[Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Rich Adamson radamson at ...2127...
Wed Dec 28 02:58:04 EST 2005


Gianluca,

I see now from the winpcap archives this issue is related to changes
that were made to winpcap between beta 4 and the official v3.1 release.
I also see the issue resulted from someone electing to use the Microsoft
NetMon COM component from within winpcap, and the NetMon component is
primarily intended to capture packets from dialup adapters.

I've read your postings relative to editing the registry to add a startup
dependency, but I don't understand why those of us that don't ever use a
dialup adapter are required to be "dependent" on that component.

Can you help us understand why that dependency became mandatory?

Would it be appropriate for the snort win32 distribution to add the registry
entry during the snort installation, ask the winpcap folks to release v3.1.1
with the registry change in it, stay with v3.0 in snort documentation and
recommendations, or, is there another "fix" to this service startup problem?

For those that are actually following this thread, the suggested registry 
changes are:
1. Open the registry with regedit.exe
2. go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and locate the 
Snort service (it should probably be  named "Snort" something)
3. right click on the snort key name, and choose New->Multi-string value
4. name the new key "DependOnService" (be careful with the spelling and the 
capital letters).
5. double click on the newly created key, and add the following names (one 
per line):
    NM
    NPF
    Be careful *not* to put any space before/after each name


------------------------
> Hi all.
> 
> NetMon stands for Microsoft Network Monitor, and it's basically the (quite 
> crappy) implementation of packet capture engine provided by Microsoft. It is 
> available (but *not* installed) on every 2000/XP/2003 Windows installation. 
> It's *not* related to QoS.
> 
> It's used by WinPcap to capture for dialup/VPN adapters (the so called 
> "NDISWAN" adapters), and it was introduced in WinPcap 3.1 (well, actually it 
> was introduced in WinPcap 3.1 beta1, back in feb '04).
> 
> NetMon is installed by default by the WinPcap installer.
> 
> netcat.exe is a command line tool provided by Microsoft (I think in the 
> support pack or something similar), that allows you to capture packets from the 
> command line and dump them to file (similar to "tcpdump/windump -w 
> <somefile>").
> 
> If I remember well netmon is a simple GUI packet analyzer provided by 
> microsoft (I think on the server versions of Windows) that uses NetMon to 
> capture packets.
> 
> Have a nice day
> GV
> 
> 
> ----- Original Message ----- 
> From: "Lee Clemens" <snort at ...13080...>
> To: "'Rich Adamson'" <radamson at ...2127...>; "'Michael Steele'" 
> <michaels at ...9077...>; <snort-users at lists.sourceforge.net>
> Sent: Tuesday, December 27, 2005 8:38 PM
> Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
> 
> 
> > Perhaps someone else knows more about this, but it looks like NetMon may 
> > be
> > related to QoS. Since you said you don't know what they are, I assume you
> > haven't installed NetMon, but it may be related to a network adapter 
> > driver
> > you have installed, or if QoS is disabled/enabled on the interface you are
> > listening to with Snort.
> >
> > There is a file, NetMonInstaller.exe, in the WinPcap directory...did you
> > execute this? (I'm not saying you should.)
> >
> > Can you try typing "netcap /?" or "netmon /?" at a DOS prompt?
> >
> > Perhaps playing around with the adapter's settings for QoS, File and Print
> > Sharing, and Client for Microsoft Networks could help?
> >
> > Disclaimer: Pretty much shots in the dark, but shouldn't hurt.
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich Adamson
> > Sent: Tuesday, December 27, 2005 8:34 PM
> > To: Michael Steele; snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a 
> > Service
> >
> >
> >> The -i switch is what's killing the Snort service. I'm guessing the
> >> reason why it's happening to some and not others is that some are
> >> specifying the -i switch and others are not.
> >
> > The -i switch has absolutely nothing to do with the problem. Just proved
> > that by running with/without it in both winpcap v3.0 and v3.1. Exact same
> > issue; snort will not start after a reboot with v3.1.
> >
> >> I know in most cases (especially home and small business users) that
> >> the -i can be omitted, but this usually means Snort will automatically
> >> use the first interface in line, and I believe that is where the problem
> > occurs.
> >
> > Well, I don't think that's true either. Manual start of snort with the
> > 'config interface:' did in fact select the proper interface (of four 
> > entries
> > from snort -W). But, I can't rearrange the interface numbering to prove
> > that.
> >
> >> If you are running snort as a service, logging to a database and
> >> WinPcap 3.1 uses the first interface in line, then WinPcap 3.1 may
> >> work, but I don't think so. We are past that point to check it out on our
> > clean install.
> >
> > The use of a database (or not) has nothing to do with the issue.
> >
> >> Tomorrow we will do another clean install and verify if it works, or
> >> someone else could check.
> >>
> >> I'm sure there is a hack to the registry that can be done to fix the
> >> problem, but it's windows :)
> >
> > There is and it was posted several hours ago (which is actually included
> > below from previous email postings).
> >
> >> I guess they need to figure out if it's a Snort problem or a WinPcap
> >> problem and fix it. I'm fairly sure it's WinPcap.
> >
> > Based on the url provided and the summary contained in that posting, looks
> > like the issue is a dependency involving winpcap v3.1 and Microsoft NetMon
> > COM component. Since winpcap v3.0 does not exhibit the same problem, there
> > is obviously something different about v3.1. Not sure as yet whether the
> > NetMon component is an XP-only item, or what its associated with.
> >
> > Rich
> >
> >> -----Original Message-----
> >
> >> I've been using 3.1 for some time now with no issues. However, I do
> >> not specify -I #, but use the config file to specify an interface to
> > listen on.
> >> Perhaps you could try doing that if you'd like to keep (or go back to)
> > 3.1.
> >>
> >> From my config file: config interface: \Device\<removed>
> >>
> >> Hope that helps.
> >>
> >> -----Original Message-----
> >> From: snort-users-admin at lists.sourceforge.net
> >> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich
> >> Adamson
> >> Sent: Tuesday, December 27, 2005 12:14 PM
> >> To: Michael Steele; snort-users at lists.sourceforge.net
> >> Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a
> >> Service
> >>
> >> Okay, the problem "is" with WinPcap v3.1; reverting to v3.0 allows
> >> snort to start correctly as a Service after a reboot. Also tried v3.2
> >> alpha 1, but it created the same problem as v3.1.
> >>
> >> Based on the winpcap url (provided below), there "is" a dependency
> >> that apparently causes snort not to start.
> >>
> >> As a side effect, reverting to winpcap v3.0 causes all of the
> >> interface numbering (snort -W) to change, therefore the snort service
> >> will need to be removed and reinstalled with an appropriate "-i"
> > specification. Bummer.
> >>
> >> Does anyone (with development experience) know whether this is an
> >> issue with "service" code in snort, or is strictly a winpcap dependency
> > issue?
> >>
> >> Rich
> >>
> >> ------------------------
> >>
> >> > Yes, I remember seeing that post somewhere. I think I suggested
> >> > removing 3.1 and reverting back to 3.0.
> >> >
> >> > We are using 3.1 (non-beta) for our new install, and will know in a
> >> > couple of hours if that is the culprit.
> >> >
> >> > Kindest regards,
> >> > Michael...
> >> >
> >> > WINSNORT.com Management Team Member
> >> > --
> >> > ****************** Established ~ 2001 *******************
> >> > *          Visit Us @ http://www.winsnort.com           *
> >> > *      ~~ FREE WinIDS Snort installation guides ~~      *
> >> > *               ~~ FREE support forums ~~               *
> >> > * Snort: Open Source Network IDS - http://www.snort.org *
> >> > *********************************************************
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: snort-users-admin at lists.sourceforge.net
> >> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> >> > Gianluca Varenni
> >> > Sent: Tuesday, December 27, 2005 8:02 AM
> >> > To: Rich Adamson; Michael Steele; snort-users at lists.sourceforge.net
> >> > Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start as a
> >> > Service
> >> >
> >> > Hi all.
> >> >
> >> > It could be an issue with a service dependency with WinPcap. Another
> >> > user reported a similar issue some weeks ago on the WinPcap-bugs
> >> > mailing
> >> list.
> >> >
> >> > You can find the mail and a possible workaround here:
> >> >
> >> > http://www.winpcap.org/pipermail/winpcap-bugs/2005-December/000133.html
> >> >
> >> >
> >> > Hope it helps
> >> >
> >> > Gianluca Varenni
> >> > WinPcap Team
> >> >
> >> > ----- Original Message -----
> >> > From: "Rich Adamson" <radamson at ...2127...>
> >> > To: "Michael Steele" <michaels at ...9077...>;
> >> > <snort-users at lists.sourceforge.net>
> >> > Sent: Tuesday, December 27, 2005 5:43 AM
> >> > Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a
> >> > Service
> >> >
> >> >
> >> > > Keep in mind the issue is that snort isn't starting at system
> >> > > bootup time, so there isn't any desktop to interact with. It
> >> > > starts just fine
> >> "after"
> >> > > the system is fully up.
> >> > >
> >> > > There likely is a 'dependency' issue or an XP service control
> >> > > manager issue, but it's not obvious from the event log, etc.
> >> > > Changing from dhcp to a static IP made no difference either.
> >> > >
> >> > > The event log messages (as originally stated) seem to imply the
> >> > > service control manager is waiting on snort for some sort of
> >> > > communications (indicating a successful start) that isn't happening.
> >> > >
> >> > > Any other thoughts?
> >> > >
> >> > > ------------------------
> >> > >
> >> > >> Rich,
> >> > >>
> >> > >> Go into services and allow Snort to interact with the desktop and
> >> > >> it should display the error:
> >> > >>
> >> > >> 1) Go into the Services applet
> >> > >> 2) Double left-click on the snort entry
> >> > >> 3) Left-click the 'Logon' tab
> >> > >> 4) Under 'Local system account' make sure that 'Allow service to
> >> > >> interact with desktop' is checked
> >> > >> 5) Left-click the 'Apply' button
> >> > >> 6) Left-click the 'General' tab
> >> > >> 7) Under 'Service Status' left-click the 'Start' button
> >> > >>
> >> > >> Snort will start in a console and should display any problems
> >> > >> with the startup procedure.
> >> > >>
> >> > >> Note: Make sure to reverse the above procedure so Snort does NOT
> >> > >> interact with the desktop under normal startup conditions.
> >> > >>
> >> > >> Kindest regards,
> >> > >> Michael...
> >> > >>
> >> > >> WINSNORT.com Management Team Member
> >> > >> --
> >> > >> Pick up your FREE Windows or UNIX Snort installation guides
> >> > >> mailto:support at ...9077...
> >> > >> Website: http://www.winsnort.com
> >> > >> Snort: Open Source Network IDS - http://www.snort.org
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: snort-users-admin at lists.sourceforge.net
> >> > >> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> >> > >> Rich Adamson
> >> > >> Sent: Monday, December 26, 2005 7:08 AM
> >> > >> To: Snort Developers Postings; Snort Users Postings
> >> > >> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a
> >> > >> Service
> >> > >>
> >> > >> Could not find any reference on the snort.org site relative to
> >> > >> reporting a problem, so posting to both the -users and -devel lists.
> >> > >>
> >> > >> Implementation: Snort v2.4.3 on Win XP (all versions) with
> >> > >> WinPcap
> >> > >> v3.1
> >> > >>
> >> > >> Experience Level:
> >> > >> Been around snort since v1.8 days and have had it running just
> >> > >> fine as a Service on most Win32 O/S's. I do not have an
> >> > >> application development system (or development experience) to
> > diagnose the problem.
> >> > >>
> >> > >> Issue:
> >> > >> Snort will not start as a Service (for example after a reboot),
> >> > >> however it runs just fine if started manually. Happens on
> >> > >> multiple XP systems and has been observed by others (see forums) as
> > well.
> >> > >> Viewing the Services list indicates the snort service is properly
> >> > >> configured to start "automatically" and log on using the Local
> >> > >> System
> >> account.
> >> > >>
> >> > >> Indicators:
> >> > >> Four event log entries are created following a system reboot.
> >> > >> 1. Security Log: Event 592 & 593 (process tracking) are created
> >> > >> for snort.
> >> > >> 2. System Log: two events generated including:
> >> > >>    Event 7000: "The Snort service failed to start due to the
> > following
> >> > >>    error: The service did not respond to the start or control
> >> > >> request
> >> in
> >> > >>    a timely manner."
> >> > >>    Event 7009: "Timeout (30,000 milliseconds) waiting for the
> >> > >> Snort service
> >> > >>    to connect."
> >> > >>
> >> > >> I am not at all sure whether this is an issue with Snort service
> >> > >> code or some form of new requirement in Win XP service startup
> >> > >> code. Several systems seem to be restarting correctly on Win 2k
> >> > >> Pro and Win 2k Server, however these systems are also running
> >> > >> pre-v2.4.3 snort code and cannot be upgraded at this time.
> >> > >>
> >> > >> Consistency:
> >> > >> Snort v2.4.3 on any Win XP system will "always" fail to start
> >> > >> following a reboot. A manual start via the Services control panel
> >> > >> will "always" be successful, and, a "net start snort" from the
> >> > >> command line will always be successful. All other services on
> >> > >> these
> >> systems start normally.
> >> > >>
> >> > >> References:
> >> > >> Microsoft's site suggests: "Within a specified time period after
> >> > >> a new service starts, it notifies Service Control Manager (SCM)
> >> > >> that it is ready to connect. In this case, the service did not
> >> > >> notify SCM within the time period." (Thus generating event 7009.)
> >> > >>
> >> > >> Other Observations:
> >> > >> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
> >> > >> 2. After manually starting the snort service, task manager indicates
> >> > >>    over 150 meg of available memory.
> >> > >> 3. After manually starting the snort service, all alerts and log
> >> entries
> >> > >>    occur properly.
> >> > >> 4. The snort service was installed following the examples
> >> > >> displayed
> >> when
> >> > >>    executing "snort -?" from the command line.
> >> > >> 5. Executing "snort /service /show" indicates the service was
> > properly
> >> > >>    installed with all appropriate startup parameters.
> >> > >>
> >> > >> Best Guess:
> >> > >> The two events in the security log suggest the snort service was
> >> > >> actually starting, however the events in the system log indicate
> >> > >> a timeout. Since the "process events" (security log) do occur,
> >> > >> presumably snort is starting and supposed to pass a message or
> >> > >> call the services control manager (or maybe
> >> > >>
> >> > >> return some value) indicating to the services control manager
> >> > >> that it has started. It would appear this second step is not
> > occurring.
> >> > >>
> >> > >> Some possibility exists the snort code is using the name "snortsvc"
> >> > >> in some code and "snort" in other services code. Executing "sc
> >> > >> query snortsvc"
> >> > >> from a command line indicates:
> >> > >>   State: 1 stopped
> >> > >>            (not-stoppable, not_pausable, ignores_shutdown) with
> >> > >> no other hints. The above _might_ be related to not registering
> >> > >> the snort service properly, differences in service names,
> >> > >> incorrect parameters, etc. Not sure.
> >> > >>
> >> > >> If I can provide any other information regarding the
> >> > >> problem/symptom, please contact me.
> >> > >>
> >> > >> If there is a better location to report this problem, please let
> >> > >> me
> >> know.
> >> > >>
> >> > >> Rich Adamson
> >> > >> radamson at ...2127...
> >> > >>
> >> > >>
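Editor's added example (not code from the thread, Snort, or the WinPcap team): the regedit steps above, plus the checks a practitioner would run before and after, as a PowerShell script. It assumes the service is registered under the name "Snort" and that the WinPcap driver services are named "NPF" and "NM", exactly as the registry steps in this thread state; the event IDs 7000/7009 are the ones Rich reports. `sc.exe config ... depend=` writes the same `DependOnService` multi-string value that regedit step 4 creates, so the two approaches are interchangeable. The script only declares a dependency on a driver service that actually exists on the host; depending on an absent service would make the Snort service fail to start at all rather than just at boot.

```powershell
# Added example: declare WinPcap driver dependencies on the Snort service so the
# Service Control Manager starts them before Snort at boot. Run from an elevated
# PowerShell prompt. Service names below are assumptions taken from this thread.

$svc  = 'Snort'          # service name as registered with "snort /service /install"
$deps = @('NM', 'NPF')   # WinPcap 3.1 driver services named in the regedit steps
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Confirm the boot-time failure mode: SCM events 7000/7009 mentioning the service.
#    (Get-WinEvent is not available on XP; on a modern host this is the equivalent
#    of reading the System log entries quoted in the original report.)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009
    } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($svc) } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Keep only the driver services that are actually registered on this host.
#    Get-Service does not list kernel drivers, so test the registry key instead.
$present = $deps | Where-Object { Test-Path (Join-Path $svcKey $_) }
$missing = $deps | Where-Object { $_ -notin $present }
if ($missing) {
    Write-Warning ("Not registered on this host, not adding as dependency: {0}" -f ($missing -join ', '))
}
if (-not $present) {
    throw "None of the expected WinPcap driver services ($($deps -join ', ')) exist; is WinPcap installed?"
}

# 3. Show the current dependency list; an empty list is the failing state.
Write-Host "Current configuration of '$svc':"
sc.exe qc $svc

# 4. Write the DependOnService value. sc.exe requires the space after 'depend='
#    and separates multiple names with '/'.
sc.exe config $svc depend= ($present -join '/')
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 5. Verify both through the SCM and by reading the registry value regedit would show.
sc.exe qc $svc
$value = (Get-ItemProperty -Path (Join-Path $svcKey $svc) -Name DependOnService).DependOnService
Write-Host ("DependOnService is now: {0}" -f ($value -join ', '))
```

After running it, reboot and re-run step 1 only: the 7000/7009 pair should no longer appear for the Snort service. To undo the change (for example when reverting to WinPcap 3.0, whose driver set differs), run `sc.exe config Snort depend= ""` or delete the `DependOnService` value from the service key.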