
Snort 2.9.15.1 #1703

Closed
dougburks opened this issue Jan 6, 2020 · 3 comments

@dougburks dougburks self-assigned this Jan 6, 2020
@dougburks dougburks added this to To do in 16.04.6.5 via automation Jan 6, 2020
@dougburks dougburks removed this from To do in 16.04.6.5 Jan 20, 2020
@dougburks dougburks added this to To do in 16.04.6.4 via automation Jan 20, 2020
@dougburks dougburks moved this from To do to In progress in 16.04.6.4 Jan 20, 2020
@dougburks dougburks moved this from In progress to In Testing in 16.04.6.4 Jan 20, 2020
@dougburks dougburks commented Jan 21, 2020

I've packaged Snort 2.9.15.1 and the following package is now available at ppa:securityonion/test:

securityonion-snort - 2.9.15.1-1ubuntu1securityonion1

Please test as follows:

  • install the latest ISO image in a VM, but do not run Setup yet
  • if possible, create a snapshot of the VM
  • run Setup in Evaluation mode (Snort with Emerging Threats ruleset)
  • add the test PPA:
        sudo add-apt-repository -y ppa:securityonion/test
  • install updates:
        sudo soup
  • the Snort package should back up your existing snort.conf, migrate your HOME_NET and EXTERNAL_NET variables, and tell you that you need to run sudo rule-update
  • verify that your snort.conf has been updated and shows:
        VERSIONS : 2.9.15.1
  • verify the new Snort version number:
        snort -V
  • Update your rules using PulledPork:
        sudo rule-update
  • Verify that PulledPork downloaded rules properly
  • Create some traffic:
        sudo so-test
  • Verify that Snort is generating alerts properly in Sguil, Squert, and Kibana
  • Increase Snort instances:
        sudo so-sensor-stop
        #increase IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf
        sudo so-sensor-start
        sudo so-test
  • Verify that Snort is generating alerts and load-balancing traffic via PF_RING
  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and Snort sections for packet loss)
  • reboot and make sure everything still works properly
  • Re-run Setup and verify that Snort and PulledPork work properly on new installations
  • check log files for errors or anything else out of the ordinary
  • verify no regressions
  • anything else we missed?

Thanks in advance for your time and effort!
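A scripted form of the snort.conf and snort -V checks from the test procedure above, added here as an example and not code from the Security Onion project or this issue. The "VERSIONS :" header format, the `snort -V` banner layout, the file paths and the sample inputs are assumptions and constructed for an offline run; point the functions at /etc/nsm/HOSTNAME-INTERFACE/snort.conf and a captured `snort -V` on a real sensor.

```shell
#!/bin/sh
# Post-upgrade verification for the Snort 2.9.15.1 package (added example,
# not Security Onion code; header/banner formats and samples are assumptions).

EXPECTED_VERSION="2.9.15.1"

# Version string from the "#  VERSIONS : x.y.z" header line of a snort.conf.
conf_version() {
    sed -n 's/^#*[[:space:]]*VERSIONS[[:space:]]*:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Version string from captured `snort -V` output saved to a file.
snort_v_version() {
    sed -n 's/.*Version[[:space:]]\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Value of an ipvar (e.g. HOME_NET) in snort.conf; empty if it is not defined.
ipvar_value() {
    awk -v name="$2" '$1 == "ipvar" && $2 == name { print $3; exit }' "$1"
}

# Returns 0 when the conf header, the running binary and the migrated
# variables all match expectations; otherwise prints each failure, returns 1.
verify_upgrade() {
    conf="$1"; snort_out="$2"; rc=0
    [ "$(conf_version "$conf")" = "$EXPECTED_VERSION" ] \
        || { echo "snort.conf VERSIONS line is not $EXPECTED_VERSION"; rc=1; }
    [ "$(snort_v_version "$snort_out")" = "$EXPECTED_VERSION" ] \
        || { echo "snort -V does not report $EXPECTED_VERSION"; rc=1; }
    for var in HOME_NET EXTERNAL_NET; do
        [ -n "$(ipvar_value "$conf" "$var")" ] \
            || { echo "ipvar $var missing from snort.conf (migration failed?)"; rc=1; }
    done
    return "$rc"
}

# Constructed sample inputs so the checks can be exercised without a sensor.
WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/snort.conf"
SAMPLE_SNORT_V="$WORK/snort-V.txt"
cat > "$SAMPLE_CONF" <<'EOF'
#  VERSIONS : 2.9.15.1
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar EXTERNAL_NET !$HOME_NET
EOF
cat > "$SAMPLE_SNORT_V" <<'EOF'
  o"  )~   Version 2.9.15.1 GRE (Build 15)
EOF
verify_upgrade "$SAMPLE_CONF" "$SAMPLE_SNORT_V" && echo "upgrade checks passed"
```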

@weslambert weslambert commented Jan 23, 2020

No issues with my testing 👍

@weslambert weslambert moved this from In Testing to Tested in 16.04.6.4 Jan 23, 2020
@dougburks dougburks closed this Jan 23, 2020
16.04.6.4 automation moved this from Tested to Done Jan 23, 2020