Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ghosting a snort server???

From: <hugh_fraser () dofasco ca>
Date: Sun, 4 Apr 2004 23:59:04 -0400
Are you using dhcp for addresses and in turn name resolution? If you're using fixed IP addresses, you will have a 
problem. If not, Snort will use the system's hostname, and if there isn't a record in the database, it will create one.

        -----Original Message----- 
        From: snort-users-admin () lists sourceforge net on behalf of Pat Delaney 
        Sent: Sat 03/04/2004 11:56 AM 
        To: Jordan, Jason A; snort-users () lists sourceforge net 
        Cc: 
        Subject: RE: [Snort-users] ghosting a snort server???
        
        
        This is snort running on Linux. I'm wondering if the hostname of the original linus server is embeded into the 
sql database.
         
        The snort service seemes to die. How can I turn on debugging to see where it's failing during startup?
         
        Pat

  _____  

        From: Jordan, Jason A [mailto:Jason.Jordan () Honeywell com] 
        Sent: Saturday, April 03, 2004 10:41 AM
        To: Pat Delaney; snort-users () lists sourceforge net.
        Subject: RE: [Snort-users] ghosting a snort server???
        
        

        Disclaimer: I am making a presumption that this is snort on Windows not Linux.

         

        Did you check the account name that the service is running under?  Prior to imaging the original system, did 
you run the prep routines on the system (I believe its sysprep).  If it's a Windows 2000/XP/2003 type of system the 
service accounts and system account information can get mangled during ghosting (i.e. some type of SID conflict).  I'd 
recommend going into the Services applet, go into the Snort properties, and verify the credentials it runs under.  Even 
better, manually re-select the account (local/domain) and password which Snort will use as its running context.

         

        You should be able to run snort from the command line and the help files describe the switches.  

         

        Let me know if any of that helps.

         

        Jason Jordan

         

         

        
  _____  


        From: Pat Delaney [mailto:Pat.Delaney () inewsroom com] 
        Sent: Saturday, April 03, 2004 10:26 AM
        To: snort-users () lists sourceforge net.
        Subject: [Snort-users] ghosting a snort server???

         

        Rather that reinstall SNORT on another PC from scratch, I cloned the disk, and restored the image to another 
PC. The snort service seems to keep failing to start.

         

        My question is:

         Is there something keyed in the database to the original host name of the orginal server?

         

        How can I start the snort service up in a debugging mode to see why it never starts and stays running?

         

        Pat
Previous By Date Next
Previous By Thread Next

Current thread: