Once you've installed, configured and started working with Snort, the next thing you'll want to think about is rules. Snort rules define the patterns and criteria it uses to look for potentially malicious traffic on your
1. Download official rules from Snort.org
The official rules are provided on Snort.org as tarball snapshots. As of March 7, 2005, Sourcefire changed the licensing and distribution of Snort rules. Among other things, Sourcefire created the VRT Certified rules, which are tested and certified by the Sourcefire Vulnerability Research Team. To get started using these and the Community rules, review the Snort.org FAQ, then download the rules you choose from Snort.org (See How to decipher the Oinkcode). If you pick the correct snapshot for the Snort engine you are running, as explained on the download page, these IDS rules are guaranteed to work. If you pick the wrong one, Snort probably won't start. Verify the version of Snort you are using (in fact, just get the latest one) and try again. I would strongly recommend starting with, and learning from, the VRT rules.
2. Use Bleeding Snort Rules
If you like to live on the bleeding edge, using the Bleeding Snort Rules will achieve two goals (three, if you count enabling you to live on the bleeding edge). First, the site is a clearinghouse for up-to-the-minute, experimental rules and ideas. While these rules may be prone to false positives, and sometimes don't work as expected, they're updated often. Second, they ultimately aim to generate many reliable and accurate rules that provide long-term value when they are eventually adopted into the formal Snort.org Community ruleset. Bleeding Snort Rules are essentially test or beta rules, and are better suited for those who have test environments, those who like to live on the edge or must have the up-to-the-second IDS rules.
3. Subscribe to the Snort-Sigs list
The official Snort-Sigs mailing list focuses on "discussion and development of Snort rules." Subscription information and a Web archive are available at Snort.org. Since the changes discussed above, most new rules from the Snort community are now handled via Bleeding Snort.
4. Customize and share your rules
If you find something missing, don't be intimidated by the idea of writing a rule. You can put one together quickly and easily. (To learn more about writing them, read my recent article "How to modify and write custom Snort rules.") And, don't forget to contribute them back to the Snort community via Bleeding Snort Rules. Your work may help someone else who is struggling with similar issues.
Be cautious about where you download Snort rules
And finally, while it's possible to find Snort rules on the Internet in places other than those above, I recommend avoiding them unless you really understand what you are doing. Rule syntax has evolved to provide better ways to accomplish certain goals, such as the "established" keyword that replaces the older method of looking at TCP flags in many circumstances. The McRules you may find on John Doe's random Web site may or may not work, so to be safe you should avoid them.
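As an added example (not from the original article), a small Python linter for a rules file pulled from an unfamiliar source: it flags lines that do not parse as Snort rules, rules missing sid or rev, and TCP rules that still rely on the older flags: test without the flow: keyword. It assumes the single-line Snort 2 rule syntax, and the sample rules are constructed for the demonstration.

```python
import re

# One single-line Snort rule: <action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$')

def parse_options(text):
    """Split the option body into (keyword, value) pairs; bare keywords get None.
    Simplification: an escaped '\\;' inside a content string is not handled."""
    opts = []
    for item in re.split(r';\s*', text.strip().rstrip(';')):
        if item:
            key, sep, value = item.partition(':')
            opts.append((key.strip(), value.strip() if sep else None))
    return opts

def lint_rule(line):
    """Return (severity, message) findings for one rule line; [] if it looks fine."""
    line = line.strip()
    if not line or line.startswith('#'):
        return []                      # blank lines and comments are skipped
    m = RULE_RE.match(line)
    if not m:
        return [('error', 'does not parse as a Snort rule')]
    keys = {k for k, _ in parse_options(m.group('options'))}
    findings = []
    if 'sid' not in keys:
        findings.append(('error', 'missing sid'))
    if 'rev' not in keys:
        findings.append(('warn', 'missing rev'))
    # Older rules tested TCP flags directly; the flow keyword is the modern way to
    # restrict a rule to established sessions.
    if m.group('proto') == 'tcp' and 'flags' in keys and 'flow' not in keys:
        findings.append(('warn', 'uses flags: without flow:; prefer flow:established'))
    return findings

def lint_ruleset(text):
    """Lint a whole rules file; returns {line_number: findings} for lines with findings."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := lint_rule(line))}

# Constructed sample rules for demonstration, not taken from any real ruleset.
SAMPLE = """# constructed example
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; flow:established,to_server; content:"/x"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB legacy"; flags:A+; content:"/y"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"no sid";)
this is not a rule
"""
```

Call lint_ruleset() on the contents of a downloaded .rules file to get a per-line report; running snort -T -c against a configuration that includes the file remains the authoritative syntax check before the rules go into production.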
As of April 2005, there are 3,166 enabled VRT and 33 Community rules from Snort.org, and 775 enabled rules from BleedingSnort.com, with more being added all the time.
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.
This was first published in May 2005