Snort Setup Guides for Emerging Threats Prevention

The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author by clicking on their names below.

Additional Resources

Possible Packet Loss During Reassembly for Snort IDS/IPS Sensors

William Parker

What do the base policies mean?

Joel Esler

Basics of Snort Rule Writing TechByte

Cisco & Dave McDaniel

Snort Supported OSs

Talos

dpx-1.7.tar.gz

Snort.conf examples

Joel Esler

Snort installation and configuration TechByte

Cisco & John Gay

DPX Readme

Snort site

Snort VIM Configuration

Victor Roemer

Official Documentation

Snort FAQ

Snort Team / Open Source Community

Snort 3 Rule Writing Guide

Talos

Snort Users Manual 2.9.16 (HTML)

Snort Team

Snort Users Manual 2.9.16

Snort Team

Snort Rule Infographic

Talos

Snort 3 Setup Guides

Rules Writers Guide to Snort 3 Rules

Yaser Mansour

Snort 3 on FreeBSD 11

Yaser Mansour

Snort 3 Multiple Packet Threads Processing

Yaser Mansour

Snort 3.1.0.0 on CentOS Stream

Yaser Mansour

Snort 3.1.0.0 on OracleLinux 8

Yaser Mansour

Snort 3.0.0-a4 on OpenSuSe 42.3

Boris Gomez

Snort Deployment Guides

How to make some Home Routers mirror traffic to Snort

William Parker

RSyslog rate limiting configuration

William Parker

Changing from IDS to IPS with NFQueue

James Lay

Snort IPS Tutorial

Vladimir Koychev

Snort IPS using DAQ AFPacket

Yaser Mansour

Snort Related Whitepapers

Inline Normalization using Snort 2.9.0

Russ Combs

Target Based Stream Reassembly

Judy Novak

Using Perfmon and Performance Profiling to Tune Snort Preprocessors and Rules

Steve Sturges

HTTP Evasions Revisited

Daniel Roelker

Target Based Fragmentation Reassembly

Judy Novak

VRT Methodology Whitepaper

Vulnerability Research Team (VRT)

Optimization of Pattern Matches for IDS

Marc Norton

Snort Setup Guides

Snort 2.9.16.1 on CentOS8

Milad Rezaei

Snort 2.9.9.x on OpenSuSE Leap 42.2

Boris Gomez

Snort 2.9.0.x with PF_RING inline deployment

Metaflows Google Group

Snort 3.1.18.0 on Ubuntu 18 & 20

Noah Dietrich

Snort StartUp Scripts

Snort Startup Script for NetBSD 6.x

William Parker

Snort Startup Script for NetBSD 5.x

William Parker

Snort Startup Script for OpenSuSE 11.4

William Parker

Snort Startup Script for OpenSuSE 12.x

William Parker

Snort Startup Script for OpenBSD 5.x

William Parker

Snort Startup Script for Fedora

William Parker

Snort Startup Script for CentOS

William Parker

Webcast Slides

Introduction to Snort: Part 1

Nick Moore

Pimp My Snort

Leon Ward

Writing Effective Rules, Part II

Matt Olney

Performance Tuning: Rules & Preprocessors

Writing Effective Rules, Part I

Matt Olney

OpenAppId Detection Webinar

Costas Kleopa

Effective Problem Reporting: How to Get Your Problems Noticed and Fixed

Intro to Snort

Ed Mendez

Using the Host Attribute Table in Snort

OpenAppId Community Webinar

Costas Kleopa

Snort Tuning 101

Nick Moore

Using Multiconfig

John Gay

Open Source Community Webinar

Joel Esler

Preprocessor Documentation

All preprocessor docs from the Snort tarball are linked here for simple indexing and reading. Download these documents individually from the snort-faq repository.

README.GTP

README.PLUGINS

README.PerfProfiling

README.SMTP

README.UNSOCK

README.active

README.alert_order

README.asn1

README.counts

README.csv

README.daq

README.dcerpc2

README.decode

README.decoder_preproc_rules

README.dnp3

README.dns

README.event_queue

README.file

README.file_ips

README.filters

README.flowbits

README.frag3

README.ftptelnet

README.gre

README.ha

README.http_inspect

README.imap

README.ipip

README.ipv6

README.modbus

README.multipleconfigs

README.normalize

README.ppm

README.reload

README.reputation

README.rzb_saac

README.sensitive_data

README.sfportscan

README.sip

README.ssh

README.ssl

README.stream5

README.tag

README.thresholding

README.unified2

README.variables

README.pop

README.pcap_readmode

Latest rule documents - Search

1:65454

This rule looks for inbound requests to the "/OA.jsp" endpoint on Oracle E-Business Suite web applications that attempt to invoke the Template Preview functionality. Attackers have been observed targeting this functionality to execute previously uploaded malicious XSL or XML files.

1:65455

This rule looks for inbound requests to the "/OA_HTML/SyncServlet" endpoint on Oracle E-Business Suite web applications. Attackers have been observed targeting this endpoint with an authentication bypass exploit to enable subsequent attacks that allow for remote code execution.

1:65456

This rule looks for requests to the /OA_HTML/OA.jsp endpoint of Oracle E-Business Suite web applications. Malicious XSLT documents may be uploaded using this endpoint and later triggered by attempting to preview the file. This can lead to remote code execution by an unauthenticated attacker.

1:65452

This rule looks for specially crafted inbound HTTP requests to the "/adminui/" endpoint on Adobe Experience Manager web applications that attempt to invoke the Struts2 devMode feature to execute arbitrary OGNL expressions. Attackers have been observed exploiting an authentication bypass vulnerability (CVE-2025-54253) to be able to invoke devMode functionality.

1:65451

Revolution PiCtory is vulnerable to a stored cross site scripting attack in the `fn` parameter on the `saveProject` endpoint. Attackers who abuse this can execute code on the victims browser in the context of the user. This can be used to steal credentials, send the user to unwanted websites, or abuse other access on the application.

1:65453

This rule looks for attempts to bypass authentication in Adobe Experience Manager by including "login." as a path parameter.