Snort mailing list archives

RE: Problem: Win32 v2.4.3 does not start as a Service


From: Our World Is Here <info () lucretia ca>
Date: Wed, 28 Dec 2005 18:05:43 -0700

I second this...

Cheers,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca


-----Original Message-----
From: Rich Adamson [mailto:radamson () routers com]
Sent: Wednesday, December 28, 2005 3:35 AM
To: Gianluca Varenni; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Gianluca,

I see now from the winpcap archives this issue is related to
changes that were made to winpcap between beta 4 and the
official v3.1 release.
I also see the issue resulted from someone electing to use
the Microsoft NetMon COM component from within winpcap, and
the NetMon component is primarily intended to capture packets
from dialup adapters.

I've read your postings relative to editing the registry to
add a startup dependency, but I don't understand why those of
us that don't ever use a dialup adapter are required to be
"dependent" on that component.

Can you help us understand why that dependency became mandatory?

Would it be appropriate for the snort win32 distribution to
add the registry entry during the snort installation, ask the
winpcap folks to release v3.1.1 with the registry change in
it, stay with v3.0 in snort documentation and
recommendations, or, is there another "fix" to this service
startup problem?

For those that are actually following this thread, the
suggested registry changes are:
1. Open the registry with regedit.exe
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
   and locate the Snort service (it should probably be named
   "Snort" something)
3. Right click on the snort key name, and choose
   New->Multi-string value
4. Name the new key "DependOnService" (be careful with the
   spelling and the capital letters).
5. Double click on the newly created key, and add the
   following names (one per line):
       NM
       NPF
   Be careful *not* to put any space before/after each name


------------------------
Hi all.

NetMon stands for Microsoft Network Monitor, and it's basically the
(quite crappy) implementation of packet capture engine provided by
Microsoft. It is available (but *not* installed) on every 2000/XP/2003
Windows installation.
It's *not* related to QoS.

It's used by WinPcap to capture for dialup/VPN adapters (the so called
"NDISWAN" adapters), and it was introduced in WinPcap 3.1 (well,
actually it was introduced in WinPcap 3.1 beta1, back in feb '04).

NetMon is installed by default by the WinPcap installer.

netcat.exe is a command line tool provided by Microsoft (I think in
the support pack or something similar), that allows you to capture
packets from the command line and dump them to file (similar to
"tcpdump/windump -w <somefile>").

If I remember correctly, netmon is a simple GUI packet analyzer
provided by Microsoft (I think on the server versions of Windows) that
uses NetMon to capture packets.

Have a nice day
GV


----- Original Message -----
From: "Lee Clemens" <snort () leeclemens net>
To: "'Rich Adamson'" <radamson () routers com>; "'Michael Steele'"
<michaels () winsnort com>; <snort-users () lists sourceforge net>
Sent: Tuesday, December 27, 2005 8:38 PM
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service


Perhaps someone else knows more about this, but it looks like NetMon
may be related to QoS. Since you said you don't know what they are,
I assume you haven't installed NetMon, but it may be related to a
network adapter driver you have installed, or if QoS is dis/enabled
on the interface you are listening to with Snort.

There is a file, NetMonInstaller.exe, in the WinPcap directory...did
you execute this? (I'm not saying you should.)

Can you try typing "netcap /?" or "netmon /?" at a DOS prompt?

Perhaps playing around with the adapter's settings for QoS, File and
Print Sharing, and Client for Microsoft Networks could help?

Disclaimer: Pretty much shots in the dark, but shouldn't hurt.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Tuesday, December 27, 2005 8:34 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service


The -i switch is what's killing the Snort service. I'm guessing the
reason why it's happening to some and not others is that some are
specifying the -i switch and others are not.

The -i switch has absolutely nothing to do with the problem. Just
proved that by running with/without it in both winpcap v3.0 and
v3.1. Exact same issue; snort will not start after a reboot with v3.1.

I know in most cases (especially home and small business users)
that the -i can be omitted, but this usually means Snort will
automatically use the first interface in line, and I believe that
is where the problem occurs.

Well, I don't think that's true either. Manual start of snort with
the 'config interface:' did in fact select the proper interface (of
four entries from snort -W). But, I can't rearrange the interface
numbering to prove that.

If you are running snort as a service, logging to a database and
WinPcap 3.1 uses the first interface in line, then WinPcap 3.1 may
work, but I don't think so. We are past that point to check it out
on our clean install.

The use of a database (or not) has nothing to do with the issue.

Tomorrow we will do another clean install and verify if it works,
or someone else could check.

I'm sure there is a hack to the registry that can be done to fix
the problem, but its windows :)

There is and it was posted several hours ago (which is actually
included below from previous email postings).

I guess they need to figure out if it's a Snort problem or a
WinPcap problem and fix it. I'm fairly sure it's WinPcap.

Based on the url provided and the summary contained in that posting,
looks like the issue is a dependency involving winpcap v3.1 and
Microsoft NetMon COM component. Since winpcap v3.0 does not exhibit
the same problem, there is obviously something different about v3.1.
Not sure as yet whether the NetMon component is an XP-only item, or
what it's associated with.

Rich

-----Original Message-----

I've been using 3.1 for some time now with no issues. However, I do
not specify -I #, but use the config file to specify an interface to
listen on.
Perhaps you could try doing that if you'd like to keep (or go back to)
3.1.

From my config file: config interface: \Device\<removed>

Hope that helps.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Tuesday, December 27, 2005 12:14 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Okay, the problem "is" with WinPcap v3.1; reverting to v3.0 allows
snort to start correctly as a Service after a reboot. Also tried
v3.2 alpha 1, but it created the same problem as v3.1.

Based on the winpcap url (provided below), there "is" a dependency
that apparently causes snort not to start.

As a side effect, reverting to winpcap v3.0 causes all of the
interface numbering (snort -W) to change, therefore the snort
service will need to be removed and reinstalled with an appropriate
"-i" specification. Bummer.

Does anyone (with development experience) know whether this is an
issue with "service" code in snort, or is strictly a winpcap
dependency issue?

Rich

------------------------

Yes, I remember seeing that post somewhere. I think I suggested
removing 3.1 and reverting back to 3.0.

We are using 3.1 (non-beta) for our new install, and will know in
a couple of hours if that is the culprit.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Gianluca Varenni
Sent: Tuesday, December 27, 2005 8:02 AM
To: Rich Adamson; Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Hi all.

It could be an issue with a service dependency with WinPcap.
Another user reported a similar issue some weeks ago on the
WinPcap-bugs mailing list.

You can find the mail and a possible workaround here:


http://www.winpcap.org/pipermail/winpcap-bugs/2005-December/000133.html


Hope it helps

Gianluca Varenni
WinPcap Team

----- Original Message -----
From: "Rich Adamson" <radamson () routers com>
To: "Michael Steele" <michaels () winsnort com>;
<snort-users () lists sourceforge net>
Sent: Tuesday, December 27, 2005 5:43 AM
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service


Keep in mind the issue is that snort isn't starting at system
bootup time, so there isn't any desktop to interact with. It
starts just fine "after" the system is fully up.

There likely is a 'dependency' issue or an XP service control
manager issue, but it's not obvious from the event log, etc.
Changing from dhcp to a static IP made no difference either.

The event log messages (as originally stated) seem to imply the
service control manager is waiting on snort for some sort of
communications (indicating a successful start) that isn't happening.

Any other thoughts?

------------------------

Rich,

Go into services and allow Snort to interact with the desktop
and it should display the error:

1) Go into the Services applet
2) Double left-click on the snort entry
3) Left-click the 'Logon' tab
4) Under 'Local system account' make sure that 'Allow service
   to interact with desktop' is checked
5) Left-click the 'Apply' button
6) Left-click the 'General' tab
7) Under 'Service Status' left-click the 'Start' button

Snort will start in a console and should display any problems
with the startup procedure.

Note: Make sure to reverse the above procedure so Snort does
NOT interact with the desktop under normal startup conditions.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, December 26, 2005 7:08 AM
To: Snort Developers Postings; Snort Users Postings
Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Could not find any reference on the snort.org site relative to
reporting a problem, so posting to both the -users and -devel lists.

Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap v3.1

Experience Level:
Been around snort since v1.8 days and have had it running just
fine as a Service on most Win32 O/S's. I do not have an
application development system (or development experience) to
diagnose the problem.

Issue:
Snort will not start as a Service (for example after a reboot),
however it runs just fine if started manually. Happens on multiple
XP systems and has been observed by others (see forums) as well.
Viewing the Services list indicates the snort service is properly
configured to start "automatically" and log on using the Local
System account.

Indicators:
Four event log entries are created following a system reboot.
1. Security Log: Event 592 & 593 (process tracking) are created
   for snort.
2. System Log: two events generated including:
   Event 7000: "The Snort service failed to start due to the
   following error: The service did not respond to the start or
   control request in a timely manner."
   Event 7009: "Timeout (30,000 milliseconds) waiting for the
   Snort service to connect."

I am not at all sure whether this is an issue with Snort service
code or some form of new requirement in Win XP service startup
code. Several systems seem to be restarting correctly on Win 2k
Pro and Win 2k Server, however these systems are also running
pre-v2.4.3 snort code and cannot be upgraded at this time.

Consistency:
Snort v2.4.3 on any Win XP system will "always" fail to start
following a reboot. A manual start via the Services control panel
will "always" be successful, and, a "net start snort" from the
command line will always be successful. All other services on
these systems start normally.

References:
Microsoft's site suggests: "Within a specified time period after a
new service starts, it notifies Service Control Manager (SCM) that
it is ready to connect. In this case, the service did not notify
SCM within the time period." (Thus generating event 7009.)

Other Observations:
1. Typical Win32 system has 512 meg ram with WinPcap v3.1
2. After manually starting the snort service, task manager indicates
   over 150 meg of available memory.
3. After manually starting the snort service, all alerts and log
   entries occur properly.
4. The snort service was installed following the examples displayed
   when executing "snort -?" from the command line.
5. Executing "snort /service /show" indicates the service was
   properly installed with all appropriate startup parameters.

Best Guess:
The two events in the security log suggest the snort service was
actually starting, however the events in the system log indicate a
timeout. Since the "process events" (security log) do occur,
presumably snort is starting and supposed to pass a message or call
the services control manager (or maybe return some value) indicating
to the services control manager that it has started. It would appear
this second step is not occurring.

Some possibility exists the snort code is using the name "snortsvc"
in some code and "snort" in other services code. Executing "sc
query snortsvc" from a command line indicates:
  State: 1 stopped
           (not-stoppable, not_pausable, ignores_shutdown)
with no other hints. The above _might_ be related to not registering
the snort service properly, differences in service names, incorrect
parameters, etc. Not sure.

If I can provide any other information regarding the
problem/symptom, please contact me.

If there is a better location to report this problem, please let me
know.

Rich Adamson
radamson () routers com






-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep
through log files for problems?  Stop!  Download the new AJAX
search engine that makes searching your log files as easy as
surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users








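Added example, not code from this thread or from the Snort or WinPcap projects: a PowerShell script that automates the DependOnService workaround Rich Adamson posted above and first pulls the System log events 7000/7009 from his original report, for a Windows host recent enough to have PowerShell and Get-WinEvent (the XP-era systems in the thread would use the regedit steps as posted). It assumes the service is registered under the name "Snort"; pass -ServiceName if yours differs. The one check added beyond the posted steps: a name listed in DependOnService that is not an installed service makes the SCM refuse to start Snort at all (error 1075), so the script leaves NM out when NetMon is absent rather than add a dependency on a service that does not exist.

```powershell
# Added example, not code from the thread or from Snort/WinPcap.
# Automates the DependOnService workaround posted above and shows the
# SCM events (7000/7009) from the original report. Assumptions: the
# service is registered as "Snort" (override with -ServiceName), and the
# host is new enough to have PowerShell and Get-WinEvent. Run elevated.
param(
    [string]$ServiceName = 'Snort',
    [string[]]$Dependencies = @('NM', 'NPF'),  # NetMon and the WinPcap NPF driver, as posted
    [switch]$Apply                             # without -Apply: report only
)

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svcKey  = Join-Path $svcRoot $ServiceName
if (-not (Test-Path $svcKey)) {
    throw "No service key at $svcKey. List names with: sc.exe query type= service state= all"
}

# 1. The boot-time failures from the original report: System log, SCM, 7000/7009.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 2. What the SCM currently believes Snort depends on (empty if the value is absent).
$prop    = Get-ItemProperty -Path $svcKey -Name DependOnService -ErrorAction SilentlyContinue
$current = @($prop.DependOnService | Where-Object { $_ })
Write-Host ("Current DependOnService: " + $(if ($current.Count) { $current -join ', ' } else { '<none>' }))

# 3. Only depend on services that exist. The SCM will not start a service whose
#    dependency is missing (error 1075), which would turn "times out at boot"
#    into "never starts". NetMon (NM) is optional, so skip it when absent.
$wanted = foreach ($dep in $Dependencies) {
    if (Test-Path (Join-Path $svcRoot $dep)) { $dep }
    else { Write-Warning "Dependency '$dep' is not installed; not adding it" }
}
$merged = @($current + $wanted | Where-Object { $_ } | Select-Object -Unique)
if ($merged.Count -eq 0) { Write-Warning 'Nothing to set'; return }

if (-not $Apply) {
    Write-Host ("Would set DependOnService to: " + ($merged -join ', ') + "  (re-run with -Apply)")
    return
}

# REG_MULTI_SZ, one name per element and no surrounding spaces (the thread's warning).
Set-ItemProperty -Path $svcKey -Name DependOnService -Value ([string[]]$merged) -Type MultiString
Write-Host ("Set DependOnService to: " + ($merged -join ', '))

# 4. Confirm through the SCM, not just the registry; the real test is then a reboot.
sc.exe qc $ServiceName
(Get-Service -Name $ServiceName).ServicesDependedOn | Select-Object Name, Status
```

Run it from an elevated prompt; without -Apply it only prints the recent 7000/7009 events, the current dependency list and what it would write. After -Apply, confirm the DEPENDENCIES line in the sc.exe qc output, reboot, and check whether event 7009 for the Snort service recurs, which is the test the thread itself relies on.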