Snort mailing list archives
RE: ghosting a snort server???
From: <hugh_fraser () dofasco ca>
Date: Sun, 4 Apr 2004 23:59:04 -0400
Are you using DHCP for addresses and in turn name resolution? If you're using fixed IP addresses, you will have a problem. If not, Snort will use the system's hostname, and if there isn't a record in the database, it will create one.

-----Original Message-----
From: snort-users-admin () lists sourceforge net on behalf of Pat Delaney
Sent: Sat 03/04/2004 11:56 AM
To: Jordan, Jason A; snort-users () lists sourceforge net
Cc:
Subject: RE: [Snort-users] ghosting a snort server???

This is snort running on Linux. I'm wondering if the hostname of the original Linux server is embedded into the sql database. The snort service seems to die. How can I turn on debugging to see where it's failing during startup?

Pat

_____

From: Jordan, Jason A [mailto:Jason.Jordan () Honeywell com]
Sent: Saturday, April 03, 2004 10:41 AM
To: Pat Delaney; snort-users () lists sourceforge net.
Subject: RE: [Snort-users] ghosting a snort server???

Disclaimer: I am making a presumption that this is snort on Windows not Linux.

Did you check the account name that the service is running under? Prior to imaging the original system, did you run the prep routines on the system (I believe it's sysprep). If it's a Windows 2000/XP/2003 type of system the service accounts and system account information can get mangled during ghosting (i.e. some type of SID conflict).

I'd recommend going into the Services applet, go into the Snort properties, and verify the credentials it runs under. Even better, manually re-select the account (local/domain) and password which Snort will use as its running context.

You should be able to run snort from the command line and the help files describe the switches.

Let me know if any of that helps.

Jason Jordan

_____

From: Pat Delaney [mailto:Pat.Delaney () inewsroom com]
Sent: Saturday, April 03, 2004 10:26 AM
To: snort-users () lists sourceforge net.
Subject: [Snort-users] ghosting a snort server???

Rather than reinstall SNORT on another PC from scratch, I cloned the disk, and restored the image to another PC. The snort service seems to keep failing to start. My question is: Is there something keyed in the database to the original host name of the original server? How can I start the snort service up in a debugging mode to see why it never starts and stays running?

Pat
Current thread:
- ghosting a snort server??? Pat Delaney (Apr 03)
- <Possible follow-ups>
- RE: ghosting a snort server??? Jordan, Jason A (Apr 03)
- RE: ghosting a snort server??? Pat Delaney (Apr 03)
- RE: ghosting a snort server??? hugh_fraser (Apr 04)