[Snort-users] RE: Installing SNORT 1.8.3 on win2k server

Michael Steele michaels at ...155...
Tue Mar 12 10:51:04 EST 2002


I apologize if this is not a Sourcefire associated installer. I was
under the impression that it was, because of the path "Sourcefire" when
it's installed. This is very confusing. I believe the Sourcefire name is
protected and not just anyone is authorized to use it, without
permission of whomever the name belongs. My mistake and I do sincerely

However, now that I know you are the person responsible for authoring
this piece of software, I now have someone to point users to for support
for this particular program. I will send them your way if I get stumped
on an installation issue.

I have received a lot of emails concerning this particular piece of
software and it has had this one particular problem from it's inception
to the Snort community, among others.

In this case, which is not at all uncommon for this installer, Y P Chien
had a specific problem with WinPcap and the version he referred to was
"2.3 beta". It's always my first inclination to revert back to a release
version of a particular program if it's a beta they are running, and
then start trouble shooting.

Usually, if they have used an installer type of program, I instruct them
to completely remove the installation and do a manual install. Which in
my opinion is far superior, and they get a first had look and the
experience of actually installing an IDS, along with a lot of
documentation for running Snort on Windows.

I apologize to Y P Chien for not offering this path. I do know there are
a few people that really need an installer type of program and that's
why we here at Silicon Defense, also have one available on our website.

Here at Silicon Defense (not "silidef" as you pointed out in your
response) we have spent many many hours putting Snort support together
for the Windows community. All the way from documenting installations
for step by step procedures, to making sure we have the latest compiled
CVS versions of snort available to download from our website, and in 5
flavors, for Windows. This, in all reality, is a one stop shop for the
Windows user to get everything they will need to get a functional IDS up
and running. This has been at a cost that has been absorbed by us
(Silicon Defense) for the Snort community. 


- Mike

Commercial Snort Support <<->> 1.866.41.SNORT
 Silicon Defense -- <www.silicondefense.com>
    Home of the new SENTRUS Snort sensor!
  Michael Steele - Snort Support Technician

-----Original Message-----
From: Dragos Ruiu [mailto:dr at ...381...] 
Sent: Monday, March 11, 2002 12:54 PM
To: Michael Steele
Cc: ypchien at ...5290...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] RE: Installing SNORT 1.8.3 on win2k server

This advice from Michael is incorrect.

The latest version of pcap is superior in stability to the old one.

Sorry to dissapoint Michael and the guys at silidef, but this does
not look like a problem with the installer.

You are seeing this error message because of some of the settings
in IDScenter.  When I built the combined Win32 installer that is 
distributed on snort.org, I tried to compensate for new users by
preloading some registry keys with common default values and settings
for IDScenter so it might have a hope of working out of the box
without configuration.  This falls short in some areas (like if you
have your Program Files directory on a drive other C: for instance)
and you may have to fiddle with the IDScenter settings to make 
it work for your particular setup (which you would have had to do 
anyway if you had installed the components yourself separately).
I am trying to further improve some of these settings on the next 
release of the Win32 installer which will be out released after
some more testing.

Though I cannot ascertain exactly what settings are incorrect 
from your error message, I would suspect  you might want to look
at what you might have your interface setting at under the IDScenter
general setup screen.

Send me some e-mail directly and I can try to help you work through 
this issue.

Another option you might want to try is debugging your setup using
the command line version of snort. Send me some more information 
about your ssetup and results and let's see what we can figure out 
about your problem.


On Mon, 11 Mar 2002 18:56:00 -0800
"Michael Steele" <michaels at ...155...> wrote:

> YP,
> This is an installation from Sourcefire. You might want to contact
> and find out why?  I would be more then happy to help you if you were
> using the installation documentation written by me located on our
> website as I have never installed the Sourcefire installation. It's
> usually a problem with WinPcap. You might try going back one version
> (2.2 Non Beta). 
> - Mike
> Commercial Snort Support <<->> 1.866.41.SNORT
> Silicon Defense -- <www.silicondefense.com>
> Home of the new SENTRUS Snort sensor!
> Michael Steele - Snort Support Technician
> -----Original Message-----
> From: Y P Chien [mailto:ypchien at ...5290...] 
> Sent: Monday, March 11, 2002 4:30 PM
> To: michaels at ...155...
> Subject: Installing SNORT 1.8.3 on win2k server
> Dear Sir: 
> I saw your email address and post replies on Snort discussion forum. 
> It seems that I have the similar problems that most users have with
> installing Snort on Win2K system. 
> I am trying to install Snort on a Win2K server with SP2.  I am using
> WinPcap 2.3 beta.  I am getting the following errors:
> Initializing Network Interface \ 
> ERROR: OpenPcap() FSM compilation failed: 
>         syntax error 
> PCAP command: Files\Sourcefire\Snort\snort.conf -l C:\Program
> Files\Sourcefire\Snort -A full -h any 
> Fatal Error, Quitting.. 
> Please help. 
> YP 

--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. -

More information about the Snort-users mailing list