Snort Rules Options

By Creigh Long
CS457: Honeypot Project
Last Updated: 4/26/06

  1. Official Snort rules
    1. subscription based - current rules, highest quality: too expensive
    2. registration based - 5-day-old subscription ruleset: recommended
    3. unregistered - only updated with each major release of Snort: stale
    4. community - submitted by members of the community and minimally tested
  2. Bleeding-Edge Snort rules
    1. volunteer run
    2. free Snort signature development
      1. released quickly
    3. organized into rulesets
    4. Bleeding Snort Windows Ruleset Manager
    5. works with Oinkmaster (how to)
  3. Write your own rules
    1. Writing Snort Rules: How To write Snort rules and keep your sanity

Other Related Rule/Ruleset Projects and Sites

  1. Oinkmaster (how to)
    1. keeps Snort rules current
      1. sets up a cron job to update your rulesets whenever your ruleset repository (official, bleeding, etc.) is updated
      2. updates the current ruleset with your modifications carried over from previous rulesets
  2. Snort IDS Policy Manager For Windows 2000/XP
    1. drag-and-drop ruleset editor
    2. updates directly from bleedingsnort.org