Snort mailing list archives

Snort upgrade from 1.9.1 to 2.0.0


From: Lloyd_Ardoin () mazzios com
Date: Mon, 28 Apr 2003 09:01:24 -0500

John,

My apologies for not submitting enough information about the upgrade. I 
tried using the same conf file that I had been using with the 1.9.0 and 
1.9.1 version. When I started snort with the -T option I received this:

ERROR:  unknown preprocessor "asn1_decode"
Fatal Error, Quitting..

so I modified the conf file that came with the 2.0.0 version to reflect 
the same information as the 1.9.1 conf file. I again ran snort with the -T 
switch and got a successful load. I started snort and allowed it to run 
for 48 hours with no alerts during that time period. I then went back and 
compared both conf files to make sure my HOME_NET was the same in both and 
I had left EXTERNAL_NET as 'any'. I looked for any other possible 
discrepancies but was unable to find any. I would be happy to provide any 
other information that you might feel would be helpful to allow me to 
upgrade to 2.0.0.

thanks in advance,
LA



On or about Sat, Apr 26, 2003 at 03:37:44PM -0500, 
Lloyd_Ardoin () mazzios com posited:
Just an FYI ....I had submitted a question a couple of days ago about 
upgrading from Snort 1.9.1 to 2.0.0 and wasn't getting any alerts anymore 
on a RedHat 8.0 Dell box. I have gone back to the 1.9.1 version and I am 
seeing the exploit traffic again on my DMZ.

Given that you presented little to no useful background regarding your
new 2.0.0 configuration, it's not surprising that no one was able to
help you.

Should you decide to progress to 2.0.0 at a later date, more detail
beyond "...I upgraded to the 2.0.0 version on April 23rd and I am no
longer getting any alerts..." would be a good starting point toward
your receiving actual help from the list.

Just a thought...


- John
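
An added example, not part of the original thread: one way to compare two snort.conf files directive by directive instead of by eye, so that a dropped preprocessor, a changed argument, or a commented-out rules include stands out. The two config texts are constructed samples, not the poster's files, and the helper names `parse_conf` and `compare` are hypothetical.

```python
import re

# Constructed sample configs (assumptions, not the poster's actual files).
OLD_CONF = """\
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor asn1_decode
include exploit.rules
include web-iis.rules
"""
NEW_CONF = """\
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor frag2
preprocessor stream4
# include $RULE_PATH/exploit.rules
include $RULE_PATH/web-iis.rules
"""

# Matches the directive kinds that decide what Snort loads and where it alerts.
DIRECTIVE = re.compile(r"^(var|preprocessor|include|output)\s+(\S+)\s*(.*)$")

def parse_conf(text):
    """Return {(kind, name): args} for active (uncommented) directives."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, name, args = m.groups()
        name = name.rstrip(":")               # "stream4:" -> "stream4"
        if kind == "include":
            # Compare by file name so a relocated rules directory still matches.
            name = name.rsplit("/", 1)[-1]
        found[(kind, name)] = args.strip()
    return found

def compare(old_text, new_text):
    """Report directives that were dropped, added, or given different arguments."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    return {
        "only_old": sorted(k for k in old if k not in new),
        "only_new": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }

if __name__ == "__main__":
    for section, items in compare(OLD_CONF, NEW_CONF).items():
        print(section, items)
```

A config can pass `snort -T` and still load fewer rule files than before, so the `only_old` list of `include` entries is the first thing to read.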
