[Snort-users] Rough Draft: Upgrading Snort

Erek Adams erek at ...577...
Wed May 15 16:44:03 EDT 2002

[ Note:  This is a rough draft.  Comments, fixes, suggestions, etc. are all
welcome. ]

I've seen a lot of folks have trouble when upgrading from one version of snort
to another.  I've run into my own set of issues so I understand that it can be
a bit frustrating to upgrade and then find yourself in a broken state.  Here's
my method of dealing with the upgrade that's worked well for me.

1)  Roll your own.  IOW, build it yourself.  Once you've built it, then convert
it to a .pkg, .deb, .rpm or whatever.

2)  Untar the tarball for the new version.  It will untar into another
directory than your last one.

3)  Copy your current working snort binary to something like snort.1.8.6 or
snort.1.8.7.b2 so that you know what version it is.

4)  In the previous version of snort's compile directory there should be a
file called config.status.  Look at the top few lines and it will tell you
which options you specified on the ./configure line.  Note what those are;
we're going to use them on the new version.  Go ahead and fire off ./configure
<options> in the new directory.  Once it's finished with configuration, start
the make process.  If all goes well, you'll have a new snort binary in the
current dir and the old one still installed.  Check that the output of
'./snort -V' and 'snort -V' are different.

5)  You can assume rules will be different/updated/changed.  There have been
many discussions on how to update rules, so I'll leave that alone.
(Oinkmaster is rather useful for this!)

6)  You can also assume that the snort.conf file will have changed.  Find out.
In the new version directory run a 'diff ../<old_version>/snort.conf
./snort.conf'.  This compares the basic, unmodified snort.confs from the two
distributions and shows you what has changed between the versions.  Many
times, a tiny change here makes a world of difference, so check each change
out carefully.

7)  Now find out your own changes to the snort.conf file.  If your snort.conf
is located in /etc/ then do a 'diff /etc/snort.conf ../<old_version>/snort.conf'.
This will show you what you have changed from the 'blank distro' to the
configured version.  SAVE THIS OUTPUT!  You will need it.

8)  Copy your current snort.conf to snort.conf.<version>.  Copy the new
snort.conf from the tarball to snort.conf.<new_version>.  Edit
snort.conf.<new_version> to reflect any changes that you had made to the older
version, such as HOME_NET, output processors, plugins, etc.

9)  Once all that's done, test your config with:
./snort -c snort.conf.<new_version> -T
This should alert you to any serious errors you have made.  If all goes well,
install the new version of snort: kill the old one, copy over all the
snort.conf, *.rules, class*, ref*, and sid* files to where the older version
was installed (/etc/snort), do a 'make install' and then restart your new
version of snort.
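The steps above as shell helpers, added here as an example and not part of the original post.  The paths and the stub "snort" binaries are constructed so the script runs offline; the only format assumption is the autoconf comment line in config.status that records the original invocation ("# ./configure --prefix=... --with-..."), which is what step 4 reads.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for upgrade steps
# 3, 4, 6, 7 and 9.  All paths are hypothetical; the config.status layout
# assumed is autoconf's "# ./configure <options>" comment near the top.

# Step 4: recover the ./configure options used for the previous build.
configure_opts_from_status() {
    # Prints what follows "./configure" on the first line that mentions it.
    sed -n '/\.\/configure/{s/^[#$ ]*\.\/configure *//;p;q;}' "$1"
}

# Step 3: keep the working binary under a versioned name, e.g. snort.1.8.6.
backup_binary() {
    # $1 = installed binary, $2 = version label, $3 = destination directory
    cp "$1" "$3/snort.$2" && chmod 755 "$3/snort.$2"
}

# Step 4 check: './snort -V' and 'snort -V' must disagree if the new build
# is really a different version.  Returns 0 when the outputs differ.
versions_differ() {
    # $1 = new binary, $2 = old (installed) binary
    [ "$("$1" -V 2>&1)" != "$("$2" -V 2>&1)" ]
}

# Steps 6 and 7: diff two snort.conf files and save the result.  diff exits
# 1 when the files differ, which is expected; only exit codes above 1 fail.
config_delta() {
    # $1 = reference snort.conf, $2 = snort.conf to compare, $3 = output file
    rc=0
    diff "$1" "$2" > "$3" || rc=$?
    [ "$rc" -le 1 ]
}

# Step 9: dry-run the candidate config with -T before installing anything.
check_config() {
    # $1 = new snort binary, $2 = candidate snort.conf
    "$1" -c "$2" -T >/dev/null 2>&1
}

# Constructed demo tree (not a real Snort install): an old build dir with a
# config.status, two distro snort.conf files, an /etc-style configured
# snort.conf, and stub binaries that only answer -V and "-c <file> -T".
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/old" "$d/new" "$d/etc"
    printf '#! /bin/sh\n# Generated automatically by configure.\n# ./configure --prefix=/usr/local --with-mysql\n' > "$d/old/config.status"
    printf 'var HOME_NET any\npreprocessor frag2\noutput alert_syslog\n' > "$d/old/snort.conf"
    printf 'var HOME_NET any\npreprocessor frag2\npreprocessor stream4: detect_scans\noutput alert_syslog\n' > "$d/new/snort.conf"
    printf 'var HOME_NET 192.168.1.0/24\npreprocessor frag2\noutput database: log, mysql\n' > "$d/etc/snort.conf"
    printf '#!/bin/sh\necho "Version 1.8.6"\n' > "$d/etc/snort"
    printf '#!/bin/sh\ncase "$1" in\n-c) [ -r "$2" ] ;;\n*) echo "Version 1.8.7" ;;\nesac\n' > "$d/new/snort"
    chmod 755 "$d/etc/snort" "$d/new/snort"
    echo "$d"
}

# Walk the steps on the demo tree.
demo() {
    d=$(make_demo_tree)
    echo "old configure options: $(configure_opts_from_status "$d/old/config.status")"
    backup_binary "$d/etc/snort" 1.8.6 "$d/etc"
    versions_differ "$d/new/snort" "$d/etc/snort" && echo "new build is a different version"
    config_delta "$d/old/snort.conf" "$d/new/snort.conf" "$d/distro-changes.diff"  # step 6
    config_delta "$d/old/snort.conf" "$d/etc/snort.conf" "$d/local-changes.diff"   # step 7: SAVE THIS
    echo "local changes to re-apply:"; cat "$d/local-changes.diff"
    check_config "$d/new/snort" "$d/new/snort.conf" && echo "new config passes -T"
    rm -rf "$d"
}

demo
```

The saved local-changes.diff is the artifact step 7 tells you to keep: every `>` line in it is a directive you set by hand and must carry into snort.conf.<new_version>, while distro-changes.diff shows what upstream altered and therefore what to read before trusting the old settings.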

Erek Adams
