Niels Horn's Blog

Random thoughts, tips & tricks about Slackware-Linux, Lego and Star Wars

Snort 2.9.0 released – Slackware packages available

A few days ago Snort 2.9.0 was released. The official announcement can be read here.
This new version brings some essential changes to Snort that needed special attention.

New dependencies

libdnet is a “simplified, portable interface to several low-level networking routines” and already has a SlackBuild on SlackBuilds.org.
daq is the new “Data Acquisition library”, an abstraction layer that can feed packets to Snort from several sources. Its source is available on the Snort site. I wrote a simple SlackBuild script for it, that I submitted.

Changes to default configuration

The second change I encountered was with the new default options in the snort.conf file.
By default, the “nostamp”, “mpls_event_types” and “vlan_event_types” options are enabled for the “unified2” log format, but Barnyard2 does not understand them.
On the last two it actually crashes with this error:

ERROR: Unknown record type read: 104
Fatal Error, Quitting..

I sent an e-mail to the Barnyard2 mailing list, but I’m not sure if there will be an answer, as I found other requests that never received any response.
For now I decided to disable these options in the standard configuration.
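For reference, this is the unified2 output line in the form the 2.9.0 snort.conf suggests it, next to the trimmed form that a Barnyard2 without support for the VLAN/MPLS record types can read. This is an added configuration fragment, not taken from the blog post; the file name and the size limit are illustrative, only the three option keywords matter here.

```conf
# Snort 2.9.0 style unified2 line ("Step #6: Configure output plugins").
# nostamp          - do not append a timestamp to the log file name
# mpls_event_types - write the MPLS event record types instead of the classic ones
# vlan_event_types - write the VLAN event record types (104/105) instead of the classic ones (7/72)
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Barnyard2-compatible form: keep only what the spooler understands.
# Barnyard2 then picks the files up by their "snort.u2.<timestamp>" prefix.
output unified2: filename snort.u2, limit 128
```

Removing mpls_event_types and vlan_event_types loses the MPLS label and VLAN id in the events; everything else in the record is the same.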

I also needed to include the --enable-zlib option at the configuration stage of building Snort, as the new default is to use this option.

New unified2 tools

Snort 2.9.0 comes with two new tools:

u2spewfoo can read the binary unified2 logs and dump the output as text. This helped me to understand the problem I had with the “unknown record type” I encountered above.
u2boat, the Unified2 Binary Output & Alert Tool, can convert the unified2 logs to standard tcpdump (pcap) format.
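To make the record-type problem from the configuration section concrete, and to show what a u2spewfoo-style dump does with the same data, here is a small unified2 reader. This is an added example written for this page, not code from Snort, u2spewfoo or Barnyard2. It uses the record framing and the type codes from Snort's Unified2_common.h (type 7 is the classic IPv4 event, type 104 the VLAN variant written when vlan_event_types is on); the sample log bytes are constructed in the script, not captured from a sensor.

```python
"""Walk a unified2 log and print one line per record, like u2spewfoo.

A reader that only knows the classic record types reports the VLAN
variant exactly the way Barnyard2 did: "Unknown record type read: 104".
"""
import struct

# Record type codes from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # Unified2IDSEvent_legacy, 52 bytes
UNIFIED2_IDS_EVENT_VLAN = 104     # Unified2IDSEvent, 60 bytes (adds mpls_label, vlan_id)
UNIFIED2_EXTRA_DATA = 110

RECORD_HEADER = struct.Struct("!II")            # type, length, both big-endian
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")    # 44 + 4 + 4 = 52 bytes
IDS_EVENT_VLAN = struct.Struct("!11I2H4BIHH")   # 52 + 4 + 2 + 2 = 60 bytes

BASE_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
               "signature_id", "generator_id", "signature_revision",
               "classification_id", "priority_id", "ip_source", "ip_destination",
               "sport_itype", "dport_icode", "protocol", "impact_flag",
               "impact", "blocked")
VLAN_FIELDS = BASE_FIELDS + ("mpls_label", "vlan_id", "pad2")

LAYOUTS = {
    UNIFIED2_IDS_EVENT: (IDS_EVENT_LEGACY, BASE_FIELDS),
    UNIFIED2_IDS_EVENT_VLAN: (IDS_EVENT_VLAN, VLAN_FIELDS),
}


def frame(rtype, payload):
    """Wrap a payload in the unified2 record header."""
    return RECORD_HEADER.pack(rtype, len(payload)) + payload


def iter_records(data):
    """Yield (type, payload) pairs; refuse to read past a truncated record."""
    off = 0
    while off < len(data):
        if len(data) - off < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, length = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if len(data) - off < length:
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + length]
        off += length


def decode_event(rtype, payload):
    """Decode an event record of a known type into a dict, or None if unknown."""
    layout = LAYOUTS.get(rtype)
    if layout is None:
        return None
    fmt, names = layout
    if len(payload) < fmt.size:
        raise ValueError("short payload for record type %d" % rtype)
    return dict(zip(names, fmt.unpack_from(payload)))


def ip4(n):
    """Dotted-quad string for a host-order IPv4 address integer."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def spew(data, known=frozenset(LAYOUTS)):
    """Render each record as one text line; 'known' limits which types get decoded."""
    out = []
    for rtype, payload in iter_records(data):
        ev = decode_event(rtype, payload) if rtype in known else None
        if ev is None:
            # the same message Barnyard2 prints before it quits
            out.append("Unknown record type read: %d" % rtype)
            continue
        out.append("type=%d gen=%d sid=%d rev=%d %s:%d -> %s:%d proto=%d vlan=%s" % (
            rtype, ev["generator_id"], ev["signature_id"], ev["signature_revision"],
            ip4(ev["ip_source"]), ev["sport_itype"],
            ip4(ev["ip_destination"]), ev["dport_icode"], ev["protocol"],
            ev.get("vlan_id", "-")))
    return out


# Constructed sample (values made up): one alert written twice, once in the
# legacy format and once in the VLAN format that vlan_event_types enables.
_base = (1, 42, 1286668380, 0, 1000001, 1, 2, 3, 2,
         0xC0A80164,   # 192.168.1.100
         0x0A000001,   # 10.0.0.1
         54321, 80, 6, 0, 0, 0)
SAMPLE_LOG = (frame(UNIFIED2_IDS_EVENT, IDS_EVENT_LEGACY.pack(*_base))
              + frame(UNIFIED2_IDS_EVENT_VLAN, IDS_EVENT_VLAN.pack(*_base, 0, 110, 0)))

if __name__ == "__main__":
    print("\n".join(spew(SAMPLE_LOG)))
    print("--- a reader that only knows type 7:")
    print("\n".join(spew(SAMPLE_LOG, known=frozenset({UNIFIED2_IDS_EVENT}))))
```

The two records carry the same alert; only the framing differs, which is why dropping vlan_event_types in snort.conf costs nothing but the VLAN id. The length check before every record body matters in practice, since unified2 files are read while Snort is still appending to them.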

Conclusion

So, after some struggling, I managed to update my Snort server and submitted the updated SlackBuild for version 2.9.0.
As always, I also prepared the packages for Slackware and ARMedslack, that are available on my site.


This entry was posted on Sunday, October 10th, 2010 at 0:33 and is filed under ARMedslack, Slackware, snort.
