Snort mailing list archives

RE: Problem: Win32 v2.4.3 does not start as a Service


From: Rich Adamson <radamson () routers com>
Date: Tue, 27 Dec 2005 17:25:30 -0600

Just tried the suggestion using the 'config interface: ' option with
winpcap v3.1; didn't fix it. Dropping back to v3.0 and the same config
interface option in snort.conf does work (proving only that I configed
snort.conf correctly). I've never played with specifying the interface in
the conf file, so I've learned something new with that.

Looks like the only valid options thus far are to either stay with v3.0
or manually add the winpcap dependency options to the registry.

------------------------

I've been using 3.1 for some time now with no issues. However, I do not
specify -I #, but use the config file to specify an interface to listen on.
Perhaps you could try doing that if you'd like to keep (or go back to) 3.1.

From my config file: config interface: \Device\<removed>

Hope that helps. 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Tuesday, December 27, 2005 12:14 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Okay, the problem "is" with WinPcap v3.1; reverting to v3.0 allows snort to
start correctly as a Service after a reboot. Also tried v3.2 alpha 1, but it
created the same problem as v3.1.

Based on the winpcap url (provided below), there "is" a dependency that
apparently causes snort not to start.

As a side effect, reverting to winpcap v3.0 causes all of the interface
numbering (snort -W) to change, therefore the snort service will need to be
removed and reinstalled with an appropriate "-i" specification. Bummer.

Does anyone (with development experience) know whether this is an issue with
"service" code in snort, or is strictly a winpcap dependency issue?

Rich

------------------------

Yes, I remember seeing that post somewhere. I think I suggested 
removing 3.1 and reverting back to 3.0.

We are using 3.1 (non-beta) for our new install, and will know in a 
couple of hours if that is the culprit.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gianluca Varenni
Sent: Tuesday, December 27, 2005 8:02 AM
To: Rich Adamson; Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Hi all.

It could be an issue with a service dependency with WinPcap. Another 
user reported a similar issue some weeks ago on the WinPcap-bugs mailing
list.

You can find the mail and a possible workaround here:

http://www.winpcap.org/pipermail/winpcap-bugs/2005-December/000133.html


Hope it helps

Gianluca Varenni
WinPcap Team

----- Original Message -----
From: "Rich Adamson" <radamson () routers com>
To: "Michael Steele" <michaels () winsnort com>; <snort-users () lists sourceforge net>
Sent: Tuesday, December 27, 2005 5:43 AM
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service


Keep in mind the issue is that snort isn't starting at system bootup
time, so there isn't any desktop to interact with. It starts just fine
"after" the system is fully up.

There likely is a 'dependency' issue or an XP service control
manager issue, but it's not obvious from the event log, etc. Changing
from dhcp to a static IP made no difference either.

The event log messages (as originally stated) seem to imply the 
service control manager is waiting on snort for some sort of 
communications (indicating a successful start) that isn't happening.

Any other thoughts?

------------------------

Rich,

Go into services and allow Snort to interact with the desktop and 
it should display the error:

1) Go into the Services applet
2) Double left-click on the snort entry
3) Left-click the 'Logon' tab
4) Under 'Local system account' make sure that 'Allow service to 
interact with desktop' is checked
5) Left-click the 'Apply' button
6) Left-click the 'General' tab
7) Under 'Service Status' left-click the 'Start' button

Snort will start in a console and should display any problems with 
the startup procedure.

Note: Make sure to reverse the above procedure so Snort does NOT 
interact with the desktop under normal startup conditions.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
Pick up your FREE Windows or UNIX Snort installation guides 
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, December 26, 2005 7:08 AM
To: Snort Developers Postings; Snort Users Postings
Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Could not find any reference on the snort.org site relative to 
reporting a problem, so posting to both the -users and -devel lists.

Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap 
v3.1

Experience Level:
Been around snort since v1.8 days and have had it running just fine 
as a Service on most Win32 O/S's. I do not have an application 
development system (or development experience) to diagnose the problem.

Issue:
Snort will not start as a Service (for example after a reboot), 
however it runs just fine if started manually. Happens on multiple 
XP systems and has been observed by others (see forums) as well. 
Viewing the Services list indicates the snort service is properly 
configured to start "automatically" and log on using the Local System
account.

Indicators:
Four event log entries are created following a system reboot.
1. Security Log: Event 592 & 593 (process tracking) are created for snort.
2. System Log: two events generated including:
   Event 7000: "The Snort service failed to start due to the following
   error: The service did not respond to the start or control request
   in a timely manner."
   Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort
   service to connect."

I am not at all sure whether this is an issue with Snort service 
code or some form of new requirement in Win XP service startup 
code. Several systems seem to be restarting correctly on Win 2k Pro 
and Win 2k Server, however these systems are also running 
pre-v2.4.3 snort code and cannot be upgraded at this time.

Consistency:
Snort v2.4.3 on any Win XP system will "always" fail to start 
following a reboot. A manual start via the Services control panel 
will "always" be successful, and, a "net start snort" from the 
command line will always be successful. All other services on these
systems start normally.

References:
Microsoft's site suggests: "Within a specified time period after a 
new service starts, it notifies Service Control Manager (SCM) that 
it is ready to connect. In this case, the service did not notify 
SCM within the time period." (Thus generating event 7009.)

Other Observations:
1. Typical Win32 system has 512 meg ram with WinPcap v3.1
2. After manually starting the snort service, task manager indicates
   over 150 meg of available memory.
3. After manually starting the snort service, all alerts and log
   entries occur properly.
4. The snort service was installed following the examples displayed
   when executing "snort -?" from the command line.
5. Executing "snort /service /show" indicates the service was properly
   installed with all appropriate startup parameters.

Best Guess:
The two events in the security log suggest the snort service was
actually starting, however the events in the system log indicate a
timeout. Since the "process events" (security log) do occur,
presumably snort is starting and supposed to pass a message or call
the services control manager (or maybe return some value) indicating
to the services control manager that it has started. It would appear
this second step is not occurring.

Some possibility exists the snort code is using the name "snortsvc"
in some code and "snort" in other services code. Executing
"sc query snortsvc" from a command line indicates:
  State: 1 stopped
           (not-stoppable, not_pausable, ignores_shutdown)
with no other hints. The above _might_ be related to not registering the
snort service properly, differences in service names, incorrect
parameters, etc. Not sure.

If I can provide any other information regarding the 
problem/symptom, please contact me.

If there is a better location to report this problem, please let me
know.

Rich Adamson
radamson () routers com




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through 
log files for problems?  Stop!  Download the new AJAX search engine 
that makes searching your log files as easy as surfing the  web.  
DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
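
An added example (not code from any poster in this thread or from the Snort project) that applies the reasoning in the original report: pairing the Security-log process events 592/593 with the System-log events 7000/7009 separates "the binary never launched" from "the process launched but never reported to the Service Control Manager in time". The record layout, the `triage` function and the image path are assumptions made for illustration; the sample records are constructed from the event IDs and message texts quoted above.

```python
import re

# Constructed sample records (log, event id, message), modelled on the event
# IDs and texts quoted in the report. Not real log output; the path is made up.
BOOT_EVENTS = [
    ("Security", 592, "A new process has been created: Image File Name: C:\\Snort\\bin\\snort.exe"),
    ("System", 7009, "Timeout (30,000 milliseconds) waiting for the Snort service to connect."),
    ("System", 7000, "The Snort service failed to start due to the following error: "
                     "The service did not respond to the start or control request in a timely manner."),
    ("Security", 593, "A process has exited: Image File Name: C:\\Snort\\bin\\snort.exe"),
]

TIMEOUT_RE = re.compile(r"Timeout \(([\d,]+) milliseconds\) waiting for the (.+?) service to connect")
FAILED_RE = re.compile(r"The (.+?) service failed to start")


def triage(events, service, image):
    """Classify a boot-time start failure for `service` (process name `image`)."""
    timeout_ms = None
    failed = launched = exited = False
    for log, event_id, message in events:
        if log == "System" and event_id == 7009:
            m = TIMEOUT_RE.search(message)
            if m and m.group(2).lower() == service.lower():
                timeout_ms = int(m.group(1).replace(",", ""))
        elif log == "System" and event_id == 7000:
            m = FAILED_RE.search(message)
            failed |= bool(m and m.group(1).lower() == service.lower())
        elif log == "Security" and event_id in (592, 593):
            if image.lower() in message.lower():
                launched |= event_id == 592
                exited |= event_id == 593
    if not failed and timeout_ms is None:
        verdict = "no_start_failure"
    elif launched:
        # The process was created, yet the SCM never heard from it in time:
        # the sensor is blocked during startup, not missing or misregistered.
        verdict = "launched_but_never_connected_to_scm"
    else:
        verdict = "binary_never_launched"
    return {"verdict": verdict, "timeout_ms": timeout_ms, "process_exited": exited}


if __name__ == "__main__":
    print(triage(BOOT_EVENTS, "Snort", "snort.exe"))
```

Run after every sensor reboot, a check like this catches an IDS that is installed as an automatic service but is not actually capturing.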





