dougburks (issue closed 4 years ago)
I've packaged Snort 2.9.16.1 and the following package is now available at ppa:securityonion/test:
securityonion-snort - 2.9.16.1-1ubuntu1securityonion1
Please test as follows:
• install the latest ISO image in a VM, but do not run Setup yet
• if possible, create a snapshot of the VM
• run Setup in Evaluation mode (Snort with Emerging Threats ruleset)
• add the test PPA:
  sudo add-apt-repository -y ppa:securityonion/test
• install updates:
  sudo soup
• the Snort package should back up your existing snort.conf, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update
• verify that your snort.conf has been updated and shows:
  VERSIONS : 2.9.16.1
• verify the new Snort version number:
  snort -V
• Update your rules using PulledPork:
  sudo rule-update
• Verify that PulledPork downloaded rules properly
• Create some traffic:
  sudo so-test
• Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana
• Increase Snort instances:
  sudo so-sensor-stop
  # increase IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf
  sudo so-sensor-start
  sudo so-test
• Verify that Snort is generating alerts and load-balancing traffic via PF_RING
• check sostat output for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss)
• reboot and make sure everything still works properly
• Re-run Setup and verify that Snort and PulledPork work properly on new installations
• check log files for errors or anything else out of the ordinary
• verify no regressions
• anything else we missed?
Thanks in advance for your time and effort!
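The "verify" steps of the test plan above, written out as an added POSIX sh example. This is not part of the issue and not Security Onion's own tooling; it only automates the checks a tester would otherwise do by eye. Every function takes the file (or the captured command output) to inspect as an argument, so the same code runs against the constructed samples embedded below and against the real files on a sensor. The file locations (/etc/nsm/snort.conf, /etc/nsm/rules/downloaded.rules, /etc/nsm/HOSTNAME-INTERFACE/sensor.conf), the backup file name snort.conf.bak and the exact layout of the snort -V banner are assumptions; adjust them to what soup actually produced on your VM.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the Snort 2.9.16.1 package as
# POSIX sh functions. Paths, the backup name and the "snort -V" banner
# layout are assumptions, not taken from the package or from Security Onion.

EXPECTED_SNORT_VERSION="2.9.16.1"

# Version advertised in the snort.conf header line "#    VERSIONS : 2.9.16.1".
snort_conf_version() {
    sed -n 's/^#[[:space:]]*VERSIONS[[:space:]]*:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Version printed by the snort binary (read from stdin; capture with: snort -V 2>&1).
snort_binary_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Value of an ipvar (HOME_NET or EXTERNAL_NET) in a snort.conf.
snort_ipvar() {
    sed -n "s/^ipvar[[:space:]]\{1,\}$2[[:space:]]\{1,\}\(.*\)/\1/p" "$1" | head -n 1
}

# Succeeds if HOME_NET and EXTERNAL_NET in the new conf ($2) match the backup ($1).
vars_migrated() {
    for v in HOME_NET EXTERNAL_NET; do
        [ "$(snort_ipvar "$1" "$v")" = "$(snort_ipvar "$2" "$v")" ] || return 1
    done
    return 0
}

# Number of enabled rules in a rules file (commented-out rules do not count).
active_rule_count() {
    grep -c -E '^[[:space:]]*(alert|drop|log|pass|reject|sdrop)[[:space:]]' "$1" || true
}

# Current IDS_LB_PROCS in a sensor.conf.
lb_procs() {
    sed -n 's/^IDS_LB_PROCS=\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Set IDS_LB_PROCS=$2 in sensor.conf $1 and echo the value now in the file.
# On a sensor, run this between so-sensor-stop and so-sensor-start.
set_lb_procs() {
    tmp="$1.tmp"
    sed "s/^IDS_LB_PROCS=[0-9]*/IDS_LB_PROCS=$2/" "$1" > "$tmp" && mv "$tmp" "$1"
    lb_procs "$1"
}

# Constructed sample files standing in for the real ones (NOT copied from a sensor;
# the backup version and the snort -V build number are placeholders).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#    VERSIONS : 2.9.15.1' \
        'ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]' \
        'ipvar EXTERNAL_NET !$HOME_NET' > "$d/snort.conf.bak"
    printf '%s\n' '#    VERSIONS : 2.9.16.1' \
        'ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]' \
        'ipvar EXTERNAL_NET !$HOME_NET' > "$d/snort.conf"
    printf '%s\n' '   ,,_     -*> Snort! <*-' \
        '  o"  )~   Version 2.9.16.1 GRE (Build 0)' > "$d/snort-V.txt"
    printf '%s\n' '# constructed PulledPork output' \
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"sample rule 1"; sid:1000001; rev:1;)' \
        '#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"disabled rule"; sid:1000002; rev:1;)' \
        'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"sample rule 2"; sid:1000003; rev:1;)' > "$d/downloaded.rules"
    printf '%s\n' 'IDS_LB_PROCS=1' > "$d/sensor.conf"
    echo "$d"
}

# Run every check against a directory holding snort.conf, snort.conf.bak, snort-V.txt
# (captured "snort -V 2>&1"), downloaded.rules and sensor.conf. Prints one PASS/FAIL
# line per step and returns the number of failures.
run_checks() {
    d=$1; fails=0
    check() {   # check <label> <command...>: run the command, count a failure if it fails
        label=$1; shift
        if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fails=$((fails + 1)); fi
    }
    check "snort.conf header shows VERSIONS : $EXPECTED_SNORT_VERSION" \
        [ "$(snort_conf_version "$d/snort.conf")" = "$EXPECTED_SNORT_VERSION" ]
    check "snort -V reports $EXPECTED_SNORT_VERSION" \
        [ "$(snort_binary_version < "$d/snort-V.txt")" = "$EXPECTED_SNORT_VERSION" ]
    check "HOME_NET/EXTERNAL_NET migrated from backup" \
        vars_migrated "$d/snort.conf.bak" "$d/snort.conf"
    check "PulledPork output contains enabled rules" \
        [ "$(active_rule_count "$d/downloaded.rules")" -gt 0 ]
    check "IDS_LB_PROCS raised above 1 for PF_RING load balancing" \
        [ "$(lb_procs "$d/sensor.conf")" -gt 1 ]
    return "$fails"
}

# Stand-alone demo against the constructed samples; the set_lb_procs call mirrors the
# "increase IDS_LB_PROCS" step. Point the paths at the real files on a sensor instead.
demo_dir=$(make_samples)
set_lb_procs "$demo_dir/sensor.conf" 2 >/dev/null
run_checks "$demo_dir"
rm -rf "$demo_dir"
```

The checks are deliberately split into small functions so that a single failing step (for example HOME_NET not carried over from the backup) is reported on its own rather than hidden inside one combined pass/fail; the sostat, Sguil/Squert/Kibana and reboot steps of the plan are not covered here because they need a live sensor.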
Testing results:
• Snort package should back up your existing snort.conf, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update
  - Checks okay – no issues
• Verify that your snort.conf has been updated and shows: VERSIONS : 2.9.16.1
  - Checks okay – no issues
• Verify the new Snort version number
  - Checks okay – no issues
• Update your rules using PulledPork / Verify that PulledPork downloaded rules properly
  - Checks okay – no issues
• Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana
  - Sguil, Squert, and Kibana check okay – no issues
• Increase Snort instances
• Verify that Snort is generating alerts and load-balancing traffic via PF_RING
  - Checks okay – no issues
• Check sostat output for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss)
  - No issues noted in sostat
• Reboot and make sure everything is still working properly
  - Checks okay – no issues
• Re-run Setup and verify that Snort and PulledPork work properly on new installations
  - Checks okay – no issues
• Check log files for errors or anything else out of the ordinary
  - Checks okay – no issues found in log files
• Verify no regressions
  - Checks okay – no issues
Thanks @cm-ops!
Published: https://blog.securityonion.net/2020/08/snort-29161-now-available-for-security.html
https://blog.snort.org/2020/08/snort-29161-has-been-released.html