Snort IDS tips for VARs and systems integrators
IDS Snort rules: Sourcefire rules

03 Apr 2007


Prior to March 2005 each Snort release came packaged with a set of rules. The rules were a mix of community-developed techniques and rules written by Sourcefire engineers. In March 2005, Sourcefire announced that it was changing its rule licensing and introducing a registration and subscription model. Three sets of rules were introduced.

  1. Sourcefire VRT Certified Rules - The Official Snort Ruleset (subscription release)
  2. Sourcefire VRT Certified Rules - The Official Snort Ruleset
  3. Community Rules

Those who desired up-to-the-minute Snort rules could purchase a VRT Rules Subscription. Those who simply registered could access VRT rules, but after a delay. Those who did not want to register could use community rules, or third-party rules, which I will discuss later. Sourcefire also promised to provide a new set of rules with each "major release" of Snort, such as 2.6. However, this did not happen.

Snort 2.3.1, published March 9, 2005, was the last release to ship with an updated rule archive. Snort 2.3.2 and 2.3.3 shipped with the same set of rules. Snort 2.4.0 and later shipped without any rules. The last set of official rules freely available without any form of registration was published July 22, 2005 as snortrules-pr-2.4.tar.gz.

The current Sourcefire rules model works as follows: Those who want the up-to-the-minute VRT rules can purchase a subscription. Those running Snort for personal use can pay $29.99 per year for any number of sensors. Enterprises that wish to purchase a subscription can do so for $499 per sensor per year for one to five sensors, or $399 per sensor per year for six or more sensors.

Those who do not wish to pay for Sourcefire VRT rules can register, but they will have to wait 30 days to access the latest rules. In extraordinary circumstances (such as a rule to detect an attack against Snort itself), Sourcefire may make one or more rules available immediately to all users. The majority of the time, however, registered but non-subscribing users wait 30 days.

Those who do not wish to register are left with the Snort 2.4 Sourcefire release from July 2005 and the latest Community Rules.

I recommend reading Sourcefire's Why Subscribe? and VRT License documents for full details on their rule options.


Snort Report -- IDS Snort rules

 Introduction
 False positives
 Sourcefire rules
 Bleeding Edge Threats rules
 Acquiring Snort rules
 Activating Snort rules
 Loading rules

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


