Snort 2.1 Intrusion Detection, Second Edition

As with many other open-source projects, the Snort Intrusion Detection System (IDS) is evolving all the time. To keep up with its development and to use the additional features that appear in new releases, you need to be able to update your installation periodically. The update process is usually simple: versions of Snort are backward compatible, so all you need to do is recompile the source (if you prefer building Snort yourself) or reinstall a package, for example a Red Hat .RPM package, which is available from the distribution site. As with all open-source projects, it is possible that someone has coded extra functionality into their Snort package that is not in the distributed version, and you may want to try it out. In this case, you can patch your Snort source code with the changes distributed by that person and see the results. The most important updates are the rule updates, which should be applied to the Snort sensors on a regular basis. Some rule updates are created by people in response to emergencies, such as new, overwhelming attacks similar to CodeRed and the recent MS SQL Slammer worms. Some updates are simply an improvement of an existing rule (hence the rev value that can appear in rules and was discussed in Chapter 5, Playing by the Rules), and others are new rules to deal with new attacks or vulnerabilities. Several rule databases are updated on a regular basis and are available at various Web sites such as www.snort.org and whitehats.com, although the owner of...
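Before applying a rule update to a sensor, it is worth knowing which rules are new, which were retired, and which existing rules changed. Snort's sid and rev options make this mechanical: a rule keeps its sid across revisions and bumps rev when its content is improved. The following script is an added example, not code from the book or from the Snort project; it parses two constructed rule sets (an "installed" set and an "updated" set, with illustrative sids in the local 1000000+ range), keys them by sid, and reports additions, removals, revision bumps, and the case a practitioner most wants flagged: a rule whose text changed without its rev being incremented.

```python
import re

# Constructed sample rule sets for this example (not from the book or any real ruleset).
# The sids and contents are illustrative only.
INSTALLED_RULES = """
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:1;)
alert udp any any -> any 1434 (msg:"EXAMPLE retired rule"; sid:1000002; rev:2;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh banner"; content:"SSH-1"; sid:1000003; rev:1;)
"""

UPDATED_RULES = """
# Comment lines and blank lines are ignored by the parser.
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; content:"/probe"; nocase; sid:1000001; rev:2;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh banner"; content:"SSH-1.5"; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"EXAMPLE new rule"; sid:1000004; rev:1;)
"""

# sid and rev are rule options of the form "sid:NNN;" / "rev:NNN;" inside the parentheses.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Map sid -> (rev, rule line) for every rule line carrying a sid.

    Lines without a sid (comments, blanks, malformed rules) are skipped;
    a rule without rev is treated as rev 0, the lowest possible revision.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        rev_match = REV_RE.search(line)
        rev = int(rev_match.group(1)) if rev_match else 0
        rules[sid] = (rev, line)
    return rules


def compare_rulesets(installed_text, updated_text):
    """Classify every sid seen in either set.

    added:               sid only in the update
    removed:             sid only in the installed set (rule retired)
    updated:             same sid, rev increased (an improved rule)
    changed_without_rev: same sid and rev but different rule text; this is the
                         case to review by hand, since nothing signals the change
    """
    installed = parse_rules(installed_text)
    updated = parse_rules(updated_text)
    report = {"added": [], "removed": [], "updated": [], "changed_without_rev": []}
    for sid in sorted(set(installed) | set(updated)):
        if sid not in installed:
            report["added"].append(sid)
        elif sid not in updated:
            report["removed"].append(sid)
        else:
            old_rev, old_line = installed[sid]
            new_rev, new_line = updated[sid]
            if new_rev > old_rev:
                report["updated"].append(sid)
            elif old_line != new_line:
                report["changed_without_rev"].append(sid)
    return report


if __name__ == "__main__":
    for category, sids in compare_rulesets(INSTALLED_RULES, UPDATED_RULES).items():
        print(f"{category:>20}: {sids}")
```

Running the script on the embedded samples lists sid 1000004 as added, 1000002 as removed, 1000001 as updated (rev 1 to 2), and 1000003 as changed without a rev bump. To use it on real files, read the installed and downloaded .rules files into the two text arguments; rules spanning several lines with a trailing backslash would need to be joined first, which this example does not do.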