[Snort-users] snort as a service on Windows 2000

Michael Steele michaels at ...155...
Mon Apr 14 11:16:03 EDT 2003


Augie,

Why would you want to monitor multiple NICs?

var HOME_NET [10.0.0.1/24,192.168.1.100/24]

To turn off sending alerts to the event viewer

In snort.conf change:

Original: output alert_syslog: LOG_AUTH LOG_ALERT
Change: # output alert_syslog: LOG_AUTH LOG_ALERT 

Restart Snort

-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels at ...155...    
 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: August.K.Kunnecke at ...8695... [mailto:August.K.Kunnecke at ...8695...] 
Sent: Monday, April 14, 2003 8:44 AM
To: michaels at ...155...


I think I already found the answer to my question. I need to run multiple
instances of Snort, correct?

I do have another question. I am getting my entries into my ACID database,
but I am also seeing Snort entries in my event viewer. How do I get rid of
those in event viewer?

Augie


> -----Original Message-----
> From:	Kunnecke, Augie K. 
> Sent:	Monday, April 14, 2003 11:38 AM
> To:	'Michael Steele'
> Subject:	RE: [Snort-users] snort as a service on Windows 2000
> 
> Michael
> 
> Thanks for all of your help. I now have a working IDS for one network.
> 
> My next project is to configure another box with Windows 2000, Snort 2.0
> and use it to monitor multiple networks. 
> 
> Is there documentation on monitoring more than one network into Snort?
> 
> 
> 	-----Original Message-----
> 	From:	Michael Steele [SMTP:michaels at ...155...]
> 	Sent:	Friday, April 11, 2003 5:08 PM
> 	To:	August.K.Kunnecke at ...8695...;
> snort-users at lists.sourceforge.net
> 	Subject:	RE: [Snort-users] snort as a service on Windows 2000
> 
> 	August,
> 
> 	I'm taking it that it runs fine from the command line.
> 
> 	Navigate from a command prompt to snort\bin
> 
> 	Remove the service: snort /SERVICE /UNINSTALL
> 
> 	Reboot
> 
> 	Navigate from a command prompt to snort\bin
> 
> 	Type: snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> 
> 	Make sure Snort is running with no errors.
> 
> 	Type CTRL/C to exit back to the command window.
> 
> 	Type: snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> 
> 	Type: snort /SERVICE /SHOW
> 
> 	Make sure the line reads: -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> 
> 	Go into the services and set snort to automatic, then press the start
> 	button. After the service starts go to Task Manager and make SURE snort is
> 	running.
> 
> 	 -Michael
> 
> 	 Michael Steele | System Engineer / Support Technician
> 	 mailto:michaels at ...155...
> 	 Silicon Defense: IDS solutions - http://www.silicondefense.com
> 	 Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> 	-----Original Message-----
> 	From: August.K.Kunnecke at ...8695...
> [mailto:August.K.Kunnecke at ...8695...] 
> 	Sent: Friday, April 11, 2003 1:49 PM
> 	To: michaels at ...155...
> 	Subject: RE: [Snort-users] snort as a service on Windows 2000
> 
> 	I did that and the SQL seems to look cleaner. 
> 
> 	I am still having problems when I start Snort as a service. 
> 
> 	(I am using the user "root" to be sure I don't have any more MySQL problems.)
> 	__________________________
> 
> 	C:\Snort\etc>snort /service /show
> 
> 	Snort is currently configured to run as a Windows service using the
> 	following
> 	command-line parameters:
> 
> 	     -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> 
> 	C:\Snort\etc>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
> 	Log directory = c:\snort\log
> 
> 	Initializing Network Interface \
> 
> 	        --== Initializing Snort ==--
> 	Initializing Output Plugins!
> 	Decoding Ethernet on interface
> 	\Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8}
> 	Initializing Preprocessors!
> 	Initializing Plug-ins!
> 	Parsing Rules file c:\snort\etc\snort.conf
> 
> 	+++++++++++++++++++++++++++++++++++++++++++++++++++
> 	Initializing rule chains...
> 	No arguments to frag2 directive, setting defaults to:
> 	    Fragment timeout: 60 seconds
> 	    Fragment memory cap: 4194304 bytes
> 	    Fragment min_ttl:   0
> 	    Fragment ttl_limit: 5
> 	    Fragment Problems: 0
> 	Stream4 config:
> 	    Stateful inspection: ACTIVE
> 	    Session statistics: INACTIVE
> 	    Session timeout: 30 seconds
> 	    Session memory cap: 8388608 bytes
> 	    State alerts: INACTIVE
> 	    Evasion alerts: INACTIVE
> 	    Scan alerts: ACTIVE
> 	    Log Flushed Streams: INACTIVE
> 	    MinTTL: 1
> 	    TTL Limit: 5
> 	    Async Link: 0
> 	    State Protection: 0
> 	    Self preservation threshold: 0
> 	    Self preservation period: 0
> 	    Suspend threshold: 0
> 	    Suspend period: 0
> 	Stream4_reassemble config:
> 	    Server reassembly: INACTIVE
> 	    Client reassembly: ACTIVE
> 	    Reassembler alerts: ACTIVE
> 	    Ports: 21 23 25 53 80 110 111 143 513 1433
> 	    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> 	http_decode arguments:
> 	    Unicode decoding
> 	    IIS alternate Unicode decoding
> 	    IIS double encoding vuln
> 	    Flip backslash to slash
> 	    Include additional whitespace separators
> 	    Ports to decode http on: 80
> 	rpc_decode arguments:
> 	    Ports to decode RPC on: 111 32771
> 	    alert_fragments: INACTIVE
> 	    alert_large_fragments: ACTIVE
> 	    alert_incomplete: ACTIVE
> 	    alert_multiple_requests: ACTIVE
> 	telnet_decode arguments:
> 	    Ports to decode telnet on: 21 23 25 119
> 	Conversation Config:
> 	   KeepStats: 0
> 	   Conv Count: 32000
> 	   Timeout   : 60
> 	   Alert Odd?: 0
> 	   Allowed IP Protocols:  All
> 
> 	database: compiled support for ( mysql odbc )
> 	database: configured to use mysql
> 	database:          user = root
> 	database: password is set
> 	database: database name = snort
> 	database:          host = 127.0.0.1
> 	database:          port = 3306
> 	database:   sensor name = W2K_Snort
> 	database:     sensor id = 2
> 	database: schema version = 106
> 	database: using the "log" facility
> 	database: compiled support for ( mysql odbc )
> 	database: configured to use mysql
> 	database:          user = root
> 	database: password is set
> 	database: database name = snort
> 	database:          host = 127.0.0.1
> 	database:          port = 3306
> 	database:   sensor name = W2K_Snort
> 	database:     sensor id = 2
> 	database: schema version = 106
> 	database: using the "alert" facility
> 	1310 Snort rules read...
> 	1310 Option Chains linked into 148 Chain Headers
> 	0 Dynamic rules
> 	+++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> 	Rule application order: ->activation->dynamic->alert->pass->log
> 
> 	        --== Initialization Complete ==--
> 
> 	-*> Snort! <*-
> 	Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
> 	By Martin Roesch (roesch at ...1935..., www.snort.org)
> 	1.7-WIN32 Port By Michael Davis (mike at ...92...,
> 	www.datanerds.net/~mike)
> 	1.8-1.9 WIN32 Port By Chris Reid
> (chris.reid at ...3029...)
> 
> 	Snort sucessfully loaded all rules and checked all rule chains!
> 	database: Closing connection to database "snort"
> 	database: Closing connection to database "snort"
> 
> 	C:\Snort\etc>
> 
> 	______________________________________
> 
> 
> 
> 	> -----Original Message-----
> 	> From:	Michael Steele [SMTP:michaels at ...155...]
> 	> Sent:	Tuesday, April 08, 2003 12:28 PM
> 	> To:	August.K.Kunnecke at ...8695...
> 	> Subject:	RE: [Snort-users] snort as a service on Windows 2000
> 	> 
> 	> August,
> 	> 
> 	> You NEED to add UPDATE to the user snort account.
> 	> 
> 	> Passwords:
> 	> 
> 	> Snort - This is very low security. The user Snort only needs to write to the
> 	> database.
> 	> Acid - This needs to be secured as anyone accessing the console can delete
> 	> alerts.
> 	> Root - This is God to the complete IDS system.
> 	> 
> 	> -Michael
> 	> -- 
> 	>  Michael Steele | System Engineer / Support Technician     
> 	>  mailto:michaels at ...155...    
> 	>  Silicon Defense - The Cyber-War Defense Company
> 	>  Website: http://www.silicondefense.com
> 	>  Snort: Open Source Network IDS - http://www.snort.org
> 	> 
> 	> -----Original Message-----
> 	> From: August.K.Kunnecke at ...8695...
> [mailto:August.K.Kunnecke at ...8695...] 
> 	> Sent: Tuesday, April 08, 2003 6:55 AM
> 	> To: michaels at ...155...
> 	> 
> 	> I made those changes and I still have problems. I think it's in the MySQL
> 	> software. I had problems adding users the way the instructions said. I was
> 	> able to add them, but not the way it said. I think I need to reset all of
> 	> the passwords for those accounts. (acid, snort and root) 
> 	> 
> 	> What do you think?
> 	> 
> 	> > -----Original Message-----
> 	> > From:	Michael Steele [SMTP:michaels at ...155...]
> 	> > Sent:	Monday, April 07, 2003 1:49 PM
> 	> > To:	August.K.Kunnecke at ...8695...
> 	> > Subject:	RE: [Snort-users] snort as a service on Windows 2000
> 	> > 
> 	> > August,
> 	> > 
> 	> > I ran into this same problem this weekend. I have a workaround for it.
> 	> > 
> 	> > In the snort.conf change the user to acid (replacing snort) and password
> 	> > to the associated password for user acid. Do this in both 'output
> 	> > database .....' lines, then restart snort. I have no idea why the user
> 	> > snort is having problems. It worked for me for a while then just stopped
> 	> > working. I'll look into it.
> 	> > 
> 	> > -Michael
> 	> > -- 
> 	> >  Michael Steele | System Engineer / Support Technician     
> 	> >  mailto:michaels at ...155...    
> 	> >  Silicon Defense - The Cyber-War Defense Company
> 	> >  Website: http://www.silicondefense.com
> 	> >  Snort: Open Source Network IDS - http://www.snort.org
> 	> > 
> 	> > 
> 	> > -----Original Message-----
> 	> > From: August.K.Kunnecke at ...8695...
> [mailto:August.K.Kunnecke at ...8695...] 
> 	> > Sent: Monday, April 07, 2003 7:01 AM
> 	> > To: michaels at ...155...
> 	> > Subject: RE: [Snort-users] snort as a service on Windows 2000
> 	> > 
> 	> > It looks like the problem is in MySQL. (I think.....)
> 	> > 
> 	> > 
> 	> > C:\Snort>snort /service /show
> 	> > 
> 	> > Snort is currently configured to run as a Windows service using
> the
> 	> > following
> 	> > command-line parameters:
> 	> > 
> 	> >      -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> 	> > 
> 	> > C:\Snort>
> 	> > 
> 	> > 
> 	> > 
> 	> > C:\Snort>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
> 	> > Log directory = c:\snort\log
> 	> > 
> 	> > Initializing Network Interface \
> 	> > 
> 	> >         --== Initializing Snort ==--
> 	> > Initializing Output Plugins!
> 	> > Decoding Ethernet on interface
> 	> > \Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8}
> 	> > Initializing Preprocessors!
> 	> > Initializing Plug-ins!
> 	> > Parsing Rules file c:\snort\etc\snort.conf
> 	> > 
> 	> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> 	> > Initializing rule chains...
> 	> > No arguments to frag2 directive, setting defaults to:
> 	> >     Fragment timeout: 60 seconds
> 	> >     Fragment memory cap: 4194304 bytes
> 	> >     Fragment min_ttl:   0
> 	> >     Fragment ttl_limit: 5
> 	> >     Fragment Problems: 0
> 	> > Stream4 config:
> 	> >     Stateful inspection: ACTIVE
> 	> >     Session statistics: INACTIVE
> 	> >     Session timeout: 30 seconds
> 	> >     Session memory cap: 8388608 bytes
> 	> >     State alerts: INACTIVE
> 	> >     Evasion alerts: INACTIVE
> 	> >     Scan alerts: ACTIVE
> 	> >     Log Flushed Streams: INACTIVE
> 	> >     MinTTL: 1
> 	> >     TTL Limit: 5
> 	> >     Async Link: 0
> 	> >     State Protection: 0
> 	> >     Self preservation threshold: 0
> 	> >     Self preservation period: 0
> 	> >     Suspend threshold: 0
> 	> >     Suspend period: 0
> 	> > Stream4_reassemble config:
> 	> >     Server reassembly: INACTIVE
> 	> >     Client reassembly: ACTIVE
> 	> >     Reassembler alerts: ACTIVE
> 	> >     Ports: 21 23 25 53 80 110 111 143 513 1433
> 	> >     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> 	> > http_decode arguments:
> 	> >     Unicode decoding
> 	> >     IIS alternate Unicode decoding
> 	> >     IIS double encoding vuln
> 	> >     Flip backslash to slash
> 	> >     Include additional whitespace separators
> 	> >     Ports to decode http on: 80
> 	> > rpc_decode arguments:
> 	> >     Ports to decode RPC on: 111 32771
> 	> >     alert_fragments: INACTIVE
> 	> >     alert_large_fragments: ACTIVE
> 	> >     alert_incomplete: ACTIVE
> 	> >     alert_multiple_requests: ACTIVE
> 	> > telnet_decode arguments:
> 	> >     Ports to decode telnet on: 21 23 25 119
> 	> > Conversation Config:
> 	> >    KeepStats: 0
> 	> >    Conv Count: 32000
> 	> >    Timeout   : 60
> 	> >    Alert Odd?: 0
> 	> >    Allowed IP Protocols:  All
> 	> > 
> 	> > database: compiled support for ( mysql odbc )
> 	> > database: configured to use mysql
> 	> > database:          user = snort
> 	> > database: password is set
> 	> > database: database name = snort
> 	> > database:          host = 127.0.0.1
> 	> > database:          port = 3306
> 	> > database:   sensor name = W2K_Snort
> 	> > database:     sensor id = 2
> 	> > database: mysql_error: Access denied for user: 'snort at ...274...' to database 'snort'
> 	> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> 	> > database: inconsistent cid information for sid=2
> 	> >           Recovering by rolling forward the cid=8043
> 	> > database: schema version = 106
> 	> > database: using the "log" facility
> 	> > database: compiled support for ( mysql odbc )
> 	> > database: configured to use mysql
> 	> > database:          user = snort
> 	> > database: password is set
> 	> > database: database name = snort
> 	> > database:          host = 127.0.0.1
> 	> > database:          port = 3306
> 	> > database:   sensor name = W2K_Snort
> 	> > database:     sensor id = 2
> 	> > database: schema version = 106
> 	> > database: using the "alert" facility
> 	> > 1310 Snort rules read...
> 	> > 1310 Option Chains linked into 148 Chain Headers
> 	> > 0 Dynamic rules
> 	> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> 	> > 
> 	> > Rule application order: ->activation->dynamic->alert->pass->log
> 	> > 
> 	> >         --== Initialization Complete ==--
> 	> > 
> 	> > -*> Snort! <*-
> 	> > Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
> 	> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> 	> > 1.7-WIN32 Port By Michael Davis (mike at ...92...,
> 	> > www.datanerds.net/~mike)
> 	> > 1.8-1.9 WIN32 Port By Chris Reid
> (chris.reid at ...3029...)
> 	> > 
> 	> > Snort sucessfully loaded all rules and checked all rule chains!
> 	> > database: mysql_error: Access denied for user: 'snort at ...274...' to database 'snort'
> 	> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> 	> > database: Closing connection to database "snort"
> 	> > database: mysql_error: Access denied for user: 'snort at ...274...' to database 'snort'
> 	> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> 	> > database: Closing connection to database "snort"
> 	> > 
> 	> > C:\Snort>
> 	> > 
> 	> > > -----Original Message-----
> 	> > > From:	Michael Steele [SMTP:michaels at ...155...]
> 	> > > Sent:	Saturday, April 05, 2003 2:20 PM
> 	> > > To:	August.K.Kunnecke at ...8695...
> 	> > > Cc:	snort-users at lists.sourceforge.net
> 	> > > Subject:	RE: [Snort-users] snort as a service on Windows 2000
> 	> > > 
> 	> > > August,
> 	> > > 
> 	> > > Do a:
> 	> > > 
> 	> > > Snort /SERVICE /SHOW
> 	> > > 
> 	> > > Send the output to me along with your snort.conf.
> 	> > > 
> 	> > > Try running:
> 	> > > 
> 	> > > Snort -c d:\applications\snort\etc\snort.conf -l d:\applications\snort\log -ix -T
> 	> > > 
> 	> > > Make SURE to replace the proper paths and make SURE that the '-ix' has the
> 	> > > proper interface in place of the 'x'. Send me that output.
> 	> > > 
> 	> > >  -Michael
> 	> > > 
> 	> > >  Michael Steele | System Engineer / Support Technician
> 	> > >  mailto:michaels at ...155...
> 	> > >  Silicon Defense: IDS solutions - http://www.silicondefense.com
> 	> > >  Snort: Open Source Network IDS - http://www.snort.org
> 	> > > 
> 	> > > 
> 	> > > -----Original Message-----
> 	> > > From: snort-users-admin at lists.sourceforge.net
> 	> > > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> 	> > > August.K.Kunnecke at ...8695...
> 	> > > Sent: Thursday, April 03, 2003 11:18 AM
> 	> > > To: snort-users at lists.sourceforge.net
> 	> > > Subject: [Snort-users] snort as a service on Windows 2000
> 	> > > 
> 	> > > I am trying to use Snort on a Windows 2000 server. 
> 	> > > 
> 	> > > Snort works when I type snort -v -ix. I am having problems getting it to
> 	> > > run as a service. It installs fine. When I try to start it, I get different
> 	> > > errors. I have finally decided to stop and see if I can get some help. This
> 	> > > time I am getting the following message in my event viewer:
> 	> > > 
> 	> > > ------------------------------------------------------------
> 	> > > Event Type:	Error
> 	> > > Event Source:	Service Control Manager
> 	> > > Event Category:	None
> 	> > > Event ID:	7000
> 	> > > Date:		4/3/2003
> 	> > > Time:		1:59:36 PM
> 	> > > User:		N/A
> 	> > > Computer:	XXXXXX
> 	> > > Description:
> 	> > > The Snort service failed to start due to the following error: 
> 	> > > The system cannot find the file specified
> 	> > > ---------------------------------------------------------------------
> 	> > > 
> 	> > > It usually tells me that it cannot find the snort.conf file in the
> 	> > > application log, but I am not getting any messages in that section. 
> 	> > > 
> 	> > > When I run snort at a DOS prompt to try to see what file it is missing, I
> 	> > > get the following:
> 	> > > 
> 	> > > ---------------------------------
> 	> > > WARNING: unknown output plugin: 'alert_syslog'
> 	> > > WARNING: unknown output plugin: 'database'
> 	> > > WARNING: unknown output plugin: 'database'
> 	> > > 1310 Snort rules read...
> 	> > > 1310 Option Chains linked into 148 Chain Headers
> 	> > > 0 Dynamic rules
> 	> > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> 	> > > 
> 	> > > Rule application order: ->activation->dynamic->alert->pass->log
> 	> > > 
> 	> > >         --== Initializing Snort ==--
> 	> > > Initializing Output Plugins!
> 	> > > 
> 	> > > [!] ERROR: Can not get write access to logging directory "log".
> 	> > > (directory doesn't exist or permissions are set incorrectly
> 	> > > or it is not a directory at all)
> 	> > > 
> 	> > > Fatal Error, Quitting..
> 	> > > -------------------------------------------------
> 	> > > 
> 	> > > I followed the instructions from the snort.org web site. I tried moving
> 	> > > the snort.exe to the snort directory. I also tried to move (and copy) the
> 	> > > snort.conf file, but I still get the same error.
> 	> > > 
> 	> > > 
> 	> > > I also have some questions about the config files: 
> 	> > > 
> 	> > > One document I read had the path names to the files listed with the "/"
> 	> > > character. Another set of instructions said to use the standard "\"
> 	> > > backslash character. Which is the correct convention to use?
> 	> > > 
> 	> > > 
> 	> > > Thanks in advance for any help.
> 	> > > 
> 	> > > 
> 	> > > 
> 	> > > 
> 	> > > _______________________________________________
> 	> > > Snort-users mailing list
> 	> > > Snort-users at lists.sourceforge.net
> 	> > > Go to this URL to change user options or unsubscribe:
> 	> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> 	> > > Snort-users list archive:
> 	> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
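The thread ends with the sensor pointed at the MySQL root account after the snort account failed on "UPDATE sensor SET last_cid = ..." with "Access denied". The statement in that error tells you exactly which right was missing. The following is an added example, not code from the thread or from the Snort or ACID projects: a least-privilege grant set for the three accounts Michael names (snort, acid, root), so that snort.conf never has to carry root's password. It assumes the MySQL GRANT syntax of that era, a database named snort as in the thread, a sensor connecting from the local machine (host 127.0.0.1 in the thread's snort.conf), and placeholder passwords that must be replaced. The exact set of tables ACID touches is taken from its own setup, not from this page, so treat the acid grant as a starting point.

```sql
-- Added example (not from the thread): least-privilege MySQL grants for a
-- Snort sensor writing to a "snort" database read by the ACID console.
-- Assumptions: MySQL 3.23/4.0-era syntax, database "snort", both the sensor
-- and the console on the same host, placeholder passwords.

-- 1. The sensor account.
--    The thread's failure was on:
--        UPDATE sensor SET last_cid = 8043 WHERE sid = 2
--    The database output plugin INSERTs event rows, SELECTs existing
--    sensor/signature/schema rows, and UPDATEs sensor.last_cid. Nothing
--    else, so grant nothing else: no DELETE, no DDL, no GRANT OPTION.
GRANT INSERT, SELECT ON snort.*
    TO 'snort'@'localhost' IDENTIFIED BY 'replace-me-snort';
GRANT UPDATE ON snort.sensor
    TO 'snort'@'localhost';

-- 2. The console account.
--    ACID can delete alerts from the console, so it needs DELETE; it also
--    keeps its own acid_* bookkeeping tables, which its setup page creates.
--    If that setup step is run as this account it needs CREATE for that one
--    step (assumption: you can revoke CREATE again afterwards).
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.*
    TO 'acid'@'localhost' IDENTIFIED BY 'replace-me-acid';

-- 3. root is used only for schema creation and upgrades (create_mysql,
--    schema bumps) and never appears in snort.conf or ACID's config.

FLUSH PRIVILEGES;

-- Verify before restarting the sensor. The host part shown here must match
-- the host MySQL reports in the "Access denied for user: 'snort@...'"
-- message; a grant for the wrong host is the same as no grant.
SHOW GRANTS FOR 'snort'@'localhost';
SHOW GRANTS FOR 'acid'@'localhost';
```

With these in place the two `output database:` lines in snort.conf can be switched back from root to user=snort, and `snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T` should report "schema version = 106" for both the log and alert facilities without a mysql_error line, which is the check to run before re-enabling the Windows service.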

More information about the Snort-users mailing list