RE: snort as a service on Windows 2000

["Michael Steele" <michaels () silicondefense com>]

August,

I'm talking it runs fine from the command line.

Navigate from a command prompt to snort\bin

Remove the service: snort /SERVICE /UNINSTALL

Reboot

Navigate from a command prompt to snort\bin

Type: snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1

Make sure Snort is running with no errors.

Type CTRL/C to exit back to the command window.

Type: snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\snort\log -i1

Type: snort /SERVICE /SHOW

Make sure the line reads: -c c:\snort\etc\snort.conf -l c:\snort\log -i1

Go into the services and set snort to automatic, then press the start
button. After the service starts go to Taskmanager and make SURE snort is
running.

 -Michael

 Michael Steele | System Engineer / Support Technician
 mailto:michaels () silicondefense com
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com] 
Sent: Friday, April 11, 2003 1:49 PM
To: michaels () silicondefense com
Subject: RE: [Snort-users] snort as a service on Windows 2000

I did that and it the SQL seems to look cleaner. 

I am still having problems when I start Snort as a service. 

(I am using the user "root" to be sure I don't have any more MYSQL problems.
)
__________________________

C:\Snort\etc>snort /service /show

Snort is currently configured to run as a Windows service using the
following
command-line parameters:

     -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1

C:\Snort\etc>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8
}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 0
    Self preservation period: 0
    Suspend threshold: 0
    Suspend period: 0
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = W2K_Snort
database:     sensor id = 2
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = W2K_Snort
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
1310 Snort rules read...
1310 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snort"
database: Closing connection to database "snort"

