[Snort-users] Rules and Tuning

Tony Robinson trobinson at ...1935...
Tue Aug 14 11:48:44 EDT 2012

To expand on JJ's answer,

This depends on what ruleset you are utilizing, Steve, but at least for the
VRT ruleset, there are multiple ways for you to obtain more information for
a given rule. If you have the sid number/message, the actual rule (or rule
stub in the case of SO rules) will usually have metadata associated with
the rule -- MS vulnerability IDs, CVE numbers, as well as links to websites
with more information (e.g. links to bugtraq or MS technet, virustotal,

If you don't want to dig in the .rules files, then, at least for VRT rules,
snort.org has a rule search page, that, given a SID, can give you more
information on a given rule

additionally, the downloads page has a file, opensource.gz that has rule
documentation available as well.

Hope this helps,


On Mon, Aug 13, 2012 at 1:42 PM, Steven Vona <savona at ...15736...> wrote:

> Is there someplace I can get a list of rules and what they are looking
> for?  We are getting a ton of alerts and I would like to fine tunes which
> rules should be active and which rules should be disabled.  I need more
> information than just the name of the rule.
> Thanks,
> Steve
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


 Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120814/7830d89d/attachment.html>

More information about the Snort-users mailing list