[Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Gianluca Varenni gianluca.varenni at ...11827...
Tue Dec 27 08:03:02 EST 2005


Hi all.

It could be an issue with a service dependency with WinPcap. Another user 
reported a similar issue some weeks ago on the WinPcap-bugs mailing list.

You can find the mail and a possible workaround here:

http://www.winpcap.org/pipermail/winpcap-bugs/2005-December/000133.html


Hope it helps

Gianluca Varenni
WinPcap Team

----- Original Message ----- 
From: "Rich Adamson" <radamson at ...2127...>
To: "Michael Steele" <michaels at ...9077...>; 
<snort-users at lists.sourceforge.net>
Sent: Tuesday, December 27, 2005 5:43 AM
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service


> Keep in mind the issue is that snort isn't starting at system bootup time,
> so there isn't any desktop to interact with. It starts just fine "after"
> the system is fully up.
>
> There likely is a 'dependency' issue or an XP service control manager issue,
> but it's not obvious from the event log, etc. Changing from dhcp to a static
> IP made no difference either.
>
> The event log messages (as originally stated) seem to imply the service
> control manager is waiting on snort for some sort of communications
> (indicating a successful start) that isn't happening.
>
> Any other thoughts?
>
> ------------------------
>
>> Rich,
>>
>> Go into services and allow Snort to interact with the desktop and it should
>> display the error:
>>
>> 1) Go into the Services applet
>> 2) Double left-click on the snort entry
>> 3) Left-click the 'Logon' tab
>> 4) Under 'Local system account' make sure that 'Allow service to interact
>> with desktop' is checked
>> 5) Left-click the 'Apply' button
>> 6) Left-click the 'General' tab
>> 7) Under 'Service Status' left-click the 'Start' button
>>
>> Snort will start in a console and should display any problems with the
>> startup procedure.
>>
>> Note: Make sure to reverse the above procedure so Snort does NOT interact
>> with the desktop under normal startup conditions.
>>
>> Kindest regards,
>> Michael...
>>
>> WINSNORT.com Management Team Member
>> --
>> Pick up your FREE Windows or UNIX Snort installation guides
>> mailto:support at ...9077...
>> Website: http://www.winsnort.com
>> Snort: Open Source Network IDS - http://www.snort.org
>>
>> -----Original Message-----
>> From: snort-users-admin at lists.sourceforge.net
>> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich Adamson
>> Sent: Monday, December 26, 2005 7:08 AM
>> To: Snort Developers Postings; Snort Users Postings
>> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
>>
>> Could not find any reference on the snort.org site relative to reporting
>> a problem, so posting to both the -users and -devel lists.
>>
>> Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap v3.1
>>
>> Experience Level:
>> Been around snort since v1.8 days and have had it running just fine as
>> a Service on most Win32 O/S's. I do not have an application development
>> system (or development experience) to diagnose the problem.
>>
>> Issue:
>> Snort will not start as a Service (for example after a reboot), however
>> it runs just fine if started manually. Happens on multiple XP systems and
>> has been observed by others (see forums) as well. Viewing the Services
>> list indicates the snort service is properly configured to start
>> "automatically" and log on using the Local System account.
>>
>> Indicators:
>> Four event log entries are created following a system reboot.
>> 1. Security Log: Event 592 & 593 (process tracking) are created for snort.
>> 2. System Log: two events generated including:
>>    Event 7000: "The Snort service failed to start due to the following
>>    error: The service did not respond to the start or control request in
>>    a timely manner."
>>    Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort service
>>    to connect."
>>
>> I am not at all sure whether this is an issue with Snort service code or
>> some form of new requirement in Win XP service startup code. Several systems
>> seem to be restarting correctly on Win 2k Pro and Win 2k Server, however
>> these systems are also running pre-v2.4.3 snort code and cannot be upgraded
>> at this time.
>>
>> Consistency:
>> Snort v2.4.3 on any Win XP system will "always" fail to start following a
>> reboot. A manual start via the Services control panel will "always" be
>> successful, and, a "net start snort" from the command line will always be
>> successful. All other services on these systems start normally.
>>
>> References:
>> Microsoft's site suggests: "Within a specified time period after a new
>> service starts, it notifies Service Control Manager (SCM) that it is ready
>> to connect. In this case, the service did not notify SCM within the time
>> period." (Thus generating event 7009.)
>>
>> Other Observations:
>> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
>> 2. After manually starting the snort service, task manager indicates
>>    over 150 meg of available memory.
>> 3. After manually starting the snort service, all alerts and log entries
>>    occur properly.
>> 4. The snort service was installed following the examples displayed when
>>    executing "snort -?" from the command line.
>> 5. Executing "snort /service /show" indicates the service was properly
>>    installed with all appropriate startup parameters.
>>
>> Best Guess:
>> The two events in the security log suggest the snort service was actually
>> starting, however the events in the system log indicate a timeout. Since
>> the "process events" (security log) do occur, presumably snort is starting
>> and supposed to pass a message or call the services control manager (or maybe
>> return some value) indicating to the services control manager that it has
>> started. It would appear this second step is not occurring.
>>
>> Some possibility exists the snort code is using the name "snortsvc" in
>> some code and "snort" in other services code. Executing "sc query snortsvc"
>> from a command line indicates:
>>   State: 1 stopped
>>            (not-stoppable, not_pausable, ignores_shutdown)
>> with no other hints. The above _might_ be related to not registering the
>> snort service properly, differences in service names, incorrect parameters,
>> etc. Not sure.
>>
>> If I can provide any other information regarding the problem/symptom,
>> please contact me.
>>
>> If there is a better location to report this problem, please let me know.
>>
>> Rich Adamson
>> radamson at ...2127...
>
> ---------------End of Original Message-----------------
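
Added example (not part of the original thread, and not necessarily the workaround in the linked WinPcap-bugs mail): one way to check for, and declare, the service dependency suggested in the reply above, so that the service control manager starts the WinPcap driver before Snort at boot. Assumptions: the Snort service is registered as "snortsvc" (the name queried in the original report; substitute the name your system uses) and the WinPcap driver service is named "NPF".

```batch
@echo off
rem Added example, not from the thread. Run from an administrator command prompt.
rem Assumed names: SVC is the Snort service, DRV is the WinPcap driver service.
setlocal
set SVC=snortsvc
set DRV=NPF

rem 1. Confirm the WinPcap driver service exists and show how it is started.
sc qc %DRV% >nul 2>&1
if errorlevel 1 (
    echo %DRV% driver service not found. Is WinPcap installed?
    exit /b 1
)
sc qc %DRV% | findstr /i /c:"START_TYPE"

rem 2. Show the dependency list currently recorded for the Snort service.
sc qc %SVC% | findstr /i /c:"DEPENDENCIES"

rem 3. Add the driver as a dependency if it is not already listed.
rem    "sc qc" prints each dependency as ": NAME", so match on that form.
rem    Note: "depend=" REPLACES the whole list (separate several names
rem    with "/"), and the space after "depend=" is required by sc.exe.
sc qc %SVC% | findstr /i /c:": %DRV%" >nul
if errorlevel 1 (
    sc config %SVC% depend= %DRV%
) else (
    echo %SVC% already depends on %DRV%.
)

rem 4. Print the resulting configuration for review before rebooting.
sc qc %SVC%
endlocal
```

After a reboot, the absence of new System log events 7000 and 7009 for the Snort service indicates the start-up timeout no longer occurs.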