Posts Tagged ‘windows’

Failed to initialize dynamic preprocessor: SF_SDF (IPV6) version 1.1.1

Friday, April 30th, 2010

Today I tried to update my Snort and its rules, and when testing I got this error message because IPv6 was not enabled on my computer.

The fix is simple: delete the sf_sdf.dll file from C:\Snort\lib\snort_dynamicpreprocessor and start Snort again. Be aware that sf_sdf.dll is the Sensitive Data preprocessor that arrived with 2.8.6, so removing it also removes that detection; if you would rather keep it, reinstall Snort with IPv6 support selected in the installer instead.

Updating Snort is simple and can be described in a few steps, which work for a fresh install as well (the line numbers are those of the stock 2.8.6 snort.conf; search for the directive if they differ in your copy):

  • download Snort 2.8.6 from www.snort.org
  • download WinPcap 4.1.1 from www.winpcap.org
  • install both on the target machine
  • download the latest community rules from www.snort.org (you need to register and log in to download them)
  • extract the rules to C:\Snort, overwriting the existing files, and open snort.conf in the etc directory
  • find line 155 and replace it with: dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
  • replace line 158 with: dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
  • comment out line 161 if you don't have dynamic rules: #dynamicdetection directory /usr/local/lib/snort_dynamicrules
  • if you are not using IPv6, delete sf_sdf.dll from C:\Snort\lib\snort_dynamicpreprocessor to avoid the error above
  • start Snort from the command line to test it
  • install Snort as a service if the test is OK

How to install Snort Intrusion Detection System on Windows

Tuesday, December 22nd, 2009

First, a short explanation of what Snort is, from the official Snort website:

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Installation of Snort on Windows is pretty simple.

First, you need to download and install a few things. For Snort to act as a sniffer and IDS it needs the Windows packet capture library, WinPcap. The latest stable version on the site is 4.1.1 and you can download it here.

Now that WinPcap is installed, the next step is to download Snort. The latest version for Windows is 2.8.5.1 and you can download it here. Installation shouldn't be a problem: if you need IPv6 support or logging to a Microsoft SQL Server or Oracle database, select the appropriate radio buttons and check boxes; otherwise just click Next through to the end and that's it. The default installation directory is C:\Snort; remember it, because it will be our working directory throughout.

So we have installed WinPcap and Snort, but we are not finished yet. There is one more thing to download and install: the Snort rules. These rules are the small files that tell Snort what to look for in captured packets and how to classify a match, as a threat, an information disclosure or something else. To download the rules you have to be registered on the Snort site. Registration is free; free users get rules that are one month old, so if you need the latest threats detected the moment they are published I suggest buying a VRT subscription, which gives you the rules as soon as they are released. We now download the snortrules-snapshot-2.8.tar.gz rules archive. When you open the archive you will see the following structure:

(image: Snort rules archive structure)

Copy all four directories over those in C:\Snort, replacing the existing contents.

Now that the easy part is done we need to configure Snort so it will run. Because these rules, and the snort.conf that ships with them, are written for Unix-like systems, we need to change a few things in the main config file C:\Snort\etc\snort.conf before Snort will start at all.

Here is what you need to edit to be able to run Snort:

Find lines 269 and 270. As they stand they will not let Snort start, at least not on Windows, because Snort rejects the second one as a duplicate config detection line, so merge them into one.

Change from this:

config detection: search-method ac-bnfa
config detection: max_queue_events 5

To this:

config detection: search-method ac-bnfa max_queue_events 5

Next, change the lines that tell Snort where to find the dynamic preprocessor files. On lines 298 to 303 change this:

dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

To this:

dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll

The next thing to change is line 324, which holds the dynamic engine path, so change it from this:

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

To this:

dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

I don't know why, maybe it is a mistake, but the lines below should be commented out by default and they were not, so we have to comment them out. Because we are not VRT subscribers and don't have any dynamic detection files, we need to comment out lines 339 to 354, so change this:

dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

To this:

#dynamicdetection file /usr/local/lib/snort_dynamicrules/bad-traffic.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/chat.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/dos.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/imap.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/misc.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/multimedia.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/netbios.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/nntp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/p2p.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/smtp.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/sql.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-client.so
#dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so

Now we need to trim the SSH preprocessor configuration a bit to make it work on Windows, as the Windows build differs from the Linux one; find line 753 and change this:

preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20 \
disable_srvoverflow \
disable_protomismatch \
disable_badmsgdir

To this:

preprocessor ssh: server_ports { 22 } \
max_client_bytes 19600 \
max_encrypted_packets 20
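The hand edits above, and the shorter list in the update post higher on this page, are the same mechanical substitutions every time a rules tarball overwrites snort.conf. Here is an added example, not from the original post or from the Snort project, that applies them by pattern instead of by line number: it merges the doubled config detection lines, maps the Unix preprocessor and engine paths onto the C:\Snort\lib dll layout used above, comments out the dynamicdetection lines, strips the three disable_* options from the ssh preprocessor, and can also comment out sf_sdf.dll for a Snort build that cannot load it. The Windows paths and the libsf_<name>_preproc.so to sf_<name>.dll naming are taken from the post; the extra sf_dcerpc.dll line in the post's list is not generated, and the embedded snort.conf excerpt is constructed for the example, not the full file.

```python
"""Rewrite a Unix snort.conf for a Windows Snort install (added example)."""
import re
import sys

# Windows layout from the post (assumption: the default C:\Snort install directory)
WIN_PREPROC_DIR = r"C:\Snort\lib\snort_dynamicpreprocessor"
WIN_ENGINE = r"C:\Snort\lib\snort_dynamicengine\sf_engine.dll"

PREPROC_FILE_RE = re.compile(r"^dynamicpreprocessor\s+file\s+\S*/libsf_(\w+)_preproc\.so\s*$")
PREPROC_DIR_RE = re.compile(r"^dynamicpreprocessor\s+directory\s+\S+\s*$")
ENGINE_RE = re.compile(r"^dynamicengine\s+\S+\s*$")
DETECT_RE = re.compile(r"^dynamicdetection\s+")
CONFIG_DETECTION_RE = re.compile(r"^config\s+detection:\s*(.*?)\s*$")
SSH_RE = re.compile(r"^preprocessor\s+ssh:")
# ssh options the post removes for the Windows build
SSH_DROP = {"disable_srvoverflow", "disable_protomismatch", "disable_badmsgdir"}


def windowsize_snort_conf(text, skip_preprocs=()):
    """Return snort.conf text with the Windows edits applied.

    skip_preprocs: preprocessor names (e.g. "sdf") whose dll line is commented
    out instead of converted, for a Snort build that cannot load them.
    """
    lines = text.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        m = PREPROC_FILE_RE.match(line)
        if m:
            name = m.group(1)
            dll = f"dynamicpreprocessor file {WIN_PREPROC_DIR}\\sf_{name}.dll"
            out.append("#" + dll if name in skip_preprocs else dll)
        elif PREPROC_DIR_RE.match(line):
            out.append(f"dynamicpreprocessor directory {WIN_PREPROC_DIR}")
        elif ENGINE_RE.match(line):
            out.append(f"dynamicengine {WIN_ENGINE}")
        elif DETECT_RE.match(line):
            out.append("#" + line)  # no dynamic rules without a VRT subscription
        elif CONFIG_DETECTION_RE.match(line):
            # Snort rejects a second "config detection:" line; merge the run into one.
            opts = []
            while i < len(lines):
                m = CONFIG_DETECTION_RE.match(lines[i])
                if not m:
                    break
                opts.append(m.group(1))
                i += 1
            out.append("config detection: " + " ".join(opts))
            continue
        elif SSH_RE.match(line):
            # Gather the backslash-continued block, drop the unsupported options,
            # and re-emit it so the last kept option carries no trailing backslash.
            block = []
            while i < len(lines):
                cur = lines[i].rstrip()
                i += 1
                cont = cur.endswith("\\")
                block.append(cur[:-1].rstrip() if cont else cur)
                if not cont:
                    break
            kept = [b for b in block if b.strip() not in SSH_DROP]
            out.extend(b + " \\" for b in kept[:-1])
            out.append(kept[-1])
            continue
        else:
            out.append(line)
        i += 1
    return "\n".join(out) + "\n"


# Constructed excerpt of a stock 2.8.x snort.conf, not the whole file.
SAMPLE_CONF = """\
config detection: search-method ac-bnfa
config detection: max_queue_events 5
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/lib/snort_dynamicrules/web-misc.so
preprocessor ssh: server_ports { 22 } \\
                  max_client_bytes 19600 \\
                  max_encrypted_packets 20 \\
                  disable_srvoverflow \\
                  disable_protomismatch \\
                  disable_badmsgdir
preprocessor stream5_global: max_tcp 8192, track_tcp yes
"""

if __name__ == "__main__":
    # usage: python windowsize_snort_conf.py C:\Snort\etc\snort.conf > snort.conf.win
    src = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(src, encoding="utf-8", errors="replace").read() if src else SAMPLE_CONF
    sys.stdout.write(windowsize_snort_conf(text, skip_preprocs={"sdf"}))
```

Running the converted file through the function a second time changes nothing, so it is safe to re-run after every rules update; review the diff against the stock file before restarting the service.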

Now we are good to go and can test Snort from the command line. Go to Start->Run, type cmd and press Enter. In the command prompt type the following commands, each followed by Enter:

c:

cd c:\snort\bin

snort -v -c C:\snort\etc\snort.conf -l C:\snort\log -K ascii

We have now entered the Snort directory and started Snort from the command line. You will first see Snort start and parse snort.conf, and then a lot of output as Snort starts sniffing and inspecting packets on the network (-v prints every packet header to the console; drop it for a quieter test). Whenever a packet matches a rule, Snort writes an alert to c:\Snort\log\alert.ids. One alert looks like this:

[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:79
Len: 51

Now to explain what we have here. The first line gives the rule identifier in the form [generator:SID:revision] and the rule message describing the event; the second line gives its classification and priority; and the last three lines are the packet details: timestamp, source IP and port, destination IP and port, protocol, TTL and lengths.

An important part of this log is [Priority: 2], because it is what lets you separate real threats from noise. The priority comes from the rule's classtype (the mapping lives in etc\classification.config) and has three levels. Priority 3 is the lowest and usually means that someone is scanning your network. Priority 2 is a bit more serious: information disclosure, meaning someone has obtained information about the services you run, which is usually the first phase of any attack. Priority 1 is the most critical and usually means that right now someone is trying to exploit one of your services. That could mean you run an outdated version of some service, an unpatched IIS or Exchange server for example, and Snort has detected patterns in the packets sent to it that match a known exploit.
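The triage the paragraph above does by eye, reading the priority off each record, is easy to automate against alert.ids. Here is an added example, not from the original post or from the Snort project, that parses the full alert format shown above into records, sorts them by priority, and also counts alerts per source address so a single host tripping several rules stands out. The sample log is constructed: the first record is the DNS SPOOF alert from the post, the other two use SIDs from the local range (1000001 and up) and exist only for the example; their priorities follow the classification names as mapped in classification.config.

```python
"""Parse Snort 'full' alerts (alert.ids) and triage them by priority (added example)."""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]")
# timestamp, then "src[:port] -> dst[:port]"; ICMP records carry no ports
PACKET_RE = re.compile(
    r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|IP) TTL:(\d+)")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str = ""
    priority: int = 0          # 1 is most severe, 3 least; 0 if the rule has no classtype
    timestamp: str = ""
    proto: str = ""
    src: str = ""
    dst: str = ""
    sport: Optional[int] = None
    dport: Optional[int] = None
    ttl: Optional[int] = None


def parse_alerts(text: str) -> List[Alert]:
    """Split alert.ids into blank-line separated records and parse each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert record (e.g. a banner line)
        a = Alert(int(head[1]), int(head[2]), int(head[3]), head[4])
        for line in lines[1:]:
            m = CLASS_RE.match(line)
            if m:
                a.classification, a.priority = m[1] or "", int(m[2])
                continue
            m = PACKET_RE.match(line)
            if m:
                a.timestamp, a.src, a.dst = m[1], m[2], m[4]
                a.sport = int(m[3]) if m[3] else None
                a.dport = int(m[5]) if m[5] else None
                continue
            m = PROTO_RE.match(line)
            if m:
                a.proto, a.ttl = m[1], int(m[2])
        alerts.append(a)
    return alerts


def by_severity(alerts, worst=1, up_to=3):
    """Alerts whose priority lies in [worst, up_to], most severe first."""
    return sorted((a for a in alerts if worst <= a.priority <= up_to),
                  key=lambda a: (a.priority, a.timestamp))


def noisy_sources(alerts):
    """Alert count per source address, busiest first."""
    return Counter(a.src for a in alerts).most_common()


# Constructed alert.ids excerpt: record 1 is the post's own alert, records 2 and 3
# are made up for this example and use local SIDs (1000001+).
SAMPLE_ALERTS = """\
[**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/22-12:19:12.577553 192.168.137.206:53 -> 192.168.137.10:55153
UDP TTL:128 TOS:0x0 ID:5399 IpLen:20 DgmLen:79
Len: 51

[**] [1:1000001:1] LOCAL constructed web attack probe [**]
[Classification: Web Application Attack] [Priority: 1]
12/22-12:20:01.000001 203.0.113.7:44123 -> 192.168.137.10:80
TCP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x100  TcpLen: 20

[**] [1:1000002:1] LOCAL constructed ICMP sweep [**]
[Classification: Network Scan] [Priority: 3]
12/22-12:20:05.000002 203.0.113.7 -> 192.168.137.10
ICMP TTL:54 TOS:0x0 ID:2 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1   Seq:1  ECHO
"""

if __name__ == "__main__":
    # usage: python triage_alerts.py C:\Snort\log\alert.ids
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    alerts = parse_alerts(text)
    for a in by_severity(alerts):
        print(f"P{a.priority} [{a.gid}:{a.sid}:{a.rev}] {a.proto} "
              f"{a.src}:{a.sport} -> {a.dst}:{a.dport}  {a.msg}")
    print("alerts per source:", noisy_sources(alerts))
```

Feed it the live alert.ids and act on the priority 1 records first; the per-source count is the quickest way to see whether the priority 2 and 3 noise comes from one scanner or from many hosts.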
Now we can stop Snort with Ctrl+C and it will display some statistics. The only thing left is to install Snort as a Windows service. To do so, run the following command in the command prompt:

snort /service /install -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii

After this the service is installed and you can start it from the Services manager or simply type sc start snortsvc.

So with this Snort is installed on your machine and is logging everything. Now you just need a program to parse the alerts and act on them based on the alert priority; there are plenty available on the Internet.

Note 1: If you have more than one network interface, you need to tell Snort which one to listen on. First run snort -W to list all interfaces on your machine (Windows only), then add -i n, where n is the number of the chosen interface in that list, to every Snort command you run from the command prompt and to the service installation command.

Note 2: If you want Snort to log alerts to the Windows Event Log as well as to the log files, add -E (Windows only) to the command line parameters.

Update: Here is my snort.conf (210) file, which is working on my machine without any problems. It could be that updated rules cause problems with starting Snort.

Update2: One trailing \ on the ssh preprocessor line was left by mistake; it is now removed.

How to install Wine on Snow Leopard

Monday, October 26th, 2009

If you would like to have the console version of Wine installed on your Snow Leopard machine, the procedure is simple.

  1. Install MacPorts
  2. In Terminal run sudo port selfupdate to fetch the latest repository contents
  3. Run sudo port install wine to install everything Wine needs. You can ignore the error at the end about the Wine version.
  4. Install Git: sudo port install git-core
  5. Fetch the latest source from WineHQ with git: git clone git://source.winehq.org/git/wine.git ~/wine-git
  6. Enter the ~/wine-git directory and run ./configure, make depend, make and make install (use sudo for the install step if it writes to /usr/local)

That’s it. Wine is now installed on your machine.

Sorting of images by creation date from EXIF

Tuesday, September 15th, 2009

In my photography workflow the first step in post-processing is moving the images from the memory card to the PC. Usually this is done via Adobe Bridge and it works like a charm: new folders are created by date, files are renamed and so on. But Adobe Bridge lacks support for using folders on the hard disk as import sources, which is the option I need right now, as I have found on my hard disk a lot of images that were copied straight from the memory card, in the layout they had on the card.

This leaves me with the problem of many folders full of images in no particular order. It began to frustrate me, so I started writing a program that would sort them into folders based on their EXIF data, but one night while reading the DPReview forum I found a link to a program that does exactly what I want, the way I want it.

The program is called DIM, Digital Image Mover. It is exactly what its name says: it moves images from one place to another. It does nothing more than move or copy images into folders created from the date template you provide.

The program is written in Java, so it works on every platform with a Java Runtime Environment (JRE); so far I have tested it on Mac OS and Windows without any problems.

It supports all major raw formats (NEF, CR2, CRW), JPEG, TIFF, PNG and so on.

Here is a link to the site of Alan Light, the author of the program, where you can find the latest version (4.0 at the moment), download it and send the author a donation.

Disable IPV6 in Windows 2008 server or Vista

Friday, June 26th, 2009

Today, while installing a Windows Server 2008 failover cluster, I got an error or notification from SQL Server that two of my servers have the same IPv6 address. Because I don't use IPv6 and had disabled it in the network properties, it was a bit weird to see this message.

Then I ran the ipconfig command, which showed a lot of disconnected Tunnel adapters that Vista had created automatically.

So to have a painless installation of the new cluster I disabled the IPv6 protocol completely.

Here is the solution:

  • open Run with Win+R or from the Start menu
  • type regedit
  • go to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
  • add a new DWORD (32-bit) value named DisabledComponents with value 1 (this disables all IPv6 tunnel interfaces, which is where the duplicate tunnel addresses came from; 0xFF disables IPv6 on every interface except loopback)
  • restart
  • enjoy

Synchronize directories from command prompt

Wednesday, May 27th, 2009

If you have ever wanted to synchronize two directories from the command prompt in Windows, this tool is a must-have.
It works perfectly from scheduled tasks as well, so it is easy to write a batch script that runs every night and synchronizes files and folders.

The program is called Mirror, it is written by Dominik Jain and you can download it here. The latest version is 1.43.

It works as simply as it should: you enter the source and destination directories and that's it. If you only want to test it without taking any action, add -d (d for demonstration).

Of course it can also take a file mask or regular expressions, and it is only 172 KB in size.

On his site you can find a few more tools and utilities he wrote.

Windows snipping tool but for XP

Thursday, April 30th, 2009

While testing Windows Vista a long time ago I noticed a new program called Snipping Tool that can take screenshots of the whole screen or part of it.

I searched a bit to find out whether it is possible to have it on XP, because Vista sucks :-), but it's only available for Tablet PCs.

Luckily there are free replacements on the Internet.

The program is called Gadwin PrintScreen and it's freeware.

When you install it you get a small tray icon, and it is triggered by the Print Screen key.

In the program options you can configure where to save the output files, which image format to use, resizing options and so on.

You can download the program from this link.

How to jailbreak iPod touch 2G (untethered solution)

Thursday, March 12th, 2009

Yesterday I found on the iPod Touch Fans forums instructions on how to jailbreak the iPod touch 2G. The instructions are at the link here, thanks to shortperson1026 who created this tutorial.

BEFORE you begin, restore your iPod Touch clean to its factory state.
As with every other tutorial you need the C++ redistributable and libusb.

1. Download unofficialsn0w 2.0 for Windows from here (Download)

2. Get the 2.2.1 iPod Touch Firmware HERE

3. Rename the 2.2.1 ipsw to OriginalFW, or OriginalFW.ipsw if you have file extensions visible, and place it in /IPSW

4. Run IPSW.bat (It will take a while)

5.
a. Right click on jb.ipsw and open it with WinRAR or 7-Zip

b. Go into Firmware\all_flash\all_flash.n72ap.production\

c. Delete the LLB file (optional, since it will be replaced by the new one)

d. Replace it (by dragging) with the LLB file that's in the same folder as jb.ipsw.

e. Exit and continue to step 6

6. Place your iPod Touch 2G into DFU mode, plug it in and run RUNME.exe

7. Shift + Restore to JB.ipsw in iTunes and you're done!!!

Although I did everything written there, during flashing I would get an error and the iPod would stay in recovery mode.

Then I found a small program, QuickFreedom (Untethered GUI), which created the firmware for me that I could later flash with iTunes to jailbreak my iPod. So if you have problems with the first solution, try this program; it also lets you change the boot logos. For the original firmware you can use the one downloaded from the link above.

Some notes.

Note 1.

You will need libusb for the first solution (and I think for the second one as well); you can download it here.

Note 2.

Entering DFU mode is not as simple as some say. Here are the steps:

  • Power off the iPod.
  • Press and hold the power and home buttons.
  • The iPod will start and then shut down again. When this happens, release the power button and keep holding the home button for 15-20 seconds.
  • You will see a blank black screen, which means you have entered DFU mode.

Lenovo/IBM Cisco VPN problem

Wednesday, November 26th, 2008

Yesterday I tried to connect to my work network with the Cisco VPN client after a recent reinstallation of my laptop, but without success.

The error I was getting was PEER_DELETE-IKE_DELETE_UNSPECIFIED. I tried to find someone with a similar problem on Google, but that wasn't successful either.

So the only thing to do was to install Windows from scratch and start again, eliminating software one piece at a time.

After a while I found that the new version of ThinkPad Fingerprint Software, 5.8, was the cause of my agony. It took me almost two days to find this, but reverting to the older version 5.6 solved the problem.

I hope this helps someone with a similar problem.

Creating simple cleanup scripts on Windows 2003

Monday, November 10th, 2008

Here is one short tip. If you have a problem with old log files piling up on the system and want to delete them automatically, here is how to do it.

  1. open Notepad
  2. write this line in it: Forfiles -p "c:\temp" -s -m *.log -d -14 -c "Cmd /C del @FILE"
  3. save the file and change its extension from .txt to .bat

The batch file we have created will do the following:

  • find all .log files under c:\temp
  • that are older than 14 days
  • and delete them

Here is a short explanation of the command line:

  • -p "full path" specifies the directory to start in; it can be c:\ or c:\temp
  • -s tells forfiles to recurse into subdirectories
  • -m *.ext filters for files with the .ext extension; it can be *.* as well
  • -d -14 selects files whose last-modified date is on or before 14 days ago (a positive number selects dates on or after that many days in the future, so for cleanup you want the negative form)
  • -c "command" runs the command on each file forfiles returns
  • cmd /c command tells a fresh command prompt to run the command and then exit

To test the batch file, remove or comment out the -c part so you only get the list from forfiles without anything being deleted (without -c, forfiles just echoes each matching file name). You can also use move instead of del to move the log files to another location.

If everything works as it should, open Start->Control Panel->Scheduled Tasks and create a new task that runs it every day, or at any interval you want.
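The same job in a script that is easier to test than a batch file, as an added example that is not part of the original post: it mirrors the forfiles command above (a start directory, a file mask, recursion, an age threshold in days, and an action), defaults to a dry run that only lists what it would touch, just as the post suggests testing without the -c part, and can move the files to an archive directory instead of deleting them. Like forfiles -d it looks at the last-modified time, though to the second rather than the day; the c:\temp path, the *.log mask and the 14-day threshold are the post's, everything else is an assumption of the example.

```python
"""Delete or move stale log files, the forfiles -d -14 -c "del" job in Python (added example)."""
import argparse
import shutil
import time
from pathlib import Path
from typing import List, Optional

SECONDS_PER_DAY = 86400


def find_stale(root, pattern="*.log", older_than_days=14, recursive=True, now=None) -> List[Path]:
    """Files under root matching pattern whose last-modified time is at least
    older_than_days old (the forfiles -p/-m/-s/-d -N selection)."""
    now = time.time() if now is None else now
    cutoff = now - older_than_days * SECONDS_PER_DAY
    root = Path(root)
    candidates = root.rglob(pattern) if recursive else root.glob(pattern)
    # materialise the list before acting so that moving files cannot disturb the walk
    return sorted(p for p in candidates if p.is_file() and p.stat().st_mtime <= cutoff)


def cleanup(root, pattern="*.log", older_than_days=14, recursive=True,
            dry_run=True, move_to: Optional[Path] = None, now=None) -> List[Path]:
    """Act on the stale files and return the list that was (or would be) handled.

    dry_run=True only reports (forfiles without its -c command just echoes names);
    move_to relocates files under that directory, keeping their path relative to root,
    instead of deleting them (the post's "use move instead of del").
    """
    root = Path(root)
    stale = find_stale(root, pattern, older_than_days, recursive, now)
    for p in stale:
        if dry_run:
            continue
        if move_to is not None:
            dest = Path(move_to) / p.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest))
        else:
            p.unlink()
    return stale


if __name__ == "__main__":
    # usage: python cleanup_logs.py c:\temp --days 14            (dry run)
    #        python cleanup_logs.py c:\temp --days 14 --act      (delete)
    #        python cleanup_logs.py c:\temp --move-to d:\archive --act
    ap = argparse.ArgumentParser(description="remove log files older than N days")
    ap.add_argument("root", help=r"start directory, e.g. c:\temp")
    ap.add_argument("--mask", default="*.log")
    ap.add_argument("--days", type=int, default=14)
    ap.add_argument("--no-recurse", action="store_true")
    ap.add_argument("--move-to", type=Path, help="archive directory instead of deleting")
    ap.add_argument("--act", action="store_true", help="perform the delete/move; default is a dry run")
    args = ap.parse_args()
    for path in cleanup(args.root, args.mask, args.days, not args.no_recurse,
                        dry_run=not args.act, move_to=args.move_to):
        print(("handled " if args.act else "would handle ") + str(path))
```

Schedule it the same way as the batch file once the dry run lists exactly the files you expect; keeping the archive directory outside the start directory avoids re-matching moved files on the next run.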