Where to find Snort IDS rules

In this tip, JP Vossen points out the four best places to find Snort rules.

Once you've installed, configured and started working with Snort, the next thing you'll want to think about is rules. Snort rules define the patterns and criteria it uses to look for potentially malicious traffic on your network. Without these IDS rules, Snort is just another sniffer. To help you get started, here are four places to find the Snort rules you need.

1. Download official rules from Snort.org

The official rules are provided on Snort.org as tarball snapshots. As of March 7, 2005, Sourcefire changed the licensing and distribution of Snort rules. Among other things, Sourcefire created the VRT Certified rules, which are tested and certified by the Sourcefire Vulnerability Research Team. To get started using these and the Community rules, review the Snort.org FAQ, then download the rules you choose from Snort.org (See How to decipher the Oinkcode). If you pick the correct snapshot for the Snort engine you are running, as explained on the download page, these IDS rules are guaranteed to work. If you pick the wrong one, Snort probably won't start. Verify the version of Snort you are using (in fact, just get the latest one) and try again. I would strongly recommend starting with, and learning from, the VRT rules.

2. Use Bleeding Snort Rules

If you like to live on the bleeding edge, using the Bleeding Snort Rules will achieve two goals (three, if you count enabling you to live on the bleeding edge). First, the site is a clearinghouse for up-to-the-minute, experimental rules and ideas. While these rules may be prone to false positives, and sometimes don't work as expected, they're updated often. Second, they ultimately aim to generate many reliable and accurate rules that provide long-term value when they are eventually adopted into the formal Snort.org Community ruleset. Bleeding Snort Rules are essentially test or beta rules, and are better suited for those who have test environments, those who like to live on the edge or must have the up-to-the-second IDS rules.

3. Subscribe to the Snort-Sigs list

The official Snort-Sigs mailing list focuses on "discussion and development of Snort rules." Subscription information and a Web archive are available at Snort.org. Since the licensing changes discussed above, most new rules from the Snort community are now handled via Bleeding Snort.

4. Customize and share your rules

If you find something missing, don't be intimidated by the idea of writing a rule. You can put one together quickly and easily. (To learn more about writing them, read my recent article "How to modify and write custom Snort rules.") And, don't forget to contribute them back to the Snort community via Bleeding Snort Rules. Your work may help someone else who is struggling with similar issues.

Be cautious about where you download Snort rules

And finally, while it's possible to find Snort rules on the Internet in places other than those above, I recommend avoiding them unless you really understand what you are doing. Rule syntax has evolved to provide better ways to accomplish certain goals, such as the "established" keyword that replaces the older method of looking at TCP flags in many circumstances. The McRules you may find on John Doe's random Web site may or may not work, so to be safe you should avoid them.
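As an added example (not from the original article), here is a small Python checker for exactly the compatibility problem described above: it assumes Snort 2.x rule syntax, where `flow:established` supersedes the older `flags:A+` TCP-flags test, and reports TCP rules pulled from an untrusted source that still use the legacy form or carry no flow check at all. The rules in `SAMPLE_RULES` are constructed for illustration, not real Snort.org or Bleeding rules.

```python
"""Audit a Snort 2.x rules file for legacy TCP-flags usage (added example)."""
import re

# Constructed sample rules; sids in the 1000000+ local range, not real signatures.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE old style"; flags:A+; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE modern"; flow:established,to_server; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE udp"; content:"|00 00 FF|"; sid:1000003; rev:1;)
# comment lines and blank lines are ignored
alert tcp any any -> any any (msg:"EXAMPLE no flow"; content:"foo"; sid:1000004; rev:1;)
"""

# action, protocol, then anything up to the first "(", with options up to the last ")"
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+.*?\((?P<opts>.*)\)\s*$")


def parse_options(opts):
    """Split 'key:value; key; ...' into (key, value) pairs.

    Assumption: a literal ';' inside a content string is escaped ('\\;') as
    Snort requires, so a plain split on ';' is sufficient here.
    """
    pairs = []
    for part in opts.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit_rules(text):
    """Return [(sid, finding)] for TCP rules worth reviewing before loading.

    'legacy-flags': relies on flags: instead of flow:established
    'no-flow':      TCP rule with neither flow: nor flags: (heuristic only)
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("proto").lower() != "tcp":
            continue
        keys = {k for k, _ in parse_options(m.group("opts"))}
        sid = dict(parse_options(m.group("opts"))).get("sid", "?")
        if "flow" in keys:
            continue
        findings.append((sid, "legacy-flags" if "flags" in keys else "no-flow"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_rules(SAMPLE_RULES):
        print(f"sid:{sid} {finding}")
```

Run it against a downloaded `.rules` file by reading the file into `audit_rules()`; any `legacy-flags` hit is a rule written for an older engine that should be reviewed before it goes into production.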

As of April 2005, there are 3,166 enabled VRT and 33 Community rules from Snort.org, and 775 enabled rules from BleedingSnort.com, with more being added all the time.


SNORT INTRUSION DETECTION AND PREVENTION GUIDE

  Introduction
  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for IDS Snort sensors
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort VRT rules
  Using IDS rules to test Snort

ABOUT THE AUTHOR:

JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was first published in May 2005