Snort 2.9.6.0 released, can we have an upgraded package?

zor1984

Snort 2.9.6.0 released, can we have an upgraded package?

Supermule

I think Bill is working on it as we speak. Patience my dear! :)

fragged

Next Snort package upgrade should have the new binary for both Snort and Barnyard2.

bmeeks

@Supermule:

I think Bill is working on it as we speak. Patience my dear! :)

Yep, I have it working in my test environment.  I have a conundrum, though.  If I deploy 2.9.6.0, then all the "free, registered VRT rules" users will be locked out of updates until 2.9.6.0 is 30 days old.  I was planning on deploying 2.9.5.6 instead to get around that problem.  It would take a bit of code changing to accommodate Snort VRT with two different subscription types.  It would have to be a manual checkbox, because you can't tell automatically from just the Oinkcode which rule set version it is authorized for.  The Snort folks "version" their rules files such that the update snapshots are locked to a specific Snort binary version.

I've kind of liked staying about 1 minor release behind the upstream Snort binary for this reason (not having to worry about free versus paid subscriptions).  Another reason is to let the VRT find and fix any bleeding edge bugs.. ;)

EDIT:  actually, upon further reflecting after my first response, this won't work because the Snort binary version and rules package version are locked together by the VRT folks.  So it's impossible to have the 2.9.6.0 Snort binary but feed it the 2.9.5.6 rules, for example.  So I think we are stuck staying with a version that is at least 30 days old, or else require everyone to buy the paid subscription.  That would not be popular :'(
Bill

BBcan177

@bmeeks:

So I think we are stuck staying with a version that is at least 30 days old, or else require everyone to buy the paid subscription.  That would not be popular :'(

Thanks Bill,

If its not too much trouble, maybe you could post both updates and users could choose which version would work for them? This would allow us to debug the most recent Snort version while having the option to go down one version just in case?

bmeeks

@BBcan17:

@bmeeks:

So I think we are stuck staying with a version that is at least 30 days old, or else require everyone to buy the paid subscription.  That would not be popular :'(

Thanks Bill,

If its not too much trouble, maybe you could post both updates and users could choose which version would work for them? This would allow us to debug the most recent Snort version while having the option to go down one version just in case?

Well, that is a good idea.  There was, at one time, an active snort-dev package maintained by the old maintainer.  It was really bleeding edge, though.  I had considered resurrecting that old snort-dev tree, but not for "free" versus "paid" subscriptions, but instead to try and keep the most recent Snort binary out there.  I've just been busy lately with the current package and doing some work on a Suricata package, and just have not gotten around to it.

Bill