What do we have in this session?
Testing the New Snort Configuration
Then, let's test Snort with the MySQL database output. Issue the following command; any errors will be reported.
C:\>snort -c c:\snort\etc\snort.conf -l c:\snort\log -i4 -T
Looks like everything is working properly.
Configuring Snort as a Service
In order to run Snort as a background service on Windows 2000, XP, 2003 and so on, you must know:
We already have this information. When we added the database output configuration to snort.conf, we made Snort depend on MySQL. If we try to run Snort as a service without MySQL installed and configured, the Snort service fails because it looks for the MySQL database we specified in snort.conf. The following examples are a generic configuration; your configuration may vary slightly and you should adjust accordingly.
Lastly, we need to set up Snort to log to the Event Log and to run as a service. This can be done easily by running the following command from a command prompt:
C:\>snort /SERVICE /INSTALL -l C:\Snort\log -c C:\Snort\etc\snort.conf -i2 -E
The following screenshots show Snort's service options.
The following screenshot shows how to install Snort as a Windows service.
The following is another example with interface #2 as the interface.
The following is another example.
After /SERVICE /INSTALL runs successfully, the Snort service should be visible in the Windows Services snap-in.
Now, let's start the Snort service. Select the Snort service > right-click > select Start.
Or, open the Snort service's Properties page > click the Start button. The following screenshot shows Snort's Properties page.
--------------------------------------------------------
Hmmm, we failed to start the Snort service with the following error: Error 5: Access is denied.
Let's view the actual error message in Windows Event Viewer. Open Windows Event Viewer > double-click the error.
The following screenshot shows the error details.
Let's restart the Windows machine. Hmmm… it also fails to start Snort's service. No good answer from Mr. Google though. We have also tried some solutions from Winsnort.com (http://www.winsnort.com/), which also failed!
To verify the Snort service from the console, issue the following command.
C:\>snort /SERVICE /SHOW
Well, the Snort service is correctly configured. However, forget about Snort as a Windows service: the Snort service won't start automatically, so we need to run snort manually. As with other Windows services, if the Snort service runs properly, it should be visible in Windows Task Manager as shown below.
The registry key looks fine and the service account is already LocalSystem.
The following paragraph is extracted from the Snort installation document. It looks like not much information is provided to help us find a solution.
"...If you intend to run snort as a Win32 Service, ALWAYS run snort from the command line FIRST to ensure there are no configuration or rule errors. Snort will NOT report errors when run as a Service; it will simply abort providing no clue why it aborted. The syntax for running snort as a Service can be seen by simply executing snort from the command line (no command line parameters) and reviewing the first several lines displayed..."
However, one of our readers has tried it and sent in the following tip. You can try the following steps; thank you for the feedback.
Dear friend,
Today I found your website www.javaguicodexample.com and found it very interesting, as it hosts lots of useful sysadmin articles centered around the Windows platform. Thanks a lot for your efforts and great contribution to the IT community. I am reading your article on Windows XP Pro SP2, Snort 2.8.6, MySQL and BASE for Fun (snortiisphpmysqlbaseperladodbwinxp.pdf) and have found on page number 51 that you have listed a command to install Snort as a Windows Service.
C:\>snort /SERVICE /INSTALL -l C:\Snort\log -c C:\Snort\etc\snort.conf -i2 -E
The command produces no error, because earlier in this PDF article you appended C:\Snort\bin to the PATH environment variable so that snort may be called from any folder (here C:\ instead of C:\Snort\bin). If you launch the Services.mmc snap-in, you will see that Snort is listed in the services database, but if you try to start the service, it fails. The solution to the problem is that you should launch the above command from the C:\Snort\bin folder where snort.exe physically resides, even if you have modified the PATH environment variable. Then not only will snort be added to the Windows services database, you will also be able to start the service. Therefore, issue the following command.
C:\Snort\bin>snort /SERVICE /INSTALL -l C:\Snort\log -c C:\Snort\etc\snort.conf -i2 -E
The command works perfectly on my PC, and I hope it will also work on your Windows machine.
Thanks again for your great efforts.
Best regards,
Babby Boss
To uninstall the Snort service, issue the following command.
C:\>snort /SERVICE /UNINSTALL
If the service is started and running, the Windows net command can also be used to start and/or stop the Snort service.
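As an added example (not code from the original article or from the Snort project), the following PowerShell script puts the steps above together: it validates the configuration with -T first, installs the service from the C:\Snort\bin folder as the reader's tip recommends, checks the ImagePath the Service Control Manager recorded, and reads the error from the System event log if the start fails. The service name SnortSvc and the C:\Snort paths are assumptions; change them to match your installation.

```powershell
# Added example, not code from the original article or from the Snort project.
# Assumptions: Snort lives under C:\Snort (as in the article) and registers its
# Windows service under the name "SnortSvc"; adjust $ServiceName if yours differs.
$SnortBin    = 'C:\Snort\bin'
$SnortConf   = 'C:\Snort\etc\snort.conf'
$SnortLog    = 'C:\Snort\log'
$Interface   = '-i2'        # same interface switch as the article's command
$ServiceName = 'SnortSvc'   # assumed service name

# Step 1: as the quoted Snort documentation insists, validate the configuration
# from the command line FIRST. A service run hides config and rule errors; -T does not.
& "$SnortBin\snort.exe" -c $SnortConf -l $SnortLog $Interface -T
if ($LASTEXITCODE -ne 0) {
    throw "snort -T failed (exit code $LASTEXITCODE); fix snort.conf before installing the service"
}

# Step 2: install the service from the folder where snort.exe resides (the reader's tip),
# logging alerts to the Windows Event Log (-E) as the article does.
Push-Location $SnortBin
try {
    & .\snort.exe /SERVICE /INSTALL -l $SnortLog -c $SnortConf $Interface -E
} finally {
    Pop-Location
}

# Step 3: check which executable path the Service Control Manager will actually run.
$svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath
$exe = if ($imagePath -match '^"([^"]+)"') { $Matches[1] } else { ($imagePath -split '\s+')[0] }
if (-not [System.IO.Path]::IsPathRooted($exe) -or -not (Test-Path $exe)) {
    throw "ImagePath '$imagePath' does not point to an existing absolute snort.exe"
}

# Step 4: start the service; on failure read the Service Control Manager entries from the
# System event log, which is where the article looked for the details of its start failure.
try {
    Start-Service -Name $ServiceName -ErrorAction Stop
    Get-Service -Name $ServiceName
} catch {
    Write-Warning "Start-Service failed: $($_.Exception.Message)"
    Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 5 |
        Format-List TimeCreated, EventID, Message
}
```

Run it from an elevated PowerShell prompt, since both /SERVICE /INSTALL and Start-Service need administrative rights.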