Documents

The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author by clicking on their names below.

Snort 3 Setup Guides
Rules Writers Guide to Snort 3 Rules
Yaser Mansour
Snort 3 on FreeBSD 11
Yaser Mansour
Snort 3 Multiple Packet Threads Processing
Yaser Mansour
Snort 3.0.0-a4 on OpenSuSe 42.3
Boris Gomez
Snort 3.1.0.0 on CentOS Stream
Yaser Mansour
Snort 3.1.0.0 on OracleLinux 8
Yaser Mansour
Snort 3.1.6.0 on Ubuntu 18 & 20
Noah Dietrich
Snort Deployment Guides
RSyslog rate limiting configuration
William Parker
Snort IPS using DAQ AFPacket
Yaser Mansour
Snort IPS Tutorial
Vladimir Koychev
Changing from IDS to IPS with NFQueue
James Lay
How to make some Home Routers mirror traffic to Snort
William Parker
Snort Related Whitepapers
Inline Normalization using Snort 2.9.0
Russ Combs
Target Based Stream Reassembly
Judy Novak
Using Perfmon and Performance Profiling to Tune Snort Preprocessors and Rules
Steve Sturges
HTTP Evasions Revisited
Daniel Roelker
Target Based Fragmentation Reassembly
Judy Novak
VRT Methodology Whitepaper
Vulnerability Research Team (VRT)
Optimization of Pattern Matches for IDS
Marc Norton
Snort Setup Guides
Snort Setup Guides for Windows
WinSnort.com
Snort 2.9.9.x on OpenSuSE Leap 42.2
Boris Gomez
Snort 2.9.16.1 on CentOS8
Milad Rezaei
Snort 2.9.0.x with PF_RING inline deployment
Metaflows Google Group
Webcast Slides
Introduction to Snort: Part 1
Nick Moore
Pimp My Snort
Leon Ward
Writing Effective Rules, Part II
Matt Olney
Performance Tuning: Rules & Preprocessors
Writing Effective Rules, Part I
Matt Olney
OpenAppId Detection Webinar
Costas Kleopa
Effective Problem Reporting: How to Get Your Problems Noticed and Fixed
Intro to Snort
Ed Mendez
Using the Host Attribute Table in Snort
OpenAppId Community Webinar
Costas Kleopa
Snort Tuning 101
Nick Moore
Using Multiconfig
John Gay
Open Source Community Webinar
Joel Esler
Latest rule documents - Search
1-58219
This rule is designed to alert on attempts to exploit a dir traversal in VMware vCenter Server that leads to a remote code execution vulnerability in the context of the server. Attackers who exploit this can ultimately execute code remotely on the server.
1-58218
This rule is designed to alert on attempts to exploit a dir traversal in VMware vCenter Server that leads to a remote code execution vulnerability in the context of the server. Attackers who exploit this can ultimately execute code remotely on the server.
1-58217
This rule is designed to alert on attempts to exploit a dir traversal in VMware vCenter Server that leads to a remote code execution vulnerability in the context of the server. Attackers who exploit this can ultimately execute code remotely on the server.
1-58216
This rule detects the attempted exfiltration of banking credentials after a successful phishing attempt by looking for know URIs and parameters used to exfiltrate the captured credentials.
1-58215
This rule detects an attempted phishing attack designed to steal email credentials by looking for embedded picture data used in the phishing webpage.
1-58214
This rule detects an attempted phishing attack designed to steal email credentials by looking for embedded picture data used in the phishing webpage.