Tuesday, September 3, 2013

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 packages now available!

The following software was recently released:

PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/

Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html

Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/

I've packaged these new releases and the new packages have been tested by David Zawdie.  Thanks, David!

UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata
You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:

sudo rule-update

Notes
One change that I've made to our normal Snort config is the PF_RING clustermode.  Previously, Snort would default to clustermode=2, meaning that PF_RING hashed each stream to a particular Snort instance based solely on src and dst IP.  So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests.  Each and every "curl testmyids.com" would be sent to the SAME Snort instance, since the src and dst IP never change.  With the new clustermode=4, the Snort instance is selected based on src/dst IP *and* src/dst port.  Each new "curl testmyids.com" opens a new TCP connection from a fresh ephemeral source port, so its hash differs and it will go to a different Snort instance in the PF_RING cluster.  This results in more effective load balancing.
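To make the difference concrete, here is a small model of the two cluster modes described above. It is an added example, not code from Security Onion or PF_RING: SHA-256 stands in for PF_RING's kernel hash, and the IP addresses and ports are constructed sample values.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def flow_key(flow, clustermode):
    """Fields fed into the hash under each clustermode, as the post describes."""
    if clustermode == 2:   # src/dst IP only
        return (flow.src_ip, flow.dst_ip)
    if clustermode == 4:   # src/dst IP and src/dst port
        return (flow.src_ip, flow.dst_ip, flow.src_port, flow.dst_port)
    raise ValueError("unsupported clustermode %r" % clustermode)


def pick_instance(flow, clustermode, n_instances):
    """Map a flow to a Snort instance number 0..n_instances-1.

    SHA-256 is a stand-in for PF_RING's kernel hash (assumption); only the
    choice of hashed fields matters for the load-balancing behaviour shown."""
    key = "|".join(str(f) for f in flow_key(flow, clustermode)).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_instances


def distribute(flows, clustermode, n_instances):
    """Return {instance: number of flows it received}."""
    counts = {i: 0 for i in range(n_instances)}
    for flow in flows:
        counts[pick_instance(flow, clustermode, n_instances)] += 1
    return counts


def curl_sessions(n, first_port=40000):
    """Constructed sample: n repeated 'curl testmyids.com' runs from one host.
    Each run is a new TCP connection, so the source port changes; the IPs do not."""
    return [Flow("192.0.2.10", "198.51.100.20", first_port + i, 80) for i in range(n)]


if __name__ == "__main__":
    flows = curl_sessions(20)
    print("clustermode=2:", distribute(flows, 2, 4))   # all 20 land on one instance
    print("clustermode=4:", distribute(flows, 4, 4))   # spread across the instances
```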

Screenshots
[Screenshot: "sudo soup" upgrade process]

[Screenshot: PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5]

[Screenshot: Updating ruleset and restarting Snort/Suricata using "sudo rule-update"]

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!
