Snort mailing list archives
Re: Problem: Win32 v2.4.3 does not start as a Service
From: pure one <securelabs.zapto.org () gmail com>
Date: Mon, 26 Dec 2005 21:18:02 +0000
Hi

Just a wild guess but wouldn't snort fail to start if the device you're trying to make it listen on has not got an IP address yet? If you're using DHCP try with a static IP. What you could try is sticking a batch file in %userprofile%\Start Menu\Programs\Startup to run snort, so you could see the errors if any. Although this may not work or be any help... but it's worth a shot :)

pureone

On 12/26/05, Rich Adamson <radamson () routers com> wrote:
No databases or any other external app is used. Alerting to syslog in relatively low traffic environments. As mentioned, all snort functions have been and continue to function just fine; purely a services startup issue with no dependencies as best as I can tell.

Might also add that "Restart the Service" in the Recovery tab of the snort services properties has been set, and that never kicks off. So, presumably it also is related to the fact the service never started, therefore it can't be restarted.

------------------------

Question... What are you using for your output? Are you using a Database on the same server? If so, the problem is probably that Snort is trying to start up before your DB service is and causing Snort to fail.

Cheers,
Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, December 26, 2005 10:08 AM
To: Snort Developers Postings; Snort Users Postings
Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Could not find any reference on the snort.org site relative to reporting a problem, so posting to both the -users and -devel lists.

Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap v3.1

Experience Level: Been around snort since v1.8 days and have had it running just fine as a Service on most Win32 O/S's. I do not have an application development system (or development experience) to diagnose the problem.

Issue: Snort will not start as a Service (for example after a reboot), however it runs just fine if started manually. Happens on multiple XP systems and has been observed by others (see forums) as well. Viewing the Services list indicates the snort service is properly configured to start "automatically" and log on using the Local System account.

Indicators: Four event log entries are created following a system reboot.
1. Security Log: Event 592 & 593 (process tracking) are created for snort.
2. System Log: two events generated including:
   Event 7000: "The Snort service failed to start due to the following error: The service did not respond to the start or control request in a timely manner."
   Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort service to connect."

I am not at all sure whether this is an issue with Snort service code or some form of new requirement in Win XP service startup code. Several systems seem to be restarting correctly on Win 2k Pro and Win 2k Server, however these systems are also running pre-v2.4.3 snort code and cannot be upgraded at this time.

Consistency: Snort v2.4.3 on any Win XP system will "always" fail to start following a reboot. A manual start via the Services control panel will "always" be successful, and, a "net start snort" from the command line will always be successful. All other services on these systems start normally.

References: Microsoft's site suggests: "Within a specified time period after a new service starts, it notifies Service Control Manager (SCM) that it is ready to connect. In this case, the service did not notify SCM within the time period." (Thus generating event 7009.)

Other Observations:
1. Typical Win32 system has 512 meg ram with WinPcap v3.1
2. After manually starting the snort service, task manager indicates over 150 meg of available memory.
3. After manually starting the snort service, all alerts and log entries occur properly.
4. The snort service was installed following the examples displayed when executing "snort -?" from the command line.
5. Executing "snort /service /show" indicates the service was properly installed with all appropriate startup parameters.

Best Guess: The two events in the security log suggest the snort service was actually starting, however the events in the system log indicate a timeout. Since the "process events" (security log) do occur, presumably snort is starting and supposed to pass a message or call the services control manager (or maybe return some value) indicating to the services control manager that it has started. It would appear this second step is not occurring.

Some possibility exists the snort code is using the name "snortsvc" in some code and "snort" in other services code. Executing "sc query snortsvc" from a command line indicates:
State: 1 stopped (not-stoppable, not_pausable, ignores_shutdown)
with no other hints.

The above _might_ be related to not registering the snort service properly, differences in service names, incorrect parameters, etc. Not sure.

If I can provide any other information regarding the problem/symptom, please contact me. If there is a better location to report this problem, please let me know.

Rich Adamson
radamson () routers com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------
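Added example, not part of the original thread or of Snort's own code: a PowerShell function that pairs the Event 7009 timeout with the Event 7000 start failure quoted above, so a sensor that silently failed to start after a reboot is reported with its timeout and reason. The function name `Find-ServiceStartTimeout`, the sample timestamps and the third sample event are constructed for illustration; English event text is assumed.

```powershell
# Constructed sample: the two System-log messages quoted in the thread plus
# one unrelated event. Timestamps are made up.
$sample = @(
    [pscustomobject]@{ Id = 7009; TimeCreated = [datetime]'2005-12-26 09:58:31'
        Message = 'Timeout (30,000 milliseconds) waiting for the Snort service to connect.' }
    [pscustomobject]@{ Id = 7000; TimeCreated = [datetime]'2005-12-26 09:58:31'
        Message = 'The Snort service failed to start due to the following error: The service did not respond to the start or control request in a timely manner.' }
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2005-12-26 09:58:40'
        Message = 'The Windows Firewall service entered the running state.' }
)

function Find-ServiceStartTimeout {
    param(
        [Parameter(Mandatory)] [object[]] $Events,       # objects with Id, TimeCreated, Message
        [Parameter(Mandatory)] [string]   $DisplayName,  # name as it appears in the event text
        [int] $PairWindowSeconds = 5                     # assumed gap between 7009 and 7000
    )
    $name = [regex]::Escape($DisplayName)
    $timeouts = $Events | Where-Object {
        $_.Id -eq 7009 -and $_.Message -match "waiting for the $name service to connect" }
    foreach ($t in $timeouts) {
        # Pull the SCM wait out of "Timeout (30,000 milliseconds)".
        $ms = $null
        if ($t.Message -match 'Timeout \(([\d,]+) milliseconds\)') {
            $ms = [int]($Matches[1] -replace ',', '')
        }
        # Look for the matching start failure logged at about the same time.
        $failure = $Events | Where-Object {
            $_.Id -eq 7000 -and
            $_.Message -match "^The $name service failed to start" -and
            [math]::Abs(($_.TimeCreated - $t.TimeCreated).TotalSeconds) -le $PairWindowSeconds
        } | Select-Object -First 1
        $reason = $null
        if ($failure) { $reason = ($failure.Message -split 'following error:\s*')[1] }
        [pscustomobject]@{
            Service     = $DisplayName
            TimedOutAt  = $t.TimeCreated
            TimeoutMs   = $ms
            StartFailed = [bool]$failure
            Reason      = $reason
        }
    }
}

Find-ServiceStartTimeout -Events $sample -DisplayName 'Snort'
# Live log (Get-WinEvent needs Windows Vista or later):
# Find-ServiceStartTimeout -DisplayName 'Snort' -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000, 7009 })
```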