Snort mailing list archives

Re: Upgrading from Snort v2.3.2 to 2.8.3.1


From: Ian Masters <ian () acces co jp>
Date: Wed, 10 Dec 2008 10:01:29 +0900

Zultan

Thanks for the reply and the useful information.

> You might as well upgrade pcre and libpcap before you move to 2.8+

As you say pcre *has* to be upgraded or snort v2.8.3.1 will not install.
Libpcap seemed not to be a problem.

> So you probably should build a test configuration first.

A test configuration turned out to be a very good idea. In moving from
v2.3.2 to 2.8.3.1 quite a few things have changed. Since the
installations I have were not updated for the last year and a half, I've
found the following problems so far (for anyone's future reference):

1. As you mentioned, quite a few config options have changed in the
application hence also in snort.conf (dynamic preprocessors "frag2" and
"telnet_decode" have disappeared, the Stream4 preprocessor will be
deprecated in a future release). A v2.3.2 snort.conf is unusable.
I migrated current settings to the new snort.conf.

2. Somewhere along the line SIDs became mandatory for custom rules (even
simple pass rules), hence:
FATAL ERROR: /etc/snort/rules/test.rules(13): Duplicate rule with same
gid (1) and no sid.  To avoid this, make sure all of your rules define
an sid.
I added SIDs to my test.rules.

3. MySQL's DB schema changed to minimum version 107, hence the following
error:
FATAL ERROR: database: The underlying database seems to be running an
older version of the DB schema (current version=106, required minimum
version= 107).
Back to the list archives to try and sort that out: I have information
in the current DB that I want to retain.

That's as far as I've got so far.

> Be sure to read the files in the docs directory.

Thanks, I will.

Ta very much.

Ian
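
Added example, not part of the original message: a pre-flight check for a custom rules file that flags rules with no sid, the condition behind the FATAL ERROR in item 2, and also reports reused gid:sid pairs. The sample rules and the function names are constructed for illustration; the gid default of 1 is taken from the error text above.

```python
import re

# Built-in rule actions; custom "ruletype" declarations are not handled (simplification).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')          # msg/content strings
OPTION = re.compile(r"\b(sid|gid)\s*:\s*(\d+)\s*;")

def logical_lines(text):
    """Yield (first_line_number, rule), joining backslash-continued lines."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def check_rules(text):
    """Return [(line_number, problem)] for rules lacking a sid or reusing a gid:sid."""
    problems, seen = [], {}
    for no, rule in logical_lines(text):
        if not rule or rule.startswith("#") or rule.split()[0] not in ACTIONS:
            continue
        # Blank out quoted strings so "sid:" inside a msg is not taken for the option.
        opts = dict(OPTION.findall(QUOTED.sub('""', rule)))
        if "sid" not in opts:
            problems.append((no, "no sid defined"))
            continue
        key = (int(opts.get("gid", 1)), int(opts["sid"]))  # gid defaults to 1
        if key in seen:
            problems.append((no, "duplicate %d:%d, first at line %d" % (key + (seen[key],))))
        else:
            seen[key] = no
    return problems

# Constructed sample, not the poster's test.rules.
SAMPLE = r'''
# local pass rules
pass tcp 192.168.1.10 any -> any 22 (msg:"backup host ssh";)
pass icmp 192.168.1.0/24 any -> any any (msg:"internal ping"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"text with sid:9; inside"; \
    content:"/admin"; sid:1000002; rev:1;)
alert tcp any any -> any 8080 (msg:"copy-paste"; sid:1000002; rev:1;)
'''

if __name__ == "__main__":
    for no, problem in check_rules(SAMPLE):
        print("line %d: %s" % (no, problem))
```

Running the check against each file under the rules directory before starting the upgraded Snort lists every offending rule at once, rather than one fatal error per start attempt.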




