Documents

The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author by clicking on their names below.

Snort 3 Setup Guides
Rules Writers Guide to Snort 3 Rules
Yaser Mansour
Snort 3 on FreeBSD 11
Yaser Mansour
Snort 3 Multiple Packet Threads Processing
Yaser Mansour
Snort 3.1.0.0 on CentOS Stream
Yaser Mansour
Snort 3.1.0.0 on OracleLinux 8
Yaser Mansour
Snort 3.0.0-a4 on OpenSuSe 42.3
Boris Gomez
Snort Deployment Guides
How to make some Home Routers mirror traffic to Snort
William Parker
RSyslog rate limiting configuration
William Parker
Changing from IDS to IPS with NFQueue
James Lay
Snort IPS Tutorial
Vladimir Koychev
Snort IPS using DAQ AFPacket
Yaser Mansour
Snort Related Whitepapers
Inline Normalization using Snort 2.9.0
Russ Combs
Target Based Stream Reassembly
Judy Novak
Using Perfmon and Performance Profiling to Tune Snort Preprocessors and Rules
Steve Sturges
HTTP Evasions Revisited
Daniel Roelker
Target Based Fragmentation Reassembly
Judy Novak
VRT Methodology Whitepaper
Vulnerability Research Team (VRT)
Optimization of Pattern Matches for IDS
Marc Norton
Snort Setup Guides
Snort 2.9.16.1 on CentOS8
Milad Rezaei
Snort 2.9.9.x on OpenSuSE Leap 42.2
Boris Gomez
Snort 2.9.0.x with PF_RING inline deployment
Metaflows Google Group
Snort 3.1.18.0 on Ubuntu 18 & 20
Noah Dietrich
Webcast Slides
Introduction to Snort: Part 1
Nick Moore
Pimp My Snort
Leon Ward
Writing Effective Rules, Part II
Matt Olney
Performance Tuning: Rules & Preprocessors
Writing Effective Rules, Part I
Matt Olney
OpenAppId Detection Webinar
Costas Kleopa
Effective Problem Reporting: How to Get Your Problems Noticed and Fixed
Intro to Snort
Ed Mendez
Using the Host Attribute Table in Snort
OpenAppId Community Webinar
Costas Kleopa
Snort Tuning 101
Nick Moore
Using Multiconfig
John Gay
Open Source Community Webinar
Joel Esler
Preprocessor Documentation

All preprocessor docs from the Snort tarball are linked here for simple indexing and reading. Download these documents individually from the snort-faq repository.


README.GTP
README.PLUGINS
README.PerfProfiling
README.SMTP
README.UNSOCK
README.active
README.alert_order
README.asn1
README.counts
README.csv
README.daq
README.dcerpc2
README.decode
README.decoder_preproc_rules
README.dnp3
README.dns
README.event_queue
README.file
README.file_ips
README.filters
README.flowbits
README.frag3
README.ftptelnet
README.gre
README.ha
README.http_inspect
README.imap
README.ipip
README.ipv6
README.modbus
README.multipleconfigs
README.normalize
README.ppm
README.reload
README.reputation
README.rzb_saac
README.sensitive_data
README.sfportscan
README.sip
README.ssh
README.ssl
README.stream5
README.tag
README.thresholding
README.unified2
README.variables
README.pop
README.pcap_readmode
Latest rule documents - Search
1:64194
This rule looks for inbound DCE/RPC requests that are intended to exploit an arbitrary command execution vulnerability in the Advantech WebAccess webvrpcs service.
1:64192
This rule looks for PHP object injection patterns present in the following parameters in HTTP requests sent to the /module/api.php?mobile/createRaid endpoint on TerraMaster TOS web applications: raidtype, diskstring.
1:64191
This rule looks for CRLF (\r\n) sequences present in multiple parameters in requests to the "/admincertnewcsr.cgi" endpoint on Ivanti Connect Secure web applications.
1:64190
This rule looks for SSRF injection patterns present in the "url" parameter in HTTP requests sent to the /system/ws-control-servlet endpoint on Inductive Automation Ignition web applications.
1:63806
This rule detects a crafted HTTP request commonly used by the Grandoreiro strain of malware
1:63728
This rule alerts on network communications from the Earthworm network proxy tool. This rule may alert on any of the subcommands involved in the client-server handshake of custom TCP protocol used by Earthworm, including the establishment of a reverse socks5 tunnel from the server to the client.