I've packaged these new releases and the new packages have been tested by David Zawdie. Thanks, David!
UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 184.108.40.206 until September 6:
The new packages are now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
These updates will do the following:
- stop all NSM sensor processes
- terminate any remaining processes using PF_RING
- remove the existing PF_RING module
- build the new PF_RING module
- start all NSM sensor processes
- back up each of your existing snort.conf files to snort.conf.bak
- update Snort
- back up each of your existing suricata.yaml files to suricata.yaml.bak
- update Suricata
You'll then need to do the following:
- apply your local customizations to the new snort.conf or suricata.yaml files (diff them against the .bak copies to see what changed)
- update your ruleset and restart Snort/Suricata with "sudo rule-update"
One change I've made to our standard Snort config is the PF_RING cluster mode. Previously, Snort defaulted to clustermode=2, meaning PF_RING hashed traffic to a particular Snort instance based solely on source and destination IP. Suppose you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests: every one of those requests lands on the SAME Snort instance, since the source and destination IPs never change. With the new clustermode=4, the instance is selected from the 5-tuple (source/destination IP, source/destination port and protocol). Each "curl testmyids.com" uses a fresh ephemeral source port, so successive tests are spread across the instances in the cluster, which results in more effective load balancing. In both modes the hash is direction-independent, so the request and reply halves of a connection still reach the same Snort instance and stream reassembly sees the whole conversation.
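To make the difference between the two cluster modes concrete, here is a small model of the hashing, added for this post and not code from PF_RING or Security Onion. It uses CRC32 as a stand-in for PF_RING's real hash, constructs a batch of "curl" sessions from one client to one server (each from a new ephemeral port, as a real client would), and counts how many sessions each of four hypothetical Snort instances would receive under a 2-tuple key (clustermode=2) and a 5-tuple key (clustermode=4). It also checks the property a stream reassembler depends on: both directions of a flow must hash to the same instance. The IP addresses, ports and instance count are assumptions for the illustration.

```python
"""Model of how PF_RING's cluster modes spread packets across Snort instances.

This is an added illustration, not PF_RING or Security Onion code. It mirrors
the two hash keys the post contrasts:

  clustermode=2 -> key is the 2-tuple (src IP, dst IP)
  clustermode=4 -> key is the 5-tuple (src IP, dst IP, src port, dst port, proto)

Both keys are made direction-independent (the two endpoints are sorted before
hashing), so a reply packet hashes to the same instance as the request it
answers. CRC32 stands in for PF_RING's real hash; all packets are constructed.
"""
import ipaddress
import struct
import zlib
from collections import Counter

TCP = 6


def _ip(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def hash_2_tuple(pkt, n_instances):
    """clustermode=2: choose an instance from the IP pair only."""
    lo, hi = sorted((_ip(pkt["src"]), _ip(pkt["dst"])))
    return zlib.crc32(struct.pack("!II", lo, hi)) % n_instances


def hash_5_tuple(pkt, n_instances):
    """clustermode=4: choose an instance from IPs, ports and protocol."""
    a = (_ip(pkt["src"]), pkt["sport"])
    b = (_ip(pkt["dst"]), pkt["dport"])
    lo, hi = sorted((a, b))
    key = struct.pack("!IHIHB", lo[0], lo[1], hi[0], hi[1], pkt["proto"])
    return zlib.crc32(key) % n_instances


def curl_sessions(count, client="10.0.0.5", server="192.0.2.10"):
    """Constructed sample traffic (assumed addresses): `count` HTTP requests
    from one client to one server, each from a fresh ephemeral source port,
    paired with the server's reply packet."""
    sessions = []
    for i in range(count):
        sport = 40000 + i
        request = {"src": client, "dst": server, "sport": sport, "dport": 80, "proto": TCP}
        reply = {"src": server, "dst": client, "sport": 80, "dport": sport, "proto": TCP}
        sessions.append((request, reply))
    return sessions


def spread(sessions, hash_fn, n_instances):
    """Count how many sessions each Snort instance receives under hash_fn."""
    return Counter(hash_fn(req, n_instances) for req, _ in sessions)


def symmetric(sessions, hash_fn, n_instances):
    """True if every reply lands on the same instance as its request."""
    return all(hash_fn(req, n_instances) == hash_fn(rep, n_instances)
               for req, rep in sessions)


if __name__ == "__main__":
    sessions = curl_sessions(32)
    for name, fn in (("clustermode=2", hash_2_tuple), ("clustermode=4", hash_5_tuple)):
        counts = spread(sessions, fn, 4)
        print(f"{name}: {dict(sorted(counts.items()))} symmetric={symmetric(sessions, fn, 4)}")
```

Running it shows every session pinned to a single instance under the 2-tuple key, while the 5-tuple key spreads the same sessions across the cluster; in both cases the symmetry check passes. The 5-tuple mode is therefore the one to use when a sensor sees many short connections between the same pair of hosts, which is exactly the testmyids.com scenario above.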
Walkthroughs:
- "sudo soup" upgrade process
- PF_RING 5.6.1, Snort 220.127.116.11, and Suricata 1.4.5
- Updating ruleset and restarting Snort/Suricata using "sudo rule-update"
If you have any questions or problems, please use our mailing list:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!