Snort mailing list archives
RE: snort as a service on Windows 2000
From: "Michael Steele" <michaels () silicondefense com>
Date: Mon, 14 Apr 2003 11:16:05 -0700
Augie,

Why would you want to monitor multiple NIC's?

HOME_NET [10.0.0.1/24,192.168.1.100/24]

To turn off sending alerts to the event viewer

In snort.conf change:

Original: output alert_syslog: LOG_AUTH LOG_ALERT
Change: # output alert_syslog: LOG_AUTH LOG_ALERT

Restart Snort

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense - The Cyber-War Defense Company
Website: http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com]
Sent: Monday, April 14, 2003 8:44 AM
To: michaels () silicondefense com

I think I already found the answer to my question. I need to run multiple instances of Snort, correct?

I do have another question. I am getting my entries into my ACID database, but I am also seeing Snort entries in my event viewer. How do I get rid of those in event viewer?

Augie
-----Original Message-----
From: Kunnecke, Augie K.
Sent: Monday, April 14, 2003 11:38 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] snort as a service on Windows 2000
Michael
Thanks for all of your help. I now have a working IDS for one network.
My next project is to configure another box with Windows 2000, Snort 2.0
and use it to monitor multiple networks.
Is there documentation on monitoring more than one network into Snort?
-----Original Message-----
From: Michael Steele [SMTP:michaels () silicondefense com]
Sent: Friday, April 11, 2003 5:08 PM
To: August.K.Kunnecke () pmusa com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort as a service on Windows 2000
August,
I'm taking it runs fine from the command line.
Navigate from a command prompt to snort\bin
Remove the service: snort /SERVICE /UNINSTALL
Reboot
Navigate from a command prompt to snort\bin
Type: snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Make sure Snort is running with no errors.
Type CTRL/C to exit back to the command window.
Type: snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Type: snort /SERVICE /SHOW
Make sure the line reads: -c c:\snort\etc\snort.conf -l c:\snort\log -i1
Go into the services and set snort to automatic, then press the start
button. After the service starts go to Taskmanager and make SURE snort is
running.
-Michael
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: August.K.Kunnecke () pmusa com
[mailto:August.K.Kunnecke () pmusa com]
Sent: Friday, April 11, 2003 1:49 PM
To: michaels () silicondefense com
Subject: RE: [Snort-users] snort as a service on Windows 2000
I did that and the SQL seems to look cleaner.
I am still having problems when I start Snort as a service.
(I am using the user "root" to be sure I don't have any more MYSQL problems.)
__________________________
C:\Snort\etc>snort /service /show
Snort is currently configured to run as a Windows service using the following
command-line parameters:
-de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
C:\Snort\etc>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
Log directory = c:\snort\log
Initializing Network Interface \
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 0
Self preservation period: 0
Suspend threshold: 0
Suspend period: 0
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Conversation Config:
KeepStats: 0
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All
database: compiled support for ( mysql odbc )
database: configured to use mysql
database: user = root
database: password is set
database: database name = snort
database: host = 127.0.0.1
database: port = 3306
database: sensor name = W2K_Snort
database: sensor id = 2
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc )
database: configured to use mysql
database: user = root
database: password is set
database: database name = snort
database: host = 127.0.0.1
database: port = 3306
database: sensor name = W2K_Snort
database: sensor id = 2
database: schema version = 106
database: using the "alert" facility
1310 Snort rules read...
1310 Option Chains linked into 148 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snort"
database: Closing connection to database "snort"
C:\Snort\etc>
______________________________________
> -----Original Message-----
> From: Michael Steele [SMTP:michaels () silicondefense com]
> Sent: Tuesday, April 08, 2003 12:28 PM
> To: August.K.Kunnecke () pmusa com
> Subject: RE: [Snort-users] snort as a service on Windows 2000
>
> August,
>
> You NEED to add UPDATE to the user snort account.
>
> Passwords:
>
> Snort - This is very low security. The user Snort only needs to write to the
> database.
> Acid - This needs to be secured as anyone accessing the console can delete
> alerts.
> Root - This is God to the complete IDS system.
>
> -Michael
> --
> Michael Steele | System Engineer / Support Technician
> mailto:michaels () silicondefense com
> Silicon Defense - The Cyber-War Defense Company
> Website: http://www.silicondefense.com
> Snort: Open Source Network IDS - http://www.snort.org
>
> -----Original Message-----
> From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com]
> Sent: Tuesday, April 08, 2003 6:55 AM
> To: michaels () silicondefense com
>
> I made those changes and I still have problems. I think it's in the MySQL
> software. I had problems adding users the way the instructions said. I was
> able to add them, but not the way it said. I think I need to reset all of
> the passwords for those accounts. (acid, snort and root)
>
> What do you think?
>
> > -----Original Message-----
> > From: Michael Steele [SMTP:michaels () silicondefense com]
> > Sent: Monday, April 07, 2003 1:49 PM
> > To: August.K.Kunnecke () pmusa com
> > Subject: RE: [Snort-users] snort as a service on Windows 2000
> >
> > August,
> >
> > I ran into this same problem this weekend. I have a work around for it.
> >
> > In the snort.conf change the user to acid (replacing snort) and password
> > to the associated password for user acid. Do this in both 'output
> > database .....' lines, then restart snort. I have no idea why the user
> > snort is having problems. It worked for me for awhile then just stopped
> > working. I'll look into it.
> >
> > -Michael
> > --
> > Michael Steele | System Engineer / Support Technician
> > mailto:michaels () silicondefense com
> > Silicon Defense - The Cyber-War Defense Company
> > Website: http://www.silicondefense.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> > -----Original Message-----
> > From: August.K.Kunnecke () pmusa com [mailto:August.K.Kunnecke () pmusa com]
> > Sent: Monday, April 07, 2003 7:01 AM
> > To: michaels () silicondefense com
> > Subject: RE: [Snort-users] snort as a service on Windows 2000
> >
> > It looks like the problem is in MySQL. (I think.....)
> >
> >
> > C:\Snort>snort /service /show
> >
> > Snort is currently configured to run as a Windows service using the
> > following command-line parameters:
> >
> > -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
> >
> > C:\Snort>
> >
> >
> >
> > C:\Snort>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1 -T
> > Log directory = c:\snort\log
> >
> > Initializing Network Interface \
> >
> > --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Decoding Ethernet on interface
> > \Device\NPF_{9B922988-4F36-44CF-A041-B399EB0A82E8
> > }
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file c:\snort\etc\snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> > Fragment timeout: 60 seconds
> > Fragment memory cap: 4194304 bytes
> > Fragment min_ttl: 0
> > Fragment ttl_limit: 5
> > Fragment Problems: 0
> > Stream4 config:
> > Stateful inspection: ACTIVE
> > Session statistics: INACTIVE
> > Session timeout: 30 seconds
> > Session memory cap: 8388608 bytes
> > State alerts: INACTIVE
> > Evasion alerts: INACTIVE
> > Scan alerts: ACTIVE
> > Log Flushed Streams: INACTIVE
> > MinTTL: 1
> > TTL Limit: 5
> > Async Link: 0
> > State Protection: 0
> > Self preservation threshold: 0
> > Self preservation period: 0
> > Suspend threshold: 0
> > Suspend period: 0
> > Stream4_reassemble config:
> > Server reassembly: INACTIVE
> > Client reassembly: ACTIVE
> > Reassembler alerts: ACTIVE
> > Ports: 21 23 25 53 80 110 111 143 513 1433
> > Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> > http_decode arguments:
> > Unicode decoding
> > IIS alternate Unicode decoding
> > IIS double encoding vuln
> > Flip backslash to slash
> > Include additional whitespace separators
> > Ports to decode http on: 80
> > rpc_decode arguments:
> > Ports to decode RPC on: 111 32771
> > alert_fragments: INACTIVE
> > alert_large_fragments: ACTIVE
> > alert_incomplete: ACTIVE
> > alert_multiple_requests: ACTIVE
> > telnet_decode arguments:
> > Ports to decode telnet on: 21 23 25 119
> > Conversation Config:
> > KeepStats: 0
> > Conv Count: 32000
> > Timeout : 60
> > Alert Odd?: 0
> > Allowed IP Protocols: All
> >
> > database: compiled support for ( mysql odbc )
> > database: configured to use mysql
> > database: user = snort
> > database: password is set
> > database: database name = snort
> > database: host = 127.0.0.1
> > database: port = 3306
> > database: sensor name = W2K_Snort
> > database: sensor id = 2
> > database: mysql_error: Access denied for user: 'snort@localhost' to database 'snort'
> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> > database: inconsistent cid information for sid=2
> > Recovering by rolling forward the cid=8043
> > database: schema version = 106
> > database: using the "log" facility
> > database: compiled support for ( mysql odbc )
> > database: configured to use mysql
> > database: user = snort
> > database: password is set
> > database: database name = snort
> > database: host = 127.0.0.1
> > database: port = 3306
> > database: sensor name = W2K_Snort
> > database: sensor id = 2
> > database: schema version = 106
> > database: using the "alert" facility
> > 1310 Snort rules read...
> > 1310 Option Chains linked into 148 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Rule application order: ->activation->dynamic->alert->pass->log
> >
> > --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.9.1-ODBC-MySQL-WIN32 (Build 231)
> > By Martin Roesch (roesch () sourcefire com, www.snort.org)
> > 1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
> > 1.8-1.9 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
> >
> > Snort sucessfully loaded all rules and checked all rule chains!
> > database: mysql_error: Access denied for user: 'snort@localhost' to database 'snort'
> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> > database: Closing connection to database "snort"
> > database: mysql_error: Access denied for user: 'snort@localhost' to database 'snort'
> > SQL=UPDATE sensor SET last_cid = 8043 WHERE sid = 2
> > database: Closing connection to database "snort"
> >
> > C:\Snort>
> >
> > > -----Original Message-----
> > > From: Michael Steele [SMTP:michaels () silicondefense com]
> > > Sent: Saturday, April 05, 2003 2:20 PM
> > > To: August.K.Kunnecke () pmusa com
> > > Cc: snort-users () lists sourceforge net
> > > Subject: RE: [Snort-users] snort as a service on Windows 2000
> > >
> > > August,
> > >
> > > Do a:
> > >
> > > Snort /SERVICE /SHOW
> > >
> > > Send the output to me along with your snort.conf.
> > >
> > > Try running:
> > >
> > > Snort -c d:\applications\snort\etc\snort.conf -l d:\applications\snort\log
> > > -ix -T
> > >
> > > Make SURE to replace the proper paths and make SURE that the '-ix' has the
> > > proper interface in place of the 'x'. Send me that output.
> > >
> > > -Michael
> > >
> > > Michael Steele | System Engineer / Support Technician
> > > mailto:michaels () silicondefense com
> > > Silicon Defense: IDS solutions - http://www.silicondefense.com
> > > Snort: Open Source Network IDS - http://www.snort.org
> > >
> > >
> > > -----Original Message-----
> > > From: snort-users-admin () lists sourceforge net
> > > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
> > > August.K.Kunnecke () pmusa com
> > > Sent: Thursday, April 03, 2003 11:18 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] snort as a service on Windows 2000
> > >
> > > I am trying to use Snort on a Windows 2000 server.
> > >
> > > Snort works when I type snort -v -ix. I am having problems getting it to run
> > > as a service. It installs fine. When I try to start it, I get different
> > > errors. I have finally decided to stop and see if I can get some help. This
> > > time I am getting the following message in my event viewer:
> > >
> > > ------------------------------------------------------------
> > > Event Type: Error
> > > Event Source: Service Control Manager
> > > Event Category: None
> > > Event ID: 7000
> > > Date: 4/3/2003
> > > Time: 1:59:36 PM
> > > User: N/A
> > > Computer: XXXXXX
> > > Description:
> > > The Snort service failed to start due to the following error:
> > > The system cannot find the file specified
> > >
> > > ---------------------------------------------------------------------
> > >
> > > It usually tells me that it cannot find the snort.conf file in the
> > > application log, but I am not getting any messages in that section.
> > >
> > > When I run snort at a DOS prompt to try to see what file it is missing, I
> > > get the following:
> > >
> > > ---------------------------------
> > > WARNING: unknown output plugin: 'alert_syslog'WARNING: unknown output plugin: 'database'WARNING: unknown output plugin: 'database'1310 Snort rules read...
> > > 1310 Option Chains linked into 148 Chain Headers
> > > 0 Dynamic rules
> > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > >
> > > Rule application order: ->activation->dynamic->alert->pass->log
> > >
> > > --== Initializing Snort ==--
> > > Initializing Output Plugins!
> > >
> > > [!] ERROR: Can not get write access to logging directory "log".
> > > (directory doesn't exist or permissions are set incorrectly
> > > or it is not a directory at all)
> > >
> > > Fatal Error, Quitting..
> > > -------------------------------------------------
> > >
> > > I followed the instructions from the snort.org web site. I tried moving the
> > > snort.exe to the snort directory. I also tried to move (and copy) the
> > > snort.conf file, but I still get the same error.
> > >
> > >
> > > I also have some questions about the config files:
> > >
> > > One document I read had the path names to the files listed with the "/"
> > > character. Another set of instructions said to use the standard "\"
> > > backslash character. Which is the correct convention to use?
> > >
> > >
> > > Thanks in advance for any help.
> > >
> > >
> > >
> > >
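The thread's recurring failure is the database user: the sensor account lacked UPDATE (the `UPDATE sensor SET last_cid ...` denial above), and the workaround of connecting as root is the "God" account Michael warns about. As an added example that is not from the thread or the Snort project, here are MySQL grants that give each of the three roles only what it needs; the passwords are placeholders, the CREATE USER syntax assumes MySQL 5.0 or later (the 4.x releases of 2003 used `GRANT ... IDENTIFIED BY` instead), and the sensor's privilege set is inferred from the queries shown in the `-T` output.

```sql
-- Weak setting seen in the thread: the sensor's snort.conf output lines use root.
--   output database: log, mysql, user=root password=... dbname=snort host=127.0.0.1
-- The grants below let both 'output database' lines use user=snort instead.

-- snort: write-only sensor account. INSERT stores events, SELECT reads back
-- its sensor id and the schema version, and UPDATE is needed for the query
-- that was denied in the thread: UPDATE sensor SET last_cid = ... WHERE sid = ...
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'CHANGE-ME-snort-placeholder';
GRANT SELECT, INSERT ON snort.* TO 'snort'@'localhost';
GRANT UPDATE ON snort.sensor TO 'snort'@'localhost';
-- Assumption: the sensor table is the only one Snort updates. If a later
-- "mysql_error: Access denied" names another table, extend UPDATE to that table.

-- acid: console account. DELETE is what lets a console user purge alerts,
-- which is why this password needs protecting more than the sensor's.
CREATE USER 'acid'@'localhost' IDENTIFIED BY 'CHANGE-ME-acid-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'acid'@'localhost';

-- root is never written into snort.conf; it only runs this script.
FLUSH PRIVILEGES;

-- Verify before re-running "snort -c ... -T" and restarting the service:
SHOW GRANTS FOR 'snort'@'localhost';
SHOW GRANTS FOR 'acid'@'localhost';
```

If the `-T` run still prints a `mysql_error` line for the snort user after these grants, the denied SQL statement it echoes tells you which table or privilege is still missing.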