Tuesday, September 3, 2013

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5 packages now available!

The following software was recently released:

PF_RING 5.6.1
http://sourceforge.net/projects/ntop/files/PF_RING/

Snort 2.9.5.3
http://blog.snort.org/2013/07/snort-2953-is-now-available.html

Suricata 1.4.5
http://suricata-ids.org/2013/07/26/suricata-1-4-5-released/

I've packaged these new releases and the new packages have been tested by David Zawdie.  Thanks, David!

UPDATE 2013/09/04: Lysemose pointed out on the mailing list that VRT Registered Ruleset users won't get rules for Snort 2.9.5.3 until September 6:
https://groups.google.com/d/topic/security-onion/wd32jmXoy04/discussion

Upgrading
The new packages are now available in our stable repo.  Please see our Upgrade page for full upgrade instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

These updates will do the following:

  • stop all NSM sensor processes
  • terminate any remaining processes using PF_RING
  • remove the existing PF_RING module
  • build the new PF_RING module
  • start all NSM sensor processes
  • back up each of your existing snort.conf files to snort.conf.bak
  • update Snort
  • back up each of your existing suricata.yaml files to suricata.yaml.bak
  • update Suricata


You'll then need to do the following:

  • apply your local customizations to the new snort.conf or suricata.yaml files
  • update ruleset and restart Snort/Suricata as follows:

sudo rule-update
Notes
One change that I've made to our normal Snort config is the PF_RING clustermode.  Previously, snort would default to clustermode=2 meaning that PF_RING would hash each stream to a particular Snort instance based solely on src and dst IP.  So let's say you have multiple Snort instances in a PF_RING cluster and you run a series of "curl testmyids.com" tests.  Each and every "curl testmyids.com" would be sent to the SAME Snort instance since the src and dst IP never change. With the new clustermode=4, the snort instance would be selected based on src/dst IP *and* src/dst port.  So each time you do "curl testmyids.com" it will go to a different Snort instance in the PF_RING cluster.  This results in more effective load balancing.

Screenshots
"sudo soup" upgrade process

PF_RING 5.6.1, Snort 2.9.5.3, and Suricata 1.4.5

Updating ruleset and restarting Snort/Suricata using "sudo rule-update"

Feedback
If you have any questions or problems, please use our mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

We especially need help in answering support questions on the mailing list and IRC channel.  Thanks!

No comments:

Search This Blog

Featured Post

Security Onion Documentation printed book now updated for Security Onion 2.4.60!

We've been offering our Security Onion documentation in book form on Amazon for a few years and it's now been updated for the recent...

Popular Posts

Blog Archive