[Winpcap-bugs] Automatic Start of Snort Service Fails (using WinPCap 3.1)
Gianluca Varenni
gianluca.varenni at cacetech.com
Sun Dec 4 18:23:44 GMT 2005
Hi Hugh.

We are aware of the issue, and it's caused by a service dependency problem
between WinPcap and Microsoft NetMon COM component (that we use to capture
from dialup adapters).

A workaround to the problem is to explicitly make the Snort service depend
on the NetMon one in the service. The procedure requires manually patching
the Windows Registry (i.e. do it at your own risk):

1. Open the registry with regedit.exe
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and locate the
   Snort service (it should probably be named "Snort" something)
3. Right click on the snort key name, and choose New->Multi-string value
4. Name the new key "DependOnService" (be careful with the spelling and the
   capital letters).
5. Double click on the newly created key, and add the following names (one
   per line):

   NM
   NPF

Be careful *not* to put any space before/after each name.

Hope it helps
GV

----- Original Message -----
From: "Hugh Rowley" <hughr at ofcu.org>
To: <winpcap-bugs at winpcap.org>
Sent: Monday, November 28, 2005 10:52 AM
Subject: [Winpcap-bugs] Automatic Start of Snort Service Fails (using WinPCap 3.1)

Hello,

While building a new IDS sensor, I had trouble with the Snort Service always
failing to start automatically following a reboot. The service would run
fine from the command line, without errors or events. After a couple of
days troubleshooting, I tried replacing WinPCap version 3.1 with the 3.0
version, and the problem went away. The problem was repeatable on the same
hardware with either Windows 2000 PRO, or Windows XP PRO installed. The
machine is a Dell Dimension 4100 with an integrated Intel NIC (all Service
Packs, Patches, and latest BIOS and drivers applied).

I noticed that with WinPCap 3.0, only one device is detected when I run
"snort -W" to show available capture devices. When WinPCap 3.1 was
installed, two devices were detected, one was the actual NIC (device 2), and
the other was a "Generic Dial-up Adapter" (device 1), though there is no
modem installed. Cannot be sure whether this is a WinPCap issue, a snort
issue, or a hardware specific issue. I just know that the older version of
WinPCap works as expected in this situation, and the new version does not.

If you know whether or not this is a hardware specific problem, that would
be very helpful, or if you know of a patch or method that would enable this
machine to run using the latest WinPCap version, that would be great too.
If there is no simple fix for this problem, then is there any reason not to
continue using the 3.0 version of WinPCap, at least for the foreseeable
future?

Thanks,
Hugh R.
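
The registry workaround from the reply above, scripted in PowerShell as an added example (not part of the original thread and not WinPcap or Snort project code). It assumes an elevated prompt and exactly one service key whose name starts with "Snort"; the backup file name is chosen here for illustration.

```powershell
# Added example: set DependOnService on the Snort service (steps 1-5 above).
# Run elevated; the dependency is exercised at the next reboot.
$required = @('NM', 'NPF')   # service names given in the reply
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Step 2: locate the Snort service key ("Snort" something).
$snort = @(Get-ChildItem $svcRoot | Where-Object { $_.PSChildName -like 'Snort*' })
if ($snort.Count -ne 1) {
    throw "Expected exactly one Snort* service key, found $($snort.Count)"
}
$name = $snort[0].PSChildName
$key  = Join-Path $svcRoot $name

# A dependency on a service that is not installed stops the dependent
# service from starting at all, so check before writing anything.
foreach ($dep in $required) {
    if (-not (Test-Path (Join-Path $svcRoot $dep))) {
        throw "Service '$dep' is not installed; leaving $name unchanged"
    }
}

# Export the key first so the edit can be rolled back (file name is illustrative).
$backup = Join-Path $env:TEMP "$name-service-backup.reg"
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$name" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; nothing was changed" }

# Steps 3-5: keep any dependencies already present, strip stray whitespace
# (the reply warns about spaces), and append NM and NPF if missing.
$existing = (Get-ItemProperty -Path $key -Name DependOnService `
             -ErrorAction SilentlyContinue).DependOnService
$deps = @($existing | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
foreach ($dep in $required) {
    if ($deps -notcontains $dep) { $deps += $dep }   # case-insensitive match
}

# Write the value as REG_MULTI_SZ, one name per entry.
Set-ItemProperty -Path $key -Name DependOnService -Type MultiString -Value $deps

# Read the value back and show what the Service Control Manager will see.
$written = (Get-ItemProperty -Path $key -Name DependOnService).DependOnService
"{0}: DependOnService = {1}" -f $name, ($written -join ', ')
"Backup saved to $backup"
```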