I finally upgraded my test sensor from Snort 2.6.1.5 to Snort 2.8.0. David Bianco mentioned some of the new features in his blog a couple of months ago, so I won't get into the differences. I am mainly documenting the things I had to do for the upgrade so I have a reference if needed at a future date.
The first thing I did was look through the documentation in the "docs" directory, reading some of the README files for the preprocessors. The README.variables file was of particular interest since Snort 2.8 allows port lists. I also looked at the snort.conf file in the "etc" directory of the source tree to see how it differed from my current configuration file.
Next, I made a copy of my snort.conf from 2.6.1.5 and edited it for the changes in 2.8.0. I changed the HTTP_PORTS variable to list a few other ports besides 80, including 8080 and 8000. The portvar variable was used in the examples of multiple HTTP_PORTS.
portvar HTTP_PORTS [80,8000,8080,8888]
Although I only run HTTP on port 80, the Snort web-client ruleset and a number of Bleeding rules use the $HTTP_PORTS variable to detect attacks against web clients like Internet Explorer, Mozilla Firefox, media players, and more. After that simple change, I configured and installed Snort../configure --enable-dynamicplugin --enable-inline --enable-perfprofilingAfter installing, I tried to start Snort. The first problem I encountered was with my stream5 configuration. I had previously been using the stream4 and the flow preprocessors, but when changing the configuration to use stream5 I had not removed the flow preprocessor configuration. Stream5 handles everything that used to be handled by the combination of flow and stream4, so I removed the flow configuration. I also had to add the stream5_udp and stream5_icmp options.
make
make install
A check of the configure help will also show that --enable-dynamicplugin is the default with 2.8.0, so it should not actually be needed in the configuration command.
After fixing stream5, I tried again and had one more problem. I was getting the following errors:
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(206) unknown dynamic preprocessor "ftp_telnet"This was pretty easy to fix. I just needed the proper path to the dynamic preprocessors.
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(210) unknown dynamic preprocessor "ftp_telnet_protocol"
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(221) unknown dynamic preprocessor "ftp_telnet_protocol"
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(226) unknown dynamic preprocessor "ftp_telnet_protocol"
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(238) unknown dynamic preprocessor "smtp"
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(307) unknown dynamic preprocessor "dcerpc"
Oct 23 19:18:52 sensor snort[3117]: /etc/snort/snort.conf(313) unknown dynamic preprocessor "dns"
Oct 23 19:18:52 sensor snort[3117]: FATAL ERROR: Misconfigured dynamic preprocessor(s)
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/After I fixed the snort.conf, the next try to start Snort 2.8.0 was successful. Now that I have it installed and running with very similar settings to 2.6.1.5, it's time to dig deeper into the differences and possibly test other configuration changes.
Could you describe this in more details so we can do the same for Ipcop 1.4.21 boxes ?
ReplyDeleteThanks,
https://forums.snort.org/posts?q=ipcop
Hello. I was also interested in how you made the conversion so I can do the same thing? Do you have it posted somewhere or know how we can locate more detailed instructions? Thank you.
ReplyDeleteDub Lubin and John,
ReplyDeleteI have a few newer posts on upgrading that are probably worth reading. There were a lot of changes Snort users need to know about from version 2.8.0 to 2.8.1 and 2.8.4.
Snort 2.8.1 changes and upgrading
Snort 2.8.4 has a new DCE/RPC preprocessor
Upgrading to Snort 2.8.4
The snort-users archives and mailing list, and #snort on Freenode IRC are good places for help.
Whatever you're doing with Snort, you definitely want to update to the latest version. Using old versions is a bad idea because they can have bugs, don't incorporate all the new features, and often don't have support for all the latest rules.