Procedure is simple:

• install backup server on another machine
• configure backup location
• stop the service
• copy all files from old server to new server in configured backup location
• copy C:\Document and Settings\All Users\Application Data\Acronis\Backup server dir to another server overwriting the another one
• start the service
• check if everything is ok with Management Console

The problem was that I didn’t received any .pcf file from admin, I got only group login and password (which I didn’t wrote down).

So after bit of searching on the disk I have found that Cisco VPN client is creating new .pcf file for every connection that you create in it. They are located in /private/etc/opt/cisco-vpnclient/Profiles directory and waiting to be exctracted. So to be able to obtain password from it do like this:

1. open file from that directory, file will have same name as Connection name in Cisco VPN Client
2. in the file find string enc_GroupPwd= and copy everything behind = sign
3. open this site and copy encrypted password there, click decode button and site will return decrypted group password
4. now you have password and you can create new connection on the another mac with details that you have on old one, host ip, group name, password, etc.

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Installation of Snort on Windows is pretty simple.

First, you need to download and install few things. For Snort to be able to act as sniffer and IDS it needs Windows Packet Capture Library which is WinPcap. The stable latest version on the site is 4.1.1 and you can download it here.

Now when we have WinPcap installed the next step will be to download Snort. The latest version for Windows is 2.8.5.1 and you can download it here. Installation shouldn’t be a problem, if you need IPv6 support and logging to Microsoft SQL or Oracle database then you need to select proper radio and check boxes and if don’t then just go next and next to the end and that’s it. Default installation directory is C:\Snort so remember it because it will be our working dir all the time.

So we have installed WinPcap and Snort but we are not finished with installation yet. We have one more thing to download and install. The Snort rules. These rules are those small files that tells Snort what it should search for in captured packages and how to identify them, as a threat, information disclosure or something else. For us to be able to download Snort rules we have to be registered on Snort site. Registration is free and rules are one month old for free users, for those who need the latest threats detected at the same moment when they are published to the community I suggest to buy VRT subscription so you will have the latest rules directly as they are announced. So now we will download snortrules-snapshot-2.8.tar.gz rules archive file.  When you open archive file you will get following structure:

Snort rules

Copy all four directories over those in C:\Snort replacing contents that already exists on the hard drive.

Now when we are done with easy part we need to configure Snort to run. Because these rules are written for unixoid systems we need to change some things in the main config file C:\Snort\etc\snort.conf so that Snort can start at all.

Here are the things that you need to edit to be able to run snort:

Find lines 269 and 270. These lines will not allow Snort to start, at least not on Windows because Snort detects the second one as double config detection line so we need to change this.

Change from this:

config detection: search-method ac-bnfa
config detection: max_queue_events 5

To this:

config detection: search-method ac-bnfa max_queue_events 5

Now, the next thing that we need to change is lines where we say to Snort where to find dynamic preprocessor files. On lines from 298 to 303 change this:

dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

To this:

dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll

Next thing to change is line 324 on which we have dynamic engine path, so change it from this:

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

To this:

dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

I don’t know why, maybe some mistake, but lines bellow should be commented out by default, but they were not so we have to comment them out. Because we are not VRT subscriber and don’t have any dynamic detection files we need to coment lines from 339 to 354, so change this:

dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

To this:

#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

Now we need to trim a bit SSH preprocessor to work on Windows as it is different from Linux one, so find line 753 and change this:

preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir

To this:

preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20

Now we are good to go. We can test snort easily from the command line. So now go on Start->Run and type cmd following by enter key. Now in command prompt type following commands:

c: and then enter key

cd c:\snort\bin and then enter key

snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii and then enter key

So now we have entered Snort directory and started Snort on command line. You will first see Snort starting and parsing config file snort.conf and then you will see lot of output when Snort start sniffing and controlling packages on the network. If it finds any package that is not regular network traffic it will save info about it in c:\Snort\Log\alert.ids file. Simple output of one captured packet looks like this:

[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0×0 ID:5399 IpLen:20 DgmLen:79
Len: 51

Now to explain what we have here. The first line says what type of attack is it, the second line says what classification is it and what priority does it have, and the last three lines are data about the attack, attacker IP, your IP, destination and source ports and so on.

snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii

The program is called Mirror and is written by Dominik Jain and you can download it here. The latest version is 1.43.

It works very simple like it should, you enter source and destinations dir and that’s it. If you want only to test it w/o any actions taken just add -d (d for demonstration).

Of course it has possibility to enter file mask or regular expressions as well and it’s only 172kb in size.

On his site you can find few more tools and utils that he wrote.

Here is the backup link just in case Mirror 1.43 (19).

1. open notepad
2. write this line in it Forfiles -p “c:\temp” -s -m *.log -d -14 -c “Cmd /C del @FILE”
3. save file and then change it extension from .txt to .bat

So here we have batch file created that will do following:

• find all .log files in c:\temp path
• older than 14 days
• and delete them

Here is small explanation of the command line:

• -p “full path” is used to specify exact path to the destination dir, it can be c:\ or c:\temp
• -s says to forfiles that it will go recursive into subdirs
• -m *.ext creates filter for files of the .ext extension, it can be *.* as well
• -d 7 says to forfiles to filter files from output above to match current date minus number of days
• -c “command” executes command on files that are returned from output of forfiles command
• cmd /c command is saying to cmd that is command prompt to execute command and terminate itself

Now to test this batch file you can delete or comment out command part so you will get output from forfiles only without deleting of the files. Also you can use move command instead of del to move logfiles to another location.

If everything works like it should open Start->Control panel->Scheduled tasks and create new task to executes every day or in any time frame that you want.