Snort mailing list archives
Rough Draft: Upgrading Snort
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 15 May 2002 16:43:22 -0700 (PDT)
[ Note: This is a rough draft. Comments, fixes, suggestions, etc. are all welcome. ]

I've seen a lot of folks have trouble when upgrading from one version of snort to another. I've run into my own set of issues so I understand that it can be a bit frustrating to upgrade and then find yourself in a broken state. Here's my method of dealing with the upgrade that's worked well for me.

1) Roll your own. IOW, build it yourself. Once you've built it, then convert it to a .pkg, .deb, .rpm or whatever.

2) Untar the tarball for the new version. It will untar into another directory than your last one.

3) Copy your current copy of the working snort binary to something like snort.1.8.6 or snort.1.8.7.b2 so that you know what version it is.

4) In the previous version of snort's compile directory there should be a file called config.status. Look at the top few lines and it will tell you which options you specified on the ./configure line. Note what those are, we're going to use them on the new version. Go ahead and fire off ./configure <options> in the new directory. Once it's finished with configuration, start the make process. If all goes well, you'll have a new snort binary in the current dir and the old one still installed. Check that the output of './snort -V' and 'snort -V' are different.

5) You can assume rules will be different/updated/changed. There have been many discussions on how to update rules, so I'll leave that alone. (Oinkmaster is rather useful for this!)

6) You can also assume that the snort.conf file will have changed. Find out. In the new version directory run a 'diff ../<old_version>/snort.conf ./snort.conf'. This should compare the basic and unmodified snort.confs from the distros. This will show you what has changed between the two versions. Many times, a tiny change here makes a world of difference, so check each change out carefully.

7) Now find out your changes to the snort.conf file. If your snort.conf is located in /etc/ then do a 'diff /etc/snort.conf ../<old_version>/snort.conf'. This will show you what you have changed from the 'blank distro' to the configured version. SAVE THIS OUTPUT! You will need it.

8) Copy your current snort.conf to snort.conf.<version>. Copy the new snort.conf from the tarball to snort.conf.<new_version>. Edit snort.conf.<new_version> to reflect any changes that you had made to the older version--such as HOME_NET, output processors, plugins, etc.

9) Once all that's done, test your config with:

    ./snort -c <new_version> -T

This should alert you to any serious errors you have made. If all goes well, install the new version of snort. Kill the old one, make install, copy over all the snort.conf, *.rules, class*, ref*, and sid* to where the older versions were installed (/etc/snort), do a 'make install' and then restart your new version of snort.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
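
Steps 4, 6, 7 and 8 of the message above as shell helpers; this is an added example, not part of the original post. The function names, the sample files built by make_sample and the "# ./configure <options>" header format are assumptions, and unmerged_local_lines goes one step beyond the post by listing local lines from the saved step 7 diff that are not yet in the edited new config.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for steps 4, 6, 7 and 8.

# Step 4: print the configure command recorded in the header of config.status.
# Assumption: the header contains a comment line like "# ./configure <options>".
configure_line() {
    awk '$1 == "#" && $2 ~ /configure$/ { sub(/^#[ \t]*/, ""); print; exit }' "$1"
}

# Steps 6 and 7: save both diffs for later reference.
# $1 = old source dir, $2 = new source dir, $3 = live snort.conf, $4 = output dir
# diff exits 1 when the files differ; only a status above 1 is an error.
save_conf_diffs() {
    mkdir -p "$4" || return 2
    # What changed between the two unmodified distro configs (step 6).
    diff "$1/snort.conf" "$2/snort.conf" > "$4/upstream.diff" || [ $? -eq 1 ] || return 2
    # What was changed locally against the old distro config (step 7).
    diff "$3" "$1/snort.conf" > "$4/local.diff" || [ $? -eq 1 ] || return 2
}

# Step 8 check: print each local line (the "< " side of local.diff) that does
# not appear verbatim in the edited new config. $1 = local.diff, $2 = new config
unmerged_local_lines() {
    sed -n 's/^< //p' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$2" || printf '%s\n' "$line"
    done
}

# Constructed sample tree (not real Snort distribution files) for offline use.
make_sample() {
    mkdir -p "$1/old" "$1/new" "$1/etc"
    printf '%s\n' '#! /bin/sh' '# Generated automatically by configure.' \
        '# This directory was configured as follows,' '#' \
        '# ./configure --with-mysql --enable-flexresp' '#' > "$1/old/config.status"
    printf '%s\n' 'var HOME_NET any' 'output alert_syslog: LOG_AUTH LOG_ALERT' \
        'include scan.rules' > "$1/old/snort.conf"
    printf '%s\n' 'var HOME_NET any' 'var HTTP_PORTS 80' \
        'output alert_syslog: LOG_AUTH LOG_ALERT' 'include scan.rules' > "$1/new/snort.conf"
    printf '%s\n' 'var HOME_NET 192.168.1.0/24' \
        'output database: log, mysql, dbname=snort' \
        'include scan.rules' > "$1/etc/snort.conf"
}
```

A line reported by unmerged_local_lines is a prompt to review that setting by hand, since the new version may spell the same option differently.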