Documents

The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author by clicking on their names below.

Snort Setup Guides
Snort 3 Multiple Packet Threads Processing
Yaser Mansour
Rules Writers Guide to Snort 3 Rules
Yaser Mansour
Snort 2.9.9.x on Ubuntu 14 -16
Noah Dietrich
Snort 3.0.0-a4 on OpenSuSe 42.3
Boris Gomez
Snort 3 on FreeBSD 11
Yaser Mansour
Snort Setup Guides for Windows
WinSnort.com
Snort 2.9.15.1 on CentOS7
Milad Rezaei
Snort 3 on Ubuntu 18 & 19
Noah Dietrich
Snort 2.9.0.x with PF_RING inline deployment
Metaflows Google Group
Snort 2.9.9.x on OpenSuSE Leap 42.2
Boris Gomez
Snort 3.0.1 on CentOS8
Yaser Mansour
Snort Deployment Guides
Changing from IDS to IPS with NFQueue
James Lay
Snort IPS using DAQ AFPacket
Yaser Mansour
Integrating Snort and AlienVault OSSIM
William Parker
Snort IPS Tutorial
Vladimir Koychev
Integrating Snort-2.9.8.x with AlienVault OSSIM
William Parker
How to make some Home Routers mirror traffic to Snort
William Parker
RSyslog rate limiting configuration
William Parker
Snort Related Whitepapers
HTTP Evasions Revisited
Daniel Roelker
Using Perfmon and Performance Profiling to Tune Snort Preprocessors and Rules
Steve Sturges
Inline Normalization using Snort 2.9.0
Russ Combs
Target Based Stream Reassembly
Judy Novak
VRT Methodology Whitepaper
Vulnerability Research Team (VRT)
Optimization of Pattern Matches for IDS
Marc Norton
Target Based Fragmentation Reassembly
Judy Novak
Webcast Slides
Writing Effective Rules, Part I
Matt Olney
Performance Tuning: Rules & Preprocessors
Writing Effective Rules, Part II
Matt Olney
Open Source Community Webinar
Joel Esler
Effective Problem Reporting: How to Get Your Problems Noticed and Fixed
Intro to Snort
Ed Mendez
Using the Host Attribute Table in Snort
OpenAppId Community Webinar
Costas Kleopa
Snort Tuning 101
Nick Moore
Using Multiconfig
John Gay
Introduction to Snort: Part 1
Nick Moore
OpenAppId Detection Webinar
Costas Kleopa
Pimp My Snort
Leon Ward
CONF files
snort.2983.conf
Talos
snort.2091101.conf
Talos
snort.2976.conf
Talos
snort.2990.conf
Talos
snort.2091000.conf
Talos
snort.2091100.conf
Talos
classification.config
Talos
reference.config
Talos
Latest rule documents - Search
1-38027
This rule will alert when it sees a pdf that is trying to use the a function which initiates network communication and can violate corporate policy and is used in a number of adobe exploits.
1-38022
This rule detects specific binary artifacts of RC4 decryption
1-54675
This rule looks for requests for ASP files coming from an attacked host during a secondary stage of attack.
1-54674
This rule looks for the use of the StartRemoteProjectCopy function of Rockwell FactoryTalk View SE to cause the server to copy a project from an attacker controlled URI locally to the server.
1-54673
This rule looks for the use of the BackupHMI function in an HTTP request coming from a FactoryTalk device. This could be an indication of potential compromise.
1-54672
This rule looks for a large number of page requests to ASP files in a short period of time to the Rockwell FactoryTalk server in an attempt win a race condition to trigger an attackers uploaded ASP file.