 'I Agree' button, left-click 'Next', left-click 'Next', in the 'Destination Folder' dialog box type 'd:\winids\snort' (less the outside quotes), left-click 'Next' allowing Snort to install, left-click the 'Close' button, and left-click 'OK'.

Testing the Windows Intrusion Detection System (WinIDS) for network traffic

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes) and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.

Index  Physical Address   IP Address
-----  ----------------   ----------
1      00:0C:29:25:B4:96  0000:0000:fe80:0000:0000:0000:ad63:31cf

In the above list, the 'Index' number is important, and will need to be remembered for later use in the guided install. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that the Windows Intrusion Detection System (WinIDS) will be monitoring on.

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of the Network Interface Card that the Windows Intrusion Detection System (WinIDS) will be monitoring on.

At the CMD prompt type 'd:\winids\snort\bin\snort -v -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line requires the 'Index' number of the monitoring Network Interface Card in place of the 'x' in the '-ix' switch. This will start Snort in verbose mode, verifying there is network traffic on interface 'x'.

There should now be multiple packets passing through the CMD window, and output similar to the following confirms that everything is ready to proceed.

10/08-12:12:32.131826 10.0.0.29:1068 -> 65.55.121.241:80
TCP TTL:128 TOS:0x0 ID:1586 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7430B82E  Ack: 0x1850214F  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


After verifying active network traffic, exit the web browser, activate the CMD window, and press the 'CTRL/C' keys to stop the Snort process.

If no traffic is passing through the CMD window, and there were multiple Network Interface Cards listed, try another 'Index' number.

Do not proceed until network traffic is being displayed in the CMD window.

Installing Latest Rule Set

At the CMD prompt type 'tartool d:\temp\snortrules-snapshot-2941.tar.gz d:\winids\snort' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'snortrules-snapshot-2941.tar.gz' filename with the actual filename located in the 'd:\temp' folder.

Installing Strawberry Perl

32bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-32bit.msi' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'strawberry-perl-5.14.2.1-32bit.msi' filename with the actual filename located in the 'd:\temp' folder.

64bit: At the CMD prompt type 'd:\temp\strawberry-perl-5.14.2.1-64bit.msi' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'strawberry-perl-5.14.2.1-64bit.msi' filename with the actual filename located in the 'd:\temp' folder.

The Strawberry Perl installation wizard appears: left-click 'Next', left-click the 'I accept the terms...' radio button, left-click 'Next', in the 'Install Strawberry Perl to:' dialog box type 'd:\winids\strawberry\' (less the outside quotes), left-click 'Next', left-click 'Install', left-click to uncheck the 'Read README file.' radio box, and left-click 'Finish'.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Installing Perl Pre-Requisites

Open a CMD window and type 'perl -MCPAN -e shell' (less the outside quotes), and tap the 'Enter' key.

At the 'cpan' CMD prompt type 'install Sys::Syslog' (less the outside quotes), and tap the 'Enter' key.

The above command will take several minutes to perform the install.

At the 'cpan' CMD prompt type 'quit' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Windows 7

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Uninstall or Change a program' control panel opens. Under 'Control Panel Home', left-click 'Turn Windows features on or off'. In the 'Turn Windows features on or off' window expand 'Internet Information Services'; to the left of 'Web Management Tools' left-click the radio box (it may only turn blue); to the left of 'World Wide Web Services' left-click and check the radio box (it may only turn blue); expand 'World Wide Web Services', expand 'Application Development Features', left-click and check all features except 'Server-Side Includes', left-click 'OK' allowing Windows to make the changes, and exit the 'Uninstall or Change a program' control panel.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 7.5 - Server 2008

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Uninstall or Change a program' control panel opens. Under 'Control Panel Home', left-click 'Turn Windows features on or off', and the 'Server Manager' opens. In the 'Server Manager' window, scroll down to 'Roles Summary', and left-click 'Add Roles'. The 'Add Roles Wizard' starts; left-click 'Next', opening the 'Select Server Roles' page. Left-click the select box to the left of 'Web Server (IIS)', and left-click 'Next'. At the 'Web Server (IIS)' page left-click 'Next'. At the 'Select Role Services' page scroll down and expand 'Application Development'. Left-click the select box to the left of 'Application Development', selecting all server roles. To the left of 'Server Side Includes' left-click, unselecting 'Server Side Includes', and left-click 'Next'. At the 'Confirm Installation Selections' page left-click 'Install', left-click 'Close', exit the 'Server Manager', and exit 'Programs and Features'.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Install Internet Information Services 8 - Server 2012

At the CMD prompt type 'appwiz.cpl' (less the outside quotes), and tap the 'Enter' key.

The 'Programs and Features' control panel opens; left-click 'Turn Windows features on or off'. The 'Server Manager' opens, and the 'Add Roles and Features Wizard' opens. At the 'Before you begin' selection window, left-click 'Next'. At the 'Select installation type' selection window, left-click 'Next'. At the 'Select destination server' selection window, left-click 'Next'. At the 'Select server roles' selection window, under 'Roles' scroll down and left-click 'Web Server (IIS)'. The 'Add features that are required for Web Server (IIS)?' window opens; left-click 'Add Features', and left-click 'Next'. At the 'Select features' selection window, left-click 'Next'. At the 'Web Server Role (IIS)' selection window, left-click 'Next'. At the 'Select role services' selection window scroll down and expand 'Application Development'. Under 'Application Development' scroll down and left-click the select box titled 'CGI', and left-click 'Next'. At the 'Confirm installation selections' selection window, left-click 'Install' allowing IIS to complete the features installation, left-click 'Close', exit 'Programs and Features', and exit the 'Server Manager'.

At the CMD prompt type 'd:\temp\moveiis7-8.bat' (less the outside quotes), and tap the 'Enter' key.

Installing the Windows Intrusion Detection Systems (WinIDS) Security Console

BASE is used for the Windows Intrusion Detection Systems (WinIDS) Security Console, and is a security analysis web tool. It is a tiny application whose only task is to display/report Snort events. The Windows Intrusion Detection Systems (WinIDS) Security Console uses a database backend to get the data. This database is the same database that will get directly populated by Snort's output database routine.

At the CMD prompt type 'unzip -oqq d:\temp\base-1.4.5.zip -d d:\winids\inetpub\wwwroot\base' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'base-1.4.5.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing Barnyard2

Barnyard2 will run and reside in a terminal window located in the Windows taskbar on boot. Barnyard2 is in charge of parsing and processing Snort's unified2 log files, sending them to a specified destination (where they will be used for security analysis and monitoring) such as a database server. As Barnyard2 runs independently of Snort, it doesn't need to process the logs/alerts in real time, that is, at the same time that Snort generates them. Barnyard2 only needs to keep track of how many events it has processed at a given time. For this purpose, Barnyard2 uses a "waldo" file, where it saves the name of the log/alert file being processed, and the offset within the log/alert file.


Barnyard2 is capable of processing Snort's unified2 log files. For this guided install, Barnyard2 will be sending processed unified2 log data to a MySQL database backend server.

At the CMD prompt type 'unzip -oqq d:\temp\barnyard2-2-1.13.zip -d d:\winids\barnyard2' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'barnyard2-2-1.13.zip' filename with the actual filename located in the 'd:\temp' folder.

Installing the MySQL Database Server

At the CMD prompt type 'd:\temp\mysql-installer-community-5.5.30.1.msi' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'mysql-installer-community-5.5.30.1.msi' filename with the actual filename located in the 'd:\temp' folder.

The MySQL Database server installer's 'Welcome' screen appears. Left-click the 'Install MySQL Products' link to start the MySQL installation.

The MySQL Database server installer's 'License Agreement' screen appears. Left-click, checking the 'I accept the license terms' radio box, and left-click 'Next'.

The MySQL Database server installer's 'Find latest products' screen appears. If no internet connection is available, left-click, checking the 'Skip the checks for updates...' radio box, and left-click 'Next'. Otherwise left-click 'Execute' allowing any updates to be fetched, and left-click 'Next'.

The MySQL Database server installer's 'Choosing a setup type' screen appears. Left-click, selecting the 'Server only' option. In the 'Installation Path:' dialog box type 'd:\winids\mysql\' (less the outside quotes). In the 'Data Path:' dialog box type 'd:\winids\mysql\' (less the outside quotes), and left-click 'Next'.

The MySQL Database server installer's 'Check Requirements' screen appears; left-click 'Next'.

The MySQL Database server installer's 'Installation Progress' screen appears. Left-click 'Execute' allowing the MySQL server to complete the install, and left-click 'Next'.

The MySQL Database server installer's 'Configuration Overview' screen appears; left-click 'Next'.

The MySQL Database server installer's 'MySQL Server Configuration' screen 1 of 3 appears. Under 'Server Configuration Type' left-click the 'Config Type:' drop-down select box and left-click 'Server Machine'; the 'Config Type:' should now show 'Server Machine'. Left-click 'Next'.

The MySQL Database server installer's 'MySQL Server Configuration' screen 2 of 3 appears. Under 'Root Account Password' in the 'MySQL Root Password:' dialog box type 'd1ngd0ng' (less the outside quotes). In the 'Repeat Password:' dialog box type 'd1ngd0ng' (less the outside quotes), and left-click 'Next'.

The MySQL Database server installer's 'MySQL Server Configuration' screen 3 of 3 appears; left-click 'Next' allowing the MySQL server to complete the configuration, and left-click 'Next'.

The MySQL Database server installer's 'Installation Complete' screen appears; left-click 'Finish'.

At the CMD prompt type 'copy "d:\winids\mysql\mysql server 5.5\lib\libmysql.dll" c:\windows\system32' (less the outside quotes), and tap the 'Enter' key.

This should display '1 file(s) copied.', and return to the command prompt.

Installing ADODB

At the CMD prompt type 'unzip -oqq d:\temp\adodb518a.zip -d d:\winids' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'adodb518a.zip' filename with the actual filename located in the 'd:\temp' folder.


Installing PHP

At the CMD prompt type 'unzip -oqq d:\temp\php-5.4.15-nts-Win32-VC9-x86.zip -d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

In the above, replace the 'php-5.4.15-nts-Win32-VC9-x86.zip' filename with the actual filename located in the 'd:\temp' folder; it has '-nts-' in the filename.

Updating the 'sid-msg.map' file

At the CMD prompt type 'unzip -oqq d:\temp\activators.zip -d d:\winids\activators' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'unzip -oqq d:\temp\create-sidmap.zip -d d:\winids\create-sidmap' (less the outside quotes), and tap the 'Enter' key.

Information about the sid-msg.map file:

The 'sid-msg.map' file essentially maps the rule's MSG alert name to the sid number assigned to the rule.

This really comes into play when the output method from Snort is the unified2 format: Barnyard2 reads that output and inputs it into the database.

Since the rule msg is not stored in the unified2 file format, it's necessary for Barnyard2 to read the sid-msg.map file to correctly input the names of the events into the database when associated with an alert by sid.

Without the 'sid-msg.map' being read by Barnyard2, the events in the database will show up only as gid:sid (1:2133 for example). Also, updating the rules and not updating the 'sid-msg.map' will show events from all new rules as gid:sid (1:2133 for example).

At the CMD prompt type 'd:\winids\create-sidmap\create-sidmap.pl d:\winids\snort\rules\ > d:\winids\snort\etc\sid-msg.map' (less the outside quotes), and tap the 'Enter' key.
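The following is an added example, not code from this guide, from create-sidmap.pl or from Barnyard2. It models the three facts the two passages above state: create-sidmap.pl pairs each rule's msg with its sid to produce sid-msg.map (re-implemented here in Python rather than the real Perl script); unified2 records carry only gid:sid, so a reader without the map can label an event only as e.g. 1:2133; and the Barnyard2 "waldo" bookmark is a byte offset into the unified2 file, so a reader that restarts resumes where it stopped instead of re-inserting events. The rule lines, the rule messages and the unified2 bytes are constructed for the example; the record layout is Snort's legacy 52-byte IPv4 IDS event (record type 7).

```python
# Added example (not the guide's, create-sidmap.pl's or Barnyard2's code): sid-msg.map
# generation, unified2 reading with a waldo offset, and gid:sid -> msg labelling.
# The rule lines and unified2 bytes below are constructed for this example.
import re
import struct

RULE_MSG = re.compile(r'msg:\s*"([^"]*)"')
RULE_SID = re.compile(r'\bsid:\s*(\d+)')
RULE_GID = re.compile(r'\bgid:\s*(\d+)')


def build_sid_msg_map(rules_text):
    """Return {(gid, sid): msg} for every active rule carrying both msg and sid."""
    mapping = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # a commented-out rule never fires, so it gets no entry
        msg, sid, gid = RULE_MSG.search(line), RULE_SID.search(line), RULE_GID.search(line)
        if msg and sid:
            mapping[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = msg.group(1)
    return mapping


def format_sid_msg_map(mapping):
    """Render the classic 'sid || msg' lines (gid 1 rules) that Barnyard2 reads."""
    return '\n'.join('%d || %s' % (sid, msg)
                     for (gid, sid), msg in sorted(mapping.items()) if gid == 1)


# unified2 framing: a (type, length) header, then `length` bytes of body, all in
# network byte order.  Type 7 is the legacy IPv4 IDS event (Unified2IDSEvent_legacy).
UNIFIED2_IDS_EVENT = 7
RECORD_HDR = struct.Struct('!II')
IDS_EVENT = struct.Struct('!' + 'I' * 11 + 'HHBBBB')  # 52 bytes


def ipv4(n):
    return '.'.join(str((n >> s) & 0xff) for s in (24, 16, 8, 0))


def ip2int(s):
    a, b, c, d = (int(x) for x in s.split('.'))
    return (a << 24) | (b << 16) | (c << 8) | d


def read_unified2_events(data, waldo_offset=0):
    """Parse IDS events from `data` starting at the waldo offset.

    Returns (events, new_offset).  new_offset is what a Barnyard2-like reader writes
    back to its waldo file.  A record whose body is incomplete (Snort may still be
    writing it) is left for the next pass, so the offset never lands inside a record.
    Records of other types are skipped by their declared length.
    """
    events, pos = [], waldo_offset
    while pos + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, pos)
        body = pos + RECORD_HDR.size
        if body + rlen > len(data):
            break
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(data, body)
            events.append({'event_id': f[1], 'event_second': f[2], 'sid': f[4],
                           'gid': f[5], 'rev': f[6], 'priority': f[8],
                           'src': ipv4(f[9]), 'dst': ipv4(f[10]),
                           'sport': f[11], 'dport': f[12], 'proto': f[13]})
        pos = body + rlen
    return events, pos


def event_name(event, mapping):
    """The label stored for the event: the rule msg, or bare gid:sid when unmapped."""
    return mapping.get((event['gid'], event['sid']),
                       '%d:%d' % (event['gid'], event['sid']))


# Constructed sample rules: two live rules and one commented-out rule.
SAMPLE_RULES = '''
alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED-RULE ICMP echo"; sid:384; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED-RULE SMB request"; sid:2133; rev:12;)
# alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED-RULE disabled"; sid:999999; rev:1;)
'''


def make_event(event_id, sid, src, dst, sport, dport, proto):
    body = IDS_EVENT.pack(1, event_id, 1381234352, 131826, sid, 1, 1, 3, 1,
                          ip2int(src), ip2int(dst), sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed unified2 log: three events; the last sid has no rule on disk.
SAMPLE_LOG = (make_event(1, 384, '10.0.0.29', '192.168.1.10', 0, 0, 1)
              + make_event(2, 2133, '10.0.0.29', '192.168.1.10', 1068, 445, 6)
              + make_event(3, 424242, '10.0.0.29', '192.168.1.10', 1069, 80, 6))


def demo(waldo_offset=0):
    """Names of the events found after `waldo_offset`, plus the offset to save."""
    mapping = build_sid_msg_map(SAMPLE_RULES)
    events, new_offset = read_unified2_events(SAMPLE_LOG, waldo_offset)
    return [event_name(e, mapping) for e in events], new_offset


if __name__ == '__main__':
    print(format_sid_msg_map(build_sid_msg_map(SAMPLE_RULES)))
    names, offset = demo()
    print(names, offset)   # the unmapped event shows as '1:424242'
    print(demo(offset))    # resuming from the saved waldo offset: nothing new
```

Running it shows the effect the guide warns about: the event whose sid is not in the map is labelled '1:424242', exactly the gid:sid display that a stale sid-msg.map produces in the database, and a second pass from the saved offset inserts nothing twice.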

Configuring the Snort Detection Engine

At the CMD prompt type 'type NUL > d:\winids\snort\rules\white_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'type NUL > d:\winids\snort\rules\black_list.rules' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap the 'Enter' key.

Use Find in Notepad2 to locate and change the variables below.

The home network variable below defines the network you wish to monitor, like the local LAN segment for instance. It is set by specifying one or more networks in the form of a CIDR [4].

The IP address below is fictitious and must be changed to the correct IP address and CIDR that reflects the actual network that the Windows Intrusion Detection System (WinIDS) will be monitoring.

Original Line(s): ipvar HOME_NET any
Change to: ipvar HOME_NET 192.168.1.0/24

In the above HOME_NET example, the Windows Intrusion Detection System (WinIDS) will monitor addresses 192.168.1.1 - 192.168.1.254. It is important to specify the correct range of internal network addresses that the Windows Intrusion Detection System (WinIDS) will need to monitor.
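The following is an added example, not code from this guide or from Snort, for checking an 'ipvar HOME_NET' line before Snort is started against it. Snort's ipvar value is 'any', a single address, a CIDR block, or a bracketed comma-separated list in which a leading '!' excludes an entry; the parser below handles those forms (it assumes no spaces inside the brackets) and reports, as the guide does, the first and last usable host of each block. The shipped default 'any' makes every address part of HOME_NET, so a rule written as $EXTERNAL_NET -> $HOME_NET loses its sense of direction; the is_home() check makes that visible. Only the guide's own '192.168.1.0/24' line comes from the page; the other sample lines are constructed.

```python
# Added example (not the guide's or Snort's code): parse snort.conf 'ipvar' lines and
# report what they cover.  Sample lines other than the guide's /24 are constructed.
import ipaddress
import re

IPVAR_LINE = re.compile(r'^\s*ipvar\s+(\w+)\s+(\S+)\s*$')  # assumes no spaces inside [ ]


def parse_ipvar(line):
    """Return (name, included, excluded); included is None for the special value 'any'."""
    m = IPVAR_LINE.match(line)
    if not m:
        raise ValueError('not an ipvar line: %r' % line)
    name, value = m.group(1), m.group(2)
    if value.lower() == 'any':
        return name, None, []
    included, excluded = [], []
    for item in value.strip('[]').split(','):
        item = item.strip()
        if not item:
            continue
        bucket = excluded if item.startswith('!') else included
        # strict=False tolerates host bits in the address part, e.g. 192.168.1.5/24
        bucket.append(ipaddress.ip_network(item.lstrip('!'), strict=False))
    return name, included, excluded


def usable_range(net):
    """First and last usable host; /31 and /32 reserve no network/broadcast address."""
    if net.num_addresses <= 2:
        return net.network_address, net.broadcast_address
    return net.network_address + 1, net.broadcast_address - 1


def monitored_ranges(line):
    """Host ranges as the guide phrases them: 192.168.1.0/24 -> '192.168.1.1 - 192.168.1.254'."""
    _, included, _ = parse_ipvar(line)
    if included is None:
        return ['any']
    return ['%s - %s' % usable_range(net) for net in included]


def is_home(addr, line):
    """Would Snort treat `addr` as part of the variable?  An exclusion always wins."""
    _, included, excluded = parse_ipvar(line)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    return included is None or any(ip in net for net in included)


DEFAULT_LINE = 'ipvar HOME_NET any'                # as shipped in snort.conf
GUIDE_LINE = 'ipvar HOME_NET 192.168.1.0/24'       # the guide's replacement value
LIST_LINE = 'ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8,!10.0.5.0/24]'  # constructed

if __name__ == '__main__':
    for line in (DEFAULT_LINE, GUIDE_LINE, LIST_LINE):
        print(line, '->', monitored_ranges(line))
    # With the default 'any', even a public address counts as "home".
    print(is_home('8.8.8.8', DEFAULT_LINE), is_home('8.8.8.8', GUIDE_LINE))  # True False
    print(is_home('10.0.6.7', LIST_LINE), is_home('10.0.5.7', LIST_LINE))    # True False
```

The list form is what to reach for when the sensor watches more than one internal segment; listing them all, and excluding anything that should count as external, keeps HOME_NET narrow so rules keyed on direction keep their meaning.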

Original Line(s): var RULE_PATH ../rules
Change to: var RULE_PATH d:\winids\snort\rules

Original Line(s): var SO_RULE_PATH ../so_rules
Change to: # var SO_RULE_PATH ../so_rules

Original Line(s): var PREPROC_RULE_PATH ../preproc_rules
Change to: var PREPROC_RULE_PATH d:\winids\snort\preproc_rules

Original Line(s): var WHITE_LIST_PATH ../rules
Change to: var WHITE_LIST_PATH d:\winids\snort\rules

Original Line(s): var BLACK_LIST_PATH ../rules
Change to: var BLACK_LIST_PATH d:\winids\snort\rules

Original Line(s): dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Change to: dynamicpreprocessor directory d:\winids\snort\lib\snort_dynamicpreprocessor

Original Line(s): dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
Change to: dynamicengine d:\winids\snort\lib\snort_dynamicengine\sf_engine.dll

Original Line(s): dynamicdetection directory /usr/local/lib/snort_dynamicrules
Change to: # dynamicdetection directory /usr/local/lib/snort_dynamicrules

Original Line(s):
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

Change to:
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

Original Line(s): # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Change to: preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

Original Line(s): include classification.config
Change to: include d:\winids\snort\etc\classification.config

Original Line(s): include reference.config
Change to: include d:\winids\snort\etc\reference.config

Original Line(s):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Change to:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules

Original Line(s): include threshold.conf
Change to: include d:\winids\snort\etc\threshold.conf

Save the file, and exit Notepad2.


Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the

outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the

'-ix' switch. This will start Snort in self-test mode for configuration and rule file testing.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.

Snort successfully validated the configuration!Snort exiting

Do not proceed until 'Snort successfully validated the configuration!'

Configuring PHP

At the CMD prompt type 'copy d:\winids\php\php.ini-production d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'notepad2 d:\winids\php\php.ini' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s): max_execution_time = 30

Change to: max_execution_time = 60

Original Line(s): error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Change to: ; error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Original Line(s): ;include_path = ".;c:\php\includes"

Change to: include_path = "d:\winids\php;d:\winids\php\pear"

Original Line(s): ; extension_dir = "ext"

Change to: extension_dir = "d:\winids\php\ext"

Original Line(s): ; cgi.force_redirect = 1

Change to: cgi.force_redirect = 0

Original Line(s): ; extension=php_gd2.dll

Change to: extension=php_gd2.dll

Original Line(s): ; extension=php_mysql.dll

Change to: extension=php_mysql.dll

Original Line(s): ;date.timezone =

Change to: date.timezone = America/New_York

In the above date.timezone setting, America/New_York is only the default. Inserting the correct Timezone setting where the Windows Intrusion Detection System (WinIDS) will be located is essential. Check out the PHP website for the List of Supported Timezones [5].

Original Line(s): ;session.save_path = "/tmp"

Change to: session.save_path = "c:\windows\temp"

Save the file, and eXit Notepad2.


Configuring Internet Information Services for PHP

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key.

The 'Internet Information Services (IIS) Manager' opens, in the left pane under 'Connections' expand servername.

If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...' left-click 'No'.

Under 'Connections' expand Sites, left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Handler Mappings', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add Script Map...', in the 'Request Path:' dialog box type '*.php' (less the outside quotes), in the 'Executable:' dialog box type 'd:\winids\php\php-cgi.exe' (less the outside quotes), in the 'Name:' dialog box type 'PHP' (less the outside quotes), left-click 'OK', the 'Add Script Map' notification message appears and left-click 'Yes'.

In the 'Handler Mappings' under the 'Enabled' section there will be a new 'PHP' entry in the 'Name' column, highlight and right-click 'PHP', left-click 'Edit...', and verify all three dialog box settings match what was entered above, left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager'.

Do not proceed until the 'Handler Mappings' for PHP have been set correctly!

At the CMD prompt type 'iisreset /restart' (less the outside quotes), and tap the 'Enter' key.

Testing Internet Information Services, and the PHP installation

Open a CMD window and type 'copy d:\temp\test.php d:\winids\inetpub\wwwroot' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

Open a web-browser and type 'http://winids/test.php' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

Several sections of information concerning the status and install of PHP should be displayed.

In the first section of information make SURE that the item labeled 'Loaded Configuration File' is pointing to 'd:\winids\php\php.ini' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'extension_dir' is pointing to 'd:\winids\php\ext' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

In the section labeled 'Configuration - PHP Core' (less the outside quotes) make SURE that the item labeled 'include_path' is pointing to 'd:\winids\php\pear' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

In the section labeled 'session' (less the outside quotes) make SURE that the item labeled 'session.save_path' is pointing to 'c:\windows\temp' (less the outside quotes) in columns 'Local Values' (less the outside quotes) and 'Master Values' (less the outside quotes).

Do not proceed until all the above paths are correct!

eXit the web-browser.

At the CMD prompt type 'del d:\winids\inetpub\wwwroot\test.php' (less the outside quotes), and tap the 'Enter' key.


Adding Snort to the Windows Services Database

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes) and tap the 'Enter' key.

At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' in the '-ix' switch.

The following is a confirmation that the Snort service was successfully added to the Windows Services Database.

[SNORT_SERVICE] Attempting to install the Snort service.

[SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE

[SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\

[SNORT_SERVICE] Successfully added the Snort service to the Windows Services Database.

Do not proceed until the Snort service has been successfully added to the Windows Services Database.

At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following is a confirmation that the Snort auto-start service has been successfully activated.

[SC] ChangeServiceConfig SUCCESS

Do not proceed until the Snort auto-start service has been SUCCESSfully activated.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

Configuring the MySQL Database Server

Creating the Windows Intrusion Detection System Databases

Open a CMD window and type 'mysql -u root -p' (less the outside quotes) and tap the 'Enter' key.

At the password prompt type 'd1ngd0ng' (less the outside quotes) and tap the 'Enter' key.

You will be dropped into the MySQL administration console CMD prompt.

At the mysql CMD prompt type 'create database snort;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK...' and drop back to the mysql prompt.

At the mysql CMD prompt type 'create database archive;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK...' and drop back to the mysql prompt.

At the mysql CMD prompt type 'show databases;' (less the outside quotes), and tap the 'Enter' key.


There should be several databases listed, 'information_schema', 'archive', 'mysql', and 'snort'.

Creating the Windows Intrusion Detection System Database Tables

At the mysql CMD prompt type 'connect snort;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Current database: snort' and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:/winids/barnyard2/schemas/create_mysql' (less the outside quotes), and tap the 'Enter' key.

It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'connect archive;' (less the outside quotes), and tap the 'Enter' key.

It will display 'Current database: archive' and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:/winids/barnyard2/schemas/create_mysql' (less the outside quotes), and tap the 'Enter' key.

It will display multiple 'Query OK, 1 rows affected (0.0? sec)' entries and drop back to the mysql prompt.

At the mysql CMD prompt type 'source d:\winids\inetpub\wwwroot\base\sql\create_base_tbls_mysql.sql' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show 'Records: 4 Duplicates: 0 Warnings: 0' (less the outside quotes), and drop back to the mysql prompt.

At the mysql CMD prompt type 'show tables;' (less the outside quotes), and tap the 'Enter' key.

The last entry to the screen should show '22 rows in set (0.00 sec)' (less the outside quotes), and drop back to the mysql prompt.

Creating the Windows Intrusion Detection System Database Access, and Authenticated Users

At the mysql CMD prompt type 'set password for root@localhost = password('d1ngd0ng');' (less the outside quotes), and tap the 'Enter' key.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort identified by 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE on snort.* to snort@localhost identified by 'l0gg3r';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on snort.* to base@localhost identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'grant INSERT,SELECT,UPDATE,DELETE,CREATE on archive.* to base@localhost identified by 'an@l1st';' (less the outside quotes), and tap the 'Enter' key.

It will display 'Query OK' and drop back to the mysql prompt.

At the mysql CMD prompt type 'use mysql;' (less the outside quotes), and tap the 'Enter' key.

At the mysql CMD prompt type 'select * from user;' (less the outside quotes), and tap the 'Enter' key.

There should be several users listed, 'root', 'snort', 'snort', 'base', and 'base'.

At the mysql CMD prompt type 'quit;' (less the outside quotes), and tap the 'Enter' key.

Confirming MySQL and Snort are operational

At the CMD prompt type 'net stop mysql55 & net start mysql55' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'taskmgr.exe' (less the outside quotes), and tap the 'Enter' key.

The 'Windows Task Manager' starts, left-click the 'Processes' tab, in the 'Image name' category there should be a 'snort.exe', and 'mysqld.exe' listed as a process.

Do not proceed until the processes above are running!

eXit the 'Task Manager'.

Configuring the Windows Intrusion Detection Systems (WinIDS) Security Console

At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\base_conf.php.dist d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'tartool d:\temp\opensource.gz d:\winids\inetpub\wwwroot\base\signatures' (less the outside quotes), and tap the 'Enter' key.


The above command may take a few minutes to complete, as it is moving several thousand files.

At the CMD prompt type 'notepad2 d:\winids\inetpub\wwwroot\base\base_conf.php' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s): $BASE_urlpath = '';

Change to: $BASE_urlpath = 'http://winids';

Original Line(s): $DBlib_path = '';

Change to: $DBlib_path = 'd:\winids\adodb5';

Original Line(s): $DBtype = '?????';

Change to: $DBtype = 'mysql';

Original Line(s):

$alert_dbname = 'snort_log';

$alert_host = 'localhost';

$alert_port = '';

$alert_user = 'snort';

$alert_password = 'mypassword';

Change to:

$alert_dbname = 'snort';

$alert_host = 'winids';

$alert_port = '';

$alert_user = 'base';

$alert_password = 'an@l1st';

Original Line(s):

$archive_exists = 0; # Set this to 1 if you have an archive DB

$archive_dbname = 'snort_archive';

$archive_host = 'localhost';

$archive_port = '';

$archive_user = 'snort';

$archive_password = 'mypassword';

Change to:

$archive_exists = 1; # Set this to 1 if you have an archive DB

$archive_dbname = 'archive';

$archive_host = 'winids';

$archive_port = '';

$archive_user = 'base';

$archive_password = 'an@l1st';

Original Line(s): $show_rows = 48;

Change to: $show_rows = 90;

Original Line(s): $show_expanded_query = 0;

Change to: $show_expanded_query = 1;

Original Line(s): $colored_alerts = 0;

Change to: $colored_alerts = 1;

Original Line(s): $priority_colors = array ('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');

Change to: $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');


Original Line(s): // $graph_font_name = "Verdana";

Change to: $graph_font_name = "Verdana";

Original Line(s): $graph_font_name = "DejaVuSans";

Change to: // $graph_font_name = "DejaVuSans";

Original Line(s): //$Geo_IPfree_file_ascii = "/var/www/html/ips-ascii.txt";

Change to: $Geo_IPfree_file_ascii = "d:\winids\inetpub\wwwroot\base\ips-ascii.txt";

Save the file, and eXit Notepad2.

Configuring Graphing for the Windows Intrusion Detection Systems (WinIDS) Security Console

Open a CMD window and type 'copy d:\temp\go-pear.phar d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

Should display '1 file(s) copied.', and return to the CMD prompt.

At the CMD prompt type 'cd /d d:\winids\php' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'php go-pear.phar' (less the outside quotes), and tap the 'Enter' key.

At the next prompt tap the 'Enter' key to install 'System-Wide' PEAR.

At the next prompt tap the 'Enter' key.

At the 'Press any key to continue . . .', press any key to exit back to the CMD prompt.

At the CMD prompt type 'pear install Image_Color-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Image_Color-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Image_Canvas-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Image_Canvas-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Image_Graph-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Image_Graph-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Log-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Log-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Math_BigInteger-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Math...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Numbers_Roman-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Numbers_Roman-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Numbers_Words-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Numbers_Words-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Mail-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Mail-...' prior to dropping back to the CMD prompt.

At the CMD prompt type 'pear install Mail_Mime-alpha' (less the outside quotes), and tap the 'Enter' key.

A successful install will display 'install ok: channel://pear.php.net/Mail_Mime-...' prior to dropping back to the CMD prompt.


At the CMD prompt type 'copy d:\winids\inetpub\wwwroot\base\world_map6.* d:\winids\php\pear\image\graph\images\maps' (less the outside quotes), and tap the 'Enter' key.

Should display '2 file(s) copied.', and return to the CMD prompt.

Configuring IIS for the Windows Intrusion Detection Security Console

At the CMD prompt type 'c:\windows\system32\inetsrv\iis.msc' (less the outside quotes), and tap the 'Enter' key.

The 'Internet Information Services (IIS) Manager' opens, in the left pane under 'Connections' expand servername.

If the 'Internet Information Services (IIS) Manager' appears asking 'Do you want to get started with...' left-click 'No'.

Under servername left-click 'Default Web Site', in the center pane under 'IIS' left-click 'Default Document', under 'Actions' left-click 'Open Feature', under 'Actions' left-click 'Add...', the 'Add Default Document' applet appears, in the 'Name:' dialog box type 'base_main.php' (less the outside quotes), left-click 'OK'.

In the 'Default Document' under the 'Name' column 'base_main.php' (less the outside quotes) should be listed at the very top, and the 'Entry Type' should be 'Local'.

Under 'Connections' right-click 'Default Web Site', highlight 'Manage Web Site', highlight and left-click 'Advanced Settings', in the 'Advanced Settings' applet under (General) left-click 'Physical Path', in the dialog box to the right of 'Physical Path' type 'd:\winids\inetpub\wwwroot\base' (less the outside quotes), left-click 'OK', and eXit the 'Internet Information Services (IIS) Manager' applet.

Configuring Barnyard2

At the CMD prompt type 'notepad2 d:\winids\barnyard2\etc\barnyard2.conf' (less the outside quotes), and tap the 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.

Original Line(s):

config reference_file: /etc/snort/reference.config

config classification_file: /etc/snort/classification.config

config gen_file: /etc/snort/gen-msg.map

config sid_file: /etc/snort/sid-msg.map

Change to:

config reference_file: d:\winids\snort\etc\reference.config

config classification_file: d:\winids\snort\etc\classification.config

config gen_file: d:\winids\snort\etc\gen-msg.map

config sid_file: d:\winids\snort\etc\sid-msg.map

Original Line(s): # config event_cache_size: 4096

Change to: config event_cache_size: 32768

Original Line(s): # output database: log, mysql, user=root password=test dbname=db host=localhost

Change to: output database: log, mysql, user=snort password=l0gg3r dbname=snort host=winids sensor_name=WinIDS-Home

Save the file, and eXit Notepad2.
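Barnyard2's job in this setup is to read the unified2 records Snort writes to 'merged.log' (the 'output unified2' line set earlier in snort.conf) and insert them into the 'snort' database named in the 'output database' line above. The Python script below is an added example, not part of this guide or of Barnyard2: it decodes the two unified2 record types that carry an alert and the packet that triggered it, using the record layout from Snort's Unified2_common.h, and builds a constructed two-record sample in memory so it runs without a sensor. Reading a file Snort is still appending to is the one edge case it handles: a partial trailing record is left unread rather than reported as corruption.

```python
import socket
import struct

# Record types from Snort's Unified2_common.h: the alert and the packet that
# triggered it, which Barnyard2 turns into rows of the 'snort' database.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct("!II")          # every record: type, length (big-endian uint32)
IDS_EVENT = struct.Struct("!11I2H4B")  # IPv4 event: 11 x u32, 2 x u16, 4 x u8 = 52 bytes
PACKET = struct.Struct("!7I")          # packet header: 7 x u32, then packet_length bytes

IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
    "impact_flag", "impact", "blocked",
)
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def parse_ids_event(payload):
    """Decode a type-7 record, rendering the uint32 addresses as dotted quads."""
    rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(payload)))
    rec["ip_source"] = socket.inet_ntoa(payload[36:40])
    rec["ip_destination"] = socket.inet_ntoa(payload[40:44])
    return rec


def parse_packet(payload):
    """Decode a type-2 record and check the packet bytes are all present."""
    rec = dict(zip(PACKET_FIELDS, PACKET.unpack_from(payload)))
    data = payload[PACKET.size:PACKET.size + rec["packet_length"]]
    if len(data) != rec["packet_length"]:
        raise ValueError("packet record shorter than its packet_length field")
    rec["packet_data"] = data
    return rec


def iter_records(buf):
    """Yield (type, record) for every complete record in buf."""
    offset = 0
    while offset + HEADER.size <= len(buf):
        rtype, length = HEADER.unpack_from(buf, offset)
        start, end = offset + HEADER.size, offset + HEADER.size + length
        if end > len(buf):
            break  # partial trailing record: Snort may still be writing it
        payload = buf[start:end]
        if rtype == UNIFIED2_IDS_EVENT:
            yield rtype, parse_ids_event(payload)
        elif rtype == UNIFIED2_PACKET:
            yield rtype, parse_packet(payload)
        else:
            yield rtype, {"raw": payload}  # IPv6 events, extra data: passed through
        offset = end


def correlate(buf):
    """Group packets under their alert by (sensor_id, event_id), the join Barnyard2
    performs before inserting: a packet record carries no signature of its own."""
    events = {}
    for rtype, rec in iter_records(buf):
        key = (rec.get("sensor_id"), rec.get("event_id"))
        if rtype == UNIFIED2_IDS_EVENT:
            events[key] = {"event": rec, "packets": []}
        elif rtype == UNIFIED2_PACKET and key in events:
            events[key]["packets"].append(rec)
    return events


def build_sample():
    """Constructed sample: one IPv4 alert plus its packet, as Snort appends them."""
    event = IDS_EVENT.pack(
        1, 42, 1369065600, 123456,  # sensor_id, event_id, event time (s, us)
        1000001, 1, 2, 3, 2,        # signature_id, generator_id, revision, class, priority
        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
        int.from_bytes(socket.inet_aton("198.51.100.7"), "big"),
        40000, 80, 6, 0, 0, 0,      # sport, dport, protocol TCP, impact_flag, impact, blocked
    )
    data = b"GET /test.php HTTP/1.0\r\n\r\n"  # constructed payload, not a real capture
    packet = PACKET.pack(1, 42, 1369065600, 1369065600, 123400, 1, len(data)) + data
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)
```

To inspect a real spool, read 'd:\winids\snort\log\merged.log.<timestamp>' as bytes and pass it to correlate(); the (generator_id, signature_id) pair is what Barnyard2 resolves through the sid-msg.map and gen-msg.map files configured above.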

Testing the Barnyard2 configuration file


At the CMD prompt type 'd:\winids\activators\by2-test' (less the outside quotes), and tap the 'Enter' key.

Running the above batch file will cause Barnyard2 to start up in self-test mode, checking all the supplied command line switches that are passed to it and indicating that everything is ready to proceed.

If all the tests are passed, the following is a confirmation that the Barnyard2 configuration file is good.

Barnyard2 successfully loaded configuration file!

Snort exiting

database: Closing connection to database "snort"

Do not proceed until Barnyard2 has successfully loaded the configuration file, eXited Snort, and closed the connection to the database!

Adding Barnyard2 to auto-run on user login

At the CMD window type 'd:\temp\auto-local-barnyard2.reg' (less the outside quotes), and tap the 'Enter' key.

The 'auto-barnyard.reg' file contains the run line for Barnyard2.

The Registry Editor selection box opens and asks 'Are you sure you want to add...', left-click 'Yes', and at the next input selection left-click 'OK'.

At the CMD prompt type 'shutdown /r /t 10' (less the outside quotes), and tap the 'Enter' key to reboot.

When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar.

Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database.

Starting the Windows Intrusion Detection Systems (WinIDS) Security Console

After the reboot open a web-browser and type 'http://winids' (less the outside quotes) into the URL Address box, and tap the 'Enter' key.

It may take a little while to start seeing events in the Windows Intrusion Detection Systems (WinIDS) Security Console. If no events start to show up in a reasonable length of time, come visit the forums for help on manually generating events.

In Conclusion

Congratulations, you have just completed setting up your first complete Windows Intrusion Detection System (WinIDS), and I hope this guided install has been of great assistance.

At this point you are done with this guided install, events should be arriving into the database, and you should be seeing events in the local Windows Intrusion Detection Systems (WinIDS) Security Console. I encourage you to perform some post-installation tasks needed to get a fully production-ready 'Windows Intrusion Detection System (WinIDS)'.

This includes:

Tuning your rules and preprocessors.

Tuning Snort thresholds and limit values.

Adding user authentication to the Windows Intrusion Detection Systems (WinIDS) Security Console.

Securing your host (Maybe changing the default database user access, disabling unneeded services, etc.).

Configuring a system, such as PulledPork, to auto-update the Windows Intrusion Detection Systems (WinIDS) rules and signatures.


Security Issues

Let's review what has happened so far:

All support programs, including 'IIS 7.5/8', have been installed to a separate partition, which closed a multitude of security holes.

The Windows Intrusion Detection Systems (WinIDS) Security Console can ONLY be accessed locally.

Optional Companion Documents

Be SURE to check out the other 'Companion Documents' located in the WinIDS Guided Installs area of 'WINSNORT.com' to enhance your Windows Intrusion Detection System (WinIDS).

Manually updating the rules, signatures, and sig-msg.map file [6]

This guided install will show how to manually update the rules, signatures, and the 'sig-msg.map' file on an existing Windows Intrusion Detection System (WinIDS).

Automatically updating the rules, signatures, and sig-msg.map file using PulledPork

This guided install will show how to automatically update the rules, signatures, and the 'sig-msg.map' file using PulledPork on an existing Windows Intrusion Detection System (WinIDS).

Installing an eMail alerting client (EventWatchNT) [7]

This guided install will show how to have user-defined priority events that are written to a Windows Application Log file eMailed to user-defined eMail accounts, on an existing Windows Intrusion Detection System (WinIDS).

Sending events to a remote Unix Syslog Server [8]

This guided install will show how to configure Snort to send events to a remote UNIX syslog server, on an existing Windows Intrusion Detection System (WinIDS).

Installing MySQL Tools as an add-in to a MySQL enabled Windows Intrusion Detection System (WinIDS) [9]

This guided install will show how to install the 'MySQL System Tray Monitor' as a service to monitor the condition of the MySQL database in real time, on an existing Windows Intrusion Detection System (WinIDS). This will allow starting and stopping of the database. The 'MySQL System Tray Monitor' has two tools associated with it that can be accessed directly from the 'MySQL System Tray Monitor'. These tools will allow editing, maintaining, and repairing of the MySQL database. Use extreme caution using these tools.

Compiling Barnyard2 on Windows using Cygwin [10]

This guided install will show how to manually or automatically compile your very own copy of Barnyard2 on any modern Windows system.

Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Application log.

General problems

Please visit the support forums [11] if you have problems.

Places of interest

Websites:

Snort Home Page [12]

Snort FAQ [13]

Snort Users Manual [14]

Official Snort Blog Site [15]

Snort-users list archive [16]

Snort.conf Configurations [17]

PulledPork and Flowbits [18]

Users Mailing Lists:

Barnyard2-users [19]

pulledpork-users [20]

Snort-announce [21]

Snort-users [22]

Snort-sigs [23]

Snort-devel [24]

Support Programs:

BASE Home Page [25]

Barnyard2 Home Page [26]

MySQL Home Page [27]

PostgreSQL Home Page [28]

PulledPork Home Page [29]

MySQL Tools [30]

PHP Home Page [31]

ADODB Home Page [32]

WinPcap Home Page [33]

Apache2 Home Page [34]

Security tools and info:

XP Security Checklist [35]

NSA Securing XP [36]

Michael E. Steele | Microsoft Certified System Engineer (MCSE)

Email Me: : [email protected] [37]

Our Support Forums - www.winsnort.com [38]

Snort: Open Source Network IDS - www.snort.org [39]

Links

1. http://winsnort.com/index.php?module=PNphpbb2

2. http://www.winsnort.com/

3. http://www.microsoft.com/technet/security/tools/mbsahome.mspx

4. http://www.subnet-calculator.com/cidr.php

5. http://php.net/timezones

6. http://winsnort.com/index.php?module=Pages&func=display&pageid=51

7. http://winsnort.com/index.php?module=Pages&func=display&pageid=52

8. http://winsnort.com/index.php?module=Pages&func=display&pageid=21

9. http://winsnort.com/index.php?module=Pages&func=display&pageid=2

10. http://winsnort.com/index.php?module=Pages&func=display&pageid=50

11. http://winsnort.com/index.php?module=PNphpbb2

12. http://www.snort.org/

13. http://www.snort.org/docs/faq.html

14. http://www.snort.org/docs/writing_rules/

15. http://blog.snort.org/

16. http://www.geocrawler.com/redir-sf.php3?list=snort-users

17. http://winsnort.com/https://www.snort.org/vrt/snort-conf-configurations/

18. http://blog.snort.org/2012/01/importance-of-pulledpork.html

19. http://winsnort.com/https://groups.google.com/forum/#!forum/barnyard2-users

20. http://groups.google.com/group/pulledpork-users

21. http://lists.sourceforge.net/mailman/listinfo/snort-announce

22. http://lists.sourceforge.net/mailman/listinfo/snort-users

23. http://lists.sourceforge.net/mailman/listinfo/snort-sigs

24. http://lists.sourceforge.net/mailman/listinfo/snort-devel

25. http://sourceforge.net/projects/secureideas/

26. http://winsnort.com/https://github.com/firnsy/barnyard2

27. http://www.mysql.com/

28. http://www.postgresql.org/

29. http://code.google.com/p/pulledpork/

30. http://dev.mysql.com/downloads/administrator/1.0.html

31. http://www.php.net

32. http://php.weblogs.com/adodb

33. http://winpcap.polito.it/

34. http://httpd.apache.org/download.cgi

35. http://www.labmice.net/articles/winxpsecuritychecklist.htm

36. http://nsa1.www.conxion.com/winxp/guides/wxp-1.pdf

37. http://winsnort.com/mailto:[email protected]?subject=General%20Support

38. http://winsnort.com/index.php?module=PNphpbb2

39. http://www.snort.org

40. http://winsnort.com/index.php?module=Pages&func=display&pageid=49&theme=Printer
