[Snort-users] Running Snort as a service

Michael Davis mike at ...92...
Thu Mar 15 22:31:12 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Yep, this section was clipped, but from the docs that come with
> SRVANY.  

Shamelessly ripped ;)

> Unfortunately, they got a bit wackified with their inclusion in the
> FAQ. ;-) Hopefully this may prompt a slight revision by the
> Snortsters. Take care,  

I tried to simplify them, I tested the instructions before release
but something broke.

Who needs documentation? :) 

Michael Davis
Chief Technical Officer
Data Nerds, LLC.
http://www.datanerds.net
> Ian
> 
> -----Original Message-----
> From: agetchel at ...1525... [mailto:agetchel at ...1525...]
> Sent: Thursday, March 15, 2001 2:16 PM
> To: Ian Campbell; mike at ...92...
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Running Snort as a service
> 
> 
> Hi Ian,
> I didn't even notice the error in the FAQ.  It looks like the text
> that's there, however, was ripped directly from an MS Q article. 
> Even the warning about editing the registry is identical to the one
> they use in all of their Q's and whitepapers.  Maybe MS is wrong? 
> I couldn't find it on their web site to verify.
> Snort does run fine under the LocalSystem context, but I always run
> user-installed services under a different local account for
> auditing and debugging purposes.  The account the snort service was
> running under didn't have access to the crypto keys it needed to
> read and write to the EFS encrypted directory it was trying to log
> to (which was encrypted by a different user) and wasn't specified
> as a DRA.  Changing the service to run under the account of the
> user who encrypted the data, or to an account who is specified as a
> DRA in the security policy, fixes the problem.
> 
> Thanks,
> Abe
> 
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel at ...1525...
> Web     http://www.kde.state.ky.us/
> 
> 
> 
> > -----Original Message-----
> > From: Ian Campbell [mailto:ianc at ...1500...]
> > Sent: Thursday, March 15, 2001 4:38 PM
> > To: 'agetchel at ...1525...'; mike at ...92...
> > Cc: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Running Snort as a service
> > 
> > 
> > Hi guys,
> > 
> > Michael, sorry for not reporting this. The error in the FAQ is the
> > section as follows:
> > 
> > <<You must use the SRVANY.EXE and INSTSRV.exe that come with the
> >    Windows NT/2000 Resource Kit.
> >    
> >    You first must install the SRVANY service. At a command prompt
> >    type:
> >    INSTSRV SrvAny <PATH TO RESKIT>\srvany.exe.
> >    
> >    Now you can install and configure the snort service.
> >    
> >    At a command prompt, type the following command:
> >    <path>\INSTSRV.EXE snort <path>\SRVANY.EXE
> >    where <path> is the drive and directory of the Windows NT Resource
> >    Kit (i.e., C:\RESKIT).>>
> > 
> > This implies that you must run INSTSRV twice, which is not the case.
> > This will actually install two services, one called 'SrvAny', and one
> > called 'snort', one of which will be useless. The syntax
> > <path>\INSTSRV.EXE snort <path>\SRVANY.EXE is all that's required,
> > and this will actually create a service called snort for you.
> > 
> > You can then proceed to follow the balance of the instructions
> > regarding the creation of the Parameters key, then the addition of
> > the Application and AppParameters REG_SZ values. I did this, and it
> > is correct, but it still didn't work for me.
> > 
> > After glancing at the SRVANY docs that come with the reskit, they
> > mention a third REG_SZ value called AppDirectory that can be used to
> > specify a path to the working directory for the app. Once I added
> > this, snort fired right up on reboot or manually starting the
> > service, so I'd suggest you add this last step to the FAQ as well.
> > 
> > Snort seems to operate just fine under the 'LocalSystem' security
> > context.
> > HTH,
> > 
> > Ian 
> > 
> > -----Original Message-----
> > From: agetchel at ...1525... [mailto:agetchel at ...1525...]
> > Sent: Thursday, March 15, 2001 8:57 AM
> > To: mike at ...92...; Ian Campbell
> > Cc: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Running Snort as a service
> > 
> > 
> > Hi Michael,
> > FWIW, I set up Snort last night on my Win2k Pro laptop to run as a
> > service, followed the instructions in the FAQ to the letter, and it
> > worked perfectly.  I had a problem with the context the service was
> > running in because I was writing the logs to an EFS encrypted
> > directory, but that's just my own bone-headed mistake... which was
> > resolved by running it under a user who had access to the crypto
> > keys.
> > 
> > Thanks,
> > Abe
> > 
> > Abe L. Getchell - Security Engineer
> > Division of System Support Services
> > Kentucky Department of Education
> > Voice   502-564-2020x225
> > E-mail  agetchel at ...1525...
> > Web     http://www.kde.state.ky.us/
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Michael Davis [mailto:mike at ...92...]
> > > Sent: Thursday, March 15, 2001 11:29 AM
> > > To: Ian Campbell
> > > Cc: 'snort-users at lists.sourceforge.net'
> > > Subject: Re: [Snort-users] Running Snort as a service
> > > 
> > > 
> > > > followed the docs that came with it (those in the win32_faq.txt
> > > > file are incorrect).
> > > 
> > > I wish people would report problems like this.
> > > 
> > > I followed the instructions and it worked for me. Let me try and
> > > duplicate it again and see if I need to fix the FAQ.
> > > 
> > > Thanks,
> > > Michael Davis
> > > Chief Technical Officer
> > > Data Nerds, LLC.
> > > http://www.datanerds.net
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > 
> > 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOrGI/viUqZ9dnoKsEQJLGQCfdJyLMBzgEA6p4nlRZYhZC7EBWVYAnRyS
zNyXSknW3mwiSKpnYJbqqlGU
=jp5N
-----END PGP SIGNATURE-----
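The corrected procedure the thread converges on (a single INSTSRV call, then the Application, AppParameters and AppDirectory REG_SZ values under the service's Parameters key), together with the EFS ownership problem Abe ran into, as an added PowerShell example. It is not part of the original thread, the Snort FAQ, or the Resource Kit documentation. The Resource Kit path C:\RESKIT, the Snort install and log directories, the interface number, the Snort command line and the local account name are assumptions for illustration; the example also assumes a host where PowerShell and the Resource Kit INSTSRV.EXE/SRVANY.EXE are both present.

```powershell
# Added example: install Snort as a Windows service under SRVANY and set the
# three REG_SZ values SRVANY reads from <service>\Parameters. All paths and
# names below are assumptions, not values from the thread or the FAQ.
$ResKit      = 'C:\RESKIT'        # assumed Resource Kit location
$SnortDir    = 'C:\Snort'         # assumed Snort install directory
$LogDir      = 'C:\Snort\log'     # assumed log directory (see EFS check below)
$ServiceName = 'snort'
$Interface   = 1                  # assumed WinPcap interface number

# Exactly one INSTSRV call: <service name> <path to wrapper>. Installing a
# separate "SrvAny" service first, as the old FAQ text implied, just leaves a
# second, unused service behind.
& "$ResKit\INSTSRV.EXE" $ServiceName "$ResKit\SRVANY.EXE"
if ($LASTEXITCODE -ne 0) { throw "INSTSRV failed with exit code $LASTEXITCODE" }

# SRVANY reads these values from the service's Parameters key.
$Params = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
New-Item -Path $Params -Force | Out-Null
New-ItemProperty -Path $Params -Name 'Application' -PropertyType String `
    -Value "$SnortDir\snort.exe" -Force | Out-Null
New-ItemProperty -Path $Params -Name 'AppParameters' -PropertyType String `
    -Value "-c $SnortDir\snort.conf -l $LogDir -i $Interface" -Force | Out-Null
# AppDirectory is the working directory SRVANY starts the app in; this is the
# value Ian found missing from the FAQ.
New-ItemProperty -Path $Params -Name 'AppDirectory' -PropertyType String `
    -Value $SnortDir -Force | Out-Null

# Optional (Abe's practice): run under a dedicated local account instead of
# LocalSystem. sc.exe needs the space after each "=".
#   sc.exe config snort obj= ".\snortsvc" password= "<password>"

# EFS check: if the log directory is encrypted, the service account must be
# the user who encrypted it or a designated DRA, or Snort cannot open its
# log files. Warn before starting the service rather than debugging it after.
$Attrs = (Get-Item -LiteralPath $LogDir).Attributes
if ($Attrs -band [IO.FileAttributes]::Encrypted) {
    Write-Warning "$LogDir is EFS-encrypted; run '$ServiceName' as the encrypting user or a DRA."
}

Start-Service -Name $ServiceName
Get-Service -Name $ServiceName
```

Verify the result with `Get-ItemProperty $Params`, which should list exactly Application, AppParameters and AppDirectory, and with `Get-Service snort`, which should report Running. If the service starts and stops immediately, the usual causes are a wrong interface number in AppParameters or a log directory the service account cannot write to; the EFS case above is one instance of the latter.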
