[Snort-users] Upgrading from Snort v2.3.2

Zultan zultan at ...13388...
Tue Dec 9 03:49:31 EST 2008


> ----- Original Message -----
> From: "Ian Masters" <ian at ...12163...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Upgrading from Snort v2.3.2
> Date: Tue, 09 Dec 2008 10:54:41 +0900
> 
> 
> Hello
> 
> I'm back managing six Snort sensors after a couple of years away and
> during that time, no upgrades were done :(
> 
> I'm wondering if I can upgrade directly from v2.3.2 to v2.8.3 or if
> there are any gotchas.
> 
> I looked in the documentation, FAQs and this mailing list's archives but
> didn't see anything much on upgrading.
> 
> Any information gratefully received.
> 
> Ian
>
--------------------------

Ian,

I went from 2.4.5 to 2.8.3 this past summer.

You might as well upgrade pcre and libpcap before you move to 2.8+

2.8.3 is much faster running, and has a new ruleset and lots more config options in the snort.conf file.  And it has dynamic preprocessor and plugin rules that, if used, must be built separately.  Richard Bejtlich wrote a long How To on them.
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html

You also lose the original portscan preprocessor and the granular output it provided.  But the new portscan preprocessor does a better job of catching the slow scanners.  2.8.3 will not run with the original portscan preprocessor configured in snort.conf.  Other stuff in snort.conf should be changed as well.

So you probably should build a test configuration first.

Be sure to read the files in the docs directory.

Regards,

Z
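
Added example, not part of the original post: a pre-upgrade check that scans a snort.conf for active directives of the original portscan preprocessor, the setting the reply says 2.8.3 will not run with. The directive names `portscan`, `portscan-ignorehosts` and `sfportscan` and the sample configuration are assumptions, not taken from the thread.

```python
import re

# Assumed directive names of the original portscan preprocessor.
LEGACY = {"portscan", "portscan-ignorehosts"}
PREPROC = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_-]+)\s*(?::\s*(.*))?$")

def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def audit(text):
    """Return (legacy findings, whether sfportscan is configured)."""
    findings, has_sfportscan = [], False
    for no, line in logical_lines(text):
        m = PREPROC.match(line)  # commented-out lines start with '#': no match
        name = m.group(1).lower() if m else ""
        if name in LEGACY:
            findings.append((no, name, (m.group(2) or "").strip()))
        elif name == "sfportscan":
            has_sfportscan = True
    return findings, has_sfportscan

# Constructed sample snort.conf fragment, not taken from a real sensor.
SAMPLE = """\
# preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 192.0.2.53/32
preprocessor sfportscan: proto { all } \\
    scan_type { all } \\
    sense_level { low }
"""

if __name__ == "__main__":
    legacy, has_new = audit(SAMPLE)
    for no, name, args in legacy:
        print(f"line {no}: remove legacy '{name}: {args}'")
    print("sfportscan configured:", has_new)
```

Run it against each sensor's snort.conf while building the test configuration, then validate the result with `snort -T -c <path to snort.conf>` before switching the sensor over.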
