Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Windows » Snort doesn't start as service at boot time on Windows (XP)

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Snort doesn't start as service at boot time on Windows (XP)


Posted by ekerazha on November 14, 2005 02:50:06

If I start Snort from console, it works.

If I install Snort as service ( snort /SERVICE /INSTALL -l C:\Snort\log -c C:\Snort\etc\snort.conf -E ), it works if I manually start the service from the "administration tools", but it *doesn't* work if I set it to start "Automatically" (it hangs a few seconds at boot time and finally doesn't start) or if I try to start it with "net start snortsvc" the first time I give this command (if I try again, then it works).

I have Snort 2.4.1 on Windows XP SP2 with WinPCap 3.1.

Thank you very much.

Posted by Gatsby on November 15, 2005 07:28:36

I'm having same problem. Has anyone made any progress on figuring this out?

Posted by Gatsby on November 15, 2005 07:32:49

Sorry about the double-post. Here's some additional info.:
Also, cannot find any error indications other the following message in the snortlog.txt file:

Errorbuf:
AdaptersName:\Device\NPF_GenericDialupAdapter
\Device\NPF_{1354AA1D-07CF-4002-87A9-B... {I clipped the end of this}

Machine doesn't have a DialupAdapter; second device listed is the NIC, and the initialization string is set to " -i2 ", which snort seems to use except for generating this error message and unloading after it tries to start automatically as a service during system boot.

Posted by TechProj on November 15, 2005 17:31:05

I need a copy of snort that work with Windows

Posted by ekerazha on November 17, 2005 03:18:37

Same problem with Snort 2.4.3

Posted by JoePope on November 21, 2005 08:53:19

Try WinPCap 3.0 instead of 3.1.
I had the same problem and this fixed it.
Don't forget to run "snort -W" for your interface numbers, the dial-up adapter (ghost) will disappear and your interface numbers will change.
Just modify the interface number for the service in your registry!

Posted by puma on July 31, 2006 21:07:27

how to congigure interfacename on snort.conf
I configure my snort config interface :$(\Device\NPF_{3BA85FA4-AB07-49AF-9251-22BF191499E4_192.168.1.69}
but is not run
with command snort -vde
thanks alot

Posted by bobrmr on August 03, 2006 16:22:29

The first time I installed Snort on the windows platform, I used the following guide from winsnort.com.

http://www.winsnort.com/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=2&page=1

This was on a Server 2003 using MySQL and IIS. They have guides for other installs as well. This included setting up Snort to run as a service and worked without a hitch.

Posted by myrmex on October 27, 2006 04:42:34

i have the same problem. snort d'ont start at startup. i installed it as a service. at startup i see it about 30 seconds in the task manager an then it dissapeard. so, i can't start it manually, if i type "net start snort" or "net start snortsvc" (of course without " ) the following error appears:


The Snort service is starting.
The Snort service could not be started.

A system error has occurred.

System error 1067 has occurred.

The process terminated unexpectedly.

i read a lot of stuff in this forum but i cant find a solution :(
if anyone have an idea please write it down.

my system:
win xp with sp2 & all patches
i followed this guide:
http://winsnort.com/modules.php?op=modload&name=Sections&file=index&req=listarticles&secid=9

that mean i have apache & mysql.


Posted by myrmex on October 27, 2006 06:26:15

so i tested and changed some things, but it didn't help. i try diffrent types of winpcap ; 3.0 ; 3.1 & 4.0 Beta2. now i have wincap 3.1 .
i edited and tested the config, i reinstalled snort a few times with diffrent settings.

at the moment, there are the default settings. snort allone works finde, the apache server too and the mysql database also. but this ******* service won't work.

on monday i'ill test snort with mssql & iis , maybe that will work.

anyway, have a nice weekend

Posted by myrmex on October 30, 2006 00:31:28

now it works fine.
winpcap makes problem.

quote from winsnort.com
===========================================

There has been some discussion on this and it seems there is some sort of conflict between the way WinPcap 3.1 is implemented and the way Snorts 'Run as Service' is implemented.

Snort using WinPcap 3.1 will fail to initialize on boot up, however running Snort from a command window does work.

In order to patch the problem the Registry will need to be edited. Be very careful and always make a backup before proceeding.

This was posted in the Snort User Group as a work around:

1. Open the registry with regedit.exe

2. go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and locate the SnortSvc service

3. right click on the SnortSvc key name, and choose New->Multi-string value

4. name the new key "DependOnService" (be careful to the spelling and the capital letters).

5. double click on the newly created key, and add the following names (one per line):
NM
NPF
Be careful *not* to put any space before/after each name

site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.