Snort IDS tips for VARs a

IDS Snort rules: Acquiring Snort rules

Downloading the two major sets of rules is not difficult. In this example, I am a registered user at Snort.org. I log in with my username and password. On the Snort rules page I scroll down to the section labeled Sourcefire VRT

    Requires Free Membership to View

Certified Rules - The Official Snort Ruleset (registered user release) and select the link for snortrules-snapshot-CURRENT.tar.gz. If I am not logged in I cannot download those rules. After downloading snortrules-snapshot-CURRENT.tar.gz and extracting it, I have three directories: rules, doc and so_rules. Snort rules are in the first, rule documentation in the second and shared object rules in the third. (For now focus on the rules directory; future articles will address shared object rules.)

Acquiring BET rules is simple. Download http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz and extract the contents. If extracted into the same directory as the Sourcefire rules, BET's ruleset will end up in the rules directory created earlier.


Snort Report -- IDS Snort rules

 Introduction
 False positives
 Sourcefire rules
 Bleeding Edge Threats rules
 Acquiring Snort rules
 Activating Snort rules
 Loading rules

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


This was first published in April 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: