IDS Snort rules: Sourcefire rules

This portion of the Snort Report on Snort IDS rules covers the rules provided by Sourcefire. It also discusses the pros and cons of subscription rules, free registered-user rules, and rules submitted by the Snort community.

Prior to March 2005, each Snort release came packaged with a set of rules. Those rules were a mix of community-contributed signatures and rules written by engineers on Sourcefire's Vulnerability Research Team (VRT). In March 2005, Sourcefire announced that it was changing its rule licensing and introducing a registration and subscription model. Three sets of rules were introduced.

  1. Sourcefire VRT Certified Rules - The Official Snort Ruleset (subscription release)
  2. Sourcefire VRT Certified Rules - The Official Snort Ruleset (registered user release)
  3. Community Rules

Those who desired up-to-the-minute Snort rules could purchase a VRT Rules Subscription. Those who simply registered could access VRT rules, but after a delay. Those who did not want to register could use community rules, or third-party rules, which I will discuss later. Sourcefire also promised to provide a new set of rules with each "major release" of Snort, such as 2.6. However, this did not happen.

Snort 2.3.1, published March 9, 2005, was the last release to ship with an updated rule archive. Snort 2.3.2 and 2.3.3 shipped with the same set of rules. Snort 2.4.0 and later shipped without any rules. The last set of official rules freely available without any form of registration was published July 22, 2005 as snortrules-pr-2.4.tar.gz.

The current Sourcefire rules model works as follows: Those who want the up-to-the-minute VRT rules can purchase a subscription. Those running Snort for personal use can pay $29.99 per year for any number of sensors. Enterprises that wish to purchase a subscription can do so for $499 per sensor per year for one to five sensors, or $399 per sensor per year for six or more sensors.

Those who do not wish to pay for Sourcefire VRT rules can register, but they will have to wait 30 days to access the latest rules. In extraordinary circumstances (such as a rule to detect an attack against Snort itself), Sourcefire may make one or more rules available immediately to all users. The majority of the time, however, registered but non-subscribing users wait 30 days.

Those who do not wish to register are left with the Snort 2.4 Sourcefire release from July 2005 and the latest Community Rules.

I recommend reading Sourcefire's Why Subscribe? and VRT License documents for full details on their rule options.


About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
