Matt Jonkman and James Ashton founded Bleeding Edge Threats (BET) (previously Bleeding Edge Snort) in 2003 as a focus point for a variety of projects related to intrusion detection. BET's most popular set of rules are BSD licensed and require no registration. There are other rules available, too.
I recommend using both Sourcefire VRT rules and BET rules on sensors. Sourcefire VRT rules are backed by a professional rule development team with millions of dollars of testing equipment at its disposal and specialized tools for signature generation, so they tend to be solid and well-tested. BET releases rules almost immediately upon discovery of a network-based attack, so they can be rough around the edges and less tested. I have found many interesting network activities only using BET rules, however.
Snort Report -- IDS Snort rules
Introduction
False positives
Sourcefire rules
Bleeding Edge Threats rules
Acquiring Snort rules
Activating Snort rules
Loading rules
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
