
Thread: Snort/Slackware Upgrade and recommendations

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    137

    Snort/Slackware Upgrade and recommendations

    Hey all,

    Just a few quick questions.

    I have Slackware 10.2 installed and recently started working with Snort. I have 2.4.4 installed currently and noticed that 2.6.0 is out. How do I upgrade Snort to the newer version? I am new to Slack and also Snort, so to me this is a little confusing..lol

    Also, as far as Snort is concerned, I am reading a book, "Snort 2.0", on the ins and outs. I feel some of the information may be dated. It talks about using ACID and MySQL, but I thought I recently saw something saying that ACID was a little dated for today's use.

    I am sure there are people still using ACID and do not want to offend anyone, but what is the most recent recommended method of setting up reporting? A friend of mine mentioned SnortSam, but I am sure there are others out there.

    I am planning on deploying snort on my network, just about 10 hosts and 3 servers. I have it in place and just need to make sure I do this the smartest way possible..lol

    Any advice would be greatly appreciated!!
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child then it is to repair an adult"
    -Kruptos

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    I run Snort off a Slackware 10.1 box right now, I just upgraded from 2.4.3 to 2.6. Snort logs to a mysql database; I found that the 2.6 database is completely backwards compatible with 2.4.

    To upgrade, I would recommend you just do away with the old Snort, and compile a new one. That's what I did, and it worked for me. As for ACID, you're right, ACID hasn't been maintained for about two years now, although for some reason people keep trying it. The base ACID code has been taken and turned into BASE, which is currently maintained. It is a bit of a hassle to set up and get running, but greatly simplifies the management of the database and the logs. I have no complaints about it.

    I've never used snortsam, so I can't really comment on it. But in answer to the other questions, the best way to upgrade Snort is probably to just perform a clean install, and BASE is what I would use for management.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Striek,

    Thanks for the information, that's what I was looking for :-)

    Although I do have a Slack noob question..lol

    I went to uninstall Snort 2.4.4 using pkgtool and it doesn't show up in the list?? Any other suggestions on how to uninstall it?

    The book I am reading said to extract and install in the /tmp directory, and it's running under /tmp/snort2.4.4.

    Kinda new to some of this stuff so any help would be appreciated.

    As far as MySQL, can I install and configure that after I install Snort? Also with BASE?

    I appreciate your help and thank you for your time :-)
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child then it is to repair an adult"
    -Kruptos

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Uninstalling Snort should be a simple matter of deleting the snort executable and configuration files, then removing execute permissions from the snort startup script, /etc/rc.d/rc.snort. It is entirely possible that Snort was not installed as a Slackware package in the first place, and hence is not on the installed packages list.

    If all the Snort files have been installed to /tmp, then deleting the /tmp/snort2.4.4 directory should suffice. Be sure to check /etc for any configuration files; sometimes installation scripts put files there despite your instructions.

    Now, as for installing Snort to /tmp, anybody who tells you to do this, unless they have reasons of which I am unaware, is either retarded or on crack. The whole point of a /tmp directory is that a) anybody can write to it, and by extension, delete from it, and b) you can delete the whole directory as part of normal system maintenance. Executable system files have no place in /tmp.

    With MySQL, you can install that once Snort has been installed, but to get BASE working, you will need MySQL installed first, or it will have no database to read from.

    ...

    *still wondering wtf they told you to install to /tmp..*
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Hehe, same here.

    It is a book called Snort 2.0, I think published by Syngress. It states in the "Installation" chapter to download the latest from Snort.org, then save and extract it in the /tmp directory.

    It goes right into ./configure and so on. It does not mention changing the install path or anything, but ultimately it ends up staying in the /tmp directory.

    It also could be that I'm pretty new to Linux and maybe they assumed that I would install it elsewhere, but the book is actually pretty thorough outside of that.
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child then it is to repair an adult"
    -Kruptos

  6. #6
    I usually recommend to create a directory named '/snort' on my drive, and place everything in there. Snort, Oinkmaster, barnyard, etc..

    Snort 2.6 does require a lot more memory than its predecessors (BTW), because of the prequalification search algorithm it uses (Aho-Corasick as opposed to Wu-Manber, as in previous releases), so if you have a problem with RAM usage here are some tips on how to limit the RAM usage:

    "As noted in the RELEASE.NOTES, there was a change in the
    default pattern matching engine from Wu-Manber to standard
    Aho-Corasick which is faster but consumes more memory.

    This effectively replaced an implicit config of

    config detection: search-method mwm

    with

    config detection: search-method ac

    The Aho-Corasick implementation in snort has a few different
    memory models, standard, full, banded, sparse, and sparse
    banded. The sparse and sparse-banded ones consume much less
    memory... To use them, add a snort.conf line, as desired,
    for example. Wu-Manber is being deprecated in the next
    release.

    config detection: search-method ac-sparsebands

    There is also the lowmem method, which is slow, but uses
    very little memory." -- Steve Sturges, Snort Developer.

    I suggest you use one of these examples if you have a RAM problem (95% utilization of processor..etc..). 2.6.0 needs a good couple of GIGS of RAM for non-customized machines.

    I also suggest you don't use Snort to log directly to the DB. Having your IDS log directly to the DB is begging for it to drop packets. Instead, log to 'unified', then download, compile, and install 'barnyard'. Barnyard reads this unified file format and then inserts into the DB, abstracting the DB layer from the actual IDS.
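    As an added illustration of the two points in this post (the pattern-matcher memory model and unified-vs-direct database logging), the following POSIX sh audit script reads a snort.conf and reports which settings are in effect; it is example code written for this thread, not something from Snort or barnyard. It assumes the Snort 2.6 `config detection: search-method` and `output` line syntax quoted above, and the variant names `ac-std`, `ac-banded`, `alert_unified` and `log_unified` are taken from the Snort 2.6 manual as an assumption, since the post only names `mwm`, `ac`, `ac-sparsebands` and `lowmem`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a snort.conf for the pattern
# matcher memory model and for direct-to-database logging.
# Usage: effective_search_method /etc/snort/snort.conf

# Print the effective search-method. Snort 2.6.0 defaults to "ac" when
# no line is present (per the release-notes quote above). Last line wins.
effective_search_method() {
    m=$(sed -n 's/^[[:space:]]*config[[:space:]]*detection:[[:space:]]*search-method[[:space:]]*\([A-Za-z-]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$m" ]; then echo "$m"; else echo ac; fi
}

# Classify a search-method by memory footprint: "high" for the full
# Aho-Corasick variants, "low" for the banded/sparse ones and lowmem,
# "deprecated" for Wu-Manber (mwm), "unknown" for anything else.
# ac-std and ac-banded are assumed names from the Snort 2.6 manual.
search_method_profile() {
    case "$1" in
        ac|ac-std)                       echo high ;;
        ac-banded|ac-sparsebands|lowmem) echo low ;;
        mwm)                             echo deprecated ;;
        *)                               echo unknown ;;
    esac
}

# Print "direct-db" if Snort writes to the database output plugin itself,
# "unified" if it spools to the unified format for barnyard to consume,
# and "none" if neither output is configured.
logging_mode() {
    if grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$1"; then
        echo direct-db
    elif grep -Eq '^[[:space:]]*output[[:space:]]+(unified|alert_unified|log_unified):' "$1"; then
        echo unified
    else
        echo none
    fi
}

# Convenience wrapper: one summary line for a given snort.conf.
audit_snort_conf() {
    sm=$(effective_search_method "$1")
    echo "search-method=$sm memory=$(search_method_profile "$sm") logging=$(logging_mode "$1")"
}
```

Run `audit_snort_conf /etc/snort/snort.conf` on a box built like the one in this thread; a result of `memory=high logging=direct-db` is the combination the post warns about.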
