Snort mailing list archives
Re: Snort upgrade from 1.9.1 to 2.0.0
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 28 Apr 2003 10:20:41 -0500 (CDT)
Lloyd_Ardoin () mazzios com wrote:
I tried using the same conf file that I had been using with the 1.9.0 and 1.9.1 version. [ ... It didn't work ... ] so I modified the conf file that came with the 2.0.0 version to reflect the same information as the 1.9.1 conf file.
My experience is that Snort is a very dynamic piece of software, which means that it evolves rapidly. Like natural systems, there are evolutionary dead ends and it isn't always obvious in advance which direction its development will take. That means that when installing a new major revision of Snort, and sometimes even when putting in what appear to be minor updates, it's a good idea to use the new version of the configuration file -- bearing in mind that it will likely have new features in it *and* that some features that were in the older version may have been altered or abandoned.

Some of the configuration data you carried over from 1.9.1 may be obsolete, and this could be at the root of the behavior you observed. This is also true of rulesets, by the way, in which acceptable syntax can change between versions.

When I installed 2.0.0, I started fresh with the new snort.conf and the new ruleset, and it's merrily alerting away. We are creatures of habit, and I know I become accustomed to seeing the alerts that a particular configuration and ruleset generate. I have researched them, and know what they mean with respect to my system. That makes me reluctant to exchange these for a new set which will generate different alerts that will have to be researched anew, but I find that it's the best practice.

By the way, if the version of 1.9.1 you're using isn't patched for the recently-discovered stream4 integer overflow and you don't have that feature turned off, then you've told the world that you're running a vulnerable copy of Snort.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
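One way to act on the advice in the message above (start from the new release's snort.conf and review each old setting before carrying it over), as an added example that is not part of the original message or of the Snort project. Both configuration fragments are constructed, the `example_*` preprocessor names are hypothetical, and the differences shown do not claim to reflect the real changes between 1.9.1 and 2.0.0.

```python
import re

# Constructed fragments for illustration only; not the files shipped with any
# Snort release. The example_* preprocessor names are hypothetical.
OLD_CONF = """\
var HOME_NET 192.168.1.0/24
var RULE_PATH ./rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor example_old_feature: 80
output alert_syslog: LOG_AUTH LOG_ALERT
include $RULE_PATH/local.rules
"""
NEW_CONF = """\
var HOME_NET any
var RULE_PATH ../rules
# preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor example_new_feature
output alert_syslog: LOG_AUTH LOG_ALERT
include $RULE_PATH/local.rules
"""

# Anchored at the keyword, so blank lines and '#' comments never match.
DIRECTIVE = re.compile(
    r"^(var|preprocessor|output|config|include)\s+([^\s:]+)\s*:?\s*(.*)$")

def parse_conf(text):
    """Map (keyword, name) -> normalized arguments for active directives."""
    found = {}
    for raw in text.replace("\\\n", " ").splitlines():  # fold continuations
        m = DIRECTIVE.match(raw.strip())
        if m:
            keyword, name, args = m.groups()
            found[(keyword, name)] = " ".join(args.split())
    return found

def compare(old_text, new_text):
    """Classify directives so each old setting is reviewed, not copied blindly."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    return {
        "missing_in_new": sorted(k for k in old if k not in new),
        "new_only": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }

if __name__ == "__main__":
    for bucket, keys in compare(OLD_CONF, NEW_CONF).items():
        print(bucket, keys)
```

Entries under `missing_in_new` are the ones to check against the new release's documentation before re-adding; entries under `changed` are mostly site values such as `HOME_NET` that need to be set again in the new file.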