Random thoughts, tips & tricks about Slackware-Linux, Lego and Star Wars

Snort 2.9.0 released - Slackware packages available

October 10th, 2010 by Niels Horn

A few days ago Snort 2.9.0 was released. The official announcement can be read .
This new version brings some essential changes to Snort that needed special attention when updating the SlackBuild.

New dependencies

libdnet is a "simplified, portable interface to several low-level networking routines" and already has a SlackBuild on .
daq is a new "Data Acquisition library" that lets Snort read packets from several sources. Its source is available on the Snort site. I wrote a simple SlackBuild script for it, which I submitted.

Changes to default configuration

The second change I encountered was the new default options in the snort.conf file.
By default, the "nostamp", "mpls_event_types" and "vlan_event_types" options are enabled for the "unified2" log format, but Barnyard2 does not understand them.
On the last two it actually crashes with this error:

ERROR: Unknown record type read: 104
Fatal Error, Quitting..

I sent an e-mail to the Barnyard2 mailing list, but I'm not sure if there will be an answer, as I found other requests that never received any response.
For now I decided to disable these options in the standard configuration.

I also needed to pass the --enable-zlib option at the configure stage when building Snort, as the new default configuration relies on zlib support.

New unified2 tools

Snort 2.9.0 comes with two new tools:

u2spewfoo can read the binary unified2 logs and dump their contents as text. This helped me to understand the "unknown record type" problem with Barnyard2 described above.
u2boat (Unified2 Binary Output & Alert Tool) can convert the packet records in unified2 logs to standard tcpdump format.
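As an added illustration (not code from this post or from the Snort project), here is a small Python scanner for the unified2 record framing that Barnyard2 choked on above and that u2spewfoo dumps: it walks the type/length headers, names the known record types and flags those that Snort only writes when mpls_event_types or vlan_event_types are enabled. The type numbers are those of Snort's Unified2_common.h; the sample records are constructed here, and the 52-byte legacy event layout is assumed from that header.

```python
import struct

# Record type ids as defined in Snort's Unified2_common.h.
UNIFIED2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    99: "IDS_EVENT_MPLS",
    100: "IDS_EVENT_IPV6_MPLS",
    104: "IDS_EVENT_VLAN",
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
}
# Types only written when mpls_event_types / vlan_event_types are enabled;
# 104 is exactly the "Unknown record type" Barnyard2 complained about.
EXTENDED_TYPES = {99, 100, 104, 105}

def iter_records(data):
    """Yield (type, payload) for each record in a unified2 byte buffer.
    Every record starts with two network-order uint32s: type and length."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated record type %d at %d" % (rtype, off - 8))
        yield rtype, data[off:off + length]
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last record")

def audit(data):
    """Return (type, name, needs_extended_option) for each record."""
    return [(t, UNIFIED2_TYPES.get(t, "UNKNOWN"), t in EXTENDED_TYPES)
            for t, _ in iter_records(data)]

def event_ids(payload):
    """(generator_id, signature_id) of an IDS event; the legacy layout starts
    with nine uint32s and the VLAN/MPLS variants keep that prefix."""
    f = struct.unpack_from(">9I", payload, 0)
    return f[5], f[4]

def make_event(rtype, gid, sid, extra=b""):
    """Build a constructed IDS event record (sample data, not Snort output)."""
    body = struct.pack(">9I", 1, 1, 1286720000, 0, sid, gid, 1, 1, 1)
    body += struct.pack(">IIHHBBBB", 0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return struct.pack(">II", rtype, len(body) + len(extra)) + body + extra

# Constructed sample: a legacy event plus a VLAN event (mpls_label, vlan_id, pad).
SAMPLE = make_event(7, 1, 2000) + make_event(104, 1, 2001, struct.pack(">IHH", 0, 10, 0))
```

Running audit() over a real snort.log file before pointing Barnyard2 at it shows whether any of the extended record types are present.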

Conclusion

So, after some struggling, I managed to update my Snort server and submitted the updated SlackBuild for version 2.9.0.
As always, I also prepared packages for Slackware and ARMedslack, which are available on my .