Snort 2.9.16.1

[dougburks]

https://blog.snort.org/2020/08/snort-29161-has-been-released.html

[dougburks]

I've packaged Snort 2.9.16.1 and the following package is now available at ppa:securityonion/test:

securityonion-snort - 2.9.16.1-1ubuntu1securityonion1

Please test as follows:

• install the latest ISO image in a VM, but do not run Setup yet

• if possible, create a snapshot of the VM

• run Setup in Evaluation mode (Snort with Emerging Threats ruleset)

• add the test PPA:

  sudo add-apt-repository -y ppa:securityonion/test

• install updates:

  sudo soup

• the Snort package should back up your existing snort.conf, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update

• verify that your snort.conf has been updated and shows:

  VERSIONS : 2.9.16.1

• verify the new Snort version number:

  snort -V

• Update your rules using PulledPork:

  sudo rule-update

• Verify that PulledPork downloaded rules properly

• Create some traffic:

  sudo so-test

• Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana

• Increase Snort instances:

  sudo so-sensor-stop
  #increase IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf
  sudo so-sensor-start
  sudo so-test

• Verify that Snort is generating alerts and load-balancing traffic via PF_RING

• check sostat output for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss)

• reboot and make sure everything still works properly

• Re-run Setup and verify that Snort and PulledPork work properly on new installations

• check log files for errors or anything else out of the ordinary

• verify no regressions

• anything else we missed?

Thanks in advance for your time and effort!

[cm-ops]

Testing results: • Snort package should back up your existing snort.conf, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update o Checks okay – no issues

• Verify that your snort.conf has been updated and shows: VERSIONS: 2.9.16.1 o Checks okay – no issues

• Verify the new Snort version number o Checks okay – no issues

• Update your rules using PulledPork / Verify that PulledPork downloaded rules properly o Checks okay – no issues

• Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana o Sguil, Squert, and Kibana check okay – no issues

• Increase Snort instances: • Verify that Snort is generating alerts and load-balancing traffic via PF_RING o Checks okay – no issues

• Check sostat output for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss) o No issues noted in sostat

• Reboot and make sure everything is still working properly o Checks okay – no issues

• Re-run Setup and verify that Snort and PulledPork work properly on new installations o Checks okay – no issues

• Check log files for errors or anything else out of the ordinary o Checks okay – no issues found in log files

• Verify no regressions o Checks okay – no issues.

[dougburks]

Thanks @cm-ops !

Published: https://blog.securityonion.net/2020/08/snort-29161-now-available-for-security.html