[Snort-users] Problem: Win32 v2.4.3 does not start as a Service
jdell at ...1095...
Mon Dec 26 08:59:03 EST 2005
Question... What are you using for your output? Are you using a database on
the same server? If so, the problem is probably that Snort is trying to
start up before your DB service does, causing Snort to fail.
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich Adamson
> Sent: Monday, December 26, 2005 10:08 AM
> To: Snort Developers Postings; Snort Users Postings
> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
>
> Could not find any reference on the snort.org site relative to reporting
> a problem, so posting to both the -users and -devel lists.
>
> Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap v3.1
>
> Experience Level:
> Been around snort since v1.8 days and have had it running just fine as
> a Service on most Win32 O/S's. I do not have an application
> system (or development experience) to diagnose the problem.
>
> Snort will not start as a Service (for example after a reboot), however
> it runs just fine if started manually. Happens on multiple XP systems and
> has been observed by others (see forums) as well. Viewing the
> list indicates the snort service is properly configured to start
> "automatically" and log on using the Local System account.
>
> Four event log entries are created following a system reboot.
> 1. Security Log: Event 592 & 593 (process tracking) are created for snort.
> 2. System Log: two events generated including:
>    Event 7000: "The Snort service failed to start due to the following
>    error: The service did not respond to the start or control request in
>    a timely manner."
>    Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort service
>    to connect."
>
> I am not at all sure whether this is an issue with Snort service code or
> some form of new requirement in Win XP service startup code. Several systems
> seem to be restarting correctly on Win 2k Pro and Win 2k Server, however
> these systems are also running pre-v2.4.3 snort code and cannot be upgraded
> at this time.
>
> Snort v2.4.3 on any Win XP system will "always" fail to start following a
> reboot. A manual start via the Services control panel will "always" be
> successful, and a "net start snort" from the command line will always be
> successful. All other services on these systems start normally.
>
> Microsoft's site suggests: "Within a specified time period after a new
> service starts, it notifies Service Control Manager (SCM) that it is ready
> to connect. In this case, the service did not notify SCM within the time
> period." (Thus generating event 7009.)
>
> Other Observations:
> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
> 2. After manually starting the snort service, task manager indicates
>    over 150 meg of available memory.
> 3. After manually starting the snort service, all alerts and log entries
>    occur properly.
> 4. The snort service was installed following the examples displayed when
>    executing "snort -?" from the command line.
> 5. Executing "snort /service /show" indicates the service was properly
>    installed with all appropriate startup parameters.
>
> Best Guess:
> The two events in the security log suggest the snort service was actually
> starting, however the events in the system log indicate a timeout. Since
> the "process events" (security log) do occur, presumably snort is starting
> and supposed to pass a message or call the services control manager (or maybe
> return some value) indicating to the services control manager that it has
> started. It would appear this second step is not occurring.
>
> Some possibility exists the snort code is using the name "snortsvc" in
> some code and "snort" in other services code. Executing "sc query snortsvc"
> from a command line indicates:
>    State: 1 stopped
>    (not-stoppable, not_pausable, ignores_shutdown)
> with no other hints. The above _might_ be related to not registering the
> snort service properly, differences in service names, incorrect parameters,
> etc. Not sure.
>
> If I can provide any other information regarding the problem/symptom,
> please contact me.
>
> If there is a better location to report this problem, please let me know.
>
> Rich Adamson
> radamson at ...2127...