[Snort-users] Upgrading from Snort v2.3.2

Joel Esler eslerj at ...11827...
Tue Dec 9 08:37:56 EST 2008


On Dec 9, 2008, at 3:49 AM, Zultan allegedly wrote:

>> Hello
>>
>> I'm back managing six Snort sensors after a couple of years away and
>> during that time, no upgrades were done :(
>>
>> I'm wondering if I can upgrade directly from v2.3.2 to v2.8.3 or if
>> there are any gotchas.
>>
>> I looked in the documentation, FAQs and this mailing list's archives but
>> didn't see anything much on upgrading.
>>
>> Any information gratefully received.
>>
>> Ian
>>
> --------------------------
>
> Ian,
>
> I went from 2.4.5 to 2.8.3 this past summer.
>
> You might as well upgrade pcre and libpcap before you move to 2.8+
>
> 2.8.3 is much faster running, and has a new ruleset and lots more  
> config options in the snort.conf file.  And it has dynamic  
> preprocessor and plugin rules that if used, must be built  
> separately.  Richard Bejtlich wrote a long How To on them.
> http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
>
> You also lose the original portscan preprocessor and the granular  
> output it provided.  But the new portscan preprocessor does a better  
> job of catching the slow scanners.  2.8.3 will not run with the  
> original portscan preprocessor configured in snort.conf.  Other  
> stuff in snort.conf should be changed as well.
>
> So you probably should build a test configuration first.
>
> Be sure to read the files in the docs directory.


I'd also suggest you go ahead and go right to the current Snort,  
2.8.3.1.  Please try and stay current, especially through 2.8.4, as it  
will have some big features that you WILL NEED.

Joel
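
The portscan point in the quoted reply can be checked before building a test configuration. The following is an added example, not part of the original thread: it assumes the original preprocessor is configured through `preprocessor portscan:` and `preprocessor portscan-ignorehosts:` lines, and the sample snort.conf it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example: list active legacy portscan directives in a snort.conf
# so they can be replaced before moving to 2.8.x.
# Assumption: the original preprocessor uses the directive names
# "portscan" and "portscan-ignorehosts"; sfportscan lines are left alone.

find_legacy_portscan() {
    # $1 = path to snort.conf; prints "lineno:text" per active legacy directive
    awk '
        /^[ \t]*#/ { next }   # ignore commented-out lines
        /^[ \t]*preprocessor[ \t]+portscan(-ignorehosts)?[ \t]*:/ {
            printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

count_legacy_portscan() {
    # $1 = path to snort.conf; prints the number of active legacy directives
    find_legacy_portscan "$1" | wc -l | tr -d ' '
}

write_sample_conf() {
    # $1 = output path; constructed sample, not a real sensor configuration
    cat > "$1" <<'EOF'
var HOME_NET 192.0.2.0/24
preprocessor flow: stats_interval 0 hash 2
# preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 192.0.2.53
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }
EOF
}

# When given a file argument, report the lines that need attention.
if [ -n "${1:-}" ]; then
    find_legacy_portscan "$1"
fi
```

Run it against a copy of each sensor's snort.conf; it covers only the portscan directives, not the other snort.conf changes mentioned in the quoted reply.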





