Problem solve Get help with specific problems with your technologies, process and projects.

Where to find Snort IDS rules

In this tip, JP Vossen points out the four best places to find Snort rules.

Once you've installed, configured and started working with Snort, the next thing you'll want to think about is...

rules. Snort rules define the patterns and criteria it uses to look for potentially malicious traffic on your network. Without these IDS rules, Snort is just another sniffer. To help you get started, here are four places to find the Snort rules you need.

1. Download official rules from

The official rules are provided on as tarball snapshots. As of March 7, 2005, Sourcefire changed the licensing and distribution of Snort rules. Among other things, Sourcefire created the VRT Certified rules, which are tested and certified by the Sourcefire Vulnerability Research Team. To get started using these and the Community rules, review the FAQ, then download the rules you choose from (See How to decipher the Oinkcode). If you pick the correct snapshot for the Snort engine you are running, as explained on the download page, these IDS rules are guaranteed to work. If you pick the wrong one, Snort probably won't start. Verify the version of Snort you are using (in fact, just get the latest one) and try again. I would strongly recommend starting with, and learning from, the VRT rules.

2. Use Bleeding Snort Rules

If you like to live on the bleeding edge, using the Bleeding Snort Rules will achieve two goals (three, if you count enabling you to live on the bleeding edge). First, the site is a clearinghouse for up-to-the-minute, experimental rules and ideas. While these rules may be prone to false positives, and sometimes don't work as expected, they're updated often. Second, they ultimately aim to generate many reliable and accurate rules that provide long-term value when they are eventually adopted into the formal Community ruleset. Bleeding Snort Rules are essentially test or beta rules, and are better suited for those who have test environments, those who like to live on the edge or must have the up-to-the-second IDS rules.

3. Subscribe to the Snort-Sigs list

The official Snort-Sigs mailing list focuses on "discussion and development of Snort rules." Subscription information and a Web archive is available at Since the changes discussed above, most new rules from the Snort community are now handled via Bleeding Snort.

4. Customize and share your rules

If you find something missing, don't be intimidated by the idea of writing a rule. You can put one together quickly and easily. (To learn more about writing them, read my recent article "How to modify and write custom Snort rules.") And, don't forget to contribute them back to the Snort community via Bleeding Snort Rules. Your work may help someone else who is struggling with similar issues.

Be cautious about where you download Snort rules

And finally, while it's possible to find Snort rules on the Internet in places other than those above, I recommend avoiding them unless you really understand what you are doing. Rule syntax has evolved to provide better ways to accomplish certain goals, such as the "established" keyword that replaces the older method of looking at TCP flags in many circumstances. The McRules you may find on John Doe's random Web site may or may not work, so to be safe you should avoid them.

As of April 2005, there are 3,166 enabled VRT and 33 Community rules from, and 775 enabled rules from, with more being added all the time.


  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for IDS Snort sensors
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort VRT rules
  Using IDS rules to test Snort 


JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.


This was last published in May 2005

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)