Snort FAQ

General

1. What is Snort?
2. What is open source?
3. Where can I download Snort?
4. What can I do with Snort?
5. What is the relationship between Snort and Sourcefire?
6. Does Sourcefire sell Snort?
7. What is a Snort Integrator?
8. What is the role of the Sourcefire Vulnerability Research Team (VRT)?
9. How do I send Sourcefire questions?

Snort.org

1. What is a registered user?
2. Why do I need to register?
3. What if I do not wish to register?
4. Will my information be shared with any other parties or used in any marketing efforts?
5. How can I provide feedback or suggestions for the site?
6. How can I find a user group in my area?
7. What if there isn't a local group?

Rules

1. What is a Snort rule?
2. What is a signature?
3. What is a vulnerability?
4. What is an exploit?
5. What is a protocol?
6. What are Community Rules?
7. What are Sourcefire VRT Certified Rules?
8. What is a user-defined rule?
9. How are rules distributed?

Sourcefire VRT Subscription

1. What does the Sourcefire VRT subscription entitle me to?
2. Do I have to subscribe to receive Sourcefire VRT Rules?
3. How much does a subscription cost?
4. If I purchase a subscription, can I deploy the rules on more than one sensor?
5. Can I use tools such as Oinkmaster or SnortCenter to manage the subscription?

Licensing

1. What is the GNU GPL?
2. What is the Sourcefire VRT Certified Rules License Agreement?
3. What is the Snort Integrator License from Sourcefire?
4. How is the Snort software licensed?
5. Why are the rules licensed separately from the software?
6. Previously Snort and all the rules were licensed exclusively under the GPL, what prompted the change?
7. With the commercial license option, is Snort still an open source solution?
8. What license is used if I contribute code for the Snort Engine?
9. What license is used if I contribute a rule for Snort?
10. If I am currently running Snort, do I have to change anything or do anything differently under this new licensing model?


General

1. What is Snort?
Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

2. What is open source?
The term "open source" typically refers to a program whose source code is released for use or modification by the community. Developers are free to download and make changes to the code as they please and create their own personalized product.

3. Where can I download Snort?
You can download the latest Snort releases at http://www.snort.org/dl/. Snort rules can be downloaded at http://www.snort.org/pub-bin/downloads.cgi.

4. What can I do with Snort?
Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion prevention system.

5. What is the relationship between Snort and Sourcefire?
Sourcefire was founded in 2001 by Martin Roesch, the original author of Snort, in response to increasing demand for a commercial version of the popular technology. Today Sourcefire's mission is to combine our open source roots with proprietary innovation to deliver the most effective and comprehensive real-time network defense solutions on the planet. For more information on Sourcefire, visit www.sourcefire.com.

6. Does Sourcefire sell Snort?
While Sourcefire does offer a commercial version of the Snort technology, we do not simply sell Snort. Sourcefire embraces the open source model and is committed to the GPL. Sourcefire leverages the Snort detection engine as the foundation for the Sourcefire Intrusion Sensor, adding an easy-to-use interface, optimized hardware, powerful data analysis & reporting, policy management and administration, as well as a full suite of product services and 24x7 support. All enhancements made to the Snort technology for Sourcefire's commercial offerings are contributed back to the open source community.

7. What is a Snort Integrator?
A Snort Integrator refers to any company that distributes Snort or Snort rules in their commercial offerings. This includes vendors bundling Snort or Snort rules, MSSPs and SIMs.

8. What is the role of the Sourcefire Vulnerability Research Team?
The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

9. How do I send Sourcefire questions?
The open source community is very important to Sourcefire and we welcome your feedback. All questions and comments can be sent directly to Sourcefire at snort-info@sourcefire.com.

Snort.org

1. What is a registered user?
A registered user refers to someone who has completed the free registration process on www.snort.org. These users receive access to extra features of the site as well as faster VRT Rule updates.

2. Why do I need to register?
Registration is simple and provides users with increased site functionality as well as faster access to new Sourcefire VRT Rules. By registering you are also agreeing to the new Sourcefire VRT Certified Rules License Agreement, which prohibits commercial redistribution of new Sourcefire VRT Rules. In addition, registered users have full access to things such as forums, enhanced documentation, webinars and tutorials.

3. What if I do not wish to register?
Registration is not mandatory although unregistered users will not have access to timely Sourcefire VRT Rule updates. Unregistered users will still have full access to the Snort source code and community ruleset but will only receive a static Sourcefire VRT Certified Ruleset with each Snort point release.

4. Will my information be shared with any other parties or used in any marketing efforts?
No. The privacy of the Snort community is very important to Sourcefire. If you choose to opt-out, the information collected at the time of registration will not be used for any Sourcefire marketing efforts. In addition, Sourcefire will not sell or distribute any personal information to 3rd party companies. For additional details, please read our privacy policy.

5. How can I provide feedback or suggestions for the site?
Your feedback on the new web site as well Snort in general is very important to Sourcefire. Please send any feedback to snort-feedback@sourcefire.com.

6. How can I find a user group in my area?
To help foster this sense of community and provide a platform for users to share their ideas and experiences, local Snort User Groups have been formed throughout the world. You can go to http://www.snort.org/community/usergroups.html to see if there is anyone in your area currently running a group, or interested in starting one.

7. What if there isn't a local user group?
Sourcefire is happy to help you establish a new group in your area. Send an e-mail to snort_groups@sourcefire.com to learn how to get started.

Rules

1. What is a Snort Rule?
Rules are a different methodology for performing detection, one that brings the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability rather than a unique piece of data found in a particular exploit. Developing a rule requires an acute understanding of how the vulnerability actually works.

2. What is a signature?
In the security world the word signature has been given numerous definitions over the years. For the purposes of this discussion, a signature is defined as any detection method that relies on distinctive marks or characteristics being present in an exploit. These signatures are specifically designed to detect known exploits, since they key on distinctive marks such as ego strings, fixed offsets, debugging information, or any other unique marking that may or may not be related to actually exploiting a vulnerability.

This type of detection is typically classified as day-after detection, since actual public exploits are necessary for it to work. Anti-virus companies use this type of technology to protect their customers from virus outbreaks. As we have seen over the years, this type of protection has only limited capabilities, because the virus has already infected someone before a signature can be written.

3. What is a vulnerability?
A lot of people have tried to define the word 'vulnerability' and how it relates to the security industry. The best definition, though, is how it relates to the world at large.

The below is a modified version of Microsoft's definition of a vulnerability, written by Scott Culp.
"A vulnerability is any flaw that makes it infeasible, even when implemented or used properly, to prevent an attacker from usurping privileges, regulating internal protected operations, compromising data, or assuming trust that was not explicitly granted."

This definition allows a wide range of things to be classified as vulnerabilities. It includes everything from the LSASS buffer overflow to character flaws that allow for easy social engineering. This makes sense, as vulnerabilities have been around since the beginning of time and have existed in every device or idea created to restrict or moderate access.

4. What is an exploit?
The counterpart to a vulnerability is the exploit; without an exploit there would be no practical method for utilizing a vulnerability. Exploits are the methodologies or techniques used to take advantage of vulnerabilities. This is also a very broad definition, as it includes everything from standard proof-of-concept (PoC) exploit code to strategies for picking apart the defense on a football field.

5. What is a protocol?
A protocol is the method that allows computers to 'talk' across a network. Below is a simple example of how a protocol works:

a. TCP 3-way handshake occurs.
b. Client system sends a Client HELLO message.
c. Server system responds with a Server HELLO message.
d. Both sides exchange key information to determine what type of encryption to use.
e. Both sides begin encrypted communication.

6. What are Community Rules?
Community rules refer to all rules that have been submitted by members of the open source community or Snort Integrators. These rules are freely available to all Snort users and are governed by the GPL.

7. What are Sourcefire VRT Certified Rules?
Sourcefire VRT Certified Rules refer to rules that have been tested and officially approved by the Sourcefire Vulnerability Research Team (VRT). New Sourcefire VRT Certified Rules released after March 7th, 2005 are governed by the VRT Certified Rules License Agreement.

8. What is a user-defined rule?
User-defined rules refer to rules that an end user writes specifically for their environment. These rules are not contributed back to the open source community. When writing your own rule, a SID between 1,000,001 and 2,000,000 should be assigned to avoid overlap with existing rulesets.
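A simple check for the SID guidance above, added here as an example (not code from the Snort FAQ or the Snort project): it scans a local rules file, extracts each rule's sid option, and flags rules whose SID falls outside the recommended 1,000,001 to 2,000,000 range or that reuse a SID already assigned. The rule text is a constructed sample, and the parser assumes one rule per line (Snort's backslash line continuation is not handled).

```python
"""Flag user-defined Snort rules whose SIDs may collide with distributed rulesets."""
import re

# Range the FAQ recommends for user-defined (local) rules.
LOCAL_SID_MIN = 1_000_001
LOCAL_SID_MAX = 2_000_000

# Matches the sid option inside a rule's option body, e.g. "sid:1000001;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def check_local_rules(rules_text):
    """Return a list of (line_no, sid, problem) for rules that need attention.

    sid is None when the rule carries no sid option at all.  Assumes one rule
    per line; comments (#) and blank lines are skipped.
    """
    problems = []
    seen = {}  # sid -> first line it appeared on
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SID_RE.search(stripped)
        if m is None:
            problems.append((line_no, None, "rule has no sid option"))
            continue
        sid = int(m.group(1))
        if not LOCAL_SID_MIN <= sid <= LOCAL_SID_MAX:
            problems.append((line_no, sid,
                             "sid outside the local range; may overlap a distributed ruleset"))
        if sid in seen:
            problems.append((line_no, sid, f"duplicate sid, first used on line {seen[sid]}"))
        else:
            seen[sid] = line_no
    return problems


# Constructed sample local.rules content (hypothetical rules for demonstration).
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL suspicious URI"; content:"/cgi-bin/test"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB probe"; content:"|FF|SMB"; sid:2003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL DNS oddity"; content:"|00 01 00 00|"; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL missing sid"; itype:8;)
"""

if __name__ == "__main__":
    for line_no, sid, problem in check_local_rules(SAMPLE_RULES):
        print(f"line {line_no}: sid={sid}: {problem}")
```

Running it against the sample reports the SID 2003 rule (inside the distributed range), the duplicated 1000001, and the rule with no sid at all.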

9. How are rules distributed?
There are two sets of rules distributed on the snort.org web site. The "Community Ruleset" is freely available to all users. The "Sourcefire VRT Certified Rulesets" will be made available to users in the following ways:

a. Subscribers will receive rulesets in real-time as they are released to Sourcefire customers - 30 days ahead of registered users
b. Registered users will receive rulesets when they are published
c. Unregistered users will receive access to a static ruleset containing only the latest rules at the time of each Snort point release

Sourcefire Subscription

1. What does the Sourcefire VRT Certified Rules Subscription entitle me to?
Understanding that attackers are constantly developing new methods of attack, uncovering new vulnerabilities and exploiting known weaknesses in commonly deployed systems, Sourcefire created the Sourcefire Vulnerability Research Team (VRT) to ensure our customers stay one step ahead of the latest threats. With this new subscription service, Snort users can benefit from the hard work of this team at the same time Sourcefire customers do. All Sourcefire VRT Certified Rules will be made available to subscribers in real-time as they are released.

Subscribers receive:

  • The fastest access to Sourcefire VRT certified rule updates - The same quality ruleset developed for Sourcefire customers - 30 days faster than registered users
  • Coverage in advance of exploits - The Sourcefire VRT proactively focuses on the underlying vulnerability, rather than simply reacting to known attacks
  • The ability to submit false positives/negatives directly to the Sourcefire VRT - A detailed submission form sends false positives/negatives reports directly to the Sourcefire VRT
  • Snort training from the source - Learn how to take advantage of the power behind Snort rules with 10% off any Sourcefire Snort Training.

2. Do I have to subscribe to receive Sourcefire VRT Rules?
No. Subscribers receive Sourcefire VRT Certified Rules updates immediately when they are available - 5 days faster. However, these rules are still made available to registered users after 30 days and to unregistered users at the time of each Snort point release (ex. 2.3.0, 2.4.0, 3.0).

3. How much does a Subscription cost?
The pricing for Sourcefire VRT Certified Rules subscriptions breaks down as follows:

Subscription Type                  Pricing         Sensor(s)
Personal (available only online)   $29.99          1
Business                           $499 (annual)   1-5
Business                           $399 (annual)   6+

4. If I purchase a subscription, can I deploy the rules on other sensors?
The subscription allows you to deploy the rules only on the sensors for which licenses were purchased.

5. Can I use tools such as Oinkmaster or SnortCenter to manage the subscription?
Yes. Users simply need to generate an oink code at https://www.snort.org/reg-bin/userprefs.cgi.

Licensing

1. What is the GNU GPL?
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

You can read the complete GPL license here.

2. What is the Sourcefire VRT Certified Rules License Agreement?
The Sourcefire VRT Certified Rules License Agreement enables registered end-users to freely download and use rules that have been certified by the Sourcefire VRT while restricting commercial redistribution.

View the complete Sourcefire VRT Certified Rules License Agreement.

3. What is the Snort Integrator License from Sourcefire?
The Snort Integrator License from Sourcefire is a fee-based license that enables Snort Integrators to distribute VRT Certified Rules with their commercial offerings. If you are interested in an integrator license, please contact Sourcefire at snort-license@sourcefire.com.

4. How is the Snort Engine licensed?
There are no changes to the licensing or distribution of the Snort engine. The Snort engine continues to be distributed under the free software/open source GNU General Public License (commonly known as the "GPL"). With the GPL license, Snort is available free of charge. Users may download the software for free and modify, integrate and distribute it. However, GPL users must abide by the rules of the GPL, which stipulates that if a Snort-derived application is redistributed, the complete source code for this application must also be open and available for redistribution.

5. Why are the rules licensed separately from the Engine?
Sourcefire is extremely committed to the advancement of Snort and the open source community. That commitment has resulted in advances such as gigabit performance capability, the integration of the snort_inline technology, the current and future generations of IP defragmentation and TCP stream reassembly functionality, protocol anomaly detectors and normalization, portscan detection, the unified output subsystem, reams of documentation and two complete code audits. In addition, Sourcefire has dedicated significant resources to improving the quality, accuracy and timeliness of Snort rules. The nature of rule development and distribution has always made the rules research, development and distribution a parallel process with Snort development, with its own licensing needs.

6. Previously Snort and all the rules were licensed exclusively under the GPL, what prompted the change?
Sourcefire has learned of people that were misusing the GPL by distributing the Snort rules tightly coupled with their applications and claiming that the GPL doesn't affect them. This change has allowed Sourcefire to support the open source model by better identifying when someone is using the Snort rules in a closed source fashion without commitment to the open source philosophy. For developers building open source applications using Snort rules or Snort end users in general, the change in the licensing policy has no effect. The changes in the license apply specifically to organizations that are commercially redistributing the rules for either a product or a service offering.

7. With the commercial license option, is Snort still an open source solution?
Yes, Snort is still an open source technology licensed under the GPL and Sourcefire remains completely committed to the open source values and philosophy. We believe the open source model of development and distribution is the most efficient way to produce high-quality software.

8. What license is used if I contribute code for the Snort Engine?
When contributing code or bug fixes for the Snort Engine, the GPL applies.

9. What license is used if I contribute a rule for Snort?
When you contribute a new rule for Snort, you will have the option of having this rule included in the Community Ruleset or considered for inclusion in the VRT Certified Ruleset. Rules submitted to the Community Ruleset will be covered by the GPL. If you would like to have your rule considered for the VRT Certified Ruleset, you must agree to assign all ownership and copyrights over to Sourcefire. If this rule is selected, your name will be published in the associated documentation declaring you a "contributor" to that rule. Prior to submitting a new rule for the VRT Certified Ruleset, Sourcefire recommends that you carefully read the agreement and contact us if you have any unanswered questions.

10. If I am currently running Snort, do I have to change anything or do anything differently under this new licensing model?
No, end-users can continue to use Snort without any changes.

