This little piggy caught some hackers
Snort ™
Got Source? Our Team About Snort License
The Open Source Network Intrusion Detection System hosted by Sourcefire

Hear Marty Speak
Didn't get to see Marty speak? Listen to his "The Future of IDS" webinar.

» News
  Get the latest news about our favorite pig
» Documentation
  Information on how to setup the pig
» Downloads
  Get the pig, and all addons that make the pig easier to use
» Mailing lists
  Discussions about snort.
» User Groups
  Like minded pig lovers getting together to discuss snort.
» Rules
  All the information about rules you could ever want.

Search Ports

Rules Documentation

SecurityFocus News Feed


The following press release was brought to my attention today.

In essence, the Gartner analysts (Richard Stiennon and John Pescatore) are saying that you shouldn't spend any (ANY!) money on your network audit function (IDS) but should instead focus only (ONLY!) on your access control function (Firewalls/IPS). They further posit that IDS will be obsolete by 2005 and that a mix of network and application firewalls will completely eliminate the need to monitor your network for hostile activity falling outside the scope of access control.


Write rule documentation, get a t-shirt Brian @ Sat May 31 00:15:58 2003 GMT
As you may have noticed, we have kicked documentation of Snort rules into high gear. A number of people have been working extremely hard on documenting our rules to make YOUR life easier by having better understanding of alerts when they trigger on your network.

Sourcefire has donated a case of Snort t-shirts for us to give away, so we've come up with a great way for you to get a t-shirt. Anyone that submits twenty (20) well written rule documents will get a t-shirt sent to them.

With all give-aways, there are a few caveats.
  1. Don't violate copyright law. Original content is a must.
  2. Rule documentation is distributed as a part of the Snort project (GPLed). You still own copyright to anything you submit, but the license must be GPLed.
  3. When we run out of t-shirts, we will stop giving away t-shirts.
  4. We define "well written" and reserve the right to redefine our definition at any time. Of course, we will try and be as friendly as possible. If you are hard working and try hard, we will keep that in mind. (We want to give away t-shirts, but we also want you to earn it :P)
  5. We may stop running this give-away at any time, for any reason, and reserve the right to not send t-shirts for any reason. (Running out of t-shirts will probably be the only one!!!)
  6. You must send us your address for us to send you a t-shirt. (Feel free to email it to me privately. I promise not to publish any addresses. I hate spam as much as everyone else.)
Anyways, the template we require you to fill in is available here. Please only submit documents for rules without documentation. We will review any and all submitted documents, but please try and do not duplicate work.

Please submit any completed documentation to If you have any questions, please ask on

New Snort Book Brian @ Tue May 6 20:20:30 EDT 2003
Syngress has published a new book on Snort. Syngress put together an awesome team to write for the book, including Jay Beale (of Bastille fame), James C. Foster (from Foundstone), Jeffrey Posluns ( Author of a number of security books), and Ryan Russell (primary author of the Hack Proofing Your Internet Tradecraft among many other books), me, and a number of other awesome authors.

A sample chapter for the book (all about preprocessors) is available here.

The book is already shipping from a number of sources:
  • Barnes & Noble
    (I know, I had to buy one from amazon for myself just to know it was real :P)

    Check out the book. Apart from being the first comprehensive book on snort, the book is well put together, packed full of information, and you should learn quite a bit.
  • Snort Advisory: Integer Overflow in Stream4 Brian @ Wed Apr 16 14:52:33 EDT 2003
    Affected Versions:
    All versions of the following products are affected:
  • Snort 1.8 through 1.9.1
  • Snort CVS - current branch up to version 2.0.0 beta

    The Sourcefire Vulnerability Research Team has learned of an integer overflow in the Snort stream4 preprocessor used by snort. The Snort stream4 preprocessor (spp_stream4) incorrectly calculates segment size parameters during stream reassembly for certain sequence number ranges which can lead to an integer overflow that can be expanded to a heap overflow.

    Snort 2.0 fixes this vulnerability. Snort 2.0 can be downloaded at

    The full text for the advisory can be read here.
  • Snort 2.0 release available Brian @ Mon Apr 14 11:35:32 EDT 2003
    Snort 2.0 has been released and is available at Snort 2.0 is the result of many months of effort on the part of dozens of people and has a slew of new features:
  • Enhanced high-performance detection engine
  • Stateful Pattern Matching
  • New detection keywords: byte_test & byte_jump
  • The Snort code base has undergone an external third party professional security audit funded by Sourcefire (
  • Many new and updated rules
  • snort.conf has been updated
  • Enhancements to self preservation mechanisms in stream4 and frag2
  • State tracking fixes in stream4
  • New HTTP flow analyzer
  • Enhanced protocol decoding (TCP options, 802.1q, etc)
  • Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
  • Enhanced flexresp mode for real-time TCP session sniping
  • Better chroot()'ing
  • Tagging system updated
  • Several million bugs addressed....
  • Updated FAQ (thanks to Erek Adams and Dragos Ruiu) Snort 2.0 can be downloaded at Binary versions of the codebase will be built over the next several days and made available at here.
  • Snort 2.0 rc4 available Brian @ Mon Apr 7 14:49:11 EDT 2003
    The Snort 2.0 release candidate 4 is available for your testing. This release includes a number of fixes thanks to your tests of rc1, rc2 and rc3.

