Snort upgrade from 2.8.6.1-1 to 2.9.0.1 on Snorby SPSA

11 November 2010

This post is about how to upgrade the snort package installed on the Snorby SPSA version 1.5. The following instructions will help you to upgrade from snort 2.8.6.1-1 to snort 2.9.0.1.

NOTE: I’d advise trying this in a virtual test environment before doing any update on a production server.

To perform the upgrade, download the archive that contains the README file, the pre-compiled .deb package, and a script (update.sh) that automates the whole process. During the upgrade the /etc/snort folder is moved to /etc/snort.2.8.6.1-1 in order to keep the old settings; /etc/snort will then contain the new configuration files for version 2.9.0.1. Some variables and files might need to be edited again, such as var HOME_NET in snort.conf.

wget http://bailey.st/spsa/upgrade.2.9.0.1.tar.gz
tar xvfz upgrade.2.9.0.1.tar.gz
cd upgrade.2.9.0.1

Please check the README file.

./update.sh

Some changes are also needed in /etc/oinkmaster.conf in order to download the new rules. Please edit that configuration file to include these two new parameters.

url = http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
url = http://www.snort.org/pub-bin/oinkmaster.cgi/OINKCODE/snortrules-snapshot-2901.tar.gz

What is new in Snort 2.9.0.1

2010-11-01 – Snort 2.9.0.1

[*] Improvements
* Fixed maximum flowbits configuration parsing to specify the number
of bits in accordance with the Snort manual, rather than number of
bytes. If you have ‘config flowbits_size’ in your snort.conf,
double check that it has the correct setting.

* Fixed a packet size issue with the IPQ and NFQ DAQs.

* Updated the version of LibPCRE bundled with the Windows installer.
This update fixes a bug that caused some PCRE matches to fail on Windows.
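
The two post-upgrade checks mentioned above (re-editing variables such as HOME_NET once /etc/snort has been moved aside, and double-checking 'config flowbits_size') can be scripted. The following is an added example, not part of the original post or of the upgrade archive; the function names and the sample configs are constructed for illustration, and it goes slightly beyond HOME_NET by comparing every var, ipvar and portvar line.

```shell
#!/bin/sh
# Added example, not part of the upgrade archive: after update.sh has run,
# report site settings that still need carrying over to the new snort.conf.

# changed_vars OLD NEW: var/ipvar/portvar names whose value differs.
changed_vars() {
    awk '
        $1 == "var" || $1 == "ipvar" || $1 == "portvar" {
            name = $2; $1 = ""; $2 = ""; sub(/^ +/, "")
            if (FILENAME == ARGV[1]) { old[name] = $0 }
            else if (name in old && old[name] != $0)
                printf "%s: old=%s new=%s\n", name, old[name], $0
        }' "$1" "$2"
}

# flowbits_setting CONF: value of "config flowbits_size", empty if unset.
flowbits_setting() {
    awk '/^[ \t]*config[ \t]+flowbits_size[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, ""); print }' "$1"
}

# Constructed sample configs so the script runs offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/old.conf" <<'EOF'
# constructed: site-tuned config kept in /etc/snort.2.8.6.1-1
var HOME_NET [10.0.0.0/8,192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
config flowbits_size: 64
EOF
    cat > "$dir/new.conf" <<'EOF'
# constructed: stand-in for the new /etc/snort/snort.conf
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
EOF
    echo "$dir"
}

# On the appliance, pass the old and new snort.conf paths as arguments.
OLD=${1:-}; NEW=${2:-}
if [ -z "$OLD" ]; then d=$(make_samples); OLD=$d/old.conf; NEW=$d/new.conf; fi
echo "Variables whose value differs from the old config:"
changed_vars "$OLD" "$NEW"
fb=$(flowbits_setting "$OLD")
if [ -n "$fb" ]; then
    echo "Old config sets flowbits_size=$fb; 2.9.0.1 reads it as a number of bits."
fi
```

On the upgraded system the two arguments would be /etc/snort.2.8.6.1-1/snort.conf and /etc/snort/snort.conf.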

2 Comments on "Snort upgrade from 2.8.6.1-1 to 2.9.0.1 on Snorby SPSA"

  1. pbailey
    parag patil
    27/01/2011 at 12:01 pm Permalink

    Thanks. Great work. Hats off…
