Snort Official Documentation

The official documentation produced by the Snort team at Sourcefire

Title | Author
Snort Users Manual (PDF, Small) | Snort Team
Snort FAQ | Snort Team



Snort Users Webinar Series

View recordings of past Snort Users Webinars or download PDF copies of the slides

Performance Tuning: Rules & Preprocessors: November 9, 2009
Steve Sturges, Snort development team manager, discusses guidelines for tuning Snort based on performance statistics from rule and preprocessor profiling and the perfmon preprocessor. This session is intended to help Snort administrators when tuning and troubleshooting performance issues. The discussion may also be useful to Snort rule writers for measuring the potential performance impact of their rules.

Access the webcast | Download the slides

What’s New in Snort 2.8.5: September 21, 2009
Steve Sturges, Snort development team manager, discusses a number of new features and enhancements that improve the detection capabilities and performance of Snort 2.8.5, including:

  • A new SSH preprocessor
  • Support for multiple configurations
  • New and updated filtering options
  • Improved restart and update processes

Access the webcast | Watch the Q&A session | Download the slides

Pimp My Snort: July 24, 2009
In this webinar, Leon Ward and JJ Cummings discuss three open source tools that will help you customize your Snort install. Tools covered in this episode include:

  • Dumb Pig – Parses a Snort rule set and, depending on command-line options, recommends “fixes” for dumb Snort rules.
  • SnoGE – Plots attacker location via Google Earth
  • Pulled Pork – Beta release of a new Snort rules management tool

Access the webcast | SnoGE/DumbPig slides | Pulled_Pork slides

Installing Snort 2.8.4 on Fedora Core 10: June 12, 2009
In this edition of the Snort Users Webinar Series, Nick Moore, a Security Engineer with Sourcefire, discusses installing Snort 2.8.4 on Fedora Core 10. Nick’s presentation covers a basic Snort/BASE installation on a VMware install of FC 10 with:

  • MySQL 5.0.77
  • Libnet 1.0.2a
  • Libpcap 1.0.0
  • BASE 1.4.2
  • Apache 2.2.11

What’s New in Snort 2.8.4: April 22, 2009

In this webinar, Steve Kane, Snort product manager, and Steve Sturges, Snort development team manager, discuss what’s new in Snort 2.8.4. Snort 2.8.4 introduced a number of new features to improve the detection capabilities and performance of Snort.

Introduction to Snort: February 27, 2008

In this webinar with Ed Mendez, Director of Instructional Design and Development, learn the basic steps necessary to install, configure and use Snort. The session covers:

  • Planning a deployment
  • Preparing for the install
  • Software requirements
  • Installing Snort
  • Basic Snort operation
  • Tuning strategies

Writing Effective Rules, Part I: June 04, 2008

In this Snort Users Webinar, Matt Olney of the Sourcefire VRT discusses the VRT’s methodology for writing effective Snort rules and what you need to know about Snort to take on rule writing. The one-hour session covers:

  • Detection theory
  • Snort’s architecture
  • Rule options available in Snort

Writing Effective Rules, Part II: September 17, 2008

In this session, Matt Olney of the Sourcefire Vulnerability Research Team (VRT) presents Performance Rules Creation: Rules Options and Techniques. Matt looks at several different rule options by examining their use in published VRT rules:

  • Detecting buffer overflows with content checks, isdataat, and PCRE
  • Detecting attacks against the Kaminsky DNS bug with byte_test
  • Parsing variable-sized protocols and using byte_test for buffer overflow detection
  • Fun with the content and replace keywords

Common Mistakes with Snort and How to Fix Them: Aug 20, 2008

In this session, Joel Esler, a Sourcefire security consultant and frequent contributor to the Snort community, discusses some of the most common mistakes made when configuring and using Snort and how to fix them. Topics covered in this session include:

  • Snort.conf file
  • Variables
  • Preprocessors
  • Rules
  • Barnyard and SnortUnified

Effective Problem Reporting: How to Get Your Problems Noticed and Fixed: February 23, 2009

In this session of the Snort-Users webinar series, Alex Kirk of the Sourcefire VRT discusses how to prepare a Snort rules-related bug report that will enable the VRT to help you solve the problem at hand. Discussion will include:

  • Common pitfalls in false positive/negative reporting
  • Steps that you should take prior to submitting a bug report for a rule
  • A checklist you should use when you’re ready to submit your bug report

Using the Host Attribute Table in Snort: November 12, 2008

This session features Ed Mendez, Director of Courseware Development for the Sourcefire Education Team, who discusses using Snort’s Host Attribute Table. The session includes an overview of what you can do with it and why you might find it useful. It also discusses how to build the attribute table file and describes the XML structures it uses. Additionally, the session describes how you can write rules that take advantage of this feature to provide more robust detection capabilities.