SNORT REPORT

Snort IDS upgrade and tips on the Snort.conf file


Richard Bejtlich
04.30.2007
Since the last edition of Snort Report, Snort IDS has been updated from version 2.6.1 to 2.6.1.2. So I'll begin this edition by addressing the issue of upgrading from one version to the next. Then I'll move on to discuss the contents of the snort.conf configuration file.

In my last Snort Report, I recommended creating a directory specifically for Snort 2.6.1, namely /usr/local/snort-2.6.1. That directory contained the Snort binary, in the bin/ directory. To "upgrade," create a new directory for Snort 2.6.1.2, e.g.:

freebsd61-generic:/root# mkdir /usr/local/snort-2.6.1.2

Now proceed with the steps to retrieve, extract and compile Snort described in the previous article. Be sure to replace instances of "snort-2.6.1" with "snort-2.6.1.2". To run the new version instead of the old, invoke it from the /usr/local/snort-2.6.1.2/bin/ directory.

I recommend creating new directories for extraction and installation every time you encounter a new version of Snort. At the very least, you will have a chance to keep the old version running while creating a new version for testing. Of course, you should deploy a separate testing infrastructure independent of production systems. Keeping several versions of Snort handy on production systems, however, is a good way to roll back to an older version should a newer version seem to encounter difficulties in the field.
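The side-by-side layout above makes rollback a matter of choosing which versioned directory to run from. The following sketch is an added example, not part of the original article: it tracks the active version with a `snort-current` symlink (an assumption; the article invokes the binary by its full versioned path) and rolls back to the next-older installed version. The `demo` function uses constructed stub installs, including a made-up 2.6.1.10, to show why version-aware sorting matters.

```shell
#!/bin/sh
# Added example. PREFIX and the "snort-current" link name are assumptions.
PREFIX="${PREFIX:-/usr/local}"

# Installed versions (snort-<ver>/bin/snort present), oldest first.
# sort -V orders 2.6.1.2 before 2.6.1.10; plain sort would not.
list_versions() {
    for d in "$PREFIX"/snort-[0-9]*; do
        if [ -x "$d/bin/snort" ]; then
            basename "$d" | sed 's/^snort-//'
        fi
    done | sort -V
}

# Version the snort-current link points at (empty if no link yet).
active_version() {
    target=$(readlink "$PREFIX/snort-current") || return 0
    basename "$target" | sed 's/^snort-//'
}

# Point snort-current at an installed version; refuse unknown versions.
activate() {
    [ -x "$PREFIX/snort-$1/bin/snort" ] || { echo "snort-$1 not installed" >&2; return 1; }
    ln -sfn "snort-$1" "$PREFIX/snort-current"
}

# Re-point the link at the newest installed version older than the active one.
rollback() {
    cur=$(active_version)
    prev=$(list_versions | awk -v cur="$cur" '$0 == cur { print last; exit } { last = $0 }')
    [ -n "$prev" ] || { echo "no older version to roll back to" >&2; return 1; }
    activate "$prev"
}

# Constructed demo: three stub installs in a scratch directory.
demo() {
    PREFIX=$(mktemp -d)
    for v in 2.6.1 2.6.1.2 2.6.1.10; do
        mkdir -p "$PREFIX/snort-$v/bin"
        : > "$PREFIX/snort-$v/bin/snort"
        chmod +x "$PREFIX/snort-$v/bin/snort"
    done
    activate 2.6.1.10 && rollback && active_version
}
```

Because `rollback` only re-points the link, the newer version's directory stays on disk for later inspection; a running Snort process still has to be restarted from the new path.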

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


All Rights Reserved, Copyright 2006 - 2009, TechTarget