C:\Snort\etc>

______________________________________



> -----Original Message-----
> From: Michael Steele [SMTP:michaels () silicondefense com]
> Sent: Tuesday, April 08, 2003 12:28 PM
> To:   August.K.Kunnecke () pmusa com
> Subject:      RE: [Snort-users] snort as a service on Windows 2000
>
> August,
>
> You NEED to add UPDATE to the user snort account.
>
> Passwords:
>
> Snort - This is very low security. The user Snort only needs to write to
> the
> database.
> Acid - This needs to be secured as anyone accessing the console can delete
> alerts.
> Root - This is God to the complete IDS system.
>
> -Michael
> -- 
>  Michael Steele | System Engineer / Support Technician     
>  mailto:michaels () silicondefense com    
>  Silicon Defense - The Cyber-War Defense Company
>  Website: http://www.silicondefense.com
>  Snort: Open Source Network IDS - http://www.snort.org
>
> -----Original Message-----
> From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com] 
> Sent: Tuesday, April 08, 2003 6:55 AM
> To: michaels () silicondefense com
>
> I made those changes and I still have problems. I think it's in the MySQL
> software. I had problems adding users the way the instructions said. I was
> able to add them, but not the way it said. I think I need to reset all of
> the passwords for those accounts. (acid, snort and root) 
>
> What do you think?
>
> > -----Original Message-----
> > From:       Michael Steele [SMTP:michaels () silicondefense com]
> > Sent:       Monday, April 07, 2003 1:49 PM
> > To: August.K.Kunnecke () pmusa com
> > Subject:    RE: [Snort-users] snort as a service on Windows 2000
> >
> > August,
> >
> > I ran into this same problem this weekend. I have a work around for it.
> >
> > In the snort.cond change the user to acid (replacing snort) and password
> > to the associated password for user acid. Do this in both 'output
> > database .....' lines, then restart snort. I have no idea why the user
> > snort is having problems. It worked for me for awhile then just stopped
> > working. I'll look into it.
> >
> > -Michael
> > -- 
> >  Michael Steele | System Engineer / Support Technician     
> >  mailto:michaels () silicondefense com    
> >  Silicon Defense - The Cyber-War Defense Company
> >  Website: http://www.silicondefense.com
> >  Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> > -----Original Message-----
> > From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com] 
> > Sent: Monday, April 07, 2003 7:01 AM
> > To: michaels () silicondefense com
> > Subject: RE: [Snort-users] snort as a service on Windows 2000
> >
> > It looks like the problem is in MySQL. (I think.....)
> >
> >
> > C:\Snort>snort /service /show
> >
> > Snort is currently configured to run as a Windows service using the
> > following
> > command-line parameters:
> >
> >      -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> >
> > C:\Snort>
> >
> >
> >
> > C:\Snort>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
> > Log directory = c:\snort\log
> >
> > Initializing Network Interface \
> >
> >         --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Decoding Ethernet on interface
> > \Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8
> > }
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file c:\snort\etc\snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> >     Fragment min_ttl:   0
> >     Fragment ttl_limit: 5
> >     Fragment Problems: 0
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Evasion alerts: INACTIVE
> >     Scan alerts: ACTIVE
> >     Log Flushed Streams: INACTIVE
> >     MinTTL: 1
> >     TTL Limit: 5
> >     Async Link: 0
> >     State Protection: 0
> >     Self preservation threshold: 0
> >     Self preservation period: 0
> >     Suspend threshold: 0
> >     Suspend period: 0
> > Stream4_reassemble config:
> >     Server reassembly: INACTIVE
> >     Client reassembly: ACTIVE
> >     Reassembler alerts: ACTIVE
> >     Ports: 21 23 25 53 80 110 111 143 513 1433
> >     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> > http_decode arguments:
> >     Unicode decoding
> >     IIS alternate Unicode decoding
> >     IIS double encoding vuln
> >     Flip backslash to slash
> >     Include additional whitespace separators
> >     Ports to decode http on: 80
> > rpc_decode arguments:
> >     Ports to decode RPC on: 111 32771
> >     alert_fragments: INACTIVE
> >     alert_large_fragments: ACTIVE
> >     alert_incomplete: ACTIVE
> >     alert_multiple_requests: ACTIVE
> > telnet_decode arguments:
> >     Ports to decode telnet on: 21 23 25 119
> > Conversation Config:
> >    KeepStats: 0
> >    Conv Count: 32000
> >    Timeout   : 60
> >    Alert Odd?: 0
> >    Allowed IP Protocols:  All
> >
> > database: compiled support for ( mysql odbc )
> > database: configured to use mysql
> > database:          user = snort
> > database: password is set
> > database: database name = snort
> > database:          host = 127.0.0.1
> > database:          port = 3306
> > database:   sensor name = W2K_Snort
> > database:     sensor id = 2
> > database: mysql_error: Access denied for user: 'snort@localhost' to
> > database
> > 'sn
> > ort'
> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> > database: inconsistent cid information for sid=2
> >           Recovering by rolling forward the cid=8043
> > database: schema version = 106
> > database: using the "log" facility
> > database: compiled support for ( mysql odbc )
> > database: configured to use mysql
> > database:          user = snort
> > database: password is set
> > database: database name = snort
