IDS Snort rules: Acquiring Snort rules
Learn how to acquire the rules you'll need to run Snort to your specifications.
Downloading the two major sets of rules is not difficult. In this example, I am a registered user at Snort.org. I log in with my username and password. On the Snort rules page I scroll down to the section labeled Sourcefire VRT Certified Rules - The Official Snort Ruleset (registered user release) and select the link for snortrules-snapshot-CURRENT.tar.gz. If I am not logged in I cannot download those rules. After downloading snortrules-snapshot-CURRENT.tar.gz and extracting it, I have three directories: rules, doc and so_rules. Snort rules are in the first, rule documentation in the second and shared object rules in the third. (For now focus on the rules directory; future articles will address shared object rules.)
Acquiring BET rules is simple. Download http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz and extract the contents. If extracted into the same directory as the Sourcefire rules, BET's ruleset will end up in the rules directory created earlier.
Snort Report -- IDS Snort rules
Introduction
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
