RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
From: Michael Steele (michaelswinsnort.com)
Date: Tue Dec 27 2005 - 10:18:34 CST
Like I said; 'This is happening with some, but not others'. You might want
to go back and review what has changed, as it was operating correctly. Did
this happen after an OS update (SP2)? If so, can you still remove SP2 from
We are in the process of doing a fresh install of XP, MySQL, and IIS. We'll
know more in a couple of hours if we can replicate the problem.
WINSNORT.com Management Team Member
****************** Established ~ 2001 *******************
* Visit Us http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
From: Gianluca Varenni [mailto:gianluca.varennigmail.com]
Sent: Tuesday, December 27, 2005 8:02 AM
To: Rich Adamson; Michael Steele; snort-userslists.sourceforge.net
Subject: Re: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
It could be an issue with a service dependency with WinPcap. Another user
reported a similar issue some weeks ago on the WinPcap-bugs mailing list.
You can find the mail and a possible workaround here:
Hope it helps
----- Original Message -----
From: "Rich Adamson" <radamsonrouters.com>
To: "Michael Steele" <michaelswinsnort.com>;
Sent: Tuesday, December 27, 2005 5:43 AM
Subject: RE: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
> Keep in mind the issue is that snort isn't starting at system bootup time,
> so there isn't any desktop to interact with. It starts just fine "after"
> the system is fully up.
> There likely is a 'dependency' issue or an XP service control manager
> but it's not obvious from the event log, etc. Changing from dhcp to a
> IP made no difference either.
> The event log messages (as originally stated) seem to imply the service
> control manager is waiting on snort for some sort of communications
> (indicating a successful start) that isn't happening.
> Any other thoughts?
>> Go into services and allow Snort to interact with the desktop and it
>> display the error:
>> 1) Go into the Services applet
>> 2) Double left-click on the snort entry
>> 3) Left-click the 'Logon' tab
>> 4) Under 'Local system account' make sure that 'Allow service to interact
>> with desktop' is checked
>> 5) Left-click the 'Apply' button
>> 6) Left-click the 'General' tab
>> 7) Under 'Service Status' left-click the 'Start' button
>> Snort will start in a console and should display any problems with the
>> startup procedure.
>> Note: Make sure to reverse the above procedure so Snort does NOT interact
>> with the desktop under normal startup conditions.
>> Kindest regards,
>> WINSNORT.com Management Team Member
>> Pick up your FREE Windows or UNIX Snort installation guides
>> Website: http://www.winsnort.com
>> Snort: Open Source Network IDS - http://www.snort.org
>> -----Original Message-----
>> From: snort-users-adminlists.sourceforge.net
>> [mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Rich
>> Sent: Monday, December 26, 2005 7:08 AM
>> To: Snort Developers Postings; Snort Users Postings
>> Subject: [Snort-users] Problem: Win32 v2.4.3 does not start as a Service
>> Could not find any reference on the snort.org site relative to reporting
>> a problem, so posting to both the -users and -devel lists.
>> Implementation: Snort v2.4.3 on Win XP (all versions) with WinPcap v3.1
>> Experience Level:
>> Been around snort since v1.8 days and have had it running just fine as
>> a Service on most Win32 O/S's. I do not have an application development
>> system (or development experience) to diagnose the problem.
>> Snort will not start as a Service (for example after a reboot), however
>> it runs just fine if started manually. Happens on multiple XP systems and
>> has been observed by others (see forums) as well. Viewing the Services
>> list indicates the snort service is properly configured to start
>> "automatically" and log on using the Local System account.
>> Four event log entries are created following a system reboot.
>> 1. Security Log: Event 592 & 593 (process tracking) are created for
>> 2. System Log: two events generated including:
>> Event 7000: "The Snort service failed to start due to the following
>> error: The service did not respond to the start or control request in
>> a timely manner."
>> Event 7009: "Timeout (30,000 milliseconds) waiting for the Snort
>> to connect."
>> I am not at all sure whether this is an issue with Snort service code or
>> some form of new requirement in Win XP service startup code. Several
>> seem to be restarting correctly on Win 2k Pro and Win 2k Server, however
>> these systems are also running pre-v2.4.3 snort code and cannot be
>> at this time.
>> Snort v2.4.3 on any Win XP system will "always" fail to start following a
>> reboot. A manual start via the Services control panel will "always" be
>> successful, and, a "net start snort" from the command line will always be
>> successful. All other services on these systems start normally.
>> Microsoft's site suggests: "Within a specified time period after a new
>> service starts, it notifies Service Control Manager (SCM) that it is
>> to connect. In this case, the service did not notify SCM within the time
>> period." (Thus generating event 7009.)
>> Other Observations:
>> 1. Typical Win32 system has 512 meg ram with WinPcap v3.1
>> 2. After manually starting the snort service, task manager indicates
>> over 150 meg of available memory.
>> 3. After manually starting the snort service, all alerts and log entries
>> occur properly.
>> 4. The snort service was installed following the examples displayed when
>> executing "snort -?" from the command line.
>> 5. Executing "snort /service /show" indicates the service was properly
>> installed with all appropriate startup parameters.
>> Best Guess:
>> The two events in the security log suggest the snort service was actually
>> starting, however the events in the system log indicate a timeout. Since
>> the "process events" (security log) do occur, presumably snort is
>> and supposed to pass a message or call the services control manager (or
>> return some value) indicating to the services control manager that it has
>> started. It would appear this second step is not occurring.
>> Some possibility exists the snort code is using the name "snortsvc" in
>> some code and "snort" in other services code. Executing "sc query
>> from a command line indicates:
>> State: 1 stopped
>> (not-stoppable, not_pausable, ignores_shutdown)
>> with no other hints. The above _might_ be related to not registering the
>> snort service properly, differences in service names, incorrect
>> etc. Not sure.
>> If I can provide any other information regarding the problem/symptom,
>> please contact me.
>> If there is a better location to report this problem, please let me know.
>> Rich Adamson
>> This SF.net email is sponsored by: Splunk Inc. Do you grep through log
>> for problems? Stop! Download the new AJAX search engine that makes
>> searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
>> Snort-users mailing list
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
> ---------------End of Original Message-----------------
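
The symptom reported in this thread (System log events 7000 and 7009 at boot, while a manual start succeeds) leaves the sensor silently down after every reboot, so it is worth checking for on each start-up. The following is an added example, not part of the original messages: it assumes PowerShell 5.1 or later and that the service is registered as `snort` (the name used with `net start snort` above); the function name `Test-ServiceBootStart` is hypothetical.

```powershell
# Added example (not from the thread): report whether a service hit the SCM
# start timeout during the current boot, plus its state and dependencies.
function Test-ServiceBootStart {
    param(
        # Assumption: service name as used with "net start snort" in the thread.
        [string]$ServiceName = 'snort'
    )

    # Boot time bounds the search to the current start-up attempt.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # 7009 = timeout waiting for the service to connect,
    # 7000 = service failed to start; both are logged by the SCM.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009
        StartTime    = $boot
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceName*" } |
        Sort-Object TimeCreated)

    # Fails loudly if the service is not registered under this name.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    [pscustomobject]@{
        Service         = $svc.Name
        StatusNow       = $svc.Status
        StartType       = $svc.StartType
        # Services the SCM must start first (empty if none are configured).
        DependsOn       = ($svc.ServicesDependedOn.Name -join ', ')
        BootTime        = $boot
        TimeoutEvents   = @($events | Where-Object Id -eq 7009).Count
        FailedEvents    = @($events | Where-Object Id -eq 7000).Count
        FailedAtBoot    = ($events.Count -gt 0)
        LastEventText   = ($events | Select-Object -Last 1).Message
    }
}

Test-ServiceBootStart -ServiceName 'snort'
```

`FailedAtBoot` being true while `StatusNow` is `Running` matches the case described above, where the service only comes up after a manual start; an empty `DependsOn` shows that no start-order dependency is configured for the service.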