> > database:          host = 127.0.0.1
> > database:          port = 3306
> > database:   sensor name = W2K_Snort
> > database:     sensor id = 2
> > database: schema version = 106
> > database: using the "alert" facility
> > 1310 Snort rules read...
> > 1310 Option Chains linked into 148 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Rule application order: ->activation->dynamic->alert->pass->log
> >
> >         --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
> > By Martin Roesch (roesch () sourcefire com, www.snort.org)
> > 1.7-WIN32 Port By Michael Davis (mike () datanerds net,
> > www.datanerds.net/~mike)
> > 1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
> >
> > Snort sucessfully loaded all rules and checked all rule chains!
> > database: mysql_error: Access denied for user: 'snort@localhost' to
> > database
> > 'sn
> > ort'
> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> > database: Closing connection to database "snort"
> > database: mysql_error: Access denied for user: 'snort@localhost' to
> > database
> > 'sn
> > ort'
> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> > database: Closing connection to database "snort"
> >
> > C:\Snort>
> >
> > > -----Original Message-----
> > > From:     Michael Steele [SMTP:michaels () silicondefense com]
> > > Sent:     Saturday, April 05, 2003 2:20 PM
> > > To:       August.K.Kunnecke () pmusa com
> > > Cc:       snort-users () lists sourceforge net
> > > Subject:  RE: [Snort-users] snort as a service on Windows 2000
> > >
> > > August,
> > >
> > > Do a:
> > >
> > > Snort /SERVICE /SHOW
> > >
> > > Send the output to me along with your snort.conf.
> > >
> > > Try running:
> > >
> > > Snort -c d:\applications\swnort\etc\snort.conf -l
> > > d:\applications\snort\log
> > > -ix -T
> > >
> > > Make SURE to replace the proper paths and make SURE that the '-ix' has
> > the
> > > proper interface in place of the 'x'. Send me that output.
> > >
> > >  -Michael
> > >
> > >  Michael Steele | System Engineer / Support Technician
> > >  mailto:michaels () silicondefense com
> > >  Silicon Defense: IDS solutions - http://www.silicondefense.com
> > >  Snort: Open Source Network IDS - http://www.snort.org
> > >
> > >
> > > -----Original Message-----
> > > From: snort-users-admin () lists sourceforge net
> > > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
> > > August.K.Kunnecke () pmusa com
> > > Sent: Thursday, April 03, 2003 11:18 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] snort as a service on Windows 2000
> > >
> > > I am trying to use Snort on a Windows 2000 server. 
> > >
> > > Snort works when I type snort -v -ix. I am having problems getting it
> > to
> > > run
> > > as a service. It install fine. When I try to start it, I get different
> > > errors. I have finally decided to stop and see if I can get some help.
> > > This
> > > time I am getting the following message in my event viewer:
> > >
> > > ------------------------------------------------------------
> > > Event Type:       Error
> > > Event Source:     Service Control Manager
> > > Event Category:   None
> > > Event ID: 7000
> > > Date:             4/3/2003
> > > Time:             1:59:36 PM
> > > User:             N/A
> > > Computer: XXXXXX
> > > Description:
> > > The Snort service failed to start due to the following error: 
> > > The system cannot find the file specified
> > > ---------------------------------------------------------------------
> > >
> > > It usually tells me that is cannot find the snort.conf file in the
> > > application log, but I am not getting any messages in that section. 
> > >
> > > When I run snort at a DOS prompt to try to see what file it is
> > missing, I
> > > get the following:
> > >
> > > ---------------------------------
> > > WARNING: unknown output plugin: 'alert_syslog'WARNING: unknown output
> > > plugin: 'd
> > > atabase'WARNING: unknown output plugin: 'database'1310 Snort rules
> > read...
> > > 1310 Option Chains linked into 148 Chain Headers
> > > 0 Dynamic rules
> > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > >
> > > Rule application order: ->activation->dynamic->alert->pass->log
> > >
> > >         --== Initializing Snort ==--
> > > Initializing Output Plugins!
> > >
> > > [!] ERROR: Can not get write access to logging directory "log".
> > > (directory doesn't exist or permissions are set incorrectly
> > > or it is not a directory at all)
> > >
> > > Fatal Error, Quitting..
> > > -------------------------------------------------
> > >
> > > I followed the instructions from the snort.org web site. I tried
> > moving
> > > the
> > > snort.exe to the snort directory. I also tried to move (and copy) the
> > > snort.conf file, but I still get the same error.
> > >
> > >
> > > I also have some questions about the config files: 
> > >
> > > One document I read had the path names to the files listed with the
> > "/"
> > > character  Another set of instructions said to use the standard "\"
> > > backslash character.  Which is the correct convention to use?
> > >
> > >
> > > Thanks in advance for any help.
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: ValueWeb: 
> > > Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
> > > No other company gives more support or power for your dedicated server
> > > http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
for complex code. Debugging C/C++ programs can leave you feeling lost and
disoriented. TotalView can help you find your way. Available on major UNIX
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users