dougburks
commented
3 years ago I've packaged Snort 2.9.17.0 and the following package is now available at ppa:securityonion/test:
securityonion-snort - 2.9.17.0-1ubuntu1securityonion1Please test as follows:
-
install the latest ISO image in a VM, but do not run Setup yet
-
if possible, create a snapshot of the VM
-
run Setup in Evaluation mode (Snort with Emerging Threats ruleset)
-
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/test -
install updates:
sudo soup -
the Snort package should back up your existing
snort.conf, migrate yourHOME_NETandEXTERNAL_NETvariables, and tell you that you need to runsudo rule-update -
verify that your
snort.confhas been updated and shows:VERSIONS : 2.9.17 -
verify the new Snort version number:
snort -V -
Update your rules using PulledPork:
sudo rule-update -
Verify that PulledPork downloaded rules properly
-
Create some traffic:
sudo so-test -
Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana
-
Increase Snort instances:
sudo so-sensor-stop #increase IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf sudo so-sensor-start sudo so-test -
Verify that Snort is generating alerts and load-balancing traffic via PF_RING
-
check
sostatoutput for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss) -
reboot and make sure everything still works properly
-
Re-run Setup and verify that Snort and PulledPork work properly on new installations
-
check log files for errors or anything else out of the ordinary
-
verify no regressions
-
anything else we missed?
Thanks in advance for your time and effort!
cm-ops
https://blog.snort.org/2020/11/snort-29170-has-been-released.html