As any of you using Demarc's PureSecure know, they are really slow about upgrading to the newest version of Snort. They are still on 1.9 I believe it is, (may be 2.0 by now). This means that all the fancy new stuff such as pcre and flowbits won't work because 1.9 doesn't understand them. The kicker is that Snort 2.1.1 uses a slightly different table structure than previous versions and it won't start because it can't find certain rows in some of the tables.

If you are like me and run Snort outside the control of PureSecure but have it reporting to the MySQL database that PureSecure uses, I found out that you can update to Snort 2.1.1 and still have the benefit of the nice PureSecure interface and its additional features.

I downloaded a MySQL manager called SQLyog, (free 30 day trial here), because I know nothing about MySQL, (it's one of those things you keep meaning to get to but never quite manage it.... ), and logged in. It was immediately apparent that Demarc has its own tables but seemed to leave the Snort tables as-is.

When you d/l Snort 2.1.1 and install it there is a script in the contrib folder called create_mysql. This is version 1.6 of the script, which creates the tables for 2.1.1. So I deleted all the Snort tables, ("drop table" from the menu).

NOTE: I didn't back my tables up, (export), so I could restore them, (import), because I only use PureSecure as a real time monitor - I have other systems for logging the Snort events in place for archival and analysis functions - but I believe this would work to keep your old data.

NOTE 2: You need to stop Snort on the sensor and PureSecure on the reporting station or you will get sharing violations.

I placed the create_mysql script in the c:\mysql folder and issued the following command to run the script thus creating the tables with the 2.1.1 structure.

mysql -u AAAA -p BBBB < c:\mysql\create_mysql

AAAA = the admin account name of the MySQL system, (usually root)
BBBB = the name of the database that Snort reports to and PureSecure reads from.
The -p will prompt you for the password.

If it runs with no errors then go back to SQLyog and you will find the new tables there.

Copy the following files to your Sensor's Snort folder:

Snort.exe (the new 2.1.1 version)
LibNetNT.dll
pcre.dll

and restart the Snort service, (or just restart Snort if you don't run it as a service) and the PureSecure service and it all works fine.

Now you can go to your rules files and put in all those nice new updated rules that catch the new nasties but that wouldn't work in Snort 2.0.5 and below.