[Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Rich Adamson radamson at ...2127...
Tue Dec 27 09:29:30 EST 2005


Okay, the problem "is" with WinPcap v3.1; reverting to v3.0 allows snort
to start correctly as a Service after a reboot. Also tried v3.2 alpha 1, 
but it created the same problem as v3.1.

Based on the winpcap url (provided below), there "is" a dependency that
apparently causes snort not to start.

As a side effect, reverting to winpcap v3.0 causes all of the interface
numbering (snort -W) to change, therefore the snort service will need to
be removed and reinstalled with an appropriate "-i" specification. Bummer.

Does anyone (with development experience) know whether this is an issue
with "service" code in snort, or is strictly a winpcap dependency issue?

Rich

------------------------

> Yes, I remember seeing that post somewhere. I think I suggested removing 3.1
> and reverting back to 3.0.
> 
> We are using 3.1 (non-beta) for our new install, and will know in a couple
> of hours if that is the culprit.
> 
> Kindest regards,
> Michael...
> 
> WINSNORT.com Management Team Member
> --
> ****************** Established ~ 2001 *******************
> *          Visit Us @ http://www.winsnort.com           *
> *      ~~ FREE WinIDS Snort installation guides ~~      *
> *               ~~ FREE support forums ~~               *
> * Snort: Open Source Network IDS - http://www.snort.org *
> *********************************************************
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Gianluca
> Varenni
> Sent: Tuesday, December 27, 2005 8:02 AM
> To: Rich Adamson; Michael Steele; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
> 
> Hi all.
> 
> It could be an issue with a service dependency with WinPcap. Another user 
> reported a similar issue some weeks ago on the WinPcap-bugs mailing list.
> 
> You can find the mail and a possible workaround here:
> 
> http://www.winpcap.org/pipermail/winpcap-bugs/2005-December/000133.html
> 
> 
> Hope it helps
> 
> Gianluca Varenni
> WinPcap Team
> 
> ----- Original Message ----- 
> From: "Rich Adamson" <radamson at ...2127...>
> To: "Michael Steele" <michaels at ...9077...>; 
> <snort-users at lists.sourceforge.net>
> Sent: Tuesday, December 27, 2005 5:43 AM
> Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
> 
> 
> > Keep in mind the issue is that snort isn't starting at system bootup time,
> > so there isn't any desktop to interact with. It starts just fine "after"
> > the system is fully up.
> >
> > There likely is a 'dependency' issue or an XP service control manager
> > issue, but it's not obvious from the event log, etc. Changing from dhcp
> > to a static IP made no difference either.
> >
> > The event log messages (as originally stated) seem to imply the service
> > control manager is waiting on snort for some sort of communications
> > (indicating a successful start) that isn't happening.
> >
> > Any other thoughts?
> >
> > ------------------------
> >
> >> Rich,
> >>
> >> Go into services and allow Snort to interact with the desktop and it
> >> should display the error:
> >>
> >> 1) Go into the Services applet
> >> 2) Double left-click on the snort entry
> >> 3) Left-click the 'Logon' tab
> >> 4) Under 'Local system account' make sure that 'Allow service to interact
> >> with desktop' is checked
> >> 5) Left-click the 'Apply' button
> >> 6) Left-click the 'General' tab
> >> 7) Under 'Service Status' left-click the 'Start' button
> >>
> >> Snort will start in a console and should display any problems with the
> >> startup procedure.
> >>
> >> Note: Make sure to reverse the above procedure so Snort does NOT interact
> >> with the desktop under normal startup conditions.
> >>
> >> Kindest regards,
> >> Michael...
> >>
> >> WINSNORT.com Management Team Member
> >> --
> >> Pick up your FREE Windows or UNIX Snort installation guides
> >> mailto:support at ...9077...
> >> Website: http://www.winsnort.com
> >> Snort: Open Source Network IDS - http://www.snort.org
> >>
> >> -----Original Message-----
> >> From: snort-users-admin at lists.sourceforge.net
> >> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> >> Rich Adamson
> >> Sent: Monday, December 26, 2005 7:08 AM
> >> To: Snort Developers Postings; Snort Users Postings
> >> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
> >>
> >> Could not find any reference on the snort.org site relative to reporting
> >> a problem, so posting to both the -users and -devel lists.
> >>
> >> Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap v3.1
> >>
> >> Experience Level:
> >> Been around snort since v1.8 days and have had it running just fine as
> >> a Service on most Win32 O/S's. I do not have an application development
> >> system (or development experience) to diagnose the problem.
> >>
> >> Issue:
> >> Snort will not start as a Service (for example after a reboot), however
> >> it runs just fine if started manually. Happens on multiple XP systems and
> >> has been observed by others (see forums) as well. Viewing the Services
> >> list indicates the snort service is properly configured to start
> >> "automatically" and log on using the Local System account.
> >>
> >> Indicators:
> >> Four event log entries are created following a system reboot.
> >> 1. Security Log: Event 592 & 593 (process tracking) are created for
> >>    snort.
> >> 2. System Log: two events generated including:
> >>    Event 7000: "The Snort service failed to start due to the following
> >>    error: The service did not respond to the start or control request in
> >>    a timely manner."
> >>    Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort
> >>    service to connect."
> >>
> >> I am not at all sure whether this is an issue with Snort service code or
> >> some form of new requirement in Win XP service startup code. Several
> >> systems seem to be restarting correctly on Win 2k Pro and Win 2k Server,
> >> however these systems are also running pre-v2.4.3 snort code and cannot
> >> be upgraded at this time.
> >>
> >> Consistency:
> >> Snort v2.4.3 on any Win XP system will "always" fail to start following a
> >> reboot. A manual start via the Services control panel will "always" be
> >> successful, and, a "net start snort" from the command line will always be
> >> successful. All other services on these systems start normally.
> >>
> >> References:
> >> Microsoft's site suggests: "Within a specified time period after a new
> >> service starts, it notifies Service Control Manager (SCM) that it is
> >> ready to connect. In this case, the service did not notify SCM within
> >> the time period." (Thus generating event 7009.)
> >>
> >> Other Observations:
> >> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
> >> 2. After manually starting the snort service, task manager indicates
> >>    over 150 meg of available memory.
> >> 3. After manually starting the snort service, all alerts and log entries
> >>    occur properly.
> >> 4. The snort service was installed following the examples displayed when
> >>    executing "snort -?" from the command line.
> >> 5. Executing "snort /service /show" indicates the service was properly
> >>    installed with all appropriate startup parameters.
> >>
> >> Best Guess:
> >> The two events in the security log suggest the snort service was actually
> >> starting, however the events in the system log indicate a timeout. Since
> >> the "process events" (security log) do occur, presumably snort is
> >> starting and supposed to pass a message or call the services control
> >> manager (or maybe return some value) indicating to the services control
> >> manager that it has started. It would appear this second step is not
> >> occurring.
> >>
> >> Some possibility exists the snort code is using the name "snortsvc" in
> >> some code and "snort" in other services code. Executing
> >> "sc query snortsvc" from a command line indicates:
> >>   State: 1 stopped
> >>            (not-stoppable, not_pausable, ignores_shutdown)
> >> with no other hints. The above _might_ be related to not registering the
> >> snort service properly, differences in service names, incorrect
> >> parameters, etc. Not sure.
> >>
> >> If I can provide any other information regarding the problem/symptom,
> >> please contact me.
> >>
> >> If there is a better location to report this problem, please let me know.
> >>
> >> Rich Adamson
> >> radamson at ...2127...
> >>
> >>
> >>
> >>
> >> -------------------------------------------------------
> >> This SF.net email is sponsored by: Splunk Inc. Do you grep through log 
> >> files
> >> for problems?  Stop!  Download the new AJAX search engine that makes
> >> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> >> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >>
> >>
> >>
> >>
> >
> > ---------------End of Original Message-----------------
> >
> >
> >
> >
> 
> 
> 
> 

---------------End of Original Message-----------------
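
The following is an added example, not part of the original thread or of Snort. It automates the correlation described in the original report: a System-log 7009/7000 pair for a service, checked against a Security-log 592 (process creation) shortly before the timeout, which separates "process launched but never reported to the SCM" from "process never launched". The record layout, timestamps, install path, the `ExampleSvc` entry and the name-in-image-path match are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

RE_7009 = re.compile(r"Timeout \(([\d,]+) milliseconds\) waiting for the (.+?) service to connect")
RE_7000 = re.compile(r"The (.+?) service failed to start")

def t(hms):
    # Constructed timestamps; only their relative order matters here.
    return datetime.strptime("2005-12-26 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed sample records: (log, event id, time, message). The 7000/7009 text
# follows the messages quoted in the thread; paths and ExampleSvc are made up.
SAMPLE = [
    ("Security", 592, t("09:00:05"),
     r"A new process has been created: Image File Name: C:\Snort\bin\snort.exe"),
    ("System", 7009, t("09:00:35"),
     "Timeout (30,000 milliseconds) waiting for the Snort service to connect."),
    ("System", 7000, t("09:00:35"),
     "The Snort service failed to start due to the following error: The service "
     "did not respond to the start or control request in a timely manner."),
    ("System", 7009, t("09:01:10"),
     "Timeout (30,000 milliseconds) waiting for the ExampleSvc service to connect."),
    ("System", 7000, t("09:01:10"),
     "The ExampleSvc service failed to start due to the following error: ..."),
]

def find_start_timeouts(records, window=timedelta(seconds=60)):
    """Return one finding per 7009 timeout, correlated with 7000 and 592 events."""
    findings = []
    for log, eid, when, msg in records:
        m = RE_7009.search(msg) if (log, eid) == ("System", 7009) else None
        if not m:
            continue
        timeout_ms, svc = int(m.group(1).replace(",", "")), m.group(2)
        # A 7000 naming the same service close in time confirms the start failed.
        confirmed = any(l == "System" and e == 7000 and abs(w - when) <= window
                        and (f := RE_7000.search(x)) and f.group(1) == svc
                        for l, e, w, x in records)
        # Heuristic: a 592 whose text contains the service name, logged before the
        # timeout. Needs process-tracking auditing enabled to appear at all.
        launched = any(l == "Security" and e == 592 and svc.lower() in x.lower()
                       and timedelta(0) <= when - w <= window
                       for l, e, w, x in records)
        verdict = ("process created but never reported to the SCM" if launched
                   else "no process creation logged before the timeout")
        findings.append({"service": svc, "timeout_ms": timeout_ms,
                         "failed": confirmed, "launched": launched, "verdict": verdict})
    return findings
```

For an IDS sensor the first verdict is the one worth alerting on after every reboot, since the host is up but unmonitored until someone starts the service by hand.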





