Some folks have reported a few issues since updating to these new packages, so we're releasing a new version of rule-update that should address them.
The first issue is that rule-update takes longer now. Per the barnyard2 developers, all entries in the sig_reference table must be deleted when upgrading to this new version of barnyard2; rule-update then uses barnyard2 to re-populate the table. Depending on the size of your Snorby database, this can take a while. The new version of rule-update (released today) performs the full delete of the sig_reference table only once, so subsequent runs of rule-update should be much faster.
The second issue is that users running the Snort engine with the VRT ruleset are seeing barnyard2 fail with errors like "Returned signature_id is not equal to updated signature_id". This is caused by incorrect entries in the database left behind by the previous version of barnyard2. One of the barnyard2 developers wrote a MySQL script to fix those entries; I've packaged it as a shell script called so-snorby-fix-sigs and included it in today's rule-update package. If you're running the Snort engine with the VRT ruleset, please run so-snorby-fix-sigs and follow its directions (including shutting down all barnyard2 instances first).
The updated package version is as follows:
securityonion-rule-update - 20120726-0ubuntu0securityonion20
This new package has been tested by the following (thanks!):
Issue 556: rule-update: add so-snorby-fix-sigs script
Issue 557: rule-update: only delete sig_reference table once
The new package is now available in our stable repo. Please see the following page for full update instructions:
If you have any questions or problems, please use our security-onion mailing list:
Want to learn more about Security Onion? Check out our 2-day training class:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list:
We also need help testing new packages: