Shadow IDS on Slackware Linux - Security Advisory 2004-02-26

Since the release of Shadow/Snort 4.x, there has been an advisory on a kernel vulnerability that needs to be addressed. It can be addressed in two ways.

The first method is to use the update script:

- Run /root/slackupdate.sh to download the updates
- cd /tmp/slackupdate
- upgradepkg *
- You must run lilo at the command line to update the kernel

Note: If you forgot to run 'lilo' before rebooting, run it again and reboot for the new kernel to take effect.

The second method is to manually download the kernel update and repeat the steps listed above. The updates can be downloaded from:

Updated packages for Slackware 9.1:
ftp://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-9.1/patches/packages/kernel-ide-2.4.24-i486-2.tgz
ftp://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-9.1/patches/packages//kernel-modules-2.4.24-i486-2.tgz

Here is an update package for Snort 2.1.1 (available from http://www.whitehats.ca/downloads/ids/shadow-slack/snort-2.1.1-i486-1.tgz; md5 available from http://www.whitehats.ca/downloads/ids/shadow-slack/snort-2.1.1-i486-1.md5). To apply the package do the following:

- Copy the package to the sensor (i.e. /tmp)
- Stop the sensor
  - /etc/rc.d/rc.snort stop
- Run upgradepkg snort-2.1.1-i486-1.tgz
- You must use the new snort.*.conf files included with the upgrade. Version 2.1.1 uses additional configuration information not available in the 2.1 config files
  - cd /usr/local/snort/etc
  - Copy your old settings from snort.internal.conf to snort.internal.conf_new (i.e. IP range, MySQL settings, etc)
  - Copy your old settings from snort.external.conf to snort.external.conf_new (i.e. IP range, MySQL settings, etc)
  - Rename snort.internal.conf_new to snort.internal.conf (mv snort.internal.conf_new snort.internal.conf)
  - Rename snort.external.conf_new to snort.external.conf (mv snort.external.conf_new snort.external.conf)
- cd /usr/local/snort and test the new configuration by running ./check_eth0 and ./check_eth1
- When config files are good, update the Snort rules files this way:
  - su snort
  - cd /usr/local/snort
  - ./oinkmaster.pl -o rules
- Restart the sensor
  - /etc/rc.d/rc.snort start
- Run ps -aef | grep snort (to ensure Snort restarted)
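Two checks worth scripting around the procedure above, as an added example that is not part of the advisory: verifying the downloaded Snort package against the published .md5 file before running upgradepkg, and confirming after reboot that the 2.4.24 kernel actually booted (the symptom of a forgotten 'lilo'). The md5 file is assumed to be in md5sum format ("<hash>  <filename>"); the /tmp paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes md5sum (coreutils) is
# present and the .md5 file uses md5sum's "<hash>  <filename>" layout.

# verify_md5 PKG MD5FILE
# Returns 0 when the md5 of PKG equals the hash recorded in MD5FILE,
# 1 otherwise (including an empty or unreadable md5 file).
verify_md5() {
    pkg="$1"
    md5file="$2"
    expected=$(awk 'NR == 1 { print $1 }' "$md5file" 2>/dev/null)
    actual=$(md5sum "$pkg" 2>/dev/null | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# running_kernel_is EXPECTED [ACTUAL]
# Compares the booted kernel release (uname -r unless ACTUAL is given,
# which makes the function testable offline) against EXPECTED. A mismatch
# after the kernel upgrade means lilo was not re-run before the reboot.
running_kernel_is() {
    booted="${2:-$(uname -r)}"
    [ "$booted" = "$1" ]
}

# Usage: upgrade.sh /tmp/snort-2.1.1-i486-1.tgz /tmp/snort-2.1.1-i486-1.md5
# Only runs when invoked with both paths; sourcing the file does nothing.
if [ "$#" -eq 2 ]; then
    if verify_md5 "$1" "$2"; then
        echo "md5 OK: safe to run upgradepkg $1"
    else
        echo "md5 MISMATCH for $1: do not install" >&2
        exit 1
    fi
    if running_kernel_is 2.4.24; then
        echo "kernel 2.4.24 is running"
    else
        echo "kernel $(uname -r) is running: run lilo and reboot" >&2
    fi
fi
```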