Snort FAQ

Abuse of Snort.org

We consider abuse of Snort.org to be the following:

  • Excessive downloading

While we don’t have any limitations on the amount of times you can download a Snort package or ruleset per day, we ask that you schedule your downloads for no more than once per hour. (We also insist on the usage of PulledPork, which, amongst its many features, checks the md5 of the file you are attempting to download, before it attempts to download the entire rule file. This saves us a tremendous amount of bandwidth.) If you are causing us problems by attempting to download the ruleset too often (for instance, once every minute, every five minutes), you may wind up at our “Abuse” page. If you suspect you are one of these people, (which is the majority of people that wind up on the abuse page), please double check your crontabs to ensure you are downloading no more than once an hour.

  • Use of a Shared Oinkcode

Sharing of Oinkcodes between users is in violation of the Snort Subscriber Rule Set License. Every user on Snort.org is assigned an individual Oinkcode for usage inside of PulledPork. Occasionally, users will accidentally post their oinkcode on a forum, email list, etc, and need to reset their Oinkcode. (This feature is available on the oinkcode page under your user account.) Other people on the internet will grab the Oinkcode that was accidentally published and attempt to use it in their installation. We generally take two steps in this case:

  • Reset the Oinkcode
  • Redirect you to our “Abuse” page.
  • Repeated attempts to download a version of the Ruleset that no longer exists.

We have a large set of users that have forgotten about their Snort installations, and are still attempting to download ruleset versions that we haven’t published in 10 or so years. Those users are redirected to our “Abuse” page.