Snort mailing list archives
RE: snort as a service on Windows 2000
From: "Michael Steele" <michaels () silicondefense com>
Date: Fri, 11 Apr 2003 14:07:48 -0700
August,

I'm taking it runs fine from the command line.

Navigate from a command prompt to snort\bin
Remove the service: snort /SERVICE /UNINSTALL
Reboot
Navigate from a command prompt to snort\bin
Type: snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Make sure Snort is running with no errors.
Type CTRL/C to exit back to the command window.
Type: snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Type: snort /SERVICE /SHOW
Make sure the line reads: -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Go into the services and set snort to automatic, then press the start button.
After the service starts go to Task Manager and make SURE snort is running.

-Michael

Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com]
Sent: Friday, April 11, 2003 1:49 PM
To: michaels () silicondefense com
Subject: RE: [Snort-users] snort as a service on Windows 2000

I did that and the SQL seems to look cleaner. I am still having problems when I start Snort as a service. (I am using the user "root" to be sure I don't have any more MySQL problems.)

__________________________
C:\Snort\etc>snort /service /show
Snort is currently configured to run as a Windows service using the following command-line parameters:
    -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1

C:\Snort\etc>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
Log directory = c:\snort\log
Initializing Network Interface \

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 0
    Self preservation period: 0
    Suspend threshold: 0
    Suspend period: 0
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
    KeepStats: 0
    Conv Count: 32000
    Timeout : 60
    Alert Odd?: 0
    Allowed IP Protocols: All
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = W2K_Snort
database:     sensor id = 2
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = W2K_Snort
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
1310 Snort rules read...
1310 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snort"
database: Closing connection to database "snort"

C:\Snort\etc>
______________________________________

-----Original Message-----
From: Michael Steele [SMTP:michaels () silicondefense com]
Sent: Tuesday, April 08, 2003 12:28 PM
To: August.K.Kunnecke () pmusa com
Subject: RE: [Snort-users] snort as a service on Windows 2000

August,

You NEED to add UPDATE to the user snort account.

Passwords:
Snort - This is very low security. The user Snort only needs to write to the database.
Acid - This needs to be secured as anyone accessing the console can delete alerts.
Root - This is God to the complete IDS system.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense - The Cyber-War Defense Company
Website: http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com]
Sent: Tuesday, April 08, 2003 6:55 AM
To: michaels () silicondefense com

I made those changes and I still have problems. I think it's in the MySQL software. I had problems adding users the way the instructions said. I was able to add them, but not the way it said. I think I need to reset all of the passwords for those accounts. (acid, snort and root) What do you think?

-----Original Message-----
From: Michael Steele [SMTP:michaels () silicondefense com]
Sent: Monday, April 07, 2003 1:49 PM
To: August.K.Kunnecke () pmusa com
Subject: RE: [Snort-users] snort as a service on Windows 2000

August,

I ran into this same problem this weekend. I have a work around for it.

In the snort.conf change the user to acid (replacing snort) and password to the associated password for user acid. Do this in both 'output database .....' lines, then restart snort.

I have no idea why the user snort is having problems. It worked for me for a while then just stopped working. I'll look into it.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense - The Cyber-War Defense Company
Website: http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com]
Sent: Monday, April 07, 2003 7:01 AM
To: michaels () silicondefense com
Subject: RE: [Snort-users] snort as a service on Windows 2000

It looks like the problem is in MySQL. (I think.....)

C:\Snort>snort /service /show
Snort is currently configured to run as a Windows service using the following command-line parameters:
    -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1

C:\Snort>
C:\Snort>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
Log directory = c:\snort\log
Initializing Network Interface \

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 0
    Self preservation period: 0
    Suspend threshold: 0
    Suspend period: 0
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
    KeepStats: 0
    Conv Count: 32000
    Timeout : 60
    Alert Odd?: 0
    Allowed IP Protocols: All
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = W2K_Snort
database:     sensor id = 2
database: mysql_error: Access denied for user: 'snort@localhost' to database 'snort'
        SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
database: inconsistent cid information for sid=2
        Recovering by rolling forward the cid=8043
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = 127.0.0.1
database:          port = 3306
database:   sensor name = W2K_Snort
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
1310 Snort rules read...
1310 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

Snort sucessfully loaded all rules and checked all rule chains!
database: mysql_error: Access denied for user: 'snort@localhost' to database 'snort'
        SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
database: Closing connection to database "snort"
database: mysql_error: Access denied for user: 'snort@localhost' to database 'snort'
        SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
database: Closing connection to database "snort"

C:\Snort>

-----Original Message-----
From: Michael Steele [SMTP:michaels () silicondefense com]
Sent: Saturday, April 05, 2003 2:20 PM
To: August.K.Kunnecke () pmusa com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort as a service on Windows 2000

August,

Do a: Snort /SERVICE /SHOW

Send the output to me along with your snort.conf.

Try running: Snort -c d:\applications\swnort\etc\snort.conf -l d:\applications\snort\log -ix -T

Make SURE to replace the proper paths and make SURE that the '-ix' has the proper interface in place of the 'x'. Send me that output.

-Michael

Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of August.K.Kunnecke () pmusa com
Sent: Thursday, April 03, 2003 11:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort as a service on Windows 2000

I am trying to use Snort on a Windows 2000 server. Snort works when I type snort -v -ix. I am having problems getting it to run as a service. It installs fine. When I try to start it, I get different errors. I have finally decided to stop and see if I can get some help. This time I am getting the following message in my event viewer:

------------------------------------------------------------
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/3/2003
Time: 1:59:36 PM
User: N/A
Computer: XXXXXX
Description:
The Snort service failed to start due to the following error:
The system cannot find the file specified
---------------------------------------------------------------------

It usually tells me that it cannot find the snort.conf file in the application log, but I am not getting any messages in that section. When I run snort at a DOS prompt to try to see what file it is missing, I get the following:

---------------------------------
WARNING: unknown output plugin: 'alert_syslog'
WARNING: unknown output plugin: 'database'
WARNING: unknown output plugin: 'database'
1310 Snort rules read...
1310 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initializing Snort ==--
Initializing Output Plugins!
[!] ERROR: Can not get write access to logging directory "log".
(directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
Fatal Error, Quitting..
-------------------------------------------------

I followed the instructions from the snort.org web site. I tried moving the snort.exe to the snort directory. I also tried to move (and copy) the snort.conf file, but I still get the same error.

I also have some questions about the config files: One document I read had the path names to the files listed with the "/" character. Another set of instructions said to use the standard "\" backslash character. Which is the correct convention to use?

Thanks in advance for any help.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
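The grant fix Michael describes (UPDATE for the snort account, which the Apr 7 log shows failing on "UPDATE sensor SET last_cid ...") and his snort / acid / root role split, written out as an added least-privilege grant script; this is editor-added example code, not anything posted in the thread. It assumes MySQL 5.0+ syntax (CREATE USER before GRANT; on the MySQL 3.x/4.0 of the era a single GRANT ... IDENTIFIED BY did both) and uses placeholder passwords.

```sql
-- Added example (not from the thread): least-privilege MySQL accounts for a
-- Snort 1.9 sensor logging into the "snort" schema (schema version 106).
-- Assumes MySQL 5.0+ syntax; every password below is a placeholder.

-- 1. Sensor account named in snort.conf's two "output database" lines.
--    Snort appends events and keeps sensor.last_cid current, so it needs
--    INSERT, SELECT (to find its own sid and read the schema version) and
--    UPDATE. The Apr 7 log was denied on exactly this UPDATE. No DELETE,
--    no DDL, no GRANT OPTION: a compromised sensor cannot erase history.
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'SNORT_PASSWORD_PLACEHOLDER';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort'@'localhost';

-- 2. Console account for ACID. The console deletes alerts, so it also
--    gets DELETE; whoever holds this password can destroy evidence,
--    hence a strong, separately managed password.
CREATE USER 'acid'@'localhost' IDENTIFIED BY 'ACID_PASSWORD_PLACEHOLDER';
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'acid'@'localhost';

-- 3. root never appears in snort.conf. It stays a DBA-only account, so the
--    sensor keeps writing when root's password is rotated.

-- Host caveat: snort.conf points at host = 127.0.0.1, yet the error names
-- 'snort@localhost' because MySQL maps loopback to "localhost" unless
-- skip-name-resolve is set; with it set, grant to 'snort'@'127.0.0.1'.

-- Verification, run as the DBA: the three privileges must be listed.
SHOW GRANTS FOR 'snort'@'localhost';

-- Verification, run as the sensor account (mysql -u snort -p snort):
-- the statement from the log must now succeed instead of "Access denied".
UPDATE sensor SET last_cid = last_cid WHERE sid = 2;
```

With the grants in place, both output lines in snort.conf use the snort account again, e.g. `output database: log, mysql, user=snort password=... dbname=snort host=localhost`, and `snort -c ... -T` should show no mysql_error lines.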