Tuesday, September 3, 2013

PF_RING 5.6.1, Snort, and Suricata 1.4.5 packages now available!

The following software was recently released:

PF_RING 5.6.1


Suricata 1.4.5

I've packaged these new releases and the new packages have been tested by David Zawdie.  Thanks, David!

UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort until September 6:

The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:

These updates will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata

You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:

sudo rule-update
One change that I've made to our normal Snort config is the PF_RING clustermode.  Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP.  So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests.  Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port.  So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster.  This results in more effective load balancing.

"sudo soup" upgrade process

PF_RING 5.6.1, Snort, and Suricata 1.4.5

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

If you have any questions or problems, please use our mailing list:

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

No comments:

Search This Blog

Featured Post

Sneak Peek: New Detections Feature coming in Security Onion 2.4.70!

Our latest video is a sneak peek at a NEW feature coming to our FREE and OPEN Security Onion platform in the upcoming 2.4.70 release! This n...

Popular Posts

Blog Archive