PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/
Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html
Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/
I've packaged these new releases and the new packages have been tested by David Zawdie. Thanks, David!
UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion
Upgrading
The new packages are now available in our stable repo. Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
These updates will do the following:
- stop all NSM sensor processes
- terminate any remaining processes using PF_RING
- remove the existing PF_RING module
- build the new PF_RING module
- start all NSM sensor processes
- back up each of your existing snort.conf files to snort.conf.bak
- update Snort
- back up each of your existing suricata.yaml files to suricata.yaml.bak
- update Suricata
You'll then need to do the following:
- apply your local customizations to the new snort.conf or suricata.yaml files
- update ruleset and restart Snort/Suricata as follows:
sudo rule-updateNotes
One change that I've made to our normal Snort config is the PF_RING clustermode. Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP. So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests. Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port. So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster. This results in more effective load balancing.
Screenshots
"sudo soup" upgrade process |
PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 |
Updating ruleset and restarting Snort/Suricata using "sudo rule-update" |
Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list and IRC channel. Thanks!
No comments:
Post a Comment