Problem solve Get help with specific problems with your technologies, process and projects.

How to automatically update Snort rules

Learn how Oinkmaster can help you automatically update your Snort rules.

As you use Snort, you may find some of the default rules are not useful to you. You may also find a need for rules...

that are disabled by default, and you may even need to modify some rules. Since Snort needs regular rule updates just like your AV, it's not practical to manually recreate all of the changes you make each time you download new rules. Fortunately, there is a free tool called Oinkmaster, which does everything you need to maintain your Snort rules, and runs on both Unix and Windows. (It's written in Perl, so you'll need ActivePerl to run it on Windows.)

Oinkmaster is the de-facto rule updater in the Snort community and was released as a production version in May 2004 after several years of beta testing. It is driven by a configuration file in which you define exactly what it should do. First you get the latest rules using HTTP, HTTPS, FTP, file or SCP methods. (You will need an Oinkcode to get the VRT rules from (See How to decipher the Oinkcode). Then you define what files to update or skip, what Signature IDs (SIDs) to modify, what SIDs to enable and which ones to disable. You can also 'include' files to an arbitrary depth, which allows for a very modular approach. The configuration file that comes with Oinkmaster is well-documented and contains useful defaults, but you must still review it to make sure you are downloading the correct rule snapshot for the version of Snort you are running and to add your Oinkcode.

While you can use Oinkmaster to directly update your sensors, a better way is to use one configuration file to update a staging directory and report details of what has changed. Once you review and approve the changes you can use a second configuration file to actually update your sensors (See the Oinkmaster FAQ Q3 at

Enabling or disabling SIDs is easy; all you have to do is add the SID in question to an "enablesid" or "disablesid" line. Modifying a SID is not much harder and involves creating a Perl Regular Expression to describe your changes. There is also a template feature to make multiple similar changes. Since Snort rules can also use Regular Expressions, which are so useful in other areas of programming, they're worth learning if you aren't familiar with them.

More on this topic

  • Learn more about Sourcefire's rules development process
  • Will you have to pay for Snort updates?

Version 1.1 was released in October 2004 and adds two new report formats that more clearly show exactly what is different when rules change (see –s and –m in the changelog). Version 1.2 was released in April 2005 and allows 'multiple -u ... [command line] arguments or multiple "url = ..." [statements] in oinkmaster.conf' to facilitate downloading the VRT, Community and Bleeding Snort rules all at once, among other things. Oinkmaster's documentation is well-written, which makes it a great place to start learning about the tool. If you use Snort, take the time to investigate Oinkmaster -- you won't regret it, I promise.


  Why Snort makes IDS worth the time and effort
  How to identify ports
  How to deal with switches and segments
  Where to place IDS sensors
  What OS to use for Snort sensors
  How to determine how many interfaces a sensor needs
  How to modify and write custom Snort rules
  How to define Snort's configuration variables
  Where to find Snort rules
  How to automatically update Snort rules
  How to decipher the Oinkcode
  How to verify that Snort is operating

ABOUT THE AUTHOR: JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was last published in May 2005

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)