[Snort-users] ghosting a snort server???

hugh_fraser at ...2804... hugh_fraser at ...2804...
Sun Apr 4 21:00:01 EDT 2004

Are you using DHCP for addresses and in turn name resolution? If you're using fixed IP addresses, you will have a problem. If not, Snort will use the system's hostname, and if there isn't a record in the database, it will create one.

	-----Original Message----- 
	From: snort-users-admin at lists.sourceforge.net on behalf of Pat Delaney 
	Sent: Sat 03/04/2004 11:56 AM 
	To: Jordan, Jason A; snort-users at lists.sourceforge.net 
	Subject: RE: [Snort-users] ghosting a snort server???
	This is snort running on Linux. I'm wondering if the hostname of the original Linux server is embedded into the sql database.
	The snort service seems to die. How can I turn on debugging to see where it's failing during startup?


	From: Jordan, Jason A [mailto:Jason.Jordan at ...10803...] 
	Sent: Saturday, April 03, 2004 10:41 AM
	To: Pat Delaney; snort-users at ...314...
	Subject: RE: [Snort-users] ghosting a snort server???

	Disclaimer: I am making a presumption that this is snort on Windows not Linux.


	Did you check the account name that the service is running under?  Prior to imaging the original system, did you run the prep routines on the system (I believe it's sysprep).  If it's a Windows 2000/XP/2003 type of system the service accounts and system account information can get mangled during ghosting (i.e. some type of SID conflict).  I'd recommend going into the Services applet, go into the Snort properties, and verify the credentials it runs under.  Even better, manually re-select the account (local/domain) and password which Snort will use as its running context.


	You should be able to run snort from the command line and the help files describe the switches.  


	Let me know if any of that helps.


	Jason Jordan




	From: Pat Delaney [mailto:Pat.Delaney at ...11558...] 
	Sent: Saturday, April 03, 2004 10:26 AM
	To: snort-users at ...314...
	Subject: [Snort-users] ghosting a snort server???


	Rather than reinstall SNORT on another PC from scratch, I cloned the disk, and restored the image to another PC. The snort service seems to keep failing to start.


	My question is:

	 Is there something keyed in the database to the original host name of the original server?


	How can I start the snort service up in a debugging mode to see why it never starts and stays running?


