[Snort-users] Running Snort as a service

Ian Campbell ianc at ...1500...
Thu Mar 15 17:19:53 EST 2001


Hi Abe,

<<I didn't even notice the error in the FAQ.  It looks like the text
that's there, however, was ripped directly from an MS Q article.  Even the
warning about editing the registry is identical to the one they use in all
of their Q's and whitepapers.  Maybe MS is wrong?  I couldn't find it on
their web site to verify.>>

Yep, this section was clipped, but from the docs that come with SRVANY.
Unfortunately, they got a bit wackified with their inclusion in the FAQ. ;-)
Hopefully this may prompt a slight revision by the Snortsters. Take care,

Ian

-----Original Message-----
From: agetchel at ...1525... [mailto:agetchel at ...1525...]
Sent: Thursday, March 15, 2001 2:16 PM
To: Ian Campbell; mike at ...92...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Running Snort as a service


Hi Ian,
	I didn't even notice the error in the FAQ.  It looks like the text
that's there, however, was ripped directly from an MS Q article.  Even the
warning about editing the registry is identical to the one they use in all
of their Q's and whitepapers.  Maybe MS is wrong?  I couldn't find it on
their web site to verify.
	Snort does run fine under the LocalSystem context, but I always run
user-installed services under a different local account for auditing and
debugging purposes.  The account the snort service was running under didn't
have access to the crypto keys it needed to read and write to the EFS
encrypted directory it was trying to log to (which was encrypted by a
different user) and wasn't specified as a DRA.  Changing the service to run
under the account of the user who encrypted the data, or to an account who
is specified as a DRA in the security policy, fixes the problem.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...1525...
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: Ian Campbell [mailto:ianc at ...1500...]
> Sent: Thursday, March 15, 2001 4:38 PM
> To: 'agetchel at ...1525...'; mike at ...92...
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Running Snort as a service
> 
> 
> Hi guys,
> 
> Michael, sorry for not reporting this. The error in the FAQ is the section
> as follows:
> 
> <<You must use the SRVANY.EXE and INSTSRV.exe that come with the Windows
>    NT/2000 Resource Kit.
>    
>    You first must install the SRVANY service. At a command prompt type:
>    INSTSRV SrvAny <PATH TO RESKIT>\srvany.exe.
>    
>    Now you can install and configure the snort service.
>    
>    At a command prompt, type the following command:
>    <path>\INSTSRV.EXE snort <path>\SRVANY.EXE
>    where <path> is the drive and directory of the Windows NT Resource Kit
>    (i.e., C:\RESKIT).>>
> 
> This implies that you must run INSTSRV twice, which is not the case. This
> will actually install two services, one called 'SrvAny', and one called
> 'snort', one of which will be useless. The syntax <path>\INSTSRV.EXE snort
> <path>\SRVANY.EXE is all that's required, and this will actually create a
> service called snort for you.
> 
> You can then proceed to follow the balance of the instructions regarding the
> creation of the Parameters key, then the addition of the Application and
> AppParameters REG_SZ values. I did this, and it is correct, but it still
> didn't work for me.
> 
> After glancing at the SRVANY docs that come with the reskit, they mention a
> third REG_SZ value called AppDirectory that can be used to specify a path to
> the working directory for the app. Once I added this, snort fired right up
> on reboot or manually starting the service, so I'd suggest you add this last
> step to the FAQ as well.
> 
> Snort seems to operate just fine under the 'LocalSystem' security context.
> HTH,
> 
> Ian
> 
> -----Original Message-----
> From: agetchel at ...1525... [mailto:agetchel at ...1525...]
> Sent: Thursday, March 15, 2001 8:57 AM
> To: mike at ...92...; Ian Campbell
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Running Snort as a service
> 
> 
> Hi Michael,
> 	FWIW, I set up Snort last night on my Win2k Pro laptop to run as a
> service, followed the instructions in the FAQ to the letter, and it worked
> perfectly.  I had a problem with the context the service was running in
> because I was writing the logs to an EFS encrypted directory, but that's
> just my own bone-headed mistake... which was resolved by running it under a
> user who had access to the crypto keys.
> 
> Thanks,
> Abe
> 
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel at ...1525...
> Web     http://www.kde.state.ky.us/
> 
> 
> 
> > -----Original Message-----
> > From: Michael Davis [mailto:mike at ...92...]
> > Sent: Thursday, March 15, 2001 11:29 AM
> > To: Ian Campbell
> > Cc: 'snort-users at lists.sourceforge.net'
> > Subject: Re: [Snort-users] Running Snort as a service
> > 
> > 
> > > followed the docs that came with it (those in the win32_faq.txt file
> > > are incorrect).
> > 
> > I wish people would report problems like this.
> > 
> > I followed the instructions and it worked for me. Let me try and
> > duplicate it again and see if I need to fix the FAQ.
> > 
> > Thanks,
> > Michael Davis
> > Chief Technical Officer
> > Data Nerds, LLC.
> > http://www.datanerds.net
> > 
> 
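The SRVANY configuration Ian describes (the service's Parameters key with Application, AppParameters and the AppDirectory value the FAQ omitted) together with the service-account and EFS checks Abe's message points at, as an added PowerShell example that is not from the thread or the Snort project; the service name 'snort', the Snort paths and the Parameters key location under HKLM\SYSTEM\CurrentControlSet\Services are assumptions.

```powershell
# Added example, not from the thread. Assumes the service was created once with
#   <path>\INSTSRV.EXE snort <path>\SRVANY.EXE
# All Snort paths below are placeholders; adjust them to your install.
$ServiceName = 'snort'
$SnortExe    = 'C:\Snort\snort.exe'                                 # placeholder
$SnortArgs   = '-c C:\Snort\etc\snort.conf -l C:\Snort\log'         # placeholder
$SnortDir    = 'C:\Snort'                                           # placeholder
$LogDir      = 'C:\Snort\log'                                       # placeholder

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { throw "Service '$ServiceName' not found; run INSTSRV first." }

# Running INSTSRV twice, as the FAQ text implied, leaves a useless 'SrvAny' service behind.
if (Get-Service -Name 'SrvAny' -ErrorAction SilentlyContinue) {
    Write-Warning "A separate 'SrvAny' service exists; INSTSRV was probably run twice."
}

# SRVANY reads its configuration from the Parameters subkey of the service.
$ParamKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
if (-not (Test-Path $ParamKey)) { New-Item -Path $ParamKey -Force | Out-Null }

# The three REG_SZ values SRVANY honours; AppDirectory is the working directory Ian needed.
New-ItemProperty -Path $ParamKey -Name 'Application'   -Value $SnortExe  -PropertyType String -Force | Out-Null
New-ItemProperty -Path $ParamKey -Name 'AppParameters' -Value $SnortArgs -PropertyType String -Force | Out-Null
New-ItemProperty -Path $ParamKey -Name 'AppDirectory'  -Value $SnortDir  -PropertyType String -Force | Out-Null

# Which account the service logs on as (LocalSystem or a dedicated local account).
$account = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
Write-Host "Service '$ServiceName' runs as: $account"

# An EFS-encrypted log directory is only writable by the user who encrypted it or a DRA;
# any other service account will fail exactly as described in the thread.
if (Test-Path $LogDir) {
    $attrs = (Get-Item $LogDir).Attributes
    if (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0) {
        Write-Warning "$LogDir is EFS-encrypted; '$account' must hold the key or be a DRA."
    }
}

# Show the resulting SRVANY configuration for review before starting the service.
Get-ItemProperty -Path $ParamKey | Select-Object Application, AppParameters, AppDirectory
```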
