RE: ghosting a snort server???

["Pat Delaney" <Pat.Delaney () inewsroom com>]

This is snort running on Linux. I'm wondering if the hostname of the
original linus server is embeded into the sql database.
 
The snort service seemes to die. How can I turn on debugging to see
where it's failing during startup?
 
Pat

  _____  

From: Jordan, Jason A [mailto:Jason.Jordan () Honeywell com] 
Sent: Saturday, April 03, 2004 10:41 AM
To: Pat Delaney; snort-users () lists sourceforge net.
Subject: RE: [Snort-users] ghosting a snort server???



Disclaimer: I am making a presumption that this is snort on Windows not
Linux.

 

Did you check the account name that the service is running under?  Prior
to imaging the original system, did you run the prep routines on the
system (I believe its sysprep).  If it's a Windows 2000/XP/2003 type of
system the service accounts and system account information can get
mangled during ghosting (i.e. some type of SID conflict).  I'd recommend
going into the Services applet, go into the Snort properties, and verify
the credentials it runs under.  Even better, manually re-select the
account (local/domain) and password which Snort will use as its running
context.

 

You should be able to run snort from the command line and the help files
describe the switches.  

 

Let me know if any of that helps.

 

Jason Jordan

 

 

  _____  

From: Pat Delaney [mailto:Pat.Delaney () inewsroom com] 
Sent: Saturday, April 03, 2004 10:26 AM
To: snort-users () lists sourceforge net.
Subject: [Snort-users] ghosting a snort server???

 

Rather that reinstall SNORT on another PC from scratch, I cloned the
disk, and restored the image to another PC. The snort service seems to
keep failing to start.

 

My question is:

 Is there something keyed in the database to the original host name of
the orginal server?

 

How can I start the snort service up in a debugging mode to see why it
never starts and stays running?

 

Pat