RE: Problem: Win32 v2.4.3 does not start as a Service

["Jeff Dell" <jdell () activeworx com>]

Question... What are you using for your output? Are you using a Database on
the same server? If so, the problem is probably that Snort is trying to
startup before your DB service is and causing Snort to fail. 

Cheers,
Jeff 

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net 
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> Rich Adamson
> Sent: Monday, December 26, 2005 10:08 AM
> To: Snort Developers Postings; Snort Users Postings
> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start 
> as a Service
>
> Could not find any reference on the snort.org site relative 
> to reporting
> a problem, so posting to both the -users and -devel lists.
>
> Implementation: Snort v2.4.3 on Win XP (all versions) with 
> WinPcap v3.1
>
> Experience Level: 
> Been around snort since v1.8 days and have had it running 
> just fine as 
> a Service on most Win32 O/S's. I do not have an application 
> development 
> system (or development experience) to diagnose the problem.
>
> Issue: 
> Snort will not start as a Service (for example after a 
> reboot), however 
> it runs just fine if started manually. Happens on multiple XP 
> systems and 
> has been observed by others (see forums) as well. Viewing the 
> Services 
> list indicates the snort service is properly configured to start 
> "automatically" and log on using the Local System account.
>
> Indicators: 
> Four event log entries are created following a system reboot.
> 1. Security Log: Event 592 & 593 (process tracking) are 
> created for snort.
> 2. System Log: two events generated including:
>    Event 7000: "The Snort service failed to start due to the following
>    error: The service did not respond to the start or control 
> request in
>    a timely manner."
>    Event 7009: "Timeout (30,000 milliseconds) waiting for the 
> Snort service
>    to connect."
>
> I am not at all sure whether this is an issue with Snort 
> service code or
> some form of new requirement in Win XP service startup code. 
> Several systems
> seem to be restarting correctly on Win 2k Pro and Win 2k 
> Server, however
> these systems are also running pre-v2.4.3 snort code and 
> cannot be upgrade
> at this time.
>
> Consistency: 
> Snort v2.4.3 on any Win XP system will "always" fail to start 
> following a 
> reboot. A manual start via the Services control panel will 
> "always" be 
> successful, and, a "net start snort" from the command line 
> will always be 
> successful. All other services on these systems start normally.
>
> References: 
> Microsoft's site suggests: "Within a specified time period 
> after a new 
> service starts, it notifies Service Control Manager (SCM) 
> that it is ready 
> to connect. In this case, the service did not notify SCM 
> within the time 
> period." (Thus generating event 7009.)
>
> Other Observations:
> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
> 2. After manually starting the snort service, task manager indicates
>    over 150 meg of available memory.
> 3. After manually starting the snort service, all alerts and 
> log entries
>    occur properly.
> 4. The snort service was installed following the examples 
> displayed when
>    executing "snort -?" from the command line.
> 5. Executing "snort /service /show" indicates the service was properly
>    installed with all appropriate startup parameters.
>
> Best Guess:
> The two events in the security log suggest the snort service 
> was actually
> starting, however the events in the system log indicate a 
> timeout. Since
> the "process events" (security log) do occur, presumably 
> snort is starting
> and suppose to pass a message or call the services control 
> manager (or maybe 
> return some value) indicating to the services control manager 
> that it has 
> started. It would appear this second step is not occurring.
>
> Some possibility exists the snort code is using the name "snortsvc" in
> some code and "snort" in other services code. Executing "sc 
> query snortsvc"
> from a command line indicates:
>   State: 1 stopped
>            (not-stoppable, not_pausable, ignores_shutdown)
> with no other hints. The above _might_ be related to not 
> registering the
> snort service properly, differences in service names, 
> incorrect parameters,
> etc. Not sure.
>
> If I can provide any other information regarding the problem/symptom,
> please contact me.
>
> If there is a better location to report this problem, please 
> let me know.
>
> Rich Adamson
> radamson () routers com
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep 
> through log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  
> DOWNLOAD SPLUNK!
> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users