[Snort-users] Problem: Win32 v2.4.3 does not start as a Service

pure one securelabs.zapto.org at ...11827...
Mon Dec 26 13:19:03 EST 2005


Hi
Just a wild guess, but wouldn't snort fail to start if the device you're
trying to make it listen on has not got an IP address yet? If you're using
DHCP, try with a static IP.

What you could try is sticking a batch file in %userprofile%\Start
Menu\Programs\Startup to run snort, so you could see the errors, if any.
Although this may not work or be any help... but it's worth a shot :)


pureone

On 12/26/05, Rich Adamson <radamson at ...2127...> wrote:
> No databases or any other external app is used. Alerting to syslog in
> relatively low traffic environments. As mentioned, all snort functions
> have been and continue to function just fine; purely a services startup
> issue with no dependencies as best as I can tell.
>
> Might also add that "Restart the Service" in the Recovery tab of the snort
> services properties has been set, and that never kicks off. So, presumably
> it also is related to the fact the service never started, therefore it
> can't be restarted.
>
> ------------------------
>
> > Question... What are you using for your output? Are you using a Database on
> > the same server? If so, the problem is probably that Snort is trying to
> > startup before your DB service is and causing Snort to fail.
> >
> > Cheers,
> > Jeff
> >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> > > Rich Adamson
> > > Sent: Monday, December 26, 2005 10:08 AM
> > > To: Snort Developers Postings; Snort Users Postings
> > > Subject: [Snort-users] Problem: Win32 v2.4.3 does not start
> > > as a Service
> > >
> > > Could not find any reference on the snort.org site relative
> > > to reporting
> > > a problem, so posting to both the -users and -devel lists.
> > >
> > > Implementation: Snort v2.4.3 on Win XP (all versions) with
> > > WinPcap v3.1
> > >
> > > Experience Level:
> > > Been around snort since v1.8 days and have had it running
> > > just fine as
> > > a Service on most Win32 O/S's. I do not have an application
> > > development
> > > system (or development experience) to diagnose the problem.
> > >
> > > Issue:
> > > Snort will not start as a Service (for example after a
> > > reboot), however
> > > it runs just fine if started manually. Happens on multiple XP
> > > systems and
> > > has been observed by others (see forums) as well. Viewing the
> > > Services
> > > list indicates the snort service is properly configured to start
> > > "automatically" and log on using the Local System account.
> > >
> > > Indicators:
> > > Four event log entries are created following a system reboot.
> > > 1. Security Log: Event 592 & 593 (process tracking) are
> > > created for snort.
> > > 2. System Log: two events generated including:
> > >    Event 7000: "The Snort service failed to start due to the following
> > >    error: The service did not respond to the start or control
> > > request in
> > >    a timely manner."
> > >    Event 7009: "Timeout (30,000 milliseconds) waiting for the
> > > Snort service
> > >    to connect."
> > >
> > > I am not at all sure whether this is an issue with Snort
> > > service code or
> > > some form of new requirement in Win XP service startup code.
> > > Several systems
> > > seem to be restarting correctly on Win 2k Pro and Win 2k
> > > Server, however
> > > these systems are also running pre-v2.4.3 snort code and
> > > cannot be upgraded
> > > at this time.
> > >
> > > Consistency:
> > > Snort v2.4.3 on any Win XP system will "always" fail to start
> > > following a
> > > reboot. A manual start via the Services control panel will
> > > "always" be
> > > successful, and, a "net start snort" from the command line
> > > will always be
> > > successful. All other services on these systems start normally.
> > >
> > > References:
> > > Microsoft's site suggests: "Within a specified time period
> > > after a new
> > > service starts, it notifies Service Control Manager (SCM)
> > > that it is ready
> > > to connect. In this case, the service did not notify SCM
> > > within the time
> > > period." (Thus generating event 7009.)
> > >
> > > Other Observations:
> > > 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
> > > 2. After manually starting the snort service, task manager indicates
> > >    over 150 meg of available memory.
> > > 3. After manually starting the snort service, all alerts and
> > > log entries
> > >    occur properly.
> > > 4. The snort service was installed following the examples
> > > displayed when
> > >    executing "snort -?" from the command line.
> > > 5. Executing "snort /service /show" indicates the service was properly
> > >    installed with all appropriate startup parameters.
> > >
> > > Best Guess:
> > > The two events in the security log suggest the snort service
> > > was actually
> > > starting, however the events in the system log indicate a
> > > timeout. Since
> > > the "process events" (security log) do occur, presumably
> > > snort is starting
> > > and supposed to pass a message or call the services control
> > > manager (or maybe
> > > return some value) indicating to the services control manager
> > > that it has
> > > started. It would appear this second step is not occurring.
> > >
> > > Some possibility exists the snort code is using the name "snortsvc" in
> > > some code and "snort" in other services code. Executing "sc
> > > query snortsvc"
> > > from a command line indicates:
> > >   State: 1 stopped
> > >            (not-stoppable, not_pausable, ignores_shutdown)
> > > with no other hints. The above _might_ be related to not
> > > registering the
> > > snort service properly, differences in service names,
> > > incorrect parameters,
> > > etc. Not sure.
> > >
> > > If I can provide any other information regarding the problem/symptom,
> > > please contact me.
> > >
> > > If there is a better location to report this problem, please
> > > let me know.
> > >
> > > Rich Adamson
> > > radamson at ...2127...
> >
>
> ---------------End of Original Message-----------------
>
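
The startup batch file suggested in the reply above, as an added example that is not part of the original post: it also tests the DHCP theory by waiting for an IP address before retrying the start that works by hand. The service names `snort` and `snortsvc` and the `snort /service /show` command are the ones quoted in the thread; the log path, the 60-second limit and snort.exe being on the PATH are assumptions.

```batch
@echo off
rem Added example: boot-time diagnostic for the Snort service start failure.
rem Assumed: snort.exe is on PATH; LOG path and retry limit are hypothetical.
setlocal
set LOG=%TEMP%\snort-startup-diag.log
set TRIES=0

>> "%LOG%" echo ==== %DATE% %TIME% boot diagnostic ====

rem 1. Record the state left by the automatic start, under both names
rem    mentioned in the thread.
sc query snort    >> "%LOG%" 2>&1
sc query snortsvc >> "%LOG%" 2>&1

rem 2. DHCP theory: wait up to about 60 s for an address that is neither
rem    0.0.0.0 nor a 169.254.x.x autoconfiguration address.
:waitip
ipconfig | findstr /R /C:"IP Address.*: [0-9]" | findstr /V /L /C:" 0.0.0.0" /C:" 169.254." > nul
if not errorlevel 1 goto haveip
set /a TRIES+=1
if %TRIES% GEQ 12 goto noip
rem XP has no sleep command; six pings to loopback take about 5 seconds.
ping -n 6 127.0.0.1 > nul
goto waitip

:noip
>> "%LOG%" echo No usable IP address after 60 seconds
goto startsvc

:haveip
>> "%LOG%" echo IP address present after %TRIES% retries

:startsvc
ipconfig /all >> "%LOG%" 2>&1

rem 3. Show how the service is registered, then repeat the manual start
rem    and keep its output and exit code.
snort /service /show >> "%LOG%" 2>&1
net start snort >> "%LOG%" 2>&1
>> "%LOG%" echo net start exit code: %ERRORLEVEL%
sc query snort >> "%LOG%" 2>&1
endlocal
```

The Startup folder runs this as the user who logs on, so that account needs administrator rights for `net start` to succeed. Comparing the timestamps in the log with Events 7000 and 7009 in the System log shows whether the interface had an address when the 30-second timeout expired.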



