[Snort-users] Upgrading from Snort v2.3.2 to 2.8.3.1

Ian Masters ian at ...12163...
Tue Dec 9 20:01:29 EST 2008


Zultan

Thanks for the reply and the useful information.

> You might as well upgrade pcre and libpcap before you move to 2.8+

As you say, pcre *has* to be upgraded or snort v2.8.3.1 will not install.
Libpcap seemed not to be a problem.

> So you probably should build a test configuration first.

A test configuration turned out to be a very good idea. In moving from
v2.3.2 to 2.8.3.1 quite a few things have changed. Since the
installations I have were not updated for the last year and a half, I've
found the following problems so far (for anyone's future reference):

1. As you mentioned, quite a few config options have changed in the
application hence also in snort.conf (dynamic preprocessors "frag2" and
"telnet_decode" have disappeared, the Stream4 preprocessor will be
deprecated in a future release). A v2.3.2 snort.conf is unusable.
I migrated current settings to the new snort.conf.

2. Somewhere along the line SIDs became mandatory for custom rules (even
simple pass rules), hence:
FATAL ERROR: /etc/snort/rules/test.rules(13): Duplicate rule with same
gid (1) and no sid.  To avoid this, make sure all of your rules define
an sid.
I added SIDs to my test.rules.

3. MySQL's DB schema changed to minimum version 107, hence the following
error:
FATAL ERROR: database: The underlying database seems to be running an
older version of the DB schema (current version=106, required minimum
version= 107).
Back to the list archives to try and sort that out: I have information
in the current DB that I want to retain.

That's as far as I've got so far.

> Be sure to read the files in the docs directory.

Thanks, I will.

Ta very much.

Ian
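
A pre-flight check for the SID problem in point 2, as an added example that is not part of the original post or of Snort itself: it scans a rules file for rules with no sid and for repeated gid/sid pairs before Snort is started. The rule parsing is simplified, and the function names and sample rules are constructed for illustration.

```python
import re

# Rule actions that can start a Snort 2.x rule line.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option values (msg, content, ...)
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def logical_rules(text):
    """Yield (first_line_number, rule_text), joining backslash-continued lines."""
    buf, start = "", None
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        start = start or n
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        words = buf.split()
        if words and words[0] in ACTIONS:   # skips comments, blanks, config lines
            yield start, buf
        buf, start = "", None

def check_rules(text, name="test.rules"):
    """Return problems found: rules with no sid, and repeated gid/sid pairs."""
    problems, seen = [], {}
    for lineno, rule in logical_rules(text):
        opts = QUOTED.sub('""', rule)       # ignore "sid:" text inside quoted strings
        sid, gid = SID.search(opts), GID.search(opts)
        gid_val = int(gid.group(1)) if gid else 1   # gid is 1 when not given
        if not sid:
            problems.append(f"{name}({lineno}): no sid (gid {gid_val})")
            continue
        key = (gid_val, int(sid.group(1)))
        if key in seen:
            problems.append(f"{name}({lineno}): duplicate gid/sid {key}, first at line {seen[key]}")
        else:
            seen[key] = lineno
    return problems

SAMPLE = '''\
# constructed sample rules, not from the original post
pass ip 192.0.2.10 any -> any any
pass tcp 192.0.2.11 any -> any 22 (msg:"ssh; sid:5;";)
alert tcp any any -> any 80 (msg:"test"; content:"GET"; \\
    sid:1000001; rev:1;)
alert tcp any any -> any 8080 (msg:"test2"; sid:1000001; rev:1;)
'''

if __name__ == "__main__":
    print("\n".join(check_rules(SAMPLE)))
```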







