Updating snort rules
PCRE allows the use of Regular Expressions in rules, so you can be very specific about what you are searching for.
The three kinds of thresholding allow you to limit the number of alerts sent for "noisy" rules in various ways and may be written into custom rules or placed in a separate configuration file such as
You can also read the archive or join the Snort Sigs mailing list at
Introduction
Why Snort makes IDS worth the time and effort
How to identify and monitor network ports
How to handle network design with switches and segments
Where to place IDS network sensors
Finding an OS for Snort IDS sensors
How to determine network interface cards for IDS sensors
Modifying and writing custom Snort IDS rules
How to configure Snort variables
Where to find Snort IDS rules
How to automatically update Snort rules
How to decipher the Oinkcode for Snort's VRT rules
Using IDS rules to test Snort
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security.
If the /tmp slice is small, either because the firewall is running NanoBSD or a full install with /tmp on a RAM disk, current rulesets can easily fill the slice and cause numerous rule-related errors.
I've been using it for a couple of weeks and I'm very impressed by it. One thing I found though with the new release 18.1, is that my IDS rules are not updating (as they did with r1 and r2).
If you don't want to download the source code tarball, you can access all of Snort's source code, documentation and obsolete rules on the Web at the Snort CVS Repository.
Note the rules in the public CVS repository are not being maintained as of April 2005, though there is discussion about that and it may change.
To get started, review the FAQ at Snort.org, and while you're there, download the latest VRT rules. SIDs below 1 million are reserved for the "official" rules, and Bleeding Snort uses SIDs starting at 2 million.
(See How to decipher the Oinkcode.) Read the rules, modify them and try them (in a test environment, of course). If you modify a rule, just add 1 million to the SID so you can keep track of the original.
This rule means: send an alert if you see an ICMP packet from whatever $EXTERNAL_NET is defined as (default = any) to whatever $HOME_NET is defined as (default = any), if the data size (dsize) is zero and the ICMP type (itype) is 8, which is echo request. (This is SID 469.) Other actions besides "alert" include, but are not limited to, log and pass.
The protocol in this case is ICMP, but IP, TCP and UDP are also supported.
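The rule structure described above (action, protocol, source and destination, then the option block) and the "add 1 million to the SID when you modify a rule" convention, as an added example that is not code from the original article. The sample rule is constructed from the page's description of SID 469; its msg text is a placeholder, not the VRT's wording.

```python
import re

# Constructed sample, assembled from the rule the page describes (alert, ICMP,
# $EXTERNAL_NET -> $HOME_NET, dsize:0, itype:8, sid 469); msg is a placeholder.
SAMPLE_RULE = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"ICMP echo request, empty payload"; dsize:0; itype:8; sid:469; rev:1;)'
)

ACTIONS = {"alert", "log", "pass"}          # actions named on the page
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}   # protocols named on the page
LOCAL_SID_OFFSET = 1_000_000               # page convention: modified copy = SID + 1M

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key with optional value; a quoted value may contain ';' so it is one token
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into header fields plus an ordered option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a recognisable Snort rule")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unsupported action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {m['proto']!r}")
    fields = {k: v for k, v in m.groupdict().items() if k != "opts"}
    fields["options"] = OPTION_RE.findall(m["opts"])   # list of (key, value)
    return fields


def localize_rule(rule: str) -> str:
    """Return a copy of the rule with sid + 1,000,000 so the original SID stays traceable."""
    r = parse_rule(rule)
    opts = []
    for key, val in r["options"]:
        if key == "sid":
            val = str(int(val) + LOCAL_SID_OFFSET)
        opts.append(f"{key}:{val};" if val else f"{key};")
    header = (f"{r['action']} {r['proto']} {r['src']} {r['sport']} "
              f"{r['dir']} {r['dst']} {r['dport']}")
    return f"{header} ({' '.join(opts)})"


def original_sid(sid: int) -> int:
    """Recover the upstream SID from a localized one (unchanged if not localized)."""
    return sid - LOCAL_SID_OFFSET if sid >= LOCAL_SID_OFFSET else sid
```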