Recipe 9.26 Upgrading and Tuning Snort's Ruleset

9.26.1 Problem

You want Snort to use the latest intrusion signatures.

9.26.2 Solution

Download the latest rules from and install them in /usr/local/share to be consistent with our other Snort recipes:

# tar xvpzf snortrules-stable.tar.gz -C /usr/local/share

To test configuration changes, or to verify the correct usage of command-line options:

# snort -T ...

To omit the verbose initialization and summary messages:

# snort -q ...

9.26.3 Discussion

The field of NIDS is an area of active research, and Snort is undergoing rapid development. Furthermore, the arms race between attackers and defenders of systems continues to escalate. You should upgrade your Snort installation frequently to cope with the latest threats.

If you have locally modified your rules, then before upgrading them, preserve your changes and merge them into the new versions. If you confine your site-specific additions to the file local.rules, merging will be a lot easier.

Although the snort.conf file can be used without modification, it is worthwhile to edit the file to customize Snort's operation for your site. Comments in the file provide a guided tour of Snort's features, and can be used as a step-by-step configuration guide, along with the Snort User's Manual.

The most important parameters are the network variables at the beginning of the configuration file. These define the boundaries of your networks, and the usage patterns within those networks. For quick testing, you can override variables on the command line with the -S option, e.g.:

# snort -S HOME_NET= ...

Depending on your interests and needs, you may also wish to enable or tune some of the Snort preprocessors that are designed to respond to various threats. IP defragmentation and TCP stream reassembly are enabled by default, to detect denial of service attacks and to support the other preprocessors. If you are being subjected to anti-NIDS attacks such as noise generators that attempt to overwhelm Snort with a flood of alert-inducing traffic, use:

# snort -z est ...

to limit alerts to known, established connections only. Several preprocessors are available to defeat attempts to escape detection during attacks on specific protocols. These often take the form of path name or instruction sequence mutations, and the preprocessors work to convert the input streams into a canonical form that can be more readily recognized by the pattern matching rules. Port scans are noticed by preprocessors that watch a range of protocols over time.

Finally, a variety of output plugins can direct alerts to databases, XML files, SNMP traps, a local Unix socket, or even WinPopup messages on Windows workstations, using Samba. Many of these features are experimental, or require special configuration options when Snort is installed; consult the documentation in the source distribution for details.

Whenever you modify the Snort configuration or add or customize rules, use the -T option to verify that your changes are correct. This will prevent Snort from dying unexpectedly when it next restarts, e.g., at boot time.

9.26.4 See Also

snort(8). The Snort home page is The Honeynet project's web site,, contains a wealth of information about network monitoring, including Snort. See for a sample Snort configuration file.

    Chapter 9. Testing and Monitoring