[Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Our World Is Here info at ...2282...
Wed Dec 28 17:08:02 EST 2005


I second this...

Cheers,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca


> -----Original Message-----
> From: Rich Adamson [mailto:radamson at ...2127...]
> Sent: Wednesday, December 28, 2005 3:35 AM
> To: Gianluca Varenni; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not
> start as a Service
>
> Gianluca,
>
> I see now from the winpcap archives this issue is related to
> changes that were made to winpcap between beta 4 and the
> official v3.1 release.
> I also see the issue resulted from someone electing to use
> the Microsoft NetMon COM component from within winpcap, and
> the NetMon component is primarily intended to capture packets
> from dialup adapters.
>
> I've read your postings relative to editing the registry to
> add a startup dependency, but I don't understand why those of
> us that don't ever use a dialup adapter are required to be
> "dependent" on that component.
>
> Can you help us understand why that dependency became mandatory?
>
> Would it be appropriate for the snort win32 distribution to
> add the registry entry during the snort installation, ask the
> winpcap folks to release v3.1.1 with the registry change in
> it, stay with v3.0 in snort documentation and
> recommendations, or, is there another "fix" to this service
> startup problem?
>
> For those that are actually following this thread, the
> suggested registry changes are:
> 1. Open the registry with regedit.exe
> 2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
>    and locate the Snort service (it should probably be named
>    "Snort" something)
> 3. Right-click on the snort key name, and choose
>    New->Multi-string value
> 4. Name the new key "DependOnService" (be careful with the
>    spelling and the capital letters).
> 5. Double-click on the newly created key, and add the
>    following names (one per line):
>     NM
>     NPF
>    Be careful *not* to put any space before/after each name
>
>
> ------------------------
> > Hi all.
> >
> > NetMon stands for Microsoft Network Monitor, and it's basically the
> > (quite crappy) implementation of packet capture engine provided by
> > Microsoft.
> > It is available (but *not* installed) on every 2000/XP/2003
> > Windows installation.
> > It's *not* related to QoS.
> >
> > It's used by WinPcap to capture for dialup/VPN adapters (the so called
> > "NDISWAN" adapters), and it was introduced in WinPcap 3.1 (well,
> > actually it was introduced in WinPcap 3.1 beta1, back in feb '04).
> >
> > NetMon is installed by default by the WinPcap installer.
> >
> > netcat.exe is a command line tool provided by Microsoft (I think in
> > the support pack or something similar), that allows capturing packets
> > from the command line and dumping them to file (similar to
> > "tcpdump/windump -w <somefile>").
> >
> > If I remember well netmon is a simple GUI packet analyzer provided by
> > microsoft (I think on the server versions of Windows) that uses NetMon
> > to capture packets.
> >
> > Have a nice day
> > GV
> >
> >
> > ----- Original Message -----
> > From: "Lee Clemens" <snort at ...13080...>
> > To: "'Rich Adamson'" <radamson at ...2127...>; "'Michael Steele'"
> > <michaels at ...9077...>; <snort-users at lists.sourceforge.net>
> > Sent: Tuesday, December 27, 2005 8:38 PM
> > Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a
> > Service
> >
> >
> > > Perhaps someone else knows more about this, but it looks like NetMon
> > > may be related to QoS. Since you said you don't know what they are,
> > > I assume you haven't installed NetMon, but it may be related to a
> > > network adapter driver you have installed, or if QoS is dis/enabled
> > > on the interface you are listening to with Snort.
> > >
> > > There is a file, NetMonInstaller.exe, in the WinPcap directory...did
> > > you execute this? (I'm not saying you should.)
> > >
> > > Can you try typing "netcap /?" or "netmon /?" at a DOS prompt?
> > >
> > > Perhaps playing around with the adapter's settings for QoS, File and
> > > Print Sharing, and Client for Microsoft Networks could help?
> > >
> > > Disclaimer: Pretty much shots in the dark, but shouldn't hurt.
> > >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich
> > > Adamson
> > > Sent: Tuesday, December 27, 2005 8:34 PM
> > > To: Michael Steele; snort-users at lists.sourceforge.net
> > > Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a
> > > Service
> > >
> > >
> > >> The -i switch is what's killing the Snort service. I'm guessing the
> > >> reason why it's happening to some and not others is that some are
> > >> specifying the -i switch and others are not.
> > >
> > > The -i switch has absolutely nothing to do with the problem. Just
> > > proved that by running with/without it in both winpcap v3.0 and
> > > v3.1. Exact same issue; snort will not start after a reboot with v3.1.
> > >
> > >> I know in most cases (especially home and small business users)
> > >> that the -i can be omitted, but this usually means Snort will
> > >> automatically use the first interface in line, and I believe that
> > >> is where the problem occurs.
> > >
> > > Well, I don't think that's true either. Manual start of snort with
> > > the 'config interface:' did in fact select the proper interface (of
> > > four entries from snort -W). But, I can't rearrange the interface
> > > numbering to prove that.
> > >
> > >> If you are running snort as a service, logging to a database and
> > >> WinPcap 3.1 uses the first interface in line, then WinPcap 3.1 may
> > >> work, but I don't think so. We are past that point to check it out
> > >> on our clean install.
> > >
> > > The use of a database (or not) has nothing to do with the issue.
> > >
> > >> Tomorrow we will do another clean install and verify if it works,
> > >> or someone else could check.
> > >>
> > >> I'm sure there is a hack to the registry that can be done to fix
> > >> the problem, but it's windows :)
> > >
> > > There is and it was posted several hours ago (which is actually
> > > included below from previous email postings).
> > >
> > >> I guess they need to figure out if it's a Snort problem or a
> > >> WinPcap problem and fix it. I'm fairly sure it's WinPcap.
> > >
> > > Based on the url provided and the summary contained in that posting,
> > > looks like the issue is a dependency involving winpcap v3.1 and
> > > Microsoft NetMon COM component. Since winpcap v3.0 does not exhibit
> > > the same problem, there is obviously something different about v3.1.
> > > Not sure as yet whether the NetMon component is an XP-only item, or
> > > what it's associated with.
> > >
> > > Rich
> > >
> > >> -----Original Message-----
> > >
> > >> I've been using 3.1 for some time now with no issues. However, I do
> > >> not specify -I #, but use the config file to specify an interface
> > >> to listen on.
> > >> Perhaps you could try doing that if you'd like to keep (or go back
> > >> to) 3.1.
> > >>
> > >> From my config file: config interface: \Device\<removed>
> > >>
> > >> Hope that helps.
> > >>
> > >> -----Original Message-----
> > >> From: snort-users-admin at lists.sourceforge.net
> > >> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich
> > >> Adamson
> > >> Sent: Tuesday, December 27, 2005 12:14 PM
> > >> To: Michael Steele; snort-users at lists.sourceforge.net
> > >> Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as
> > >> a Service
> > >>
> > >> Okay, the problem "is" with WinPcap v3.1; reverting to v3.0 allows
> > >> snort to start correctly as a Service after a reboot. Also tried
> > >> v3.2 alpha 1, but it created the same problem as v3.1.
> > >>
> > >> Based on the winpcap url (provided below), there "is" a dependency
> > >> that apparently causes snort not to start.
> > >>
> > >> As a side effect, reverting to winpcap v3.0 causes all of the
> > >> interface numbering (snort -W) to change, therefore the snort
> > >> service will need to be removed and reinstalled with an
> > >> appropriate "-i" specification. Bummer.
> > >>
> > >> Does anyone (with development experience) know whether this is an
> > >> issue with "service" code in snort, or is strictly a winpcap
> > >> dependency issue?
> > >>
> > >> Rich
> > >>
> > >> ------------------------
> > >>
> > >> > Yes, I remember seeing that post somewhere. I think I suggested
> > >> > removing 3.1 and reverting back to 3.0.
> > >> >
> > >> > We are using 3.1 (non-beta) for our new install, and will know in
> > >> > a couple of hours if that is the culprit.
> > >> >
> > >> > Kindest regards,
> > >> > Michael...
> > >> >
> > >> > WINSNORT.com Management Team Member
> > >> > --
> > >> > ****************** Established ~ 2001 *******************
> > >> > *          Visit Us @ http://www.winsnort.com           *
> > >> > *      ~~ FREE WinIDS Snort installation guides ~~      *
> > >> > *               ~~ FREE support forums ~~               *
> > >> > * Snort: Open Source Network IDS - http://www.snort.org *
> > >> > *********************************************************
> > >> >
> > >> >
> > >> > -----Original Message-----
> > >> > From: snort-users-admin at lists.sourceforge.net
> > >> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> > >> > Gianluca Varenni
> > >> > Sent: Tuesday, December 27, 2005 8:02 AM
> > >> > To: Rich Adamson; Michael Steele;
> > >> > snort-users at lists.sourceforge.net
> > >> > Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start
> > >> > as a Service
> > >> >
> > >> > Hi all.
> > >> >
> > >> > It could be an issue with a service dependency with WinPcap.
> > >> > Another user reported a similar issue some weeks ago on the
> > >> > WinPcap-bugs mailing list.
> > >> >
> > >> > You can find the mail and a possible workaround here:
> > >> >
> > >> > http://www.winpcap.org/pipermail/winpcap-bugs/2005-December/000133.html
> > >> >
> > >> >
> > >> > Hope it helps
> > >> >
> > >> > Gianluca Varenni
> > >> > WinPcap Team
> > >> >
> > >> > ----- Original Message -----
> > >> > From: "Rich Adamson" <radamson at ...2127...>
> > >> > To: "Michael Steele" <michaels at ...9077...>;
> > >> > <snort-users at lists.sourceforge.net>
> > >> > Sent: Tuesday, December 27, 2005 5:43 AM
> > >> > Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start
> > >> > as a Service
> > >> >
> > >> >
> > >> > > Keep in mind the issue is that snort isn't starting at system
> > >> > > bootup time, so there isn't any desktop to interact with. It
> > >> > > starts just fine "after" the system is fully up.
> > >> > >
> > >> > > There likely is a 'dependency' issue or an XP service control
> > >> > > manager issue, but it's not obvious from the event log, etc.
> > >> > > Changing from dhcp to a static IP made no difference either.
> > >> > >
> > >> > > The event log messages (as originally stated) seem to imply the
> > >> > > service control manager is waiting on snort for some sort of
> > >> > > communications (indicating a successful start) that isn't
> > >> > > happening.
> > >> > >
> > >> > > Any other thoughts?
> > >> > >
> > >> > > ------------------------
> > >> > >
> > >> > >> Rich,
> > >> > >>
> > >> > >> Go into services and allow Snort to interact with the desktop
> > >> > >> and it should display the error:
> > >> > >>
> > >> > >> 1) Go into the Services applet
> > >> > >> 2) Double left-click on the snort entry
> > >> > >> 3) Left-click the 'Logon' tab
> > >> > >> 4) Under 'Local system account' make sure that 'Allow service
> > >> > >>    to interact with desktop' is checked
> > >> > >> 5) Left-click the 'Apply' button
> > >> > >> 6) Left-click the 'General' tab
> > >> > >> 7) Under 'Service Status' left-click the 'Start' button
> > >> > >>
> > >> > >> Snort will start in a console and should display any problems
> > >> > >> with the startup procedure.
> > >> > >>
> > >> > >> Note: Make sure to reverse the above procedure so Snort does
> > >> > >> NOT interact with the desktop under normal startup conditions.
> > >> > >>
> > >> > >> Kindest regards,
> > >> > >> Michael...
> > >> > >>
> > >> > >> WINSNORT.com Management Team Member
> > >> > >> --
> > >> > >> Pick up your FREE Windows or UNIX Snort installation guides
> > >> > >> mailto:support at ...9077...
> > >> > >> Website: http://www.winsnort.com
> > >> > >> Snort: Open Source Network IDS - http://www.snort.org
> > >> > >>
> > >> > >> -----Original Message-----
> > >> > >> From: snort-users-admin at lists.sourceforge.net
> > >> > >> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> > >> > >> Rich Adamson
> > >> > >> Sent: Monday, December 26, 2005 7:08 AM
> > >> > >> To: Snort Developers Postings; Snort Users Postings
> > >> > >> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as
> > >> > >> a Service
> > >> > >> Could not find any reference on the snort.org site relative to
> > >> > >> reporting a problem, so posting to both the -users and -devel
> > >> > >> lists.
> > >> > >>
> > >> > >> Implementation: Snort v2.4.3 on Win XP (all versions) with
> > >> > >> WinPcap v3.1
> > >> > >>
> > >> > >> Experience Level:
> > >> > >> Been around snort since v1.8 days and have had it running just
> > >> > >> fine as a Service on most Win32 O/S's. I do not have an
> > >> > >> application development system (or development experience) to
> > >> > >> diagnose the problem.
> > >> > >>
> > >> > >> Issue:
> > >> > >> Snort will not start as a Service (for example after a
> > >> > >> reboot), however it runs just fine if started manually.
> > >> > >> Happens on multiple XP systems and has been observed by others
> > >> > >> (see forums) as well.
> > >> > >> Viewing the Services list indicates the snort service is
> > >> > >> properly configured to start "automatically" and log on using
> > >> > >> the Local System account.
> > >> > >>
> > >> > >> Indicators:
> > >> > >> Four event log entries are created following a system reboot.
> > >> > >> 1. Security Log: Event 592 & 593 (process tracking) are
> > >> > >>    created for snort.
> > >> > >> 2. System Log: two events generated including:
> > >> > >>    Event 7000: "The Snort service failed to start due to the
> > >> > >>    following error: The service did not respond to the start
> > >> > >>    or control request in a timely manner."
> > >> > >>    Event 7009: "Timeout (30,000 milliseconds) waiting for the
> > >> > >>    Snort service to connect."
> > >> > >>
> > >> > >> I am not at all sure whether this is an issue with Snort
> > >> > >> service code or some form of new requirement in Win XP service
> > >> > >> startup code. Several systems seem to be restarting correctly
> > >> > >> on Win 2k Pro and Win 2k Server, however these systems are
> > >> > >> also running pre-v2.4.3 snort code and cannot be upgraded at
> > >> > >> this time.
> > >> > >>
> > >> > >> Consistency:
> > >> > >> Snort v2.4.3 on any Win XP system will "always" fail to start
> > >> > >> following a reboot. A manual start via the Services control
> > >> > >> panel will "always" be successful, and, a "net start snort"
> > >> > >> from the command line will always be successful. All other
> > >> > >> services on these systems start normally.
> > >> > >>
> > >> > >> References:
> > >> > >> Microsoft's site suggests: "Within a specified time period
> > >> > >> after a new service starts, it notifies Service Control
> > >> > >> Manager (SCM) that it is ready to connect. In this case, the
> > >> > >> service did not notify SCM within the time period." (Thus
> > >> > >> generating event 7009.)
> > >> > >>
> > >> > >> Other Observations:
> > >> > >> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
> > >> > >> 2. After manually starting the snort service, task manager
> > >> > >>    indicates over 150 meg of available memory.
> > >> > >> 3. After manually starting the snort service, all alerts and
> > >> > >>    log entries occur properly.
> > >> > >> 4. The snort service was installed following the examples
> > >> > >>    displayed when executing "snort -?" from the command line.
> > >> > >> 5. Executing "snort /service /show" indicates the service was
> > >> > >>    properly installed with all appropriate startup parameters.
> > >> > >>
> > >> > >> Best Guess:
> > >> > >> The two events in the security log suggest the snort service
> > >> > >> was actually starting, however the events in the system log
> > >> > >> indicate a timeout. Since the "process events" (security log)
> > >> > >> do occur, presumably snort is starting and supposed to pass a
> > >> > >> message or call the services control manager (or maybe
> > >> > >> return some value) indicating to the services control manager
> > >> > >> that it has started. It would appear this second step is not
> > >> > >> occurring.
> > >> > >>
> > >> > >> Some possibility exists the snort code is using the name
> > >> > >> "snortsvc" in some code and "snort" in other services code.
> > >> > >> Executing "sc query snortsvc" from a command line indicates:
> > >> > >>   State: 1 stopped
> > >> > >>            (not-stoppable, not_pausable, ignores_shutdown)
> > >> > >> with no other hints. The above _might_ be related to not
> > >> > >> registering the snort service properly, differences in service
> > >> > >> names, incorrect parameters, etc. Not sure.
> > >> > >>
> > >> > >> If I can provide any other information regarding the
> > >> > >> problem/symptom, please contact me.
> > >> > >>
> > >> > >> If there is a better location to report this problem, please
> > >> > >> let me know.
> > >> > >>
> > >> > >> Rich Adamson
> > >> > >> radamson at ...2127...
> > >> > >>
> > >> > >>
>
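The registry workaround quoted above (the DependOnService multi-string on the Snort service key) and the "sc query" check Rich ran, written up as a PowerShell script. This is an added example, not code from any of the thread's participants nor from the Snort or WinPcap projects; it assumes the service is registered as "Snort" (the thread only says "Snort something", so adjust the name) and that the NM and NPF drivers named in the thread are registered on the host. The script refuses to write a dependency on a driver that is not registered, because a dependency on a missing service is by itself a reason the Service Control Manager will not start Snort, which would turn one boot-time failure into another.

```powershell
# Added example (not from the thread): inspect and, if needed, set the
# DependOnService value the thread recommends for the Snort service.
# Assumptions: the service is registered as "Snort" (adjust $ServiceName),
# and the dependencies are the WinPcap NPF driver and the NetMon "NM"
# driver named in the thread. Run from an elevated PowerShell prompt.

param(
    [string]   $ServiceName  = 'Snort',
    [string[]] $Dependencies = @('NM', 'NPF')
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$key = Join-Path $servicesRoot $ServiceName
if (-not (Test-Path $key)) {
    throw "Service key '$key' not found; check the service name with 'sc query'."
}

# A dependency on a driver or service that is not registered will itself
# stop the service from starting (SCM error 1075), so verify each name
# against the Services key before writing anything.
foreach ($dep in $Dependencies) {
    if (-not (Test-Path (Join-Path $servicesRoot $dep))) {
        throw "Dependency '$dep' is not a registered service or driver on this host."
    }
}

# Show the current value; it is absent on a freshly installed Snort service.
$current = (Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$shown = if ($current) { $current -join ', ' } else { '<none>' }
Write-Host "Current DependOnService: $shown"

# Write the REG_MULTI_SZ value, one name per entry, with no surrounding
# spaces (the thread warns about stray whitespace). Set-ItemProperty
# creates the value when it does not exist yet.
Set-ItemProperty -Path $key -Name DependOnService -Value $Dependencies -Type MultiString

# Confirm the change as the SCM sees it, then cross-check the registry.
sc.exe qc $ServiceName | Select-String 'START_TYPE|DEPENDENCIES'
$after = (Get-ItemProperty -Path $key -Name DependOnService).DependOnService
if (@(Compare-Object $after $Dependencies).Count -ne 0) {
    throw "DependOnService was not written as expected: $($after -join ', ')"
}
Write-Host "DependOnService now: $($after -join ', ')"
```

The same change can be made with `sc.exe config Snort depend= NM/NPF` (slash-separated list, space after `depend=`), but that form silently replaces whatever dependencies were already there, so the script above shows the current value first. A reboot is still needed to see whether Event 7000/7009 stop appearing in the System log.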
