Closed. dougburks closed this issue 3 years ago.
I've packaged Snort 2.9.17.0 and the following package is now available at ppa:securityonion/test:

securityonion-snort - 2.9.17.0-1ubuntu1securityonion1
Please test as follows:

1. install the latest ISO image in a VM, but do not run Setup yet
2. if possible, create a snapshot of the VM
3. run Setup in Evaluation mode (Snort with Emerging Threats ruleset)
4. add the test PPA: sudo add-apt-repository -y ppa:securityonion/test
5. install updates: sudo soup
6. the Snort package should back up your existing snort.conf, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update
7. verify that your snort.conf has been updated and shows: VERSIONS : 2.9.17
8. verify the new Snort version number: snort -V
9. Update your rules using PulledPork: sudo rule-update
10. Verify that PulledPork downloaded rules properly
11. Create some traffic: sudo so-test
12. Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana
13. Increase Snort instances:
    sudo so-sensor-stop
    # increase IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf
    sudo so-sensor-start
    sudo so-test
14. Verify that Snort is generating alerts and load-balancing traffic via PF_RING
15. check sostat output for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss)
16. reboot and make sure everything still works properly
17. Re-run Setup and verify that Snort and PulledPork work properly on new installations
18. check log files for errors or anything else out of the ordinary
19. verify no regressions
20. anything else we missed?
Thanks in advance for your time and effort!
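A scripted version of the snort.conf checks in the testing steps above (version banner present, HOME_NET and EXTERNAL_NET carried over from the backup), as an added example that is not part of this issue or of the securityonion-snort package. The backup filename and the two sample config files are constructed here; the `ipvar NAME VALUE` form is standard snort.conf syntax.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: verify that a migrated
# snort.conf carries the expected VERSIONS banner and that HOME_NET and
# EXTERNAL_NET match the values in the backed-up config.

extract_var() {
    # Print the value of "ipvar NAME ..." from file $1; empty if absent.
    awk -v name="$2" '$1 == "ipvar" && $2 == name { print $3; exit }' "$1"
}

check_snort_conf() {
    # $1 = backed-up snort.conf, $2 = migrated snort.conf, $3 = expected version
    grep -q "VERSIONS : $3" "$2" || { echo "version banner missing"; return 1; }
    for v in HOME_NET EXTERNAL_NET; do
        old=$(extract_var "$1" "$v")
        new=$(extract_var "$2" "$v")
        [ -n "$old" ] || { echo "$v missing in backup"; return 1; }
        [ "$old" = "$new" ] || { echo "$v not migrated: '$old' vs '$new'"; return 1; }
    done
    echo "snort.conf OK"
}

# Constructed sample files standing in for the backup and the migrated config
# (the backup name snort.conf.bak is an assumption, not the package's actual name).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/snort.conf.bak" <<'EOF'
#   VERSIONS : 2.9.16
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
EOF
cat > "$tmp/snort.conf" <<'EOF'
#   VERSIONS : 2.9.17
ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
EOF

check_snort_conf "$tmp/snort.conf.bak" "$tmp/snort.conf" 2.9.17
```

On a real sensor, point the two paths at the backup the package wrote and at the live snort.conf instead of the constructed files.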
Tested per the testing guidelines and verified the following without issue:

- snort.conf updated and showed VERSIONS : 2.9.17
- snort -V showed the correct version
- sostat
Thanks @cm-ops!
https://blog.snort.org/2020/11/snort-29170-has-been-released.html