    This version includes the following changes:
  • byte_jump/byte_test don't force relative content options
  • byte_jump/byte_test absolute offsets work
  • Better FIN handling in Stream4

    The source tarball is available here. A win32 build will follow shortly!
  • Snort 2.0 rc3 available Brian @ Thu Apr 3 15:09:43 EST 2003
    The Snort 2.0 release candidate 3 is available for your testing. This release includes a number of fixes thanks to your tests of rc1 and rc2.

    This version includes the following changes:
  • A low memory usage detection method (enabled via "config detection: search-method lowmem")
  • Moved the default unix socket location to LOGDIR

    The source tarball is available here. A win32 build will follow shortly!
  • Snort 2.0 rc2 available Brian @ Tue Apr 1 13:32:19 EST 2003
    The Snort 2.0 release candidate 2 is available for your testing. This release includes a number of fixes thanks to your tests of rc1.

    This version includes:
  • syslog should work on win32 and unix
  • major tagging updates
  • new UDP decoding alerts
  • snort.conf updates

    The source tarball is available here. A win32 build will follow shortly!
  • Snort 2.0 rc1 available Marty @ Wed Mar 26 16:41:42 EST 2003
    The Snort 2.0 release candidate 1 is available for your testing. We've been working on and tweaking Snort 2.0 for quite a while now and it's looking like it's ready to go. Please download it and check it out at the earliest opportunity. If you find any bugs, please read the doc/BUGS file before submitting a bug report, Snort works on too many platforms for us to guess at your configuration!

    This version features:
  • Higher performance (due to a new pattern matcher and rebuilt detection engine)
  • Better decoders
  • Enhanced stream reassembly and defragmentation
  • Tons of bug fixes
  • Updated rules
  • Updated snort.conf
  • New detection keywords (byte_test, byte_jump, distance, within) & stateful pattern matching
  • New HTTP flow analyzer
  • Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
  • Better self preservation in stateful subsystems
  • Xrefs fixed
  • Flexresp works faster and more effectively
  • Better chroot()'ing
  • Fixed 802.1q decoding
  • Better async state handling
  • New alerting option: -A cmg!!

    The source tarball is available here. A win32 build will follow shortly!

    Brought to you by the character ':', the letters 'w' and 'q' and the number 0x41414141. Enjoy!

    Update by Brian @ 03/27/03 and neither can Marty.
  • More opportunities for lunch with Marty Brian @ Tue Mar 25 16:47:04 EST 2003
    As the previous 'Marty speaks on IDS, Snort, and Sourcefire' seminars hosted by Sourcefire got such a overwhelmingly positive response from attendees, Sourcefire has decided to extend Marty's tour to additional cities around the country. Sorry guys, US only. Food will be served, and the seminar is free, but you must register first.

    For locations, times, and registration information, click here.

    Update by Brian @ 03/27/03 Ok, so I can't speel...

    Snort 1.9.1 linux build released Brian @ Thu Mar 13 19:36:13 EST 2003
    RPMs for 1.9.1 are now available, as is an updated version of Inline snort. Thank Chris Green for the RPMs and Rob McMillen for the Inline update.

    Snort 1.9.1 win32 build released Brian @ Tue Mar 4 15:54:15 EST 2003
    A win32 binary is now available (Thanks to Chris Reid) here. So please stop emailing us asking for the win32 binary that fixes the RPC buffer overflow. :)

    Snort 1.9.1 released, fixes vulnerability in rpc decoder Brian @ Mon Mar 3 13:00:00 EST 2003
    A buffer overflow has been found in the snort RPC normalization routines by ISS X-Force. This can cause snort to execute arbitrary code embedded within sniffed network packets. This preprocessor is enabled by default.

    Snort 1.9.1 has been released to resolve this issue. For users using CVS HEAD, a fix has been committed to the source tree.

    If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins:
    preprocessor rpc_decode

    and replace it with:
    # preprocessor rpc_decode

    Snort 1.9.1 is available here.

