Snort mailing list archives

Re: Upgrading from Snort v2.3.2


From: Joel Esler <eslerj () gmail com>
Date: Tue, 9 Dec 2008 08:37:56 -0500

On Dec 9, 2008, at 3:49 AM, Zultan allegedly wrote:

Hello

I'm back managing six Snort sensors after a couple of years away and
during that time, no upgrades were done :(

I'm wondering if I can upgrade directly from v2.3.2 to v2.8.3 or if
there are any gotchas.

I looked in the documentation, FAQs and this mailing list's archives but
didn't see anything much on upgrading.

Any information gratefully received.

Ian

--------------------------

Ian,

I went from 2.4.5 to 2.8.3 this past summer.

You might as well upgrade pcre and libpcap before you move to 2.8+.

2.8.3 is much faster running, and has a new ruleset and lots more  
config options in the snort.conf file.  And it has dynamic  
preprocessor and plugin rules that if used, must be built  
separately.  Richard Bejtlich wrote a long How To on them.
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html

You also lose the original portscan preprocessor and the granular  
output it provided.  But the new portscan preprocessor does a better  
job of catching the slow scanners.  2.8.3 will not run with the  
original portscan preprocessor configured in snort.conf.  Other  
stuff in snort.conf should be changed as well.

So you probably should build a test configuration first.

Be sure to read the files in the docs directory.


I'd also suggest you go ahead and go right to the current Snort,  
2.8.3.1.  Please try and stay current, especially through 2.8.4, as it  
will have some big features that you WILL NEED.

Joel
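
Added example, not part of the original message or of the Snort project: a pre-upgrade lint that flags active original-portscan directives in a snort.conf, since the thread says 2.8.3 will not run with them configured. The function names and the sample configuration are constructed for illustration; `sfportscan` is assumed to be the "new portscan preprocessor" the message refers to.

```shell
#!/bin/sh
# Pre-upgrade lint for snort.conf (added example, hypothetical helper names).

# Print "file:line: text" for every active original-portscan directive.
# The pattern is anchored at line start, so commented-out lines are ignored,
# and it does not match sfportscan. Returns 1 if any directive is found.
find_legacy_portscan() {
    awk '
        /^[ \t]*preprocessor[ \t]+portscan(-ignorehosts)?[ \t]*:/ {
            printf "%s:%d: %s\n", FILENAME, NR, $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Succeeds if the replacement preprocessor is already configured.
has_sfportscan() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+sfportscan' "$1"
}

# Lint one file: nonzero if it would block startup per the thread above.
check_conf() {
    status=0
    if ! find_legacy_portscan "$1"; then
        echo "$1: original portscan preprocessor still configured" >&2
        status=1
    fi
    has_sfportscan "$1" || echo "$1: no sfportscan preprocessor configured" >&2
    return "$status"
}

# Constructed sample of an old-style configuration fragment, for trying the lint.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET 10.0.0.0/24
preprocessor flow: stats_interval 0 hash 2
# preprocessor portscan: $HOME_NET 4 3 old.log
preprocessor portscan: $HOME_NET 4 3 portscan.log
  preprocessor portscan-ignorehosts: 10.0.0.53
EOF
}

# Usage: sh lint.sh /etc/snort/snort.conf [more.conf ...]
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do check_conf "$f" || rc=1; done
    exit "$rc"
fi
```

Once the lint is clean, running the new binary in test mode (`snort -T -c <file>`) against the test configuration checks the rest of the file.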


