Snort mailing list archives

RE: Problem: Win32 v2.4.3 does not start as a Service


From: "Lee Clemens" <snort () leeclemens net>
Date: Mon, 26 Dec 2005 17:11:54 -0500

Restart the service won't make it start when there's an error....but can you
confirm that it does not add an error in your event log when it should be
trying to restart? (double check the time interval you set too).

I had a problem running 2.4.3 as a service, but it was an issue with the
logging directory not being created, some permissions error would show up in
the logs though.

When you installed it as a service, can you tell us which switches or
options you used to install? Are you running it as a local user?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, December 26, 2005 12:18 PM
To: 'Snort Developers Postings'; 'Snort Users Postings'; Jeff Dell
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

No databases or any other external app is used. Alerting to syslog in
relatively low traffic environments. As mentioned, all snort functions have
been and continue to function just fine; purely a services startup issue
with no dependencies as best as I can tell.

Might also add that "Restart the Service" in the Recovery tab of the snort
services properties has been set, and that never kicks off. So, presumably
it also is related to the fact the service never started, therefore it can't
be restarted.

------------------------

Question... What are you using for your output? Are you using a 
Database on the same server? If so, the problem is probably that Snort 
is trying to startup before your DB service is and causing Snort to fail.

Cheers,
Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, December 26, 2005 10:08 AM
To: Snort Developers Postings; Snort Users Postings
Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service

Could not find any reference on the snort.org site relative to 
reporting a problem, so posting to both the -users and -devel lists.

Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap 
v3.1

Experience Level: 
Been around snort since v1.8 days and have had it running just fine 
as a Service on most Win32 O/S's. I do not have an application 
development system (or development experience) to diagnose the 
problem.

Issue: 
Snort will not start as a Service (for example after a reboot), 
however it runs just fine if started manually. Happens on multiple 
XP systems and has been observed by others (see forums) as well. 
Viewing the Services list indicates the snort service is properly 
configured to start "automatically" and log on using the Local 
System account.

Indicators: 
Four event log entries are created following a system reboot.
1. Security Log: Event 592 & 593 (process tracking) are created for snort.
2. System Log: two events generated including:
   Event 7000: "The Snort service failed to start due to the following
   error: The service did not respond to the start or control request in
   a timely manner."
   Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort service
   to connect."

I am not at all sure whether this is an issue with Snort service 
code or some form of new requirement in Win XP service startup code.
Several systems seem to be restarting correctly on Win 2k Pro and 
Win 2k Server, however these systems are also running pre-v2.4.3 
snort code and cannot be upgraded at this time.

Consistency: 
Snort v2.4.3 on any Win XP system will "always" fail to start 
following a reboot. A manual start via the Services control panel 
will "always" be successful, and, a "net start snort" from the 
command line will always be successful. All other services on these 
systems start normally.

References: 
Microsoft's site suggests: "Within a specified time period after a 
new service starts, it notifies Service Control Manager (SCM) that 
it is ready to connect. In this case, the service did not notify SCM 
within the time period." (Thus generating event 7009.)

Other Observations:
1. Typical Win32 system has 512 meg ram with WinPcap v3.1
2. After manually starting the snort service, task manager indicates
   over 150 meg of available memory.
3. After manually starting the snort service, all alerts and log entries
   occur properly.
4. The snort service was installed following the examples displayed when
   executing "snort -?" from the command line.
5. Executing "snort /service /show" indicates the service was properly
   installed with all appropriate startup parameters.

Best Guess:
The two events in the security log suggest the snort service was 
actually starting, however the events in the system log indicate a 
timeout. Since the "process events" (security log) do occur, 
presumably snort is starting and supposed to pass a message or call 
the services control manager (or maybe return some value) indicating 
to the services control manager that it has started. It would appear 
this second step is not occurring.

Some possibility exists the snort code is using the name "snortsvc" 
in some code and "snort" in other services code. Executing "sc query 
snortsvc" from a command line indicates:
  State: 1 stopped
           (not-stoppable, not_pausable, ignores_shutdown)
with no other hints. The above _might_ be related to not registering 
the snort service properly, differences in service names, incorrect 
parameters, etc. Not sure.

If I can provide any other information regarding the 
problem/symptom, please contact me.

If there is a better location to report this problem, please let me 
know.

Rich Adamson
radamson () routers com




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through 
log files for problems?  Stop!  Download the new AJAX search engine 
that makes searching your log files as easy as surfing the  web.
DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


---------------End of Original Message-----------------
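
The correlation described under "Best Guess" above, as an added example that is not part of the original thread: it pairs the process-tracking event 592 with the SCM timeout 7009 to tell "process launched but never connected to the SCM" apart from "process never launched", and reports how long the sensor went without running. The record layout, the function name `diagnose` and the sample timestamps are assumptions constructed for illustration; the event IDs and message texts are the ones quoted in the report.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread): (time, log, event ID, detail)
SAMPLE_EVENTS = [
    ("2005-12-26 09:58:10", "Security", 592, "snort.exe"),  # process created at boot
    ("2005-12-26 09:58:12", "Security", 593, "snort.exe"),  # process exited
    ("2005-12-26 09:58:40", "System", 7009,
     "Timeout (30,000 milliseconds) waiting for the Snort service to connect."),
    ("2005-12-26 09:58:40", "System", 7000,
     "The Snort service failed to start due to the following error: The service "
     "did not respond to the start or control request in a timely manner."),
    ("2005-12-26 10:08:00", "Security", 592, "snort.exe"),  # later manual start
]

def parse(events):
    """Convert timestamp strings to datetime and sort chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), log, eid, detail)
                  for t, log, eid, detail in events)

def diagnose(events, service="Snort", image="snort.exe", timeout_s=30, slack_s=5):
    """Return one finding per SCM start timeout (event 7009) for `service`."""
    rows = parse(events)
    # All process-creation events (592) for the service binary.
    starts = [t for t, log, eid, d in rows
              if log == "Security" and eid == 592 and d.lower() == image]
    findings = []
    for when, log, eid, detail in rows:
        if not (log == "System" and eid == 7009 and service in detail):
            continue
        # A 592 inside the timeout window means the SCM did launch the binary.
        window_start = when - timedelta(seconds=timeout_s + slack_s)
        created = [t for t in starts if window_start <= t <= when]
        # The next 592 after the timeout is treated as the manual restart.
        later = [t for t in starts if t > when]
        gap_start = created[0] if created else when
        findings.append({
            "timeout_at": when,
            "verdict": ("launched_but_never_connected" if created
                        else "no_process_creation_seen"),
            # Event 7000 logged alongside the timeout confirms the SCM gave up.
            "scm_error_7000": any(
                l == "System" and e == 7000 and service in d
                and abs((t - when).total_seconds()) <= slack_s
                for t, l, e, d in rows),
            # Seconds without a running sensor; None if it never came back.
            "unmonitored_s": ((later[0] - gap_start).total_seconds()
                              if later else None),
        })
    return findings
```
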



