How to decipher the Oinkcode for Snort's VRT rules

Sourcefire has changed the licensing and distribution of Snort rules, and created the VRT Certified rules, which are tested and certified by the Sourcefire Vulnerability Research Team.

As an end user, you can get these rules in one of three ways:

  • Pay a subscription fee to Sourcefire and get the rules as soon as they are released
  • Register for free and get the rules five days after they are released to paid subscribers
  • Get whatever is current with each release of the Snort engine (in other words, no updates between engine updates, which is not recommended)

There are special considerations if you are a "Snort Integrator." In any case, you need to read the FAQ at Snort.org.

    Requires Free Membership to View

More Information

Learn more about Sourcefire's changes

Find out how you can get certified in Snort

If your organization is a Snort end user, you will almost certainly want to register for free and generate an Oinkcode, which will allow you to download the VRT rules. Once you have read and understood the FAQ, create an account at Snort.org and log in. At the bottom of the Account Settings page you will find a button to generate an Oinkcode, along with instructions for configuring your oinkmaster.conf, if you are using Oinkmaster. But even if you are not, the URL you construct (such as http://www.snort.org/pub-bin/oinkmaster.cgi/5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.3.tar.gz) may be bookmarked in a browser or used with wget or some other download tool to download the rules.

Your Oinkcode for VRT Certified rules will look like this:

Example for snort 2.3:

You can also get GPL community rules (free, no registration or Oinkcode required, very limited) from Snort.org


  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports after intrusion detection
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort

JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was first published in May 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.