    Marty and Greg discussing Snort, IDS, and Sourcefire Brian @ Mon Feb 10 10:18:10 EST 2003
    Marty, our benevolent dictator, along with Greg Shipley (of Neohapsis fame) will be discussing snort, the state of intrusion detection, and Sourcefire's products at a seminar on February 20th in Chicago. The seminar is free, but you must register first to attend.
    UPDATE - Mon Feb 24 11:45:01 EST 2003 The 20th has past. So stop trying to register for a seminar that has already taken place. :)

    Paper on configuring Snort Inline Brian @ Sun Jan 26 20:56:57 EST 2003
    Tim Slighter has put together a paper discussing configuring Inline mode for snort. Inline isn't just for honeynets, so if you are interested in the Intrusion Prevention buzzword, check out Tim's paper.

    Rule to detect SQL worm Brian @ Sat Jan 25 21:12:39 EST 2003
    We've put together a rule and rule documentation for the worm. The rule is available at here or from your normal rule updates.

    More in-depth papers on snort 2.0 technology Brian @ Wed Jan 22 05:25:19 EST 2003
    Marc Norton and Dan Roelker of Sourcefire have published 3 papers on the technology they have been working on for Snort 2.0. These papers are similar to what was released by Sourcefire previously, but with a little less marketing foo, and a little more hard core geekisms. Check out the papers in our Documents section. If you find the papers interesting, send a thank you note to Marc and Dan to let them know what you think.

    A new honeynet toolkit from the honeynet project Brian @ Tue Jan 14 05:07:20 EST 2003
    The Honeynet Project has released a Honeynet Snort-Inline Toolkit. Included in this toolkit is a drop ruleset designed for honeypots and a precompiled snort-inline binary for linux.

    NOTE: The rules provided by the Honeynet Project will NOT protect your network. They are designed for a HONEYNET and for a HONEYNET ONLY.

    So, if you are looking for an easy-to-use honeynet, check out the Honeynet Project's toolkit.

    Odd devices running snort Brian @ Tue Dec 24 06:12:58 EST 2002
    Ed Skoudis, frequent teacher of SANS classes, has posted a fun list of unusual devices running Snort. Check it out.

    The next time you are taking a SANS IDS class, try not to ask Mike if he has caught any new intrusion attempts. :P

    snort 2.0 notice Brian @ Fri Nov 22 04:04:47 EST 2002
    FYI, snort 2.0 has not been released yet. We are currently implementing a large number of features that will go into snort before we release 2.0. If you would like to check out the improvements we are working on, the changes are in the HEAD branch of CVS. You can also use the snort-current snapshot.

    tcpdump and libpcap trojaned Brian @ Thu Nov 14 05:29:04 EST 2002
    The latest versions of libpcap and tcpdump available from contain trojan code that connects to on TCP port 1963.

    While snort was not directly affected, if you downloaded libpcap from, you should take steps to verify your system's integrity.

    Snort 2.0 development branch merged Brian @ Thu Oct 10 04:20:24 EDT 2002
    For those of you that don't watch CVS commits, you should check out the latest code that was merged by Chris last night.

    Sourcefire has been working on speeding up Snort and has reengineered Snort 2.0 to use a new HTTP Protocol Flow Analyzer and Detection Engine. Together, these enhancements provide users with increased accuracy and up to 18 times greater performance than previous versions.

    Read the paper by Sourcefire to learn about the new features in Snort 2.0. Way to go guys.

    Snort 1.9.0 Released Brian @ Thu Oct 3 17:03:59 EDT 2002
    Snort 1.9.0 was released today. This release of snort includes a large number of enhancements and bug fixes. If you've been tracking rule changes, this is the first release to use the "flow" keyword. Chris will be sending a detailed changelog to the mailing lists, so keep an eye out for his email.

    Download source or pre-built binaries.

    Poll of snort usage Brian @ Wed Oct 2 09:34:57 EDT 2002
    Patrick M. pointed out that Security Administrator is running a poll on who is running Snort on their network. Since you are reading this, you probably are using snort. So go to the site and say "Yes" in the poll.

    "This little piggie guards the market" Brian @ Mon Sep 23 16:18:53 EDT 2002
    The AGE, an online newspaper, published an article about snort. They discuss the snort a little bit, mention a few companies that are doing "snort things" including Sourcefire, Demarc, and Farm9. The article even mentions that ISS has tried to replicate snort functionality with the TRONS features.

    Check it out here.

    Copyright © 2002, 2003 Brian Caswell and Marty Roesch. All rights reserved.
    Sourcefire and Snort are trademarks or registered trademarks of Sourcefire, INC. patents pending
    Last Updated
    Sat Jun 21 00:19:19 2003